Frequently Asked Questions about the U.S. CLOUD Act

Introductory note: This set of FAQs responds to questions from non-U.S. countries about the meaning and implications of the CLOUD Act. Some questions have arisen from the European Union in connection with the CLOUD Act, and this paper seeks to address those questions specifically. But it is important to note that countries outside of the EU are expected to seek executive agreements under the CLOUD Act as well.

The U.S. Department of Justice (DOJ) also recently published a Cloud Act White Paper, with accompanying FAQs, which covers many of the key questions as well. We encourage readers to look at the DOJ’s official explanation and clarification of the legislation. These FAQs here are meant to provide an independent, supplemental assessment of the legislation and the recurring questions that continue to arise. We also provide additional citations to assist the reader in further research. As with the other publications from CBDF, the views expressed here are solely those of the authors.

1. 1. What are the two major parts of the CLOUD Act?
   2. How does the Stored Communications Act create obstacles for non-U.S. law enforcement to access evidence?
   3. Why not simply improve the current MLAT system?
   4. What would be the advantages to the EU or a Member State of signing an Executive Agreement with the United States under the CLOUD Act?
   5. Why is the United States attempting to make it easier for foreign governments to gain access to evidence held by US companies?
   6. What terms would have to be in an Executive Agreement for each individual request from a qualifying foreign government?
   7. What ongoing institutional safeguards for protection of personal data would have to be in an Executive Agreement for requesting countries (such as a Member State) to qualify under the CLOUD Act?
   8. The EU has suggested negotiating with the U.S. outside of the CLOUD Act framework. What would be different if a non-CLOUD Act approach were adopted?
   9. The CLOUD Act says that Executive Agreements have to provide “reciprocal” access to the United States. What does the term “reciprocal” mean in the CLOUD Act?
   10. Under a CLOUD Act Executive Agreement, would DOJ be able to access evidence about persons from the non-U.S. country?
   11. Executive Agreements would apply only for “serious crimes.” What constitutes a “serious crime”?
   12. If a company refuses to comply with a non-U.S. evidence request made under an Executive Agreement, what are the penalties?
   13. Would the U.S. gain the power to conduct wiretaps in the E.U. under an Executive Agreement?
   14. How would DOJ requests under the executive agreement fit with the EU’s privacy protections?
   15. How will U.S. law enforcement make requests under an Executive Agreement?
   16. Will US agencies be able to send evidence requests to companies in a qualifying foreign country?
   17. When a provider receives an evidence request under an Executive Agreement, can the provider challenge the request?
   18. Are the individuals whose data is requested by investigating agencies under an Executive Agreement notified about the request?
   19. What was the goal of this part of the CLOUD Act?
   20. Does the U.S. CLOUD Act expand the territorial reach of U.S. law?
   21. What sort of “providers” of “electronic communication services” and “remote computing services” are required to respond to DOJ under the CLOUD Act?
   22. What sorts of evidence can DOJ collect under the CLOUD Act?
   23. How strict are the procedural requirements before DOJ can access this evidence?
   24. How broad is the power of DOJ to seek information under the “possession, custody, or control” of a service provider?
   25. Does this part of the CLOUD Act enable DOJ to gain evidence held by a European company doing business only in Europe?
   26. Does the U.S. require notice to the individual when a request for evidence is made?
   27. Does a U.S. service provider have any legal way to challenge an order issued under the CLOUD Act?
   28. Can the CLOUD Act be used for U.S. intelligence purposes? For U.S. civil, commercial, or administrative litigation?
   29. Can the CLOUD Act be used to steal intellectual property or trade secrets of non-U.S. companies, for the benefit of U.S. competitors?
   1. What are the two major parts of the CLOUD Act?
      The CLOUD Act contains two key parts. One part responds to foreign governments’ concerns about U.S. laws that restrict foreign law enforcement’s access to communications content held by U.S. service providers [2] —restrictions that apply even when foreign governments are seeking to access data regarding their own nationals in the investigation of local crime. This part of the CLOUD Act authorizes the creation of bilateral executive agreements that would lift those restrictions and thereby enable foreign governments to access communications content directly from U.S.-based service providers, subject to a set of conditions.

   The other key part clarifies the rules governing U.S. law enforcement access to data in the hands of U.S. providers. The following seeks to answer key questions and clarify the operation of both parts.

   Executive Agreements and Non-U.S. Access to Evidence

   1. How does the Stored Communications Act create obstacles for non-U.S. law enforcement to access evidence?
      The Stored Communications Act (SCA) operates as a “blocking statute.” Except where a statutory exception applies, it prohibits U.S.-based service providers from disclosing communications content to a foreign government, unless there is a CLOUD Act agreement in place (as discussed below). [3]

   The SCA applies even if the non-U.S. government is seeking communications content with regard to one of its own nationals in the investigation of a local crime. It also applies even if the non-U.S. government has obtained a compelled disclosure order pursuant its national laws.

