The CLOUD Act: Mooting the Microsoft Ireland Case, but Not Forecasting Clear Skies Just Yet
Posted on Aug 13, 2019Patrick J. Gallagher
One of the highest profile cases of the current Supreme Court term is likely now mooted due to a small portion of the lengthy omnibus spending bill, passed in March by Congress in a last-minute effort to avert an impending government shutdown.
United States v. Microsoft[1]—which the Supreme Court heard oral argument for on February 27, 2018—is pending before the Court and a decision would have far reaching implications for government investigations, consumer privacy, and cloud storage technology.
The main issue in Microsoft is whether an email provider must comply with a United States government warrant to produce emails that are stored outside of the United States.[2] The warrant in Microsoft was issued pursuant to the Stored Communications Act of 1986,[3] a statute that predates the Internet, making it unclear how it applies to modern technology.
As part of its cloud computing service, Microsoft stores some consumer data abroad. This case arose because the technology company refused to turn over emails linked to a drug-trafficking case that were stored on a server in Ireland.[4] After the United States District Court for the Southern District of New York denied Microsoft’s motion to quash the warrant and held the company in contempt for refusing to execute it, the United States Court of Appeals for the Second Circuit reversed.[5]
The Second Circuit relied on Supreme Court precedent—most recently re-affirmed in RJR Nabisco[6]—that calls for a presumption against extraterritoriality in statutory interpretation, stating “we presume that legislation of Congress ‘is meant to apply only within the territorial jurisdiction of the United States,’ unless a contrary intent clearly appears.”[7] While this reasoning captures Microsoft’s argument, the government’s position is that no extraterritorial act is required to fulfill an order under the Stored Communications Act since the focus of the order—namely gathering the data—can be primarily executed within the borders of the United States.[8]
Although the Supreme Court granted certiorari despite the absence of a circuit court split, both parties—as well as Justices Ruth Bader Ginsburg and Sonia Sotomayor—seemed to agree that Congress, not the Court, would be the best branch to resolve the issue by passing new legislation that unambiguously addresses modern cloud computing technology.[9]
That hope came true on March 23, 2018 when President Donald J. Trump signed into law a $1.3 trillion spending bill, which includes a measure on electronic data—the Clarifying Lawful Overseas Use of Data (CLOUD) Act.[10] The Act amends the Stored Communication Act to require an electronic communication provider to disclose records “regardless of whether such communication, record, or other information is located within or outside of the United States.”[11] As a result, the Department of Justice and Microsoft now agree the action is moot and have asked the Supreme Court to dismiss the case.[12]
While it may appear that Congress has effectively decided the case in the government’s favor, Microsoft—and other technology companies—have welcomed the CLOUD Act because it provides more consistency than the outdated legislation did.[13]
Nonetheless, the Act raises several questions that are worth exploring.
1. Is Congress legislating for territory outside of its jurisdiction?
No. First, the language of the CLOUD Act makes it explicitly clear that Congress intends to legislate extraterritorially. Therefore, it will rebut the RJR and Morrison presumption that the Second Circuit noted and that was discussed during oral argument. As such, a court interpreting this statute should have no doubt that it is meant to apply to data stored overseas.
Taking a step back, Congress’s legislative power is not limited to the borders of the United States. It is a longstanding principle of international law that states may prescribe laws with respect to “the activities, interests, status, or relations of its nationals outside as well as within its territory.”[14] Because foreign cloud servers affect American companies and individuals, Congress is within its power to enact this legislation.
2. What if another country’s laws make it illegal to turn over the data?
The CLOUD Act outlines a process through which a company can object to complying with an order that would cause it to violate the laws of the country in which its data is stored.
A company subject to a disclosure order may move to quash it if (1) the customer whose data is being requested is not a United States citizen, national, permanent resident, association, or corporation and does not reside in the United States, and (2) complying with the order would risk violating the laws of a “qualifying foreign government,” defined as a government with which the United States has entered into an executive data sharing agreement.[15] When such a motion is made, a court is directed to then engage in a comity analysis—essentially weighing the interests of the United States against the foreign country’s interests—to determine whether or not the company must comply with the order.[16]
The Microsoft case did not involve such a situation because Ireland did not claim the data disclosure would violate Irish law. In fact, this situation is unlikely to come up because, under the CLOUD Act, the countries with which the United States chooses to enter into data sharing agreements are required to have privacy laws similar to that of the United States (see response to question three below for more details). As such, it is unlikely the United States will form an agreement with a foreign government that would prevent the release of such data. Consequently, a conflict of laws is unlikely to arise.
3. Do these agreements mean that foreign governments can also request data stored in the United States?
Yes and no. Under the CLOUD Act, executive agreements may be formed between the United States and foreign governments if the Attorney General and Secretary of State submit to Congress that, among other things, the foreign government’s law “affords robust substantive and procedural protections for privacy,” which are outlined in detail in the Act.[17] Such agreements will be made so that data can be efficiently shared without needing to request such data through existing, but often cumbersome, international treaties.
It is unclear at this early stage how many agreements will be formed. However, in a letter to Congress, the ACLU and other privacy groups have expressed concern about the power foreign governments may have under the Act to access Americans’ data.[18]
4. What will happen next?
Microsoft is complying with the new warrant issued pursuant to the CLOUD Act. Therefore, the Supreme Court will most likely dismiss Microsoft since the question to be answered is now moot.
Depending on the agreements formed with foreign governments, challenges to the CLOUD Act could arise under conflicts of law. If this occurs, courts will have to conduct comity analyses to determine whether such orders should be enforced.
Therefore, although the CLOUD Act has resolved the issue of whether domestic companies must produce foreign-stored data, uncertainty remains over the reach of this mandate if and when it conflicts with a foreign country’s laws.
[1] Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016), cert. granted, 60 U.S.L.W. 3184 (U.S. Oct. 16, 2017) (No. 17–2).
[4] Microsoft, 829 F.3d 197 at 203–05
[5] Id. at 201–02
[