Note: this article was translated from French by an automated tool.

A few weeks ago, on September 11, 2018, Brad Smith, the President of Microsoft, published on his blog a post calling for the conclusion of international agreements on access to data that respect a number of fundamental principles (A call for principle-based international agreements to govern law enforcement access to data). This position was taken in very specific circumstances. In March, the United States Congress passed the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, whose adoption had an immediate impact on a dispute involving Microsoft. However, although Microsoft and the other American digital giants have, on the whole, approved the adoption of this legislation on the grounds that it clarified positive law, it nevertheless raises indisputable difficulties, which explain the vehement criticism it has drawn on both sides of the Atlantic.

 From the Microsoft case to federal law

In 2013, a criminal investigation into a narcotics case led the FBI to seek and obtain from a federal judge a search warrant for the disclosure of emails sent by a user of the MSN messaging service. Although the file does not specify the nationality of the user concerned, the data was stored by Microsoft on servers located in Ireland, which suggests that the person concerned was based in Ireland or in a nearby country. Microsoft's algorithm in fact distributes data between different storage regions according to the "country code" of users. Microsoft contested the warrant and refused to disclose these elements on the grounds that American law cannot have extraterritorial scope. For Microsoft, the federal law providing for the possibility of ordering the disclosure of the elements necessary for a criminal investigation (the Stored Communications Act) can only cover data stored in the United States. The FBI should therefore have applied to the Irish authorities under the judicial cooperation treaty concluded between the United States and Ireland (Mutual Legal Assistance Treaty, or MLAT).

At first instance, the search warrant was upheld by a federal judge in New York. On appeal, however, the Court of Appeals for the Second Circuit followed Microsoft's arguments and annulled the warrant (Microsoft Corp. v. United States, Dec. 9 2016; see Nick Wingfield, Cecilia Kang, “Microsoft Wins Appeal on Overseas Data Searches”, New York Times, July 14, 2016). In the eyes of the Court of Appeals, the geographical location of the stored data is decisive, and the procedure provided for by the mutual assistance treaty should have been followed.

The judgment of the Court of Appeals for the Second Circuit did not settle the case law. Several federal courts of appeal ruled in the opposite direction in the following months. In cases involving Yahoo (In re Information Associated with One Yahoo Email Address That Is Stored at Premises Controlled by Yahoo) and Google (In re the Search of Content That Is Stored at Premises Controlled by Google), the federal judges considered that the only relevant criterion is the geographical location of the service provider's establishment, not the location of the servers. They concluded that the warrants gave access to data stored outside the United States. These circumstances certainly explain why the US Department of Justice (DOJ) maintained its position and appealed to the Supreme Court of the United States. It argued that the fact that the content of the emails was under the control of Microsoft, which is headquartered in the United States, was sufficient to justify the disclosure request, regardless of the geographic location of the servers. In other words, for the DOJ, it suffices that an American company controls the servers, and is therefore able to copy the data stored there very easily, for recourse to international judicial cooperation procedures to be unnecessary.

The appeal filed by the DOJ gave rise to a hearing before the Supreme Court in February 2018. The decision was expected in June, but that reckoned without the adoption of the CLOUD Act, which put a de facto end to the debate. The dispute was then declared moot (L. Hurley, "US top court rules that Microsoft email privacy dispute is moot"). A new warrant was issued on the basis of the new text, and Microsoft disclosed the disputed emails to the FBI. It should be noted in passing that the European Commission had, ahead of the Supreme Court's decision, filed an amicus brief recalling the principles of territoriality and international comity under public international law (European Commission Brief). Specifically, while claiming not to take sides on the interpretation of US law, the Commission argued that the interests and laws of the country in which the data is stored should be taken into consideration, starting with the General Data Protection Regulation (GDPR), which specifically includes provisions on the transfer of personal data.

What does the CLOUD Act provide for?

Promulgated on March 23, 2018 (see D. Bitkower and N. Orpett, “Congress Passes CLOUD Act Governing Cross-Border Law Enforcement Access to Data”), the CLOUD Act amends the Stored Communications Act so as to allow the authorities to bypass the traditional rules of international judicial cooperation. On the one hand, it allows American government authorities to obtain data controlled by any company established in the United States, even if it is stored outside American territory (1). On the other hand, it provides that, conversely, foreign authorities may directly compel American companies to provide them with data once their country has concluded an Executive Agreement with the United States (2).

