The Clarifying Lawful Overseas Use of Data Act (Cloud Act) was introduced to the Senate and the House of Representatives on February 6th, 2018. It was passed by Congress on March 23rd, 2018. The Act was part of the Consolidated Appropriation Act (2018) which is the omnibus spending bill necessary to avoid government shut-down.

The Cloud Act significantly changes the current legislation. These modifications will be examined by Mathias Avocats as well as the potential consequences of the Cloud Act.

What is the scope of the Cloud Act?

The Cloud Act applies to providers of electronic communication services or remote computing services. The Cloud Act does not change the definitions under §2510,12° of the Stored Communications Act (SCA) and §2711, 2° of the SCA.

In a few words, the Cloud Act applies to any company or individual providing electronic services including computer storage, transfer of signs, signals, writing and so forth transmitted in whole or in part by electronic means (ex: Google, Snapchat, Facebook). This implies that all non-electronic services or computing activities are outside the scope of the Cloud Act (ex: oral communications or any communication from a tracking devices).

It must be stressed that the Cloud Act can apply to providers of electronic communication services or remote computing services which are not based in the United-States or do not operate in the United-States. It thus has an extra-territorial scope. This is namely clearly stated for exceptions to the obligation of providers not to disclose their clients’ information or data as Mathias Avocats explains below.

What are the major changes?

The Cloud Act amends the Stored Communications Act (SCA, 18 U.S. Code §§ 2701 et. seq.) which applies to stored wire and electronic communications and transactional records access. In a few words, the SCA imposes a general obligation of non-disclosure on service providers. However, there is an important exception to this obligation entitling a governmental entity to require disclosure by a provider of electronic communication services of the contents of a wire or electronic communication (18 U.S. Code § 2703). This is the bone of contention in the Microsoft case.

The Cloud Act expands the above-stated exception by adding §2713 which states that providers of electronic communication services or remote computing services must comply with their obligations, namely to disclose the information pertaining to a customer, whether the information “is located within or outside the United-States”. Therefore, the government will be able to access data stored or collected outside of the United-States.

Nonetheless, providers of electronic communication services to the public or remote computing services required to disclose such information “may file a motion to modify or quash the legal process whether the provider reasonably believes:

(i) that the customer or subscriber is not a United-States person and does not reside in the United-States and

(ii) that the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government” ( 2703, h) of the Cloud Act).

Moreover, a new section concerning executive agreements on access to data by foreign governments has been added (§2523 of the Cloud Act). Under this section, the President of the United-States may enter into an executive agreement with a foreign government which allows providers of electronic communication services to the public or remote computing services to disclose their customers’ data to the foreign government. Under the SCA, the providers were generally prohibited from complying with a request from foreign governments.

These executive agreements are subject to strict scrutiny by the Attorney General and Secretary of State. Congress may also vote a joint-resolution of disapproval of a new proposed executive agreement. Furthermore, the orders issued under executive agreements must meet certain conditions such as being for the purpose of investigating or preventing serious crimes. Thus, several limitations apply to the new executive agreements.

What are the potential consequences?

The Cloud Act significantly alters the legal landscape of the SCA regarding data stored overseas and foreign governments. The United-States government has more leeway to access data outside of the United-States and broadens the exception for non-disclosure of customer data.

These changes will most likely have an important impact in the Microsoft case and on further international cases. For example, how do the Cloud Act and foreign regulations interplay? What impacts will executive agreements have? What remedies will data subjects or clients have?

Furthermore, the Cloud Act could also undermine the European Union’s regulation  n°2016/679, also called the General Data Protection Regulation or GDPR.  The latter specifically provides that personal data must be kept confidential. If executive agreements authorise disclosure, how are both legislations compatible? The GDPR also provides a strict framework for cross-border transfers of personal data. Will the guarantees be provided for in executive agreements or will the executive agreements remove them?

Mathias Avocats will keep you informed of any further developments.