It is strongly recommended that you include your outline in the body of your essay by using the outline as section titles. The headings below are there to remind you how section and subsection titles are formatted.

The Application of the CLOUD Act and its Relatio to Corporate Infrastructure

-- By AmyTang - 14 Dec 2021

Introduction

There is no debate that the United States government has spent significant money, time and effort in the pursuit of “greater good”, interpreted as democracy, fighting crime and terrorism, both abroad and domestically. U.S. Congress had passed many laws that are alleged to violate privacy, civil liberties and human rights under the pretence of advancing this goal. One of the more recent technological-oriented statutes that was adopted, the Clarifying Lawful Overseas Use of Data (CLOUD) Act enacted in March 2018, purports to help “investigations of serious crime, ranging from terrorism and violent crime to sexual exploitation of children and cybercrime”.

This paper highlights the disadvantages and weaknesses of the Cloud Act and suggests that there are ways to benefit from particular corporate organizational structures to protect foreign privacy.

The Cloud Act

The Cloud Act allows U.S. law enforcement to access and obtain electronic communications, documents stored in the cloud, and to certain types of transmission and account information from servers located outside the U.S. by forcing U.S. companies to give up such data, even if they store it abroad, once a warrant is issued by a U.S. judge:

A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.

The measure was introduced by Congress consequently to Microsoft Corp. v. United States, where the Second Circuit held that law enforcement was not authorized to access data stored abroad, under the then-existing Stored Communications Act (“SCA”). The Cloud Act therefore implemented new procedures for U.S. law enforcement to request such data, facilitating and legalizing the process. It does so by amending the SCA, an act aimed initially to protect “the privacy of stored Internet communications”.

The Cloud Act also provides for reciprocity measures, amending the existing provisions of the Electronic Communications Privacy Act (ECPA) to structure an exchange of domestically-stored data by U.S. service providers to certain foreign countries, under lawful foreign orders.

The Cloud Act would allegedly “preserve law and order, advance the United States’ leadership in cybersecurity, ease restrictions on American businesses and enhance privacy standards globally.” While the Cloud Act claims to attain such noble goals in principle, one can only ponder on the of potential violations of privacy caused by such an invasive and overreaching practice, by both U.S. and foreign partner law enforcement agencies. Currently, the dominating electronic communication provider are arguably Google, Amazon, Facebook, Apple, and Microsoft (“GAFAM”), with user bases in the billions and a combined market value of over four trillion U.S. dollars. Coincidentally, the GAFAM are all headquartered in the U.S., therefore under the purview of the Cloud Act.

The weaknesses of the Cloud Act are numerous, but can be summarized as follows: 1- It is overreaching and can violate the rule of sovereignty : there are limited mechanism for providers to challenge warrants allowing for the disclosure of electronic data located outside the U.S., violating sovereignty in jurisdictions where applying the Cloud Act to such data might create conflicting obligations when foreign law prohibits providers from such disclosure. Prior to the Cloud Act, law enforcement must proceed under the mechanism of Mutual Legal Assistance Treaty to obtain evidence abroad. 2- There are no checks and balances: the Cloud Act gives too much latitude to the executive branch to form executive agreements between the U.S. and another jurisdiction under the CLOUD Act. The certified foreign jurisdiction can then go directly to U.S. providers to request access to contents of their users’ communications. There are few infrastructures in place to prevent abuse, such as Congress oversight. 3- There may be violations of civil liberties: prior to “the cloud” and online hosting of data, if U.S. law enforcement wanted evidence, it would not be allowed to access a party’s residence overseas. This rule should not differ for data hosted overseas. Further, the provider has no obligation to challenge any warrant or requests for customer data even if they are overbroad or otherwise inappropriate. 4- Lack of transparency for users: nothing in the Cloud Act would force the provider to reveal to the user that their data is disclosed.

How structuring corporate structure can shield a provider of electronic communication service from the Cloud Act

Under the Cloud Act and the SCA, it is clear that only providers subject to U.S. jurisdiction must comply with the obligation of disclosing of data when requested. While for GAFAM, a significant number of data centers are located in the U.S., and jurisdiction can therefore be presumed, there are ways to structure corporate entities to escape the overreaching claws of the Cloud Act.

The key word in the Cloud Act is that a provider must disclose the data within its “possession, custody or control”. If the provider’s corporate subsidiaries remain independent, U.S. law enforcement cannot therefore force disclosure using the Cloud Act, even if the U.S. subsidiary shares are 100% held by the foreign corporation, or vice-versa.

Pragmatic means to ensure said lack of “possession, custody or control” by foreign corporations include refraining from conducting any business in the U.S.; ensuring that their U.S. entity is a separate legal person; using different and disconnected computer networks from their U.S. entity; building operations, corporate strategy, management and marketing team independently from those of the U.S. entity; and maintaining a computer structure that would not allow U.S. entity’s employees from accessing any data belonging to foreign subsidiaries stored abroad.

Not only will this be deemed preferable by many users concerned with their privacy and freedom of choice, this will also better shield companies from the numerous disadvantages of the Cloud Act, including the potential irreconcilable obligations under two different countries' laws.

Sources

https://www.aclu.org/other/surveillance-under-usapatriot-act https://www.justice.gov/dag/cloudact 18 U.S.C. § 2703. 18 U.S.C. § 2713. United States v. Microsoft Corp., 138 S. Ct. 356 (2017) Congress Enacts the Clarifying Lawful Overseas Use of Data (Cloud) Act, Reshaping U.S. Law Governing Cross-Border Access to Data, 112 Am. J. Int'l L. 487 (2018) Idem. https://www.nytimes.com/2018/02/14/opinion/data-overseas-legislation.html https://www.statista.com/topics/4213/google-apple-facebook-amazon-and-microsoft-gafam/#dossierKeyfigures https://www.justsecurity.org/54242/improved-cloud-act-poses-threat-privacy-human-rights/

---

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

• #Set ALLOWTOPICVIEW = TWikiAdminGroup, AmyTang
• #Set DENYTOPICVIEW = TWikiGuest

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.