The CLOUD Act and Transatlantic Trust


The United States and European Union are at a transitional moment in their transatlantic digital relationship. This transition affects the future of the Clarifying Lawful Overseas Use of Data (CLOUD) Act, a piece of U.S. legislation that aims to provide timely access to electronic evidence (e-evidence). Despite past disputes over data privacy and surveillance, both sides have found common ground—through the EU–U.S. Data Privacy Framework and the Organization for Economic Cooperation and Development (OECD)’s Declaration on Government Access to Personal Data held by Private Sector Entities—and created a forum for cooperation in digital trade through the Trade and Technology Council (TTC). Getting to this point, however, involved a complicated process, and despite real progress, the story is not yet over.

The United States and the European Union are each other’s top trading partners. The transatlantic and data transfer relationship creates a $7.1 trillion economic relationship, so this is not a minor problem. All sides want to find solutions that permit digital trade to continue and that streamline the evidentiary process needed for law enforcement in the digital age.

This white paper looks at the tensions between the desire for timely law enforcement access to evidence, European concerns over digital sovereignty, and the mutual desire for a strengthened transatlantic relationship. The nature of cloud services means that data is often stored on one or several servers outside of a user’s borders as well as outside of the country where a company’s headquarters may be located. This makes economic sense but raises legal questions when governments wish to access electronic evidence that is stored outside of their jurisdiction for an investigation.

Genesis of the CLOUD Act

This is not a new problem, and enforcement agencies in many countries have complained for years about the slowness of conventional processes, such as Mutual Legal Assistance Treaties, when compared to the transitory nature of digital evidence. A 2013 internal government review on the United States’ ability to fulfill these requests noted it took approximately 10 months, with some requests taking much longer.

Conflict over government access to data in another jurisdiction came to a head in the 2013 Microsoft Ireland case. In 2013, the United States presented Microsoft with a warrant to disclose data—which the company found to be stored in a data center in Dublin. Given the data’s location, Microsoft argued that a U.S. court did not have the authority to issue a warrant for data stored abroad and asked the court to suppress the order. While the U.S. District Court for the Southern District of New York reasoned that material control over the data, regardless of where it was stored, was enough for Microsoft to comply with the order, the U.S. Court of Appeals for the Second Circuit found this to be an unauthorized extraterritorial application of U.S. law.

The United States appealed the Second Circuit’s decision to the Supreme Court, noting that other courts had previously found that requiring U.S. companies to comply with Stored Communications Act (SCA) warrants outside of the United States is a domestic application of the law. Before the Supreme Court ruled, Congress passed the CLOUD Act and made the Microsoft Ireland case moot. The CLOUD Act amended the SCA to clarify that communication service providers must comply with legal requests for data from the U.S. government, “regardless of whether such communication, record, or other information is located within or outside of the United States.”

While the CLOUD Act confirmed the legality of U.S. government requests for data stored by U.S. communications service providers outside of the United States, it also created concerns in the European Union over extraterritorial application of U.S. law. Building on the mistrust over user privacy and data protection that was exacerbated in part by the Snowden revelations about surveillance, the CLOUD Act faced criticism and concern from EU officials worried that it would infringe upon European digital sovereignty. Digital sovereignty, or the control of technology operating under one’s jurisdiction, is a key goal for EU member states.

Intent of CLOUD Act Agreements

Service providers have traditionally been hesitant to answer foreign government requests for data because of fears that they could be found in violation of domestic laws governing privacy and data protection. The CLOUD Act was intended to address this with a second provision that allowed the U.S. government to enter into executive agreements with third countries for reciprocal expedited access to e-evidence held by providers based abroad. This provision was frequently misunderstood.

The bilateral agreements contemplated under the CLOUD Act were intended to remove these conflicts when both the requesting and supplying jurisdictions share similar privacy and civil liberties protections. An agreement under the CLOUD Act requires an assessment of the foreign country’s domestic law to ensure it respects “substantive and procedural protections for privacy and civil liberties” and limits who can be targeted. Any orders issued under the CLOUD Act must “be for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of serious crime, including terrorism” and must be subject to review or oversight by a judicial authority. This provision of the CLOUD Act was intended to create a quicker and more efficient way for law enforcement agencies to gain access to electronic data held outside of their borders by global cloud service providers. The act does not replace the Mutual Legal Assistance Treaty process, but rather provides an additional method of cross-border data access.

Despite a shared transatlantic recognition of the problem, the United States has only been able to reach CLOUD Act agreements with the United Kingdom and Australia and is reportedly negotiating with Canada. This slow pace means that the environment for CLOUD Act negotiations is being reshaped by transatlantic developments and new agreements on data and privacy.