   More specifically, the SCA states that a covered service provider “shall not divulge” stored communications content to “any person or entity,” unless pursuant to one of nine statutory exceptions, none of which authorizes disclosure to foreign governments. [4]

   The SCA also sets out the situations in which service providers can be compelled to disclose communications content. Only a “governmental entity”—defined as a U.S. federal or state department or agency [5] —is given the authority to compel a provider to disclose communications content, and only according to specified substantive and procedural standards. As discussed further below, access to communications content requires a search warrant, signed by an independent U.S. judge, based on the judge’s finding that there is “probable cause” both that (a) a specific crime has occurred or is occurring and (b) the place to be searched, such as an email account, contains evidence of that specific crime. In addition, the warrant must describe with particularity the data to be searched or seized. Service providers who furnish the content of communications to a U.S. or foreign government, in the absence of such a search warrant or a CLOUD Act-authorized executive agreement, risk civil liability. Prior to the Cloud Act, there was no provision that authorized disclosure of communications content to foreign law enforcement in any circumstance, even in response to compelled disclosure orders issued by foreign courts.

   1. Why not simply improve the current MLAT system?
      The increasing globalization of criminal evidence creates significant challenges for law enforcement. Historically, requests for evidence held in other countries have been handled through a Mutual Legal Assistance Treaty (MLAT). According to a 2018 European Commission impact assessment report, more than half of all criminal investigations include a cross-border request to access electronic evidence. As the U.S. Department of Justice Deputy Assistant Attorney General Richard W. Downing explained, “[t]he exponential rise in demand for electronic evidence also places extraordinary demands on the existing [MLAT] process.” While the MLAT system is and will continue to a critically-important information gathering system in many cases, it is widely considered too slow and cumbersome to handle the increasing volume and frequency of requests. In addition, because some service providers move data among multiple different data storage centers, located in multiple different countries, it can be difficult to identify where particular sought-after data is even located at a given point of time. Moreover, the place where the data is located may have no connection to the case other than the fact that a service provider decided to store it there. Multiple scholars and government reports have concluded that incremental improvements to the existing MLAT system cannot effectively address these issues, given the volume of requests, the inability to identify a stable location for particular data, and the ongoing frustration about having to get foreign government consent for a domestic investigation that would not otherwise involve the foreign government but for the location of the data.

   For more detailed discussions of the current MLAT system and the potential scope and impact of proposed reforms, see:

   • • Martin Böse, An assessment of the Commission’s proposal on electronic evidence
     • Sergio Carrera, et al., Access to Electronic Data by Third-Country Law Enforcement Authorities: Challenges to EU Rule of Law and Fundamental Rights
     • European Commission, E-Evidence – cross-border access to electronic evidence
     • European Parliament Committee on Civil Liberties, Justice, and Home Affairs, 6 th Working Document (A); 6 th Working Document (B); 6 th Working Document (C)
     • Gail Kent, Sharing Investigation Specific Data with Law Enforcement – An International Approach
     • Peter Swire & Justin Hemmings, Mutual Legal Assistance in an Era of Globalized Communications: The Analogy to the Visa Waiver Program
     • Jennifer Daskal, Law Enforcement Access to Data Across Borders: The Evolving Security and Rights Issues
     • Andrew Keane Woods, Against Data Exceptionalism
     1. What would be the advantages to the EU or a Member State of signing an Executive Agreement with the United States under the CLOUD Act?
        Countries that enter into an executive agreement with the United States under the CLOUD Act would be able to make direct requests to U.S. providers for communications content relevant to the investigation of “serious crime” and subject to several other limitations and conditions. These kinds of direct requests, where available, would provide an alternative to the time-consuming requirements of the MLAT process. Individual requests for communications content would need to meet the specific privacy and fundamental rights safeguards set forth in the CLOUD Act, discussed below. (See questions 7 and 8 below for a discussion of the privacy and other limits on what can be disclosed under CLOUD Act executive agreements).

     There is some question under U.S. law about whether the European Union could sign an executive agreement under the CLOUD Act. The CLOUD Act permits an executive agreement with a “Qualifying Foreign Government” (QFG). We have written elsewhere that an EU Member State could be a QFG, but there is doubt whether the EU as whole would qualify. As we have suggested previously, however, the EU could enter into a framework agreement that would lay out the parameters of Member State agreements. Such a framework would be easier to negotiate than separate agreements with the over two dozen Member States, and create consistency across country-level agreements with the United States.

