16 Oct 19
The Clarifying Lawful Overseas Use of Data Act

The Clarifying Lawful Overseas Use of Data Act, known as the CLOUD Act, came into existence after a high-profile legal case between the United States Government and Microsoft Corporation. This case has become known as the Microsoft Warrant Case.

This case began in 2013 when a New York District Court issued a warrant for e-mails and additional information about one of Microsoft’s customers. Microsoft complied partly with this request by providing some metadata and non-content information about the customer concerned to the US Government. However, it refused to turn over the e-mails when the US Government issued a warrant, because the e-mails were stored in Ireland, in an Irish data centre. Microsoft said that the e-mails stored in Ireland were not subject to the US Government’s warrant. In 2014 a federal magistrate judge ordered again that the e-mails be turned over, and this is when Microsoft appealed to the Second Circuit Court.

In 2016 Microsoft succeeded on appeal of this case to the US Court of Appeals. The Second Circuit Court ruled that Microsoft was not required to comply with the initial warrant which was for users’ e-mails, if such data is not stored in the US.

Because of this case, in which Microsoft prevented the US Government from accessing data held in another country, namely Ireland, and to solve this problem going forward, Congress passed an act called the Cloud Act on 23 March 2018.

The Cloud Act became law in the US in 2018 by the passing of the Consolidated Amendments Act 2018. The Cloud Act amends the Stored Communications Act (SCA) of 1986.

This allows federal law enforcement to compel US-based technology companies, by way of a warrant or a subpoena, to provide requested data stored on servers, regardless of whether the data is stored in the US or another country.

The other reason for this Act coming into play is that more information nowadays has moved to the Cloud, and this means that technology companies have had to assume a greater role in protecting people’s privacy rights. Governments find it easier now to search digital information by serving warrants on a cloud service. Individuals do not know when the US Government obtains information about them, and this is information which can infringe a person’s privacy rights.

The Cloud Act creates new rights under international agreements and confirms that a “provider of electronic communication service or remote computing service” must comply with US law enforcement to disclose data which is within its “possession, custody or control” when such data is located outside of the US. This is section 103[a] of the Cloud Act.

The Act also preserves the common law right of the Cloud service providers to challenge search warrants when there is a conflict of laws situation. 

Section 103[c] of the Act states that this section should “be construed to modify or otherwise affect the common law standards governing the availability or application of comity analysis”.

Under this common law analysis in Section 103[c] above, the courts may consider the matters below:

1) The importance of the information requested.

2) The degree of specificity regarding the request.

3) If the information originated in the US.

4) Alternative means available to obtain the information.

5) US and foreign interests.

What are the benefits of the Cloud Act?

The Act will create the authority for international agreements on a reciprocal basis to enable law enforcement agencies to access another country’s data to investigate and solve criminal activities. The Act also requires a balancing exercise to protect privacy and human rights, and to do this it has the following protections:

- Respect for the rule of law and principles of non-discrimination

- Protection from unlawful interference with privacy

- Fair trial rights

- Freedom of expression, association and peaceful assembly

- Prohibitions on arbitrary arrest and detention, and

- Prohibitions against torture and cruel, inhuman or degrading treatment.

The General Data Protection Regulations (GDPR), which came into force in Europe, together with the UK Data Protection Act 2018, which implements the GDPR into English law, can have an effect in terms of enabling US companies to use the common law and the GDPR to protect European individuals’ data. The new Cloud Act, like the GDPR and the Microsoft case, addresses real-world data issues and law, and focuses on data wanted to prevent crime, which is data likely to be held in the Cloud and in countries outside of the jurisdiction of the US, UK or EU. This new US law has been implemented to enable and allow countries to work together to share data, and whether this is for good or bad, only time will tell.

By A City Law Firm