One year ago, on 23 March 2018, President Trump signed into law the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), a piece of legislation passed by the Congress of the United States of America that allows the U.S. government to access – under certain circumstances – data stored worldwide. The extraterritorial effects of the CLOUD Act are also of particular relevance for Swiss companies, as more and more companies are relying on the services of US providers. In addition, providers are also increasingly offering country-specific cloud products for Switzerland, as the recent launch of the Google Cloud Switzerland region shows. At the same time, many Swiss companies are also subject to the EU General Data Protection Regulation (GDPR), another extraterritorial regulation, in addition to the Swiss Data Protection Act (DPA). Both decrees place strict requirements on the transfer of personal data to countries which, like the USA, do not have an adequate level of data protection. Although many questions remain unanswered, Swiss companies must be aware of the risks associated with choosing a cloud provider that is potentially subject to the CLOUD Act.
United States v. Microsoft Corp.
The issue of the transfer of personal data to the USA was at the heart of the dispute that arose in 2013 between the U.S. Department of Justice (DoJ) and Microsoft Corp. In December of that year, federal law enforcement agents applied for a warrant in accordance with 18 USC § 2703 (Stored Communications Act, SCA) to the United States District Court for the Southern District of New York, requiring Microsoft to disclose all e-mails and other information associated with the account of one of its customers, suspected of drug trafficking. Since part of the data was stored in Dublin, Ireland, Microsoft moved to quash the warrant with respect to those data.
The point of discordance between Microsoft and the DoJ was not whether the SCA foresaw any extraterritorial application. Rather, they had opposite views in their understanding of what extraterritorial application meant. For the DoJ, the key question was whether the conduct relevant to the statute – i.c. the SCA – was purely domestic. The focus of the SCA was, according to the DoJ, the disclosure of electronic records to the government in the United States. Since Microsoft was a U.S. provider and had full control over communications occurred within the United States, the matter was purely domestic, irrespective of the location of those data. The DoJ saw therefore no extraterritorial application of the SCA. On the other side, Microsoft considered that a warrant requiring the disclosure of data located abroad was an extraterritorial application of the SCA.
The federal district court denied the motion to quash of Microsoft and held it in civil contempt for refusing to comply fully with the warrant, what the Court of Appeals for the Second Circuit (Connecticut, New York, Vermont) then reversed.
After a petition for certiorari filed by the DoJ, the Supreme Court of the United States granted a writ of certiorari in this matter and added the case to its docket for the October term 2017. The issue at stake was whether a 18 USC § 2703 warrant covered also data stored outside the United States, forcing thereby Microsoft to deliver its data stored in Ireland.
This question remained however unanswered, because the U.S. Congress passed the CLOUD Act prior to the ruling of the Court.
The two components of the CLOUD Act
The CLOUD Act contains two components. On one side, it amended the SCA, allowing government authorities thereby to avoid international mutual legal assistance rules and tools. Now, government authorities can require every data of any U.S. company, irrespective of their location. On the other side, the CLOUD Act also establishes a framework for bilateral agreements (executive agreements) on cross-border data requests.
Extraterritorial Reach of the CLOUD Act
The SCA in general allows the U.S. government access to electronic communication (e-mails, messages, etc.) as well as to metadata associated with those electronic communications (dates, time, transmitter, addressee etc.). The CLOUD Act extended or, more precisely, clarified in 18 USC § 2713 that this applies also to data stored outside the United States.
However, the key question that has not yet been answered is which providers are ultimately subject to the Cloud Act and can therefore be forced to disclose personal data. For providers based in the USA, this appears to be undisputed. In any case, some “minimum contacts” with the USA are necessary. With regard to the US case law, it cannot be ruled out that European providers with a mere branch in the USA or providers who advertise their services in the USA may also be forced to disclose data. However, the CLOUD Act states that only data which are “within the provider’s possession, custody, or control” have to be disclosed (cf. 18 USC § 2713). While this could be understood as meaning that the disclosure only has to take place if the provider has either the right or the practical possibility to access the data in question, the wording is also open to more extensive interpretation.
In any case, it is clear that the fact where the data is located is irrelevant for the application of the CLOUD Act. If a provider is subject to the CLOUD Act, the US law enforcement authorities can in any case demand that the data be released on the basis of a warrant, a subpoena or a court order. A challenge to this order to disclose data on the grounds that it violates the legal provisions of another country is explicitly excluded. This would only be possible if an executive agreement existed with this state, as described hereafter. So far, however, no such agreement has been concluded.
Executive Agreements enabled by the CLOUD Act
The CLOUD Act also creates a framework for bilateral agreements which allows qualifying foreign governments access to data stored in the United States (18 USC § 2523). The government can enter into such agreement without approbation of Congress.
The aim of this new regime is to avoid mutual legal assistance treaties (“MLATs”) for the obtention of evidence stored in another country. Prior to the CLOUD Act and the conclusion of an executive agreement, the foreign country had to ask the DoJ to obtain a U.S. court order. This new framework should now accelerate the access to data stored overseas.
According to 18 USC § 2523(b), for the foreign country to be eligible for such executive agreement, the Attorney General, with the concurrence of the Secretary of State must determine that the domestic law of the foreign government affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement. This includes inter alia that the foreign government has adequate substantive and procedural laws on cybercrimes and electronic evidence, demonstrates respect for the rule of law and principles of non-discrimination and adheres to applicable international human rights obligations.
Conclusions and comments from a Swiss perspective
As stated above, the absence of an executive agreement hinders providers to challenge any order to disclose data based on the premise that the required disclosure could create a material risk of violating the laws of a foreign country. Such violations can result both from an infringement of the provisions of the GDPR and the provisions of the Swiss Data Protection Act. This is because both statutes impose strict requirements for the transfer of personal data to countries without an adequate level of data protection (cf. Art. 6 DPA and Art. 44-50 GDPR) and these requirements may be violated when the data is transferred to US authorities. In addition, the provider can also make himself liable to prosecution through the data disclosure because he has carried out unlawful activities on behalf of a foreign state (cf. Art. 271 Swiss Criminal Code).
Against this background, a provider potentially subject to the CLOUD Act may be faced with the unpleasant decision of whether to violate the US order to disclose data order or the Swiss or EU regulations. As long as the countries involved have not concluded any agreements, this conflict will persist.
Finally, it should be noted that companies that store their data in the cloud of a provider subject to the CLOUD Act also face significant risks. These risks are not limited to unwanted access to the company’s data by the US authorities. Rather, the choice of such a provider can already be seen as an infringement of data protection regulations. This circumstance should be taken into account when making a decision.