The federal government can seize electronic data stored abroad by serving a warrant on a U.S.-based company.
The Clarifying Lawful Overseas Use of Data (CLOUD) Act authorizes the seizure of electronic data abroad and provides statutory procedures for quashing warrants when searches conflict with foreign law. While the Act purports to protect public safety and combat serious crime, critics question whether the law strikes an appropriate balance between effective law enforcement and privacy rights.
Overruling the Presumption against Enforceability Beyond Borders
Microsoft Corporation challenged whether a warrant authorized by the Stored Communications Act (SCA) requires companies to produce customer content stored abroad. After being served with an SCA warrant, Microsoft moved to quash the search insofar as it related to user content stored in its Dublin, Ireland, data center. Likening the warrant to a subpoena, the U.S. District Court denied the motion to quash and ordered Microsoft to produce data stored at locations it “owned, maintained, controlled, or operated,” including the data stored in Ireland.
On appeal to the U.S. Court of Appeal for the Second Circuit, Microsoft argued enforcing the warrant “would effect an unlawful extraterritorial application of the SCA . . . and would work an unlawful intrusion on the privacy of Microsoft’s customer.” Meanwhile, the government argued the warrant’s reach depends on the records available to the served party, not where the served party stores its records. In Microsoft Corp. v. United States, the Second Circuit sided with Microsoft, holding “the Stored Communications Act does not authorize courts to issue and enforce against the U.S.-based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers.”
The Department of Justice petitioned for certerari, which the U.S. Supreme Court granted. Before the Court could rule, however, Congress enacted the CLOUD Act, which codified the government’s position. As a result, the Supreme Court remanded the case for dismissal as moot.
There are two basic pieces to the CLOUD Act, explains Eileen Hintz Rumfelt, cochair of ABA Section of Litigation’s Editorial Board Subcommittee of the Criminal Litigation Committee. “The first resolves the fairly straightforward question before the Supreme Court in Microsoft—it makes overseas data controlled by a U.S. company subject to a criminal warrant,” observes Rumfelt. Some applaud this component for its bright-line certainty. “Companies can take advantage of overseas data farms and now know that data is subject to U.S. criminal search just like U.S.-based data. The government now knows that a subpoena to Microsoft is a subpoena for all of the data Microsoft controls,” explains Rumfelt. “And the individual user, who has little transparency into where his or her data is held anyway, now knows that putting data with a U.S. company means all of that data is subject to U.S. criminal laws,” adds Rumfelt.
The second piece provides a statutory mechanism for U.S. and foreign governments to exchange data. “The act purports to allow foreign governments to enter into executive agreements with the U.S., allowing them to collect communications from U.S. companies without multiple levels of procedural protections,” notes Marc J. Zucker, Philadelphia, PA, cochair of the Section of Litigation’s Pretrial Practice & Discovery Committee. Whether this is an improvement for data exchange is unclear. “The answer will depend on how actively the executive branch uses the new process, the international partners it deals with under the Act, and how thoughtfully agreements on the exchange of data are struck,” notes Rumfelt. “The Act vests more power in the executive branch and less in the judicial, and there is certainly an argument that this is not a good development for individual privacy concerns,” concedes Rumfelt.
Some Section leaders have concerns about the Act’s impact on privacy interests. “The Act grants foreign governments the ability to collect data directly from U.S. companies without requiring a U.S. warrant, in violation of the Fourth Amendment,” warns Matthew A.S. Esworthy, Towson, MD, cochair of the Section of Criminal Justice’s Cyber Crime Committee. The President can now “circumvent the need for Congressional approval with ‘international agreements,’ which will permit foreign governments to directly obtain data in the U.S. while ignoring U.S. privacy laws,” argues Esworthy. “Companies will likely be faced with a Hobson’s choice of whether to protect the privacy interests of its employees, customers, and users, or face the wrath of the federal government. This Act is in no way a win for individual liberties or privacy rights,” argues Esworthy.
Advising Clients in a Cloud-Computing Era
ABA leaders agree knowing the client’s business is key to providing legal advice involving electronic data. “All of our clients, to one degree or another, deal with data,” declares Rumfelt. “This legislation is just one example of how the law is changing to accommodate the rapidly evolving technological landscape, and lawyers who understand these changes will be better able to counsel their clients on the day-to-day management of their business data,” suggests Rumfelt. “The best advice you can give a client is to understand what kind of data it has, what data is important or valuable, and to streamline or get rid of anything that isn’t necessary to successfully run or operate the business,” advises Esworthy. “In other words, the client must ‘know thyself’ before counsel can meaningfully assist,” he concludes.
Kristen L. Burge is an associate editor for Litigation News.
Hashtags: #criminallaw, #electronicdata, #legislation, #privacylaw, #CLOUDAct
- Eileen H. Rumfelt, “Congress’s Effort to Deal with Overseas Data in the Wake of United States v. Microsoft,” Criminal Litig. Committee, Practice Points (May 29, 2018).
- Eileen H. Rumfelt, “Supreme Court to Decide the Extraterritorial Reach of the Stored Communications Act,” Criminal Litig. Committee, Practice Points (Jan. 2, 2018).
- Sean Fernandes, "Supreme Court to Address Significant Stored Communications Act Cases,” Privacy & Data Security Committee, Practice Points (Aug. 16, 2017).
Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).