Storm Clouds or Silver Linings? : The Impact of the U.S. CLOUD Act

Download a printable PDF of this article.

In March 2018, President Trump signed a $1.3 trillion annual appropriations bill. Wedged into its 2,232 pages, and unseen by nearly everyone, was the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), which sets far-reaching new rules for international cooperation by criminal investigators seeking emails and data from foreign countries.

The act fills gaps highlighted during the recent Supreme Court oral argument in United States v. Microsoft. That case pressed the justices to interpret the 1986 Stored Communications Act (SCA) in light of new and rapidly evolving technology. The Supreme Court never decided the Microsoft case. Instead, the Court dismissed it as moot after the CLOUD Act was enacted.

While the CLOUD Act provides innovative new approaches to some of the criminal investigation challenges posed by technology, it naturally also raises new questions and concerns. The fact that most information is digitized (that is, recorded as bytes), the ubiquity of the Internet, and fast-paced globalization complicate traditional approaches to obtaining information in criminal investigations because data may be stored in a different country than the person or entity seeking it.

In the course of a criminal or regulatory investigation, police, prosecutors, and others routinely need access to private information held by a person being investigated or by a third party. The procedures for them to do this are well known: Investigators can obtain a subpoena, warrant, or other order from a local authority; effect service subject to the jurisdiction of that authority; and either compel the recipient to turn over the information or authorize a local official to seize it.