1- Communication to the American authorities of data stored outside the United States

Adopted in 1986, the Stored Communications Act, or SCA (18 USC Chapter 121), allows the American authorities to compel electronic communications service providers (messaging services or social networks, for example) to disclose the content of communications as well as the metadata associated with them (dates, times, senders, recipients, addresses).

For all data stored electronically for less than 180 days, the access request must be made on the basis of a search warrant issued by a judge, on condition that the authorities provide the judge with information establishing "probable cause" within the meaning of the Fourth Amendment (18 USC §2703(a)). This means that the authorities must present elements supporting a reasonable belief that an offense has been committed, going beyond mere suspicion. The person concerned by the warrant is not present at the hearing and cannot directly contest it.

Obtaining a search warrant is not always necessary in order to require service providers to disclose the electronic communications they hold. Data stored for more than 180 days, or stored in the cloud (remote computing services), must be disclosed on the basis of a simple subpoena (an order issued by an agency, a court or an attorney) or a court order issued on the basis of "specific and articulable" facts showing reasonable grounds to believe that the data is relevant and material to an ongoing criminal investigation. In this case, the affected user must first be notified of the disclosure request by the authorities (18 USC §2703(b)). In addition, certain metadata (name, address, records of telephone communications, etc.) can be obtained under the same conditions but without notification of the user concerned (18 USC §2703(d)). Finally, the FBI may require the disclosure of certain data in the context of counterintelligence and counterterrorism investigations (18 USC §2709). In all these cases, the guarantees provided for by the Fourth Amendment are not intended to apply, which explains the opposition of certain federal courts of appeal, which have ruled that the disclosure of emails without a warrant was unconstitutional (see United States v. Warshak). Most recently, last June, the Supreme Court ruled in Carpenter v. United States that the prosecuting authorities must have a warrant in order to obtain a user's geolocation data. However, the ruling applies only to the geolocation data of mobile phones (see Carpenter v. United States Decision Strengthens Digital Privacy).

In any event, it is these provisions of the SCA that the CLOUD Act, by adding Section 2713, now unambiguously applies to data stored outside the United States ("regardless of whether such communication, record, or other information is located within or outside of the United States"). It is sufficient that the data is under the control of a US service provider ("within such provider's possession, custody, or control") for the American authorities - federal and state alike - to be able to require its disclosure under the aforementioned conditions.

2- Communication of data stored in the United States to foreign authorities

The CLOUD Act provides for the possibility for foreign authorities to have data stored on the territory of the United States disclosed directly to them, bypassing the procedures provided for by the judicial cooperation treaties (MLAT). The text provides that third countries may conclude treaties with the United States, called Executive Agreements (18 USC §2523), allowing the government authorities of the co-signatory to directly require service providers based in the United States to disclose data of interest to them. Such a treaty can be concluded bilaterally by the federal executive without having to be approved by Congress. It suffices that the Attorney General informs Congress of the conclusion of the agreement within 7 days of its adoption; Congress then has 180 days to oppose it by means of a joint resolution of both Houses (18 USC § 2523(d)).

Countries eligible to conclude such Executive Agreements must meet strict conditions expressly set out in the text. For a country to be eligible, the Attorney General and the US Secretary of State must certify that the law of that country offers substantive and procedural guarantees for the protection of personal data and fundamental rights (18 USC § 2523(b)). In particular, the Attorney General of the United States must examine and evaluate the legal system of the country in question. The CLOUD Act also provides that disclosure requests from the authorities of foreign countries may not target a US citizen or resident and may only relate to investigations into offenses of a certain seriousness (serious crimes). They must, moreover, concern a specifically identified person or account, be made in accordance with the law of the country from which they emanate, be justified by "specific and credible facts", and be subject to review by an independent judge (18 USC § 2523(b)(4)(D)).

Criticisms leveled against the CLOUD Act

Much criticism has been leveled against the CLOUD Act, in the United States and in Europe. These criticisms are due both to the conditions in which the text was adopted and to its content.

The terms of adoption of the text

Introduced in Congress by two Republican elected officials - Utah Senator Orrin Hatch and Georgia Representative Doug Collins - the text of the CLOUD Act was appended at the end of a particularly long omnibus budget law (over 2000 pages). This law did not follow the procedure usually used to adopt a text in Congress: no committee review in accordance with established practice, no hearing, no in-depth examination of the text by members of Congress. This unusual method has aroused suspicion, especially since the CLOUD Act differs notably from the bills that preceded it.