     1. Why is the United States attempting to make it easier for foreign governments to gain access to evidence held by US companies?
        This part of the CLOUD Act was enacted in direct response to the urging of non-U.S. law enforcement, who sought streamlined access to criminal evidence held by U.S. providers critical to their own domestic investigations. The U.S. Congress recognized that so long as baseline human rights, rule of law, and privacy protections are in place and effectively implemented, foreign governments should be able to make direct requests to providers for data critical to their own law enforcement investigations. The Act authorizes these types of agreements, subject to a number of specified privacy and rights protections. It thus provides an alternative to the overburdened MLAT system in specified situations so long as baseline rules and protections are put in place.
        
     1. What terms would have to be in an Executive Agreement for each individual request from a qualifying foreign government?
        The CLOUD Act sets out the minimum requirements for each individual request pursuant to a CLOUD Act agreement. Specific agreements themselves can incorporate additional requirements so long as these baselines are met. Specifically, each individual request from a qualifying foreign government must, among other requirements:
     • Be for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of serious crime (as defined by the relevant Executive Agreement), including terrorism;
     • Identify a specific person, account, address, personal device, or other identifier as the object of the order;
     • Be in compliance with the domestic law of the qualifying foreign government;
     • Derive the obligation to produce the specified data solely from the relevant domestic law of the qualifying foreign government;
     • Demonstrate a reasonable justification for the order based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation;
     • Be subject to review or oversight by a court, judge, magistrate, or other independent authority prior to, or in proceedings regarding, enforcement of the order; and
     • Not be used to infringe freedom of speech. [6]
     1. What ongoing institutional safeguards for protection of personal data would have to be in an Executive Agreement for requesting countries (such as a Member State) to qualify under the CLOUD Act?
        Executive agreements can only be concluded with QFGs that ensure strong institutional safeguards for fundamental rights protecting personal data, including: [7]
     • QFGs must have a legal system that institutes “robust substantive and procedural protections for privacy and civil liberties” in regards to data collection by law enforcement agencies. Relevant factors include the partner government’s respect for the rule of law and internationally recognized human rights, in particular the right to protection from unlawful interference with privacy; the partner government’s “demonstrate[d] commitment to promote and protect the global free flow of information and the open, distributed, and interconnected nature of the Internet;” and the existence of “clear legal mandates” that govern how the government’s police agencies can collect, retain, use, and share data, along with effective oversight for these activities.. [8]
     • The QFG must promptly review the data and securely store anything that is unreviewed, ensuring that it is only accessed by those with requisite authority. [9]
     • The QFG must segregate, seal, delete, and not disseminate data accessed under the executive agreement, unless relevant to the prevention, detection, investigation, or prosecution of serious criminal offenses. [10]
     • The QFG shall agree to periodic review of compliance to ensure the terms of agreement are being met. [11]

     These safeguards resemble protections contained in the GDPR and EU Police Directive, such as (a) the requirement for a clear legal mandate for police agencies to access personal data; [12] (b) the principle of data minimization; [13] and (c) the requirement to institute transparency and accountability as foundational principles of law. [14]

     1. The EU has suggested negotiating with the U.S. outside of the CLOUD Act framework. What would be different if a non-CLOUD Act approach were adopted?
        Some in the EU have expressed an interest in establishing a non-CLOUD Act mechanism for facilitating EU access to evidence held by U.S. providers. The LIBE Committee of the European Parliament, for instance, wrote: “it has to be clarified if and how such an agreement (depending on its status) could be envisaged outside the framework of the CLOUD Act.”

     CBDF has a separate article elaborating on this issue and the possible alternatives. That article contrasts the executive agreement procedure under the CLOUD Act with three alternative U.S. procedures – a non-CLOUD Act executive agreement, a treaty, or a new U.S. statute. The key takeaway is that additional votes by the U.S. Congress would be required for any of these alternative mechanisms to be implemented. [15] By contrast, a CLOUD Act executive agreement, once submitted to Congress, automatically takes effect in 180 days unless Congress disapproves the executive agreement, making it easier to put an agreement into effect.

