he Clarifying Lawful Overseas Use of Data ("CLOUD") Act was enacted into law on March 23, 2018. The Act provides that U.S. law-enforcement orders issued under the Stored Communications Act (SCA) may reach certain data located in other countries – a key question in United States v. Microsoft Corporation, No. 17-2, a case argued before the Supreme Court on February 27.[1] Both the government and Microsoft recently agreed that the closely watched case is now moot following the CLOUD Act.
Recognizing the limits of existing law enforcement tools and privacy laws to govern requests for electronic evidence in the age of cloud computing, the CLOUD Act establishes processes and procedures for law enforcement requests for data in other countries. Most significantly:
The Act expressly provides that U.S. law-enforcement orders issued under the Stored Communications Act (SCA) may reach certain data located in other countries.
The Act also allows certain foreign governments to enter into new bilateral agreements with the United States that will prequalify them to make foreign law-enforcement requests directly to U.S. service providers, rather than via the U.S. government under a mutual legal assistance treaty. This should streamline compliance with foreign law-enforcement requests.
The Act formalizes the process for companies to challenge a law enforcement request.
The Act imposes certain limits and restrictions on law enforcement requests to address privacy and civil liberty concerns.
Especially once foreign governments enter into new agreements with the U.S., the CLOUD Act should introduce a measure of clarity for providers who previously found themselves in a legal bind caught between two conflicting jurisdictional laws.
The CLOUD Act's Effects on the Stored Communications Act
The CLOUD Act lays out the circumstances under which a "provider of electronic communication service or remote computing service" must comply with a U.S. law-enforcement order to disclose data within its "possession, custody, or control," even when that data is "located … outside the United States." CLOUD Act § 103(a).
Although the Act expands the geographic scope of the SCA, it does not change who is subject to SCA orders or what type of data is subject to U.S. law-enforcement requests under the SCA. As before the Act's passage, the SCA applies only to providers of "electronic communications services" and "remote computing services" – generally businesses that offer email, electronic messaging, or cloud storage services to the public. 18 U.S.C. §§ 2510(15) (defining electronic communications services), 2711(2) (defining remote computing services).
Also unchanged is that the SCA only regulates access to the content of electronic communications and cloud-stored documents, as well as non-content data relating to electronic communications (like transmission records and user-account information), but not other types of personal or business data. The CLOUD Act simply clarifies that the SCA's rules governing U.S. law-enforcement agents' access to content and non-content information – such as the provision requiring that law enforcement obtain a warrant before demanding that email providers turn over private email content, 18 U.S.C. § 2703(a) – generally apply to data that is stored outside the United States as well.
The CLOUD Act's Executive Agreements Will Provide Clarity for Providers
The centerpiece of the CLOUD Act is a provision allowing the U.S. to establish Executive Agreements under which law-enforcement agencies will be given reciprocal access to data held in each other's countries in order to investigate and prosecute certain crimes.
Before the CLOUD Act, a U.S. provider subject to an order under the SCA seeking data stored overseas may have reasonably feared that complying with such a request could violate foreign law. That fear will only become more acute when the European Union's General Data Protection Regulation (GDPR) enters force next month, as Article 48 of the GDPR prohibits the transfer of data outside the European Union for law enforcement purposes unless doing so is authorized under an international agreement, such as a mutual legal assistance treaty, between the EU and the requesting country.
https://www.orrick.com/Insights/2018/04/The-CLOUD-Act-Explained#