On March 23, 2018, the President signed into law the Consolidated Appropriations Act of 2018 (H.R. 1625), an omnibus spending bill that includes the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act). Among other provisions, the CLOUD Act amends the Stored Communications Act of 1986 (18 U.S.C. §§ 2701-2712, hereinafter the SCA) by adding a new § 2713 which states as follows:

A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.

The above amendment of the SCA appears intended to address the controversy in United States v. Microsoft Corporation, a case argued before the Supreme Court on February 27, 2018, but not yet decided by the Court. At issue in the Microsoft case is whether a warrant obtained by the Department of Justice under the SCA directing Redmond, Washington-based Microsoft to produce the contents of a subscriber’s email account stored on a Microsoft subsidiary’s server located in Ireland represents an impermissible extraterritorial application of the SCA (see here for our prior analysis of the case).

Notably, during oral argument multiple Justices suggested that in lieu of rendering a decision in the case, it may be preferable for the Court to allow Congress to enact a legislative solution to the conflict regarding applicability of the SCA in the modern digital world. For example, Justice Ginsburg asked whether it would not “be wiser” for the Court to “leave things as they are” and to defer to Congress to “regulate in this brave new world,” and Justice Sotomayor similarly questioned whether “we shouldn’t leave the status quo as it is and let Congress pass a bill in this new age… that addresses the potential problems” with interpretation of the SCA.

Subsequent to the passage of the CLOUD Act on March 23, Solicitor General Noel Francisco submitted a letter to the Supreme Court notifying the Court of the passage of the CLOUD Act in general and of the above amendment to the SCA in particular. That SCA amendment within the CLOUD Act appears to require a U.S. company served with a court order under the SCA to turn over the data without regard to where the data is stored, provided the data is within the U.S. company’s “possession, custody, or control.” The Solicitor General further stated in his letter that “[t]he United States is currently determining whether, and if so, to what extent the passage of the CLOUD Act affects the Court’s disposition of this case” and indicated that the government will submit a supplementary filing to address that question “as promptly as possible.” It seems likely that the government will take the position that the issue in Microsoft is moot because of the CLOUD Act’s amendment of the SCA (and thus the Court should vacate the Second Circuit decision that gave rise to the appeal and remand the case). But it remains to be determined how the Court will ultimately resolve Microsoft, given the passage of the CLOUD Act and the government’s likely position.

Technology companies and other service providers should be aware that in addition to the SCA amendment discussed above, the CLOUD Act includes an extensive legal framework governing the exchange of certain data between the United States and foreign governments. For example, the CLOUD Act includes requirements for a comity analysis in response to attempts by foreign governments to seek the contents of wire or electronic communications, as well as corresponding revisions to federal laws in contemplation of the provision of access to certain data by foreign governments in accordance with the CLOUD Act. Please keep an eye out for a future post that will address these provisions in greater detail.

This post is also being shared on our Data Privacy + Security Insider blog.