     1. The CLOUD Act says that Executive Agreements have to provide “reciprocal” access to the United States. What does the term “reciprocal” mean in the CLOUD Act?
        The term “reciprocal” appears in the CLOUD Act only in one specialized section. The basic idea is that the U.S. will lift the blocking provisions in the SCA, so long as the partner government also removes any blocking statutes that would restrict U.S. access to foreign-held communications content. Specifically, the statute provides:‘‘(I) the foreign government shall afford reciprocal rights of data access, to include, where applicable, removing restrictions on communications service providers, including providers subject to United States jurisdiction, and thereby allow them to respond to valid legal process sought by a governmental entity (as defined in section 2711) if foreign law would otherwise prohibit communications-service providers from disclosing the data;” [16] Although the term “reciprocal” is mentioned in this specific context only, the CLOUD Act requirements set the floor for what requirements must be included in each agreement. Specific agreements can include additional requirements and protections.For example, the CLOUD Act retains the current MLAT process where the non-U.S. government targets the communications of a U.S. person (a U.S. citizen or legal permanent resident). A non-U.S. government, in the course of negotiations, could seek a “reciprocal” provision for its own citizens and legal permanent residents. If an executive agreement includes such a provision, the U.S. would be required to utilize the MLAT system to access such data.
     1. Under a CLOUD Act Executive Agreement, would DOJ be able to access evidence about persons from the non-U.S. country?
        As mentioned in response to Question 9, U.S. access to evidence about persons from a non-U.S. country would depend upon the terms of the CLOUD Act executive agreement with the QFG. Existing law and practice also place jurisdictional and other limits on U.S. access to foreign-controlled data abroad. Specifically, the United States must have personal jurisdiction over a service provider in order to compel production of data within that service provider’s possession, custody, or control. In addition, compelled disclosure orders are subject to specified substantive and procedural requirements—requirements that vary based on the kind of information that is being requested. The CLOUD Act does not change any of these requirements.
     1. Executive Agreements would apply only for “serious crimes.” What constitutes a “serious crime”?
        The scope of “serious crime” would be provided for in the Executive Agreement. We are not aware of any prior relevant U.S. legal definition of “serious crime.” In other words, it is up to the negotiating states to further define that term.
     1. If a company refuses to comply with a non-U.S. evidence request made under an Executive Agreement, what are the penalties?
        For the purposes of U.S. law, the executive agreements simply lift the otherwise applicable blocking statute and permits a company to respond to a foreign-based order for content. Any such penalty for non-compliance would be based on the law in the requesting (non-U.S.) country.
     1. Would the U.S. gain the power to conduct wiretaps in the E.U. under an Executive Agreement?
        No. As described by Jennifer Daskal (here), executive agreements under the CLOUD Act do not provide any authority for the U.S. to conduct wiretaps. Rather, the authority for any such orders must come from U.S. domestic law. Under current U.S. law, there is no authority for a judge to issue a wiretap warrant for the interception of data in Europe, or any other place outside the territorial boundaries of the United States. The CLOUD Act does not change this.

     By contrast, the CLOUD Act does permit an executive agreement to authorize wiretaps by the QFG on U.S. providers in specified circumstances and according to specified requirements. Specifically, such interception can only: “(i) be for a fixed, limited duration; (ii) may not last longer than is reasonably necessary to accomplish the approved purposes of the order; and (iii) be issued only if the same information could not reasonably be obtained by another less intrusive method.” [17] Whether any such wiretaps would be permitted would be governed by what the parties agree to when negotiating the executive agreement.

     1. How would DOJ requests under the executive agreement fit with the EU’s privacy protections?
        Any EU nation negotiating an Executive Agreement with the United States would be subject to the requirements of the EU General Data Protection Regulation (GDPR), the Police Directive, and other applicable privacy rules in the EU. The terms of the Executive Agreement could not override those requirements and would presumably reflect them. On the specific issues of data transfers, Article 48 of the GDPR states that an “international agreement” can be a lawful basis for transferring personal data out of the EU. Presumably a CLOUD Act executive agreement (or other agreement between the EU and U.S.) would qualify as such an international agreement, providing a lawful basis for transfers.
     1. How will U.S. law enforcement make requests under an Executive Agreement?
        Under current U.S. law, the procedures for a U.S. law enforcement request pursuant to a CLOUD Act executive agreement would be the same as for any other U.S. law enforcement request. Moreover, as described in response to question 10, the United States must have personal jurisdiction over a service provider in order to compel production of data within that service provider’s possession, custody, or control. To the extent that compelled disclosure orders can be issued to entities located outside the U.S. (i.e., if they have sufficient business or other contacts with the U.S. to establish jurisdiction), an executive agreement could specify the standards applying to any such U.S. requests.
     1. Will US agencies be able to send evidence requests to companies in a qualifying foreign country?
        Under current U.S. law, the warrant authority is territorially limited. Thus, there is currently no mechanism under U.S. law for a U.S. court to issue a warrant to a company that is outside of the territory of the United States.
     1. When a provider receives an evidence request under an Executive Agreement, can the provider challenge the request?
        Any person or entity that receives an order to produce evidence, including under the Stored Communications Act, can challenge the order on a variety of grounds, including: (i) that the order is not authorized by law, (2) that it is unduly burdensome, (3) that it violates some legal privilege, or (4) that it conflicts with legal requirements in another jurisdiction. Indeed, this is what Microsoft did in the Microsoft Ireland case, when it moved to quash the warrant issued in that case, claiming that the court had exceeded its authority in issuing the warrant. The CLOUD Act does not in any way change the underlying grounds for challenging a request. To the contrary, the CLOUD Act adds a new statutory-based provision to govern challenges based on international comity involving QFGs (those governments with whom the United States has an executive agreement). Moreover, any executive agreement could provide additional bases on which a challenge could be brought.
     1. Are the individuals whose data is requested by investigating agencies under an Executive Agreement notified about the request?
        The background rules on notice under U.S. law are stated in answer to question 26. As with other issues, parties negotiating Executive Agreements could include additional requirements with respect to notice as part of those agreements, including the possibility of providing notice to a non-U.S. government concerning relevant requests.

