The Application of the CLOUD Act and the International Politics Over Data Localization

-- By AmyTang - 14 Dec 2021

Introduction

There is no debate that the United States government has spent significant money, time and effort in the pursuit of the “greater good”, interpreted as democracy, fighting crime and terrorism, both abroad and domestically. In pursuit of, and fixated on, this goal, the U.S. Congress has passed numerous laws that are claimed to violate privacy, civil liberties and human rights under the pretence of “democracy”. One of the more recent technology-oriented statutes to be adopted, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted in March 2018, purports to help “investigations of serious crime, ranging from terrorism and violent crime to sexual exploitation of children and cybercrime” according to the Department of Justice.

This paper highlights the disadvantages and weaknesses of the Cloud Act and discusses the consequences of the Act on international politics over data localization.

The Cloud Act

The Cloud Act allows U.S. law enforcement to access and obtain electronic communications and documents stored in the cloud, along with certain types of transmission and account information, from servers located outside the U.S. by forcing U.S. companies to give up such data, even if they store it abroad, once a warrant is issued by a U.S. judge. The Act was introduced by Congress following Microsoft Corp. v. United States, where the Second Circuit held that law enforcement was not authorized to access data stored abroad under the then-existing Stored Communications Act (“SCA”). The Cloud Act, therefore, implemented new procedures for U.S. law enforcement to request such data, facilitating and legalizing the process. It does so by amending the SCA, an act initially aimed at protecting “the privacy of stored Internet communications”. The Cloud Act also provides for reciprocity measures, amending the existing provisions of the Electronic Communications Privacy Act (ECPA) to structure an exchange of domestically-stored data by U.S. service providers to certain foreign countries, under lawful foreign orders.

The Cloud Act applies to “provider of electronic communication service” and “remote computing service”. These providers may be obliged to “preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber”. The scope of providers under the reach of the Cloud Act is broad and may apply to a variety of messaging, social media and cloud storage and processing platforms.

The Cloud Act would allegedly “preserve law and order, advance the United States’ leadership in cybersecurity, ease restrictions on American businesses and enhance privacy standards globally.” While the Cloud Act claims to attain such noble goals in principle, one can only ponder the potential violations of privacy caused by such an invasive and overreaching practice, by both U.S. and foreign partner law enforcement agencies. Currently, the dominant electronic communication providers are arguably Google, Amazon, Facebook, Apple, and Microsoft (“GAFAM”), with user bases in the billions and a combined market value of over four trillion U.S. dollars. Coincidentally, the GAFAM are all headquartered in the U.S., and therefore fall under the purview of the Cloud Act.

The Consequences of the Act on the International Politics Over Data Localization

The weaknesses of the Cloud Act are numerous. Its overreaching nature allows for the violation of the rule of sovereignty in situations where the laws of the foreign jurisdiction where the electronic data is located conflict with the obligations imposed by the Cloud Act. Further, there is a lack of transparency for users: nothing in the Cloud Act would force the provider to reveal to the user that their data is disclosed.

A glaring shortcoming of the Act is that there are no checks and balances. It therefore gives too much latitude to the executive branch to form executive agreements between the U.S. and another jurisdiction under the Cloud Act. The law enforcement agencies can then go directly to providers abroad to request access to the contents of their users’ communications with little infrastructure in place to prevent abuse, such as congressional oversight. For instance, between January and June 2021, Microsoft received 101 warrants from U.S. law enforcement seeking to obtain data stored outside the U.S. that allegedly lacked legal justification. Further, a number of obligations imposed by the Act conflict with the European Union's General Data Protection Regulation.

Given the above, the choice of data localization for companies becomes subject to international politics, given that the Act and its administration open the door for complexities of bureaucratic side-taking due to the reciprocity measures and to the GDPR. The application of the Cloud Act created new opportunities for European-based managed service providers.

Under the Cloud Act, it is clear that only providers subject to U.S. jurisdiction must comply with the obligation of disclosing data when requested. While for GAFAM, a significant number of data centres are located in the U.S. and jurisdiction can therefore be presumed, there are ways for a company to structure corporate entities to escape the overreaching claws of the Cloud Act, that is if the company wishes to do so. Some companies choose to shield themselves from the Act as a means of competitive advantage in countries outside of the U.S. These corporate manipulations demonstrate political choices over data localization centres for providers of “electronic communication service” and “remote computing service”.

The keyword in the Cloud Act is that a provider must disclose the data within its “possession, custody or control”. If the provider’s corporate subsidiaries remain independent and store data outside of the U.S., U.S. law enforcement cannot, therefore, force disclosure using the Cloud Act, even if the U.S. subsidiary’s shares are 100% held by the foreign corporation, or vice-versa. Pragmatic means for foreign corporations to ensure said lack of “possession, custody or control” include refraining from conducting any business in the U.S., ensuring that their U.S. entity is a separate legal person, using different and disconnected computer networks and structures from their U.S. entity, and building operations, corporate strategy, management and marketing teams independently from those of the U.S. entity.

Data localization then becomes a political choice for providers who may also choose to segregate their corporate structures in countries that have signed bilateral agreements with the U.S. under the Cloud Act, such as Australia and the United Kingdom.

Avoiding the application of the Cloud Act will better shield companies from its numerous disadvantages and providers who do so may be deemed preferable by users concerned with their privacy.

