On March 23, 2018, President Trump signed the CLOUD Act–which was attached to the omnibus spending bill–into law. The CLOUD Act is a necessary update to the United States’ laws concerning issued warrants to businesses located in the United States for data stored overseas. The CLOUD Act modifies the Electronic Communications Privacy Act (“ECPA”). When the ECPA was passed, Ronald Regan was President, the USSR suffered the Chernobyl disaster, and the price of gas was 89 cents. The internet and e-mail were still new phenomena. The CLOUD Act finally brings certainty and clarity to an area of the law that desperately needed to be updated.
When the ECPA was passed, early forms of e-mail were stored on one’s own computer.1 Person A would send an e-mail to person B and her computer would download the email and store it on her computer.2 There was an inherent limit to the amount of e-mails one’s computer could store, since computers only have a definite amount of memory.3
Today, e-mail is stored on the cloud–large groupings of servers that are linked together around the globe.4 While there is technically a limit to how many e-mails a server farm can hold, the technical limit is astronomically high.5 For all intents and purposes, servers can hold a limitless amount of e-mails. E-mails commonly cross national borders.
The CLOUD Act was passed largely because of Microsoft Corporation’s legal disputes with the United States. On February 27, 2018, Microsoft’s counsel argued in front of the Supreme Court in the case United States v. Microsoft.6 The case centered around the outdated ECPA and whether it allowed the United States to issue warrants for data stored overseas.7 The government previously issued a warrant to Microsoft for data connected to an individual.8 That data was stored on a server in Ireland. Id. Microsoft refused to hand over the data located in Ireland because it argues that none of the language in the ECPA indicates that Congress intended the statute to have extraterritorial reach.9 Compliance with these types of warrants could bring cloud companies, such as Microsoft, into direct conflict with another country’s privacy laws.10
The CLOUD Act addresses many of Microsoft’s concerns. Unlike the ECPA, the CLOUD Act explicitly applies to data stored internationally.11 With this simple change, the CLOUD Act provides certainty to law enforcement officials and companies storing data overseas.12 The CLOUD Act also creates a framework to address situations in which the privacy laws of the United States conflicts with the privacy laws of a foreign country.13 The CLOUD Act creates a legal process that companies can use to challenge warrants when complying with the warrant requires them to break another country’s laws.14 Only time will tell whether the CLOUD Act effectively balances law enforcement’s need for data with another country’s privacy laws. But it certainly cannot be worse than the ECPA, which was passed before the internet even existed.
David Kraves, Aging ‘Privacy Law Leaves Cloud E-mail Open to Cops, Wired (Nov. 14, 2017), https://www.wired.com/2011/10/ecpa-turns-twenty-five/. ↩
Id. ↩
Id. ↩
See id. ↩
Id. ↩
Brad Smith, The CLOUD Act is an important step forward, but more steps need to follow, Microsoft (Apr. 3, 2018), https://blogs.microsoft.com/on-the-issues/2018/04/03/the-cloud-act-is-an-important-step-forward-but-now-more-steps-need-to-follow/. ↩
Microsoft Corp. v. United States, 829 F.3d 197 (2017). ↩
Id. at 202. ↩
Id. at 202-204. ↩
Id. ↩
Smith, supra note 6. ↩
Id. ↩
See id. ↩
Id. ↩