International Impact of the Clarifying Lawful Overseas Use of Data (cloud) Act and Suggested Amendments to Improve Foreign Relations

• Publication year: 2020

International Impact of the Clarifying Lawful Overseas Use of Data (CLOUD) Act and Suggested Amendments to Improve Foreign Relations

Jordan A. Klumpp^*

Table of Contents

I. Introduction................................................................................614

II. Cross-Border Data Sharing.....................................................616

III. The Clarifying Lawful Overseas Use of Data (CLOUD) Act .........................................................................................................620

IV. Domestic Reaction to the Cloud Act.....................................623

V. Foreign Reaction to the CLOUD Act......................................625

VI. Proposed Amendments to the Cloud Act...............................629

A. Mandatory Annual Compliance Review............................631
B. Congressional Approval of Executive Agreements...........633
C. Eliminate Reciprocal Data Sharing Requirement for Executive Agreements........................................................637
D. Notice Requirement...........................................................639

VII. Conclusion...................................................................................641

[Page 614]

I. Introduction

In the modern world, digital data is everywhere. The average person generates a huge data footprint thanks to technological advancements such as cloud storage and increased connectedness of devices. Each day yields approximately 3.5 billion Google searches and 1.5 billion people active on Facebook, and every minute there are 156 million emails sent, 4.1 million new YouTube video views, 45,000 Uber trips, and 16 million text messages received.¹

This massive data stockpile presents opportunities to improve business efficiency, aid in criminal investigations, and even create new job markets.² However, it's also a logistical nightmare. The sheer volume of data presents organizational and analytical challenges.³ Beyond the administrative problems, there are also privacy concerns and accessibility issues.⁴

These privacy and accessibility concerns are even more severe in the context of criminal investigations.⁵ Because of digital data's prevalence in modern society, that type of information is sometimes used as evidence of criminal activity.⁶ But there remain questions on how much of a person's digital footprint should be accessible when that person's civil liberties are on the line.⁷ The issue is further complicated when data flows between multiple foreign states and the data must be shared across international borders.

Cross-border data sharing is a major hurdle to data accessibility, especially in the context of data sharing as part of criminal investigations. International entities must cooperate for effective data sharing because digital data moves

[Page 615]

freely outside of international boundaries.⁸ Consider an email sent from Atlanta, Georgia to Seattle, Washington. That email might take a direct route across the United States, but it is also possible the email could bounce through a Canadian server before reaching its final destination.⁹ Cloud storage further erodes data's respect for international borders because stored data could be held in storage centers located across the globe in nations such as India, Ireland, or Chile.¹⁰

Various agreements and pieces of legislation have attempted to facilitate cross-border data sharing. The most recent law addressing this issue is the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which is a United States law enacted in March 2018.¹¹ The CLOUD Act is aimed at assisting criminal investigations by allowing law enforcement to collect data stored in foreign states.¹² The CLOUD Act achieves this purpose through two main functions.

First, the CLOUD Act forces U.S. companies to comply with domestic warrants and turn over digital data, regardless of whether the data is "physically" stored in the United States or on foreign soil.¹³ As an illustration of this function, imagine an Irish citizen who allegedly commits a crime against the United States. Law enforcement wants to obtain emails held on a Microsoft account, but "physically" located on a server in Ireland, as part of their investigation. The CLOUD Act allows law enforcement to obtain this data via a U.S. warrant, without consideration of Irish law.¹⁴

The CLOUD Act's second function gives the executive branch of the United States power to enter into data sharing executive agreements with foreign governments.¹⁵ For example, the United States could have a data sharing executive agreement with Australia. If the Australian government requested data held by Microsoft, or any other U.S. technology company, the United States would be inclined to turn over the data with no additional process.¹⁶

[Page 616]

