On March 23, 2018, President Trump signed the CLOUD Act–which was attached to the omnibus spending bill–into law. The CLOUD Act is a necessary update to the United States’ laws concerning issued warrants to businesses located in the United States for data stored overseas. The CLOUD Act modifies the Electronic Communications Privacy Act (“ECPA”). When the ECPA was passed, Ronald Regan was President, the USSR suffered the Chernobyl disaster, and the price of gas was 89 cents. The internet and e-mail were still new phenomena. The CLOUD Act finally brings certainty and clarity to an area of the law that desperately needed to be updated.
When the ECPA was passed, early forms of e-mail were stored on one’s own computer. ((David Kraves, Aging ‘Privacy Law Leaves Cloud E-mail Open to Cops, Wired (Nov. 14, 2017), https://www.wired.com/2011/10/ecpa-turns-twenty-five/.)) Person A would send an e-mail to person B and her computer would download the email and store it on her computer. ((Id.)) There was an inherent limit to the amount of e-mails one’s computer could store, since computers only have a definite amount of memory. ((Id.))
Today, e-mail is stored on the cloud–large groupings of servers that are linked together around the globe. ((See id.)) While there is technically a limit to how many e-mails a server farm can hold, the technical limit is astronomically high. ((Id.)) For all intents and purposes, servers can hold a limitless amount of e-mails. E-mails commonly cross national borders.
The CLOUD Act was passed largely because of Microsoft Corporation’s legal disputes with the United States. On February 27, 2018, Microsoft’s counsel argued in front of the Supreme Court in the case United States v. Microsoft. ((Brad Smith, The CLOUD Act is an important step forward, but more steps need to follow, Microsoft (Apr. 3, 2018), https://blogs.microsoft.com/on-the-issues/2018/04/03/the-cloud-act-is-an-important-step-forward-but-now-more-steps-need-to-follow/.)) The case centered around the outdated ECPA and whether it allowed the United States to issue warrants for data stored overseas. ((Microsoft Corp. v. United States, 829 F.3d 197 (2017).)) The government previously issued a warrant to Microsoft for data connected to an individual. ((Id. at 202.)) That data was stored on a server in Ireland. Id. Microsoft refused to hand over the data located in Ireland because it argues that none of the language in the ECPA indicates that Congress intended the statute to have extraterritorial reach. ((Id. at 202-204.)) Compliance with these types of warrants could bring cloud companies, such as Microsoft, into direct conflict with another country’s privacy laws. ((Id.))
The CLOUD Act addresses many of Microsoft’s concerns. Unlike the ECPA, the CLOUD Act explicitly applies to data stored internationally. ((Smith, supra note 6.)) With this simple change, the CLOUD Act provides certainty to law enforcement officials and companies storing data overseas. ((Id.)) The CLOUD Act also creates a framework to address situations in which the privacy laws of the United States conflicts with the privacy laws of a foreign country. ((See id.)) The CLOUD Act creates a legal process that companies can use to challenge warrants when complying with the warrant requires them to break another country’s laws. ((Id.)) Only time will tell whether the CLOUD Act effectively balances law enforcement’s need for data with another country’s privacy laws. But it certainly cannot be worse than the ECPA, which was passed before the internet even existed.
Latest posts by Jonathan Slack (see all)
- CLOUD Act: An Update Long Overdue - May 5, 2018
- Wells Fargo’s Punishment: A New Approach to Corporate Governance or Just a Mirage? - April 8, 2018
- The Electronic Communications Privacy Act: A Law Past its Prime - January 12, 2018