     U.S. Access to Evidence under the CLOUD Act

     1. What was the goal of this part of the CLOUD Act?
        This part of the CLOUD Act was enacted in response to the Microsoft Ireland decision, in which the U.S. Court of Appeals for the Second Circuit ruled that warrants issued under the Stored Communication Act only reached data held within the territorial borders of the United States. As a result of this ruling, while the case was pending appeal to the U.S. Supreme Court, U.S.-issued warrants could not, at least within the Second Circuit, compel U.S. providers to disclose communications content stored outside of the U.S. even if that data were accessible from within the U.S. A range of federal courts outside of the Second Circuit disagreed with that holding in Microsoft Ireland.[18]

     As described by Richard Downing of DOJ, the rule in the Microsoft Ireland decision created significant obstacles for law enforcement—blocking access to evidence critical to U.S. investigations, based simply on where the data is stored. Among the many challenges, some companies regularly move customer data between data centers in different countries. The United States may not have any way to know where sought-after data is located and therefore where to go to attempt to access it; or even if it does learn where the data is at any given point in time, the location may have shifted by the time the MLAT request can be processed. In addition, in many instances there is no logical or normative relationship between where the data happens to be located and any sovereign interest in the case.

     The CLOUD Act responds to this, making clear that the location of storage does not determine law enforcement access. Pursuant to the CLOUD ACT, the legal obligations of a provider with “possession, custody, or control” of the sought-after data remain the same “regardless of whether such communication, record, or other information is located within or outside of the United States.” [19] That said, the U.S. can only issue the order if there is personal jurisdiction over the provider and the data is needed for the investigation of a crime over which the United States has subject matter jurisdiction.

     1. Does the U.S. CLOUD Act expand the territorial reach of U.S. law?
        The answer to this question depends on one’s assessment of prior practice and whether the Department of Justice or Microsoft was likely to prevail in the Microsoft Ireland case. Based on our understanding of then-established practice and the Supreme Court arguments in that case, we believe that DOJ was likely to prevail in the Supreme Court. If so, then the Supreme Court would have found that DOJ access to evidence under the Stored Communications Act did not vary based on the location of data storage. The CLOUD Act established the same rule – DOJ access under the SCA does not vary based on the location of data storage.

     Moreover, as described by Eric Wenger (here) and Jennifer Daskal (here), the government has long demanded data in the possession, custody or control of entities subject to its jurisdiction — regardless of where those records are stored. This was the U.S. government’s understanding of the law, including under the SCA, both before and after the CLOUD Act, as recently expressed by the Department of Justice’s Deputy Assistant Attorney General, Richard Downing, here:

     “Far from introducing a new surveillance power, the CLOUD Act codified what had been the longstanding practice in the United States until a single 2016 decision by a court of appeals in a case involving Microsoft. It is well established that a company present in our territory is subject to a U.S. subpoena for physical records in its possession, custody, or control, and must produce those records, regardless of where they are stored. For decades, the corollary principle – that a provider in our jurisdiction must produce evidence in its control, regardless of where the provider chooses to store the evidence – has been equally settled.”

     The CLOUD Act thus codified for the SCA the Department of Justice’s view of what was longstanding U.S. doctrine and practice. It did not, according to the Department of Justice, and contrary to the claims of some, expand U.S. assertion of jurisdiction. As Downing stated:

     “Nothing in the CLOUD Act’s clarification of U.S. law expands U.S. jurisdiction over foreign companies or any other entity. Nothing in the CLOUD Act expands the categories of providers subject to U.S. jurisdiction. The CLOUD Act does not alter who falls under the jurisdiction of U.S. courts; it merely confirms the obligations of the providers that already do.” [20]

     As described in the DOJ Cloud Act White Paper, the CLOUD Act’s requirements are consistent with those of many other countries: “Australia, Belgium, Brazil, Canada, Colombia, Denmark, France, Ireland, Mexico, Montenegro, Norway, Peru, Portugal, Serbia, Spain, the United Kingdom, and other countries assert domestic authority to compel production of data stored abroad.”