This Note presents a comprehensive look at cross-border data sharing, placing special emphasis on the CLOUD Act. It briefly recounts the history of U.S. legislation governing cross-border data accessibility in criminal investigations, while illustrating that modern advancements in law enforcement techniques and data management systems created a need for liberalized cross-border data sharing. This Note will explain how the CLOUD Act fulfills that need by streamlining the cumbersome process previously used to request extraterritorially stored data. This Note will further discuss both domestic and international reaction to the CLOUD Act. It will suggest that reaction within the United States was mostly positive, but the foreign response was mixed and exuded nervousness about the Act's potential impacts (especially regarding the executive agreements provision). Finally, this Note will provide recommended amendments to the executive agreements provision. The suggested amendments are aimed at maintaining positive foreign relations and protecting personal privacy interests in the wake of heightened cross-border data accessibility. This Note recommends modifications to the CLOUD Act executive data sharing agreements, including mandated compliance reviews every year instead of every five years, required congressional approval of each executive agreement, elimination of the reciprocal data sharing requirement, and adding a notice requirement.

II. Cross-Border Data Sharing

Section II of this note will provide a brief history of cross-border data sharing. It will explore the various pieces of legislation used to facilitate international flow of data, while highlighting the reasons cross-border data sharing is necessary and the problems associated with transferring data this way. This Section will demonstrate the inconsistencies between modern technology and prior legislation governing cross-border data access; it will show why the CLOUD Act was necessary.

In the 1980s, electronic communication became a main staple of society. New inventions such as personal computers, cellular phones, fax machines, and pagers ushered in a digital revolution and a new era of digital data.¹⁷ Congress, concerned that the Fourth Amendment alone would not adequately protect electronic communication, passed the Electronic Communications Privacy Act in 1986.¹⁸ Title II of the Electronic Communications Privacy Act, called the Stored Communications Act (SCA), was intended to protect digital

[Page 617]

communications from unreasonable government interference through "a set of Fourth Amendment-like privacy protections."¹⁹

The SCA's privacy protections were codified in 18 U.S.C. §§ 2702 and 2703. Section 2702 described the rules for whether or not a service provider could voluntarily disclose information to the government,²⁰ while Section 2703 detailed the procedure the government had to follow when compelling a provider to disclose information.²¹

However, the SCA also contained ambiguities and potential data accessibility problems. For example, the SCA expressly prohibited U.S. companies from turning over digital data to foreign law enforcement.²² Because of this provision, foreign states conducting local investigations that needed data stored within their boundaries would still have to go through the U.S. government to access that data.²³ This system unnecessarily hindered foreign criminal investigations, and the United States was burdened with a large amount of requests for data.²⁴

It was also not clear whether the SCA prohibited U.S. companies from providing the U.S. government with data that was physically stored in foreign nations—i.e., whether the SCA applied extraterritorially.²⁵ The SCA's application to data stored on foreign soil was the pinnacle issue in the once-anticipated U.S. Supreme Court case Microsoft Corp. v. United States; however, the CLOUD Act eliminated the need for judicial intervention by overriding this provision of the SCA.²⁶ The CLOUD Act's intervention will be discussed with further detail in Section III of this Note.

Many critics viewed the SCA as an obstacle to cross-border data sharing in criminal investigations.²⁷ Modern criminal investigations often require obtaining digital evidence stored in other countries because the data is frequently held by U.S. technology companies, which have complex global data management systems.²⁸ For example, Microsoft stores data based on proximity to

[Page 618]

where the customer says he or she is physically located; Google segments and stores data by type on different servers around the world.²⁹

When the SCA was created in 1986, almost all digital data was stored domestically, and the United States had undeniable jurisdiction over that data. However, the advent of cloud storage compounded the complexity of data management in a way the drafters of the SCA never comprehended.³⁰

The method for states to obtain international cooperation in criminal investigations under the SCA regime was through use of mutual legal assistance treaties (MLATs).³¹ These treaties are bilateral cooperation agreements between nations.³² MLATs assist not only in data sharing, but also apply the laws...