By Amelia Pennington. A legal intern at Sunstein
In United States v. Microsoft Corporation, the question that made its way through the Southern District of New York, the Second Circuit Court of Appeals, and then to the Supreme Court is: Under what circumstances may federal law enforcement issue a warrant for digital information that is stored abroad? On March 23, 2018, President Trump signed the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”), rendering the case moot.
The United States served Microsoft with a warrant pursuant to the Stored Communications Act (“SCA”) on December 4, 2013. The warrant directed Microsoft to seize and subsequently deliver to federal investigators the contents of a customer’s email account. The government believed that the account was being used in connection with narcotics trafficking. Microsoft delivered the information that was stored in the United States but refused to comply with the warrant as to information that was stored in Dublin, Ireland.
The District Court held Microsoft in contempt for failing to comply with the warrant. On appeal, the Second Circuit reversed that decision, concluding that “Congress did not intend the SCA’s warrant provision to apply extraterritorially.” On October 16, 2017, the Supreme Court granted the government’s petition for certiorari.
The CLOUD Act amended the SCA by explicitly extending disclosure requirements to information stored in or outside of the United States. Section 2703 of the SCA provides that a government entity, pursuant to a proper warrant, may “require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication.” Section 2713, created by the CLOUD Act, now adds that “a provider of electronic communication service or remote computing service shall comply with the obligations of this chapter. . . regardless of whether such communication, record, or other information is located within or outside of the United States.” The CLOUD Act has thus settled the question of whether a warrant issued under the SCA is applicable to information stored outside of the United States.
In response to the new legislation, both the Solicitor General and Microsoft agreed that the suit against Microsoft be dismissed as moot, given that the CLOUD Act had resolved the question that was before the court. In addition, the government has withdrawn its original warrant and served a fresh warrant pursuant to the CLOUD Act.
How the CLOUD Act will affect international relations remains unanswered. Foreign governments, such as New Zealand and Ireland, highlighted a pressing concern in their amicus briefs. They questioned how the extraterritorial application of the SCA works when there is a conflict with the law of the country where the data is stored. For example, New Zealand pointed out that its privacy laws protect information related to religious beliefs. Therefore, if a warrant were to issue that implicated such disclosure, it might interfere with New Zealand’s sovereign rights.
The CLOUD Act does not fully address how conflicts of law among nations will be handled. The Act does provide a mechanism for service providers to challenge the warrant if (1) there is a material risk that it will violate the laws of a qualifying foreign government and (2) the customer is not a “United States person.” However, a foreign government only qualifies if it has entered into an Executive Agreement with the United States that meets several statutory requirements enumerated in the CLOUD Act. Additionally, if the person whose information is being targeted is a U.S. person, there is no recourse to address a conflict of law issue.
The new legislation may also have implications for how nations cooperate to achieve law enforcement goals. As Ireland expressed in its amicus brief, it executed a treaty with the United States in 2001 that was to govern how the two countries would share data to combat crime. Ireland said that it believes those treaty procedures were the most appropriate way to handle such situations. This treaty is one of a web of bilateral Mutual Legal Assistance Treaties (MLATs) designed to facilitate the exchange of information relating to government investigations.
The European Commission has now launched a proposal similar to the CLOUD Act, suggesting that organizations with an office in the EU be required to respond to requests for data connected to criminal investigations within six hours, regardless of where the data is stored. The Electronic Frontier Foundation argues that improving MLATs, rather than enacting unilateral legislation, is the way to modernize law enforcement while preserving privacy rights, a cause that is gaining new prominence.
It seems likely that there will be blowback against the CLOUD Act from other nations. Some feel that this new legislation oversteps the bounds of MLATs already in place with the United States and may wonder about the value of entering into such agreements in the first place. Some countries might respond to the CLOUD Act by forbidding cloud service providers from complying with foreign subpoenas, putting the service providers in a real quandary.
How other nations will react to the CLOUD Act and how frequently the United States will utilize the law remains to be seen. But Congress has made it clear that information stored abroad is subject to a proper warrant issued under the SCA.
 18 USC § 2703.