     Notably, the EU’s E-Evidence proposal adopts a similar approach, with a broad jurisdictional scope. The proposal is “applicable if the service providers are not established or represented in the Union, but offer services in the Union.” [21] As with the CLOUD Act, covered providers are required to relevant electronic evidence in response to a compelled disclosure order – regardless of where the underlying data is stored. [22]

     In summary, the U.S. CLOUD Act did not expand the territorial reach of U.S. law, under the DOJ’s unchanging view and, in the view of the authors, the most likely prior reading of the law.

     1. What sort of “providers” of “electronic communication services” and “remote computing services” are required to respond to DOJ under the CLOUD Act?
        The CLOUD Act requires that “a provider of electronic communication service or remote computing service” shall comply with its requirement to provide evidence. The term “remote computing service” means “the provision to the public of computer storage or processing services by means of an electronic communications system.” [23] The term “electronic communication service” is relatively broad, as Swire has explained previously in sworn testimony; it includes “any service which provides to users thereof the ability to send or receive wire or electronic communications.” [24]

     Notwithstanding this broad scope, there are legal limits on who is required to respond. Notably, DOJ can only compel production from an entity under the personal and subject matter jurisdiction of the U.S. The entity can only be compelled to provide the evidence where it has “possession, custody, or control” of the requested evidence. In addition, U.S. law enforcement must meet all of the usual requirements to access the content of communications. An independent judge must find probable cause both that (a) a specific crime has occurred or is occurring and (b) that the place to be searched, such as an email account, contains evidence of that specific crime.

     1. What sorts of evidence can DOJ collect under the CLOUD Act?
        The same sorts of evidence that it could collect prior to the CLOUD Act. As discussed in the next question, the procedural rules vary based on categories of data, with stricter rules for accessing the content of communications than for accessing basic information about subscribers.
     1. How strict are the procedural requirements before DOJ can access this evidence?
        Procedural requirements for obtaining electronic evidence under U.S. law vary based on the type of evidence. These requirements are often stricter than existing procedures applied in EU Member States. [25]

     Basic Subscriber Information (BSI): DOJ can obtain BSI with a subpoena or a court order. [26] If DOJ uses a subpoena, the subpoena must identify the subscribers or accounts for which DOJ seeks BSI. A provider can object to the subpoena by filing a motion to quash, which results in a court assessing the legality of the subpoena.

     Telecommunications metadata and other non-content data: DOJ must obtain a court order to require a provider to produce a range of data that falls between subscriber information and content data. [27] To obtain the order, DOJ must present “specific and articulable facts” that convince the court there are reasonable grounds to believe the metadata is “relevant and material” to an ongoing criminal investigation. [28] The order must specifically identify the subscribers and/or accounts whose communications metadata is to be produced. After the order is issued, the provider can object to it before a court by filing a motion to quash.

     Content: To obtain the content of communications, DOJ must obtain a warrant from a court based on probable cause. [29] DOJ must show a court (a) probable cause that a crime has been committed, and (b) probable cause that the content DOJ is requesting will be evidence of the crime. The warrant must particularly describe the content data that DOJ is authorized to obtain, and can require DOJ to collect the data within a specified time. A U.S. probable cause warrant, issued by an independent judge, is widely regarded as among the strictest, and quite possibly the strictest, standard in the world for law enforcement access to evidence of the contents of communications. [30]

     1. How broad is the power of DOJ to seek information under the “possession, custody, or control” of a service provider?
        The Cross-Border Data Forum is engaged in an ongoing research project concerning the ways in which U.S. courts have interpreted the requirement of “possession, custody, or control” in U.S. law. That term has been used for decades in U.S. criminal and civil litigation, with extensive judicial opinions that are highly fact-dependent. Forthcoming work will seek to inform both U.S. and non-U.S. readers as to the key, salient factors that underlie courts’ analysis.

     It also is important to avoid confusion between the meaning of “control” in two different legal systems. The term “possession, custody, or control” has been used in U.S. litigation involving contested access to evidence. By contrast, the term “controller” is used in EU and other data protection laws, as distinguished from a “processor” of personal data. Non-U.S. lawyers should be alerted that the word “control” in that U.S. litigation is an entirely different term than the word “controller” under data protection law.

