United States-based providers of e-commerce resources, including cloud services, must release foreign-held customer information to law enforcement agencies under a new law enacted in March. Providers have strongly objected to releasing customer information residing outside the U.S. for fear of violating the privacy laws of other countries. In a legal filing, the providers noted a potential “staggering” loss of international customers who no longer would trust the providers to protect their privacy. The document cites the positive trade balance of US$18 billion for U.S.-based cloud service providers in 2015.
As the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, was enacted, a dispute between Microsoft and the U.S. Department of Justice over the release of foreign-held customer data was playing out in the U.S. Supreme Court. Microsoft had challenged the basis of a 2013 DoJ warrant for customer information residing at a data facility in Ireland. The DoJ sought the information in connection with a criminal drug investigation. Since the CLOUD Act addressed the major issue in dispute between DoJ and Microsoft, the Supreme Court agreed to a request by both parties and mooted the case.
The Justice Department quickly resumed its case against Microsoft under the CLOUD Act. DoJ asserted that the Act clearly provides U.S. law enforcement agencies with the ability to seek customer information related to criminal investigations when that data resides at a facility outside the U.S. DoJ argued that the CLOUD Act demolishes the legal basis for Microsoft’s past refusal to comply with its request for the information, and issued a new warrant to the company. DoJ and Microsoft had different views on the reach of the Stored Communications Act (SCA), which led to the original court case. The CLOUD Act removed the SCA ambiguity by stating that U.S. law now would cover customer information that is “located within or outside of the United States”. The CLOUD Act applies to any “electronic communication service or remote computing service,” and it requires providers to “preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber.” The data must be within a provider’s “possession, custody, or control”.
Microsoft may be contemplating a rejection of the new DoJ warrant, however. While the company no longer can use the international location argument to reject the DoJ request, it has indicated there may be another legal means to challenge the department under the international “comity” provisions of the CLOUD Act. Courts then would have to find that the release of sought-after information would compromise the comity of any country-to-country agreement. In the event there was no specific bilateral agreement, the CLOUD Act would allow companies to challenge a warrant based on the “common law” concept of comity, according to Microsoft. In its petition for dismissal of the Supreme Court case, the company argued that it would evaluate its options under the CLOUD Act regarding the new DoJ warrant.