In 2015, the Law Enforcement Access to Data Stored Abroad Act (LEADS Act) bill provided for generalising the warrant requirement, allowing the disclosure of data stored abroad where it concerns a US national, and improving the conclusion and implementation of judicial cooperation treaties (MLAT). The text was, however, rejected. In 2017, the International Communications Privacy Act (ICPA), which contained broadly the same provisions, was not voted on either. This bill provided in particular for the possibility for the authorities to obtain data relating to American citizens regardless of its storage location, and defined the more exceptional circumstances in which such requests could relate to foreign nationals. In doing so, the text clearly rejected the criterion of the location of the servers in favour of that of the nationality and location of the users concerned.

While the CLOUD Act is a continuation of the work relating to these two texts, it nevertheless contains very different provisions, in particular in that it provides for the unprecedented possibility of concluding Executive Agreements not submitted to Congress.

Criticism in the United States

In the United States, the CLOUD Act was supported by tech giants like Microsoft, Apple and Google, who saw it as a welcome clarification. The fact that the laws applicable to the protection of personal data diverge widely from one country or region to another creates, in fact, a great deal of legal uncertainty for service providers. The implementation of judicial cooperation treaties (MLAT) is, moreover, a source of slowness and complexity, which justifies resorting to simpler modalities.

However, the text has been the subject of a great deal of criticism, in particular from organisations for the protection of fundamental rights such as the Electronic Frontier Foundation, the American Civil Liberties Union, Amnesty International, the Center for Democracy and Technology and Human Rights Watch. It is mainly the second part of the text, the part that allows foreign authorities to obtain data through the conclusion of an Executive Agreement, that arouses the opposition of these associations. They consider, in particular, that the possibility granted to the American executive to conclude international agreements without the oversight of Congress is problematic. They also fear that the power granted to foreign authorities will deprive users of the guarantees provided by American law, starting with the judicial intervention provided for by the Fourth Amendment.

While the reluctance towards Executive Agreements of this unprecedented kind is understandable, it seems unlikely that such an agreement will one day provide that American companies must disclose data on simple request from foreign authorities without judicial oversight. Everything will depend, of course, on the content of the Executive Agreements concluded with third countries, but the safeguards provided for by the CLOUD Act itself put these fears into perspective.

European criticism

On the European Union side, the criticism mainly targets the first part of the text, in that it allows the American authorities to require companies established in the United States to disclose all the data in their possession, even if it is stored outside the United States. Given the omnipresence of American service providers, this means that almost all of the services offered on the Internet (Facebook, WhatsApp, Gmail, Instagram, Messenger, etc.) are concerned. The text could, moreover, cover much more than just groups incorporated in the United States with subsidiaries abroad. One could also imagine European or Asian multinationals being asked for data relating to their users on the grounds that they have an establishment or a subsidiary in the United States. This point was specifically raised by Microsoft's lawyers, who took as an example the case of a Chinese internet service provider with a subsidiary in Silicon Valley that would be ordered to disclose emails exchanged in China and stored on a server located in Beijing.

In general, it is indisputable that the CLOUD Act allows, for the time being, the disclosure of the communications of non-American nationals under conditions particularly favourable to the American authorities, especially since no Executive Agreement has yet been concluded. Several difficulties can be highlighted here.

* The lack of recourse from the user whose data is requested

As the texts stand, the person whose communications are requested by the American authorities is not necessarily notified of the request. The search warrant is issued by the American judge in the user's absence and without any possibility for the user to contest it. Overall, for the protection of his data, the user is entirely dependent on the attitude of the service provider, which can contest the disclosure request but can, just as well, decide to hand over the elements requested by the American authorities without dispute.

* The impossibility of contesting the "search warrant" in the absence of an Executive Agreement

The text provides that it is possible for the service provider to contest the search warrant within 14 days if he reasonably believes that two circumstances are cumulatively met:

      • the customer or subscriber whose data is required is neither a US citizen, nor a US permanent resident, nor a company incorporated in the US, and does not reside in the US

AND

      • the disclosure of the data would create a risk that the service provider violates a foreign law, but only where that law belongs to a country that has signed with the United States the Executive Agreement provided for by the text, and where that national law provides substantive and procedural guarantees equivalent to those provided by the American SCA (18 USC § 2703(h)(2)).

If these conditions are not met, and in particular if no Executive Agreement has been signed, the warrant cannot be contested. As no Executive Agreement has yet been concluded, no challenge is currently possible, even where the data concern, for example, European nationals.