     1. Does this part of the CLOUD Act enable DOJ to gain evidence held by a European company doing business only in Europe?
        No. U.S. law enforcement cannot seek to compel production of data under the Stored Communications Act, and hence the CLOUD Act, unless the U.S. has both subject matter and personal jurisdiction. If a European-based company operates exclusively outside the United States, then the United States does not have personal jurisdiction over that company.
     1. Does the U.S. require notice to the individual when a request for evidence is made?
        If and when the data is or is intended to be used in a criminal case, it must be disclosed to the defendant as part of the discovery process. Prior to that point, there is no explicit requirement of governmental notice to the customer when the content of communications is sought under the Stored Communications Act, except if the government is proceeding by a subpoena or a form of court order that is not a warrant. However, consistent with long-standing Department of Justice practice, and as now effectively required by the Supreme Court, [31] all demands for communications content require a warrant.

     That said, providers are permitted to provide notice to their customers, except in those cases in which the government has explicitly obtained a “preclusion of notice” order. These orders are implicitly time-limited and available only in certain circumstances. In order to issue such an order, the court must first determine that notice will result in one of the following adverse consequences: “(1) endangering the life or physical safety of an individual; (2) flight from prosecution; (3) destruction of or tampering with evidence; (4) intimidation of potential witnesses; or (5) otherwise seriously jeopardizing an investigation or unduly delaying a trial.” [32]

     In October 2017, the Department of Justice, in response to litigation initiated by Microsoft regarding what was perceived to be the over-use of such preclusion orders, issued guidance emphasizing the importance of a clear factual predicate to support such orders and one-year time limits, absent exceptional circumstances. (Note: this litigation initiated by Microsoft is entirely separate from the Microsoft Ireland case.)

     1. Does a U.S. service provider have any legal way to challenge an order issued under the CLOUD Act?
        Yes. As described in response to question 17, any person or entity that receives an order to produce evidence, including under the Stored Communications Act, can challenge the order on a variety of grounds, including: (i) that the order is not authorized by law, (2) that it is unduly burdensome, (3) that it violates some legal privilege, or (4) that it conflicts with legal requirements in another jurisdiction. In addition, CLOUD Act adds an explicit statutory basis to quash based on comity. This provision can only apply if the U.S. government is requesting data from a country with which the United States has an executive agreement, as discussed above.

     More broadly, the CLOUD Act retained the existing range of motions available to providers to object to an order. The Act states: “Nothing in this section, or an amendment made by this section, shall be construed to modify or otherwise affect the common law standards governing the availability or application of comity analysis to other types of compulsory process.” [33]

     Furthermore, nothing in the CLOUD Act reduces or otherwise affects the existing mechanism under the SCA for providers to move to quash certain kinds of court orders if “the information or records requested are unusually voluminous in nature or compliance with such order otherwise would cause an undue burden.” [34]

     1. Can the CLOUD Act be used for U.S. intelligence purposes? For U.S. civil, commercial, or administrative litigation?
        No. The CLOUD Act narrowly applies only to criminal investigations. The Act amends only the criminal law legislation under Title 18 of the U.S. Code. By contrast, the law governing requests for intelligence purposes is contained in Title 50 of the U.S. Code.

     Similarly, the CLOUD Act does not amend the Federal Rules of Civil Procedure, which govern courts for civil litigation. And it does not amend the Administrative Procedure Act or any other statute that authorizes a U.S. government entity to access evidence outside of a criminal prosecution.

     1. Can the CLOUD Act be used to steal intellectual property or trade secrets of non-U.S. companies, for the benefit of U.S. competitors?
        No. The DOJ Cloud Act White Paper states: “The United States has championed the international norm that no government should in any way conduct or support the theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to its companies or commercial sectors… Under U.S. law, theft of trade secrets is subject to criminal prosecution with penalties of up to ten years in prison.”

     A forthcoming CBDF article explains in additional detail why U.S. law and policy mean that the CLOUD Act may not be used to steal trade secrets for the benefit of U.S. companies.

     [1] The authors express their thanks for comments on earlier drafts from Théodore Christakis, Dan Felz, Justin Hemmings, and Robert Litt.

     [2] These FAQs use the term “service provider” to apply to those companies whose production of evidence is covered by the CLOUD Act. The CLOUD Act itself refers to “communications service providers,” which includes both types of providers covered by the Stored Communication Act, “electronic communication services” and “remote computing services.” 18 U.S.C. § 2703.

     [3] The statute does not contain such a prohibition for non-content data.

     [4] 18 U.S.C. § 2702(a)(1), (2). In addition to these exceptions, a service provider can respond to a non-U.S. government request for communications content pursuant to a Cloud Act executive agreement.

     [5] Id. § 2711(4) (“the term ‘governmental entity” means a department or agency of the United States or any State or political subdivision thereof.”).

