On March 23, 2018, the President signed into law the Consolidated Appropriations Act of 2018 (H.R. 1625), an omnibus spending bill that includes the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act). Among other provisions, the CLOUD Act amends the Stored Communications Act of 1986 (18 U.S.C. §§ 2701-2712, hereinafter the SCA) by adding a new § 2713 which states as follows:

A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.

The above amendment of the SCA appears intended to address the controversy in United States v. Microsoft Corporation, a case argued before the Supreme Court on February 27, 2018, but not yet decided by the Court. At issue in the Microsoft case is whether a warrant obtained by the Department of Justice under the SCA directing Redmond, Washington-based Microsoft to produce the contents of a subscriber’s email account stored on a Microsoft subsidiary’s server located in Ireland represents an impermissible extraterritorial application of the SCA (see here for our prior analysis of the case).

Notably, during oral argument multiple Justices suggested that in lieu of rendering a decision in the case, it may be preferable for the Court to allow Congress to enact a legislative solution to the conflict regarding applicability of the SCA in the modern digital world. For example, Justice Ginsburg asked whether it would not “be wiser” for the Court to “leave things as they are” and to defer to Congress to “regulate in this brave new world,” and Justice Sotomayor similarly questioned whether “we shouldn’t leave the status quo as it is and let Congress pass a bill in this new age… that addresses the potential problems” with interpretation of the SCA.

Subsequent to the passage of the CLOUD Act on March 23, Solicitor General Noel Francisco submitted a letter to the Supreme Court notifying the Court of the passage of the CLOUD Act in general and of the above amendment to the SCA in particular. That SCA amendment within the CLOUD Act appears to require a U.S. company served with a court order under the SCA to turn over the data without regard to where the data is stored, provided the data was within the U.S. company’s “possession, custody, or control.” The Solicitor General further stated in his letter that “[t]he United States is currently determining whether, and if so, to what extent the passage of the CLOUD Act affects the Court’s disposition of this case” and indicated that the government will submit a supplementary filing to address that question “as promptly as possible.” It seems likely that the government will take the position that the issue in Microsoft is moot because of the CLOUD Act’s amendment of the SCA (and thus the Court should vacate the Second Circuit decision that gave rise to the appeal and remand the case). But it remains to be determined how the Court will ultimately resolve Microsoft, given the passage of the CLOUD Act and the government’s likely position.

Technology companies and other service providers should be aware that in addition to the SCA amendment discussed above, the CLOUD Act includes an extensive legal framework governing the exchange of certain data between the United States and foreign governments. For example, the CLOUD Act includes requirements for a comity analysis in response to attempts by foreign governments to seek the contents of wire or electronic communications, as well as corresponding revisions to federal laws in contemplation of the provision of access to certain data by foreign governments in accordance with the CLOUD Act. Please keep an eye out for a future post that will address these provisions in greater detail.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Conor Duffy Conor Duffy

Conor Duffy is a member of Robinson+Cole’s Health Law Group and the firm’s Data Privacy and Security Team. Conor advises hospitals, physician groups, community providers, and other health care entities on general corporate matters and health care issues. He provides legal counsel on…

Conor Duffy is a member of Robinson+Cole’s Health Law Group and the firm’s Data Privacy and Security Team. Conor advises hospitals, physician groups, community providers, and other health care entities on general corporate matters and health care issues. He provides legal counsel on a full range of transactional and regulatory health law issues, including contracting, licensure, mergers and acquisitions, Medicare and Medicaid fraud and abuse laws and regulations, HIPAA compliance, and other data privacy and security matters. Read his rc.com bio here.

Photo of Kathleen Porter Kathleen Porter

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and…

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and privacy practices to comply with the patchwork of laws and rules applicable to the collection, use, safeguarding, sharing, and transfer of protected or personal data. She regularly structures arrangements with promoters, marketers, website exchanges, and other third parties for the purchase, sale, sharing, and safeguarding of personal data. Kathy prepares and negotiates representations, warranties, and indemnities regarding personal or protected data and privacy and data practices. She also assists clients with privacy audits and works with third-party certification organizations to obtain certification of companies’ privacy practices. She guides clients through internal investigations to assess and address notice and other obligations regarding privacy breaches. Kathy often works closely with our litigation attorneys to manage external investigations such as those by federal or state regulators. Read her rc.com bio here.