* The uncertain scope of invoking the GDPR or national legislation in the absence of an "Executive Agreement"

The only option available, in the absence of an Executive Agreement, to oppose the disclosure of data remains the invocation of the "principle of international comity" as recognised by the American courts. A provider refusing to hand over the requested data would in particular argue that the disclosure would constitute a violation of national regulations. In the case of a European Union national, it would be possible to invoke the European Regulation of April 27, 2016 (the GDPR), in force since last May, several provisions of which protect European nationals from the disclosure of their data to third countries (Articles 45 to 49). However, the possibility of invoking the principle of international comity in the context of the implementation of the Stored Communications Act is highly debated, and there is no case-law precedent supporting such a conclusion (see D. Bitkower and N. Orpett, “Congress Passes CLOUD Act Governing Cross-Border Law Enforcement Access to Data”).

It must therefore be concluded that, as things stand, the data of French Internet users held by American service providers (Apple, Google, Facebook, Microsoft, etc.) and stored on French or European servers may be the subject of a disclosure request from the American authorities under the conditions described above, without it being possible to oppose that request with any certainty or effectiveness.

Is the conclusion of an Executive Agreement with the United States the solution?

The CLOUD Act was clearly drafted with the aim of encouraging third States to conclude Executive Agreements with the United States. And it cannot be denied that this is, for the United States, a way of imposing the rules of the game. The DOJ has so far announced that it is negotiating such an agreement with the United Kingdom. It is certainly to be hoped that other States will take the initiative of concluding such agreements and ensure that their national legislation effectively enables them to protect their nationals. The conclusion of an Executive Agreement by the European Union itself could also be considered, even if the terms of the CLOUD Act do not seem to point in this direction.

However, the conclusion of such agreements will doubtless not be able to dispel the persistent uncertainties surrounding the implementation of the American Stored Communications Act. In particular, it should be specified which companies are targeted by the text, and whether the mere American subsidiary of a foreign group could be required to disclose the data held by the group in the rest of the world. It would also be necessary to settle the question of whether a warrant is always required, or whether certain disclosures can take place on other bases (subpoena or court order).

In addition, the conclusion of Executive Agreements will not make it possible to fully correct the imbalances established by the text of the CLOUD Act itself. While the US authorities may require the disclosure of data on the grounds of the probable commission of any offense, foreign authorities may only request the disclosure of data in the event of serious offenses (serious crimes). While data relating to US citizens or companies may not under any circumstances be disclosed to foreign authorities, the US authorities may claim data relating to non-US nationals unless the request is challenged on the basis of a national law preventing such disclosure, and on condition that this national legislation offers substantive and procedural guarantees equivalent to those provided for by American law.

In such a context, it is hardly surprising to see Microsoft promoting a set of fundamental principles, in the hope that they will be taken up by future national laws, agreements and Executive Agreements. The principles invoked by Brad Smith in his recent post are six in number:

      • the universal right for each user to be informed of the communication of their data to governments,
      • the obligation to obtain a judicial authorization before any data transmission to the authorities,
      • a clear and precise procedure for contesting the order to communicate the data,
      • the conclusion of international agreements making it possible to avoid and/or resolve conflicts of laws,
      • procedures providing for requests for communication of company data to be addressed directly to them,
      • a principle of transparency allowing the public to know precisely the rules applicable to data protection.

In short, if digital technology comes to dissolve borders and render the reference to geographical location irrelevant, we must then reach agreement, in cyberspace, on universal and balanced principles for the protection of Internet users.

6 thoughts on “Should we fear the CLOUD Act? The answer is yes. For the moment.”

  1. Thank you for this detailed explanation.
    On the other hand, you do not discuss the fact that the data in the data center is encrypted and that only the unique decryption key makes it possible to give meaning to this data. The subject was brought to light during the Apple case which did not want to give the key to the authorities to have access to the contents of an iPhone.
    The data center operator could therefore very well be forced to provide the American authorities with raw data… which would prove to be unusable.
    However, I know that with enormous processing capacities we can break keys.
    It would take the contribution of an expert in cryptography to enrich the note and thus give citizens and businesses a real perception of the level of risk they run by exposing their data to an American operator.

    1. Thank you for this feedback. Indeed, we should know how it works in practice. I personally would tend to think that when the FBI asks for correspondence, it should be provided in readable condition ... but think again!