     [12] See Police Directive 2016/680, Art. 8(1): “Member States shall provide for processing to be lawful only if and to the extent that processing is necessary for the performance of a task carried out by a competent authority for the purposes set out in Article 1(1) and that it is based on Union or Member State law.”

     [13] See GDPR, Art. 5(1)(c) (establishing the principle of data minimization); Police Directive 2016/680, Art. 4(1)(3) (requiring law enforcement processing of personal data to be “not excessive in relation to the purposes for which [personal data] are processed”).

     [14] See GDPR, Art. 5(1)(a) (establishing the principles of fair processing and transparency), Art. 5(2) (establishing the principle of accountability).

     [15] As discussed in the more detailed article on this topic, the description of the voting procedures assumes that a treaty would not be “self-executing.” In other words, after a treaty were signed, there would remain the need to pass implementing legislation through Congress.

     [18] Those alternative cases concluded that, as the government argued, the warrant authority under SCA reached communications content within a service provider’s possession, custody, and control, irrespective of the location of the servers. See, e.g., In re Info. Associated with @gmail.com, Case No. 16–mj–757, 2017 U.S. Dist. LEXIS 130153, 2017 WL 3445634, at *27 (D.D.C. July 31, 2017) (“[T]he SCA warrant [is] simply a domestic execution of the court’s statutorily authorized enforcement jurisdiction over a service provider, which may be compelled to retrieve electronic information targeted by the warrant, regardless of where the information is ‘located;’ ”); In re Search Warrant No. 16-960-M-01 to Google, 275 F. Supp. 3d 605, 606 (E.D. Pa. 2017); In re Two Email Accounts Stored at Google, Inc., No. 17-M-1235, 2017 WL 2838156, at *4 (E.D. Wis. June 30, 2017); In re Search of Content that Is Stored at Premises Controlled by Google, No. 16-mc-80263-LB, 2017 WL 1487625, at *4 (N.D. Cal. Apr. 25, 2017); In re Search of Information Associated with Accounts Identified as [Redacted]@gmail.com, 268 F.Supp.3d 1060, 1071 (C.D. Cal. 2017).

     [20] The DOJ Cloud Act White Paper, at 17, provided additional detail on the reach of U.S. jurisdiction: “United States requirements for exercising jurisdiction over a person are often more stringent than those in the law of other countries. Whether a company providing services in U.S. territory is subject to U.S. jurisdiction is a highly fact-dependent analysis regarding whether the entity has sufficient contacts with the U.S. to make the exercise of jurisdiction fundamentally fair. The more a company has purposefully availed itself of the privilege of conducting activities in the United States or purposefully directed its conduct into the U.S., the more likely a U.S. court is to find that the company is subject to U.S. jurisdiction.”

     [21] See Electronic Evidence Proposal, Art. 3(1); Explanatory Memorandum at 13.

     [22] See Electronic Evidence Proposal, Explanatory Memorandum at 13: “The Regulation [] moves away from data location as a determining connecting factor, as data storage normally does not result in any control by the state on whose territory data is stored. Such storage is determined in most cases by the provider alone, on the basis of business considerations.”

     [24] Peter Swire, Independent Expert Testimony in case of Schrems v. Facebook, ch. 9 (2016), available at https://www.alston.com/-media/files/insights/publications/peter-swire-testimony-documents/chapter-9–the-broad-scope-of-electronic-communica.pdf?la=en. These providers include not only the expected sorts of providers of email and social network services, but a broader array, including a company that provides its employees with corporate email or similar ability to send and receive electronic communications.

     [29] Although the SCA on its face does not require a warrant when communications have been stored for more than 180 days, the requirement to obtain a warrant even in such cases originates from the case of United States v. Warshak, 631 F.3d 266 (6th Cir. 2010). Following Warshak, DOJ adopted a policy of obtaining a warrant whenever it seeks to obtain the content of emails or other “similar stored content information” from a service provider in a criminal investigation. See U.S. Department of Justice, Acting Assistant Attorney General Elana Tyrangiel Testifies Before the U.S. House Judiciary Subcommittee on Crime, Terrorism, Homeland Security, and Investigations (Mar. 19, 2013), https://www.justice.gov/opa/speech/acting-assistant-attorney-general-elana-tyrangiel-testifies-us-house-judiciary.

     [30] See Peter Swire & Debrae Kennedy-Mayo, How Both the EU and the U.S. Are “Stricter” Than Each Other for the Privacy of Government Requests for Information, 66 Emory L. J. 617 (2016), 66 Emory Law Journal 101 (2017), available at https://ssrn.com/abstract=2920748.

     [31] See Carpenter v. United States, 138 S.Ct. 2206, 2222 (2018) (holding that a warrant is required to access more than six days of cell-site historical location data and describing as “sensible” a warrant requirement for communications content).