Wednesday, April 10, 2019
The Department announced today the public release of a white paper on the Clarifying Lawful Overseas Use of Data Act, known as the CLOUD Act. The CLOUD Act was enacted in March 2018 and updates the legal framework for how law enforcement authorities may request electronic evidence needed to protect public safety from service providers while respecting privacy interests and foreign sovereignty.
“Our collective safety and security depends on our ability to maintain lawful and efficient access to electronic evidence, and the CLOUD Act offers a sorely-needed solution to that challenge,” said Deputy Attorney General Rod Rosenstein. “As today’s white paper makes clear, the Department will be proactive in working, both in the United States and abroad, to promote greater understanding and appreciation of what the CLOUD Act accomplishes. We look forward to working with our trusted foreign law enforcement partners on CLOUD agreements that will make all our citizens safer.”
The CLOUD Act has two distinct parts. First, the Act authorizes the United States to enter into bilateral agreements to facilitate the ability of trusted foreign partners to get the electronic evidence they need to combat serious crimes. In order to qualify under the Act, a partner country must adhere to baseline rule-of-law, privacy, and civil liberties protections. Through bilateral agreements, each country would agree to lower the legal barriers that prevent their communication service providers from complying with qualifying lawful orders for electronic data issued by the other country. By dropping legal barriers, each country could serve its legal process – like search warrants – directly on the providers of the other country, dramatically increasing speed and efficiency compared with existing methods of transferring electronic evidence.
Second, the CLOUD Act makes explicit in U.S. law the established principle – longstanding in both the United States and in many foreign countries – that a company subject to our jurisdiction can be required to produce data within its custody and control, regardless of where it chooses to store that data at any point in time. This provision simply codified what had been the law and practice prior to the 2016 Microsoft decision by a court of appeals, and ensured that the United States continued to be in compliance with its obligations under the Budapest Cybercrime Convention, which requires all member states to have the power to compel providers in their territory to disclose electronic data in their control, no matter where stored. The CLOUD Act provision did not alter whether or not a provider is subject to U.S. jurisdiction, nor did it give U.S. law enforcement any new authority to acquire data.
The white paper released today, Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act, was compiled with the input of components across the Department, including attorneys from the Criminal Division and the National Security Division. The white paper describes the interests and concerns that prompted the enactment of the CLOUD Act and provides a concise point-by-point distillation of the effect, scope, and implications of the Act, as well as answers to frequently asked questions.
For the full white paper, click here. On April 5, Deputy Assistant Attorney General Richard W. Downing delivered remarks on the CLOUD Act at the Academy of European Law Conference entitled “Prospects for Transatlantic Cooperation on the Transfer of Electronic Evidence to Promote Public Safety.” The remarks can be viewed here. The Department has created a resource page for CLOUD Act materials at www.justice.gov/CLOUDAct.