Reed Smith Client Alerts

The U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act has the potential to create conflicting obligations for companies that must comply with the European Union’s General Data Protection Regulation (GDPR). The CLOUD Act allows governments to compel U.S.-based providers of electronic communications services and remote computing services (Providers) to store and produce electronic communications held anywhere in the world. Because data controllers and processors owe a heightened duty to their customers under GDPR, a Provider that complies with a CLOUD Act request potentially exposes itself, and the EU companies that utilize its services, to liability.

Although it has yet to be seen how regulators will enforce these laws where there is a conflict, a company faced with a request to produce data under the CLOUD Act may have to exercise its lawful rights to transfer that data under Articles 44-49 or perhaps seek to quash the request altogether. Ultimately, it is imperative that businesses understand their obligations under each regulation, and that they act with those obligations, and the potentially steep fines that accompany noncompliance, in mind.

The CLOUD Act

Enacted in March 2018, the CLOUD Act amends the Stored Communications Act[1] and resolves a prior ambiguity: whether a U.S. warrant can compel U.S.-based Providers to produce electronic communications stored in another country. This question was central to the now-mooted Supreme Court case United States v. Microsoft Corp. (Microsoft Ireland).[2] Before the Supreme Court could decide Microsoft Ireland, the United States passed the CLOUD Act, creating a framework for law enforcement authorities in the United States to request customer and subscriber data stored abroad by U.S.-based Providers. Under the new framework, the U.S. government or another “qualifying foreign government” can issue warrants to U.S.-based Providers to preserve and produce customer or subscriber data (CLOUD Warrants).[3]

The CLOUD Act defines a “qualifying foreign government” as “a foreign government with which the United States has an executive data sharing agreement… [and] the laws of which provide to [Providers] substantive and procedural opportunities” to challenge CLOUD Warrants similar to those provided by the United States.[4] A foreign government can only issue CLOUD Warrants to U.S.-based Providers if it has entered into one of these executive agreements with the United States.

Providers that receive a CLOUD Warrant can move to quash the request if the Provider reasonably believes: (i) the subscriber is not a U.S. citizen, and (ii) that disclosing the information creates a material risk that the Provider would violate the laws of a qualifying foreign government.[5]

The quash procedures under the CLOUD Act are rather limited for two reasons. 

First, a Provider can only quash a CLOUD Warrant seeking a non-U.S. citizen’s data. GDPR, on the other hand, applies even to ‘controller’ processing of the personal data of U.S. citizens living in the EU, so such a person’s data would simultaneously be protected by GDPR and subject to transfer pursuant to the CLOUD Act. Second, a Provider can only move to quash a CLOUD Warrant if the data transfer will violate the laws of a “qualifying foreign government.”[6] Thus, Providers may not be able to withhold data stored in countries that have not entered into executive data sharing agreements with the United States. In any event, Providers can still challenge a warrant through the courts, because the CLOUD Act does not affect the “common law standards governing the availability or application of comity analysis to other types of compulsory process.”[7]

In addition to the limitations detailed above, a court reviewing a CLOUD Act challenge may only grant the challenge if, “based on the totality of the circumstances, the interests of justice dictate that the legal process should be modified or quashed.”[8] The court conducting this analysis must weigh factors including: the interests of both governments, whether other means of obtaining the data exist, and the likely penalties the Provider and its employees may suffer “as a result of inconsistent legal requirements imposed on the provider.”[9]