While the U.S. Supreme Court weighed the arguments in United States v. Microsoft, heard February 27, 2018, Case No. 17-2, the opposing parties before the Court were united in favor of new legislation that ultimately passed as part of the recent omnibus spending bill. As was reported in a previous practice point, United States v. Microsoft involved whether, under the Stored Communications Act (SCA), data held in a foreign country by a U.S. corporation is subject to production under a warrant issued by a U.S. court on probable cause. The CLOUD Act, which stands for Clarifying Lawful Overseas Use of Data, resolved that issue in late March with a statutory addition providing that such information must be disclosed regardless of whether it is located within or outside of the United States. Following the addition, the Department of Justice obtained a new warrant based on the new provision, and Microsoft produced the documents in question. Accordingly, on April 17, 2018, the Supreme Court declared the issues under review moot, vacated the judgment, and directed the Second Circuit to instruct the district court to dismiss the case.
The new language in the CLOUD Act generally was accepted by commentators, especially as it is accompanied by additional procedural safeguards in the form of a motion to quash process for warrants that create a material risk of violating foreign law. The legislation, however, shattered previous alliances between tech companies and privacy watchdogs because it also introduced measures to streamline the process by which data held in the United States can be produced to foreign law-enforcement officials.
The CLOUD Act was introduced on February 6, 2018 by a bipartisan group led by Senators Orrin Hatch (R-Utah), Christopher Coons (D-Delaware), Lindsey Graham (R-South Carolina) and Sheldon Whitehouse (D-Rhode Island). In addition to the “Microsoft fix” described above, the legislation updates the process governing the international exchange of data. Before the passage of the CLOUD Act, foreign governments seeking data from providers in the United States had to adhere to a process for disclosure under the Mutual Legal Assistance Treaty (MLAT), which requires the Justice Department to seek data on behalf of the requesting foreign government via a probable-cause warrant. The new law allows the executive branch to enter into agreements with foreign nations to allow for production from U.S. companies of foreign users’ data and communication intercepts (wiretaps) of foreign users. The CLOUD Act provides that only those countries with “robust substantive and procedural protections for privacy and civil liberties” and “appropriate procedures” for minimizing collection of information concerning United States persons are eligible for such agreements. Before becoming operative, agreements under the CLOUD Act must be presented by the attorney general (with consent of the Secretary of State) to Congress, which has 90 days to object by joint resolution. Agreements under the CLOUD Act are not subject to judicial or administrative review. In-place executive agreements automatically sunset after five years if not renewed. The bill also provides a corresponding process for U.S. collection of data overseas.
The Trump administration supported the bill, as did the majority of state attorneys general, as well as Facebook, Apple, Google, and Microsoft. Proponents of the legislation argued that the CLOUD Act was a needed fix to a cumbersome and outdated process that no longer reflects the nature of international law enforcement. They argued that there are sufficient substantive and procedural safeguards in the legislation to allow for a reasonable balance of privacy and security. Proponents also argued that the legislation will allow the United States to frame the international conversation around data retrieval rather than reacting after “data localization” (movement of data storage centers to country-specific locations) has occurred. Supporters—including the deputy national security advisor for the United Kingdom, who wrote an op-ed in the New York Times—pointed to a draft agreement with the United Kingdom as an example of how an executive agreement under the new law would work. That draft agreement was negotiated during the Obama administration and is now held out by the British government as one of its key diplomatic priorities with the United States.
An alliance of human rights and privacy organizations, including the American Civil Liberties Union, Amnesty International, and the National Association of Criminal Defense Lawyers, argued that the CLOUD Act undermines privacy and human rights by eliminating important procedural safeguards. Chief among the opposition group’s arguments were that the legislation puts significant new power in the executive branch with inadequate congressional oversight. Although the act attempts to restrict those countries eligible for executive agreement to those with adequate human rights records, the standards are largely undefined and subject to interpretation. And, while Congress can object, it is argued, Congress likely will have to overcome a presidential veto to stop any particular executive agreement. The opposition group also was concerned that the act allows foreign governments to wiretap and seek data in the United States—for the first time—without adhering to U.S. legal standards. Especially because U.S. citizens’ communications and data will inevitably be caught up in this data collection, they argued that probable-cause standards remain critical.
The CLOUD Act is now law, and the issues before the Court in the United States v. Microsoft case have been mooted (indeed, Microsoft produced the documents at issue in response to the government’s new warrant). Time will tell whether the government and Microsoftremain allied in support of this congressional fix in the long term.
Eileen H. Rumfelt is with Miller & Martin, PLLC, in Atlanta, Georgia.