What Legal and Compliance Leaders Need to Know About the CLOUD Act

Thoughts about digital transformation and AI for enterprise leaders and their legal & compliance advisors

These posts represent my personal views on enterprise governance, regulatory compliance, and legal or ethical issues that arise in digital transformation projects powered by the cloud and artificial intelligence. Unless otherwise indicated, they do not represent the official views of Microsoft.

As legal and compliance professionals we are all familiar with the new reality of the cloud era that data has become global. National borders still exist and national governments still make and enforce the laws that govern their own territories. But data flows everywhere at near-instantaneous speeds and borders cannot stop it. This does not mean that data no longer has a precise physical location. On the contrary, the global Internet of connected servers and data centers makes it possible at any given moment to pinpoint exactly the location—or multiple locations—of every email or electronic document that leaves your computer. But nothing guarantees that your email—or that of your organization—will reside exclusively on servers in your own country.

From these simple facts arises an important source of potential conflict between the laws of nation-states and the privacy rights of data owners:

  • On the one hand, law enforcement agencies conducting legitimate criminal investigations need access to digital evidence wherever it may reside, even in a cloud data center in a foreign country. We can probably all agree that Italian police investigating a serious crime committed in Rome by an American tourist should have the ability—after proper due process—to view potentially incriminating emails belonging to that American and stored on a Microsoft cloud server in Virginia (for example).
  • On the other hand, data owners want their legitimate privacy rights to be respected. If they reside in a country with strong privacy laws, they will want their cloud provider to respect those laws. For example, if they live in the European Union, they will want their cloud provider to respect the provisions of the EU’s GDPR privacy law. Among other things, that law says that data belonging to EU residents and stored in the EU cannot be sent to non-EU countries without proper legal procedure and justification.

Leaders with responsibilities for legal and regulatory compliance in their organizations must learn to grapple with these challenges. One important recent development whose implications they must study closely is a new law passed by the U.S. Congress last year. The law seeks to create a mutually acceptable framework for countries that respect privacy rights and the rule of law to allow carefully constrained cross-border access to cloud data by their respective law enforcement agencies. Appropriately enough, the law is known as the CLOUD Act, using a clever acronym for “Clarifying Lawful Overseas Use of Data Act.”

Technically, the CLOUD Act amends a much older law, the 1986 Stored Communications Act. The SCA was written in an era when no one imagined that vast quantities of electronic data belonging to individuals and corporations would one day circulate between giant cloud data centers spread across every continent except Antarctica. We should also note that there is already an existing framework of Mutual Legal Assistance Treaties (MLAT), but it is widely regarded as too slow and cumbersome to meet the needs of law enforcement in the cloud era.

If we were to distill the CLOUD Act down to three key provisions, they would be the following:

  1. U.S. law enforcement agencies such as the FBI are allowed to seek warrants for data stored overseas, provided they can convince a judge that there is probable cause to believe that a crime has been committed and that the targeted data bears on the crime. A case like this led to a four-year court battle between Microsoft and the Department of Justice that ultimately reached the Supreme Court before being rendered moot by passage of the CLOUD Act.
  2. At the same time, the law confirms that U.S. cloud providers such as Microsoft have the right to challenge these warrants in court if complying with them would violate the laws of other countries—for instance, the EU’s GDPR. That’s what happened in the case cited above. This right rests on the internationally accepted legal principle of comity. According to the Congressional Research Service’s analysis of the CLOUD Act, “the principles of comity have been understood to permit courts to excuse violations of U.S. law, or moderate the sanctions imposed for such violations when the violations are compelled by a foreign nation’s law.” In other words, a U.S. court can reject a warrant if it determines that the warrant severely conflicts with a foreign law such as the GDPR.
  3. Recognizing that the two previous points do not entirely eliminate the possibility of further litigation between cloud providers and the government over privacy rights and overseas data, the CLOUD Act proposes a new international legal framework for resolving such conflict-of-law situations between nations. In brief, the law allows the U.S. government to negotiate executive agreements with other countries that would allow mutual access to cloud data by law enforcement agencies in the respective countries, provided that certain rigorous conditions are met. I hope to walk readers through these conditions in future posts, but for today we can summarize them by saying that the conditions ensure that only countries with strong protection for privacy rights, due process, and the rule of law will be able to enter into such agreements with the U.S.

Some civil libertarians fear that the CLOUD Act gives too much power to foreign and U.S. law enforcement agencies seeking data in each other’s jurisdictions. But the reality is that the new law, even if imperfect, is a significant improvement over the obsolete pre-Internet laws such as the SCA that it replaces. If the legal uncertainty created by the conflict between those older laws and the modern reality of global data flows had been allowed to fester, the risk is real that many countries would have been tempted to impose harmful data localization laws. Such laws could trigger a race to the bottom that might shut down modern cloud computing and the digital transformation revolution that it is powering.

The CLOUD Act is an important step toward strengthening cross-border data privacy rights in the cloud era. The law is a balancing act between competing interests that are both legitimate. But more is needed. Our President and Chief Legal Officer, Brad Smith, has laid out a set of six principles that we believe should govern law enforcement access to data. I’ll come back to those principles in a future post. But the key takeaway is that Microsoft’s leaders are committed to the view that privacy is indeed a fundamental human right. In the era of the global Internet, international law must evolve to accommodate this right.

Microsoft has published a book about how to manage the thorny cybersecurity, privacy, and regulatory compliance issues that can arise in cloud-based Digital Transformation—including a section on lawful access. The book explains key topics in clear language and is full of actionable advice for enterprise leaders. Click here to download a copy. Kindle version available as well here.

Dr. Axel Kessler, LL.M.

Chief Privacy Officer, Siemens AG

5y

Thanks! And as pointed out by the EDPB, an EU-level approach is essential here in order to avoid the potential negative consequences of a fragmented patchwork of non-harmonised bilateral executive agreements between the US and EU Member States that would be concluded under the US CLOUD Act.
