Trump Signs the CLOUD Act, Microsoft Complies and the U.S. Supreme Court Dismisses U.S. v. Microsoft, but the Forecast Remains Cloudy.

April 17, 2018

The Supreme Court dismissed as moot the case United States v. Microsoft Corp. (584 U.S. ___ (2018)) in light of the recently enacted CLOUD Act (Clarifying Lawful Overseas Use of Data Act). This is an interesting trans-national case involving the interaction of global data security with U.S. law regarding search and seizure during criminal investigations. The Stored Communications Act, 28 U.S.C 2703, (SCA) had empowered a U.S. governmental entity to “require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication.” The case involved the question of whether under that statute the Department of Justice could require disclosure of email data that is only stored overseas. The problem faced by companies hosting customer data across an international infrastructure is double-jeopardy: complying with an order to disclose under U.S law may violate E.U. data privacy law.

The case started when the U.S. Attorney, Southern District of New York, obtained a warrant for Microsoft to turn over the email data of one of its customers, allegedly an illicit drug dealer. It turned out that the data was only stored on servers in Dublin, Ireland, so Microsoft contested the warrant. Their position (and that of other amicus curiae) was that this was an improper extra- territorial extension of the SCA and compliance with it would be in conflict with European privacy and data security laws. Microsoft lost, but they appealed to the U.S. Court of Appeals, 2d Circuit. Microsoft won the appeal because the 2d Circuit held that the SCA did not apply overseas because it did not expressly state that it did. However, the 2d Circuit, in Judge Lynch’s concurring opinion, suggested that Congress pass a new statute that addressed the issue. In the meantime, the U.S. DOJ appealed to the U.S. Supreme Court. Congress did pass a new law: the CLOUD Act, which was signed into law on March 23, 2018. The following language was added to 18 U.S.C. 1701: “A [service provider] shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.” CLOUD Act §103(a)(1). Then, the DOJ obtained a new warrant under § 2703. Because the CLOUD Act expressly extended the disclosure requirement to data stored overseas, Microsoft decided to comply. As a result, the U.S. Supreme Court decided the pending case against Microsoft was moot and dismissed it.

Microsoft supported the passage of the CLOUD Act, presumably because it does contain an exception: a company in Microsoft’s position “ may file a motion to modify or quash the legal process where the provider reasonably believes (i) that the customer or subscriber is not a United States person and does not reside in the United States; and (ii) that the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government. However, if such a motion is brought, the CLOUD Act provides that a court may only grant the motion, i.e. block the request for data, “… if the court finds that: (i) the required disclosure would cause the provider to violate the laws of a qualifying foreign government; (ii) based on the totality of the circumstances, the interests of justice dictate that the legal process should be modified or quashed; and (iii) the customer or subscriber is not a United States person and does not reside in the United States.” So the law is structured so that it is initially presumed that the exception doesn’t apply because the party subject to the warrant has to convince the court that all three factors apply. Interestingly, the notion of “comity” in international law, which is the principle under which the U.S. Supreme Court in the past has resisted applying U.S. law overseas, is stuffed into factor (ii). The CLOUD Act requires a court to apply a “Comity Analysis” by applying another multifactor test (this time with 8 factors) to determine whether factor (ii) is determinative. While the nationality of the alleged illicit drug dealer was not disclosed in the court opinions, one presumes that Microsoft decided that their case failed at least one of these factors. (Interestingly, a knowledgeable wag reported to me that there are no “qualifying foreign governments”, the implication being that it is impossible to even bring the motion to quash.)

Despite the passage of the CLOUD Act, international law issues still remain: i.e. whether the E.U. will respect it, given the “qualifying foreign governments” test. Further, in parallel with all this were the recent Google cases, where a number of courts outside the 2d Circuit, forced Google to disclose data stored overseas by simply rejecting the 2d Circuit’s interpretation of the SCA. The bottom line is that the CLOUD Act is no panacea: a company can still face double- jeopardy when responding to a U.S. warrant for a customer’s data that is stored on a server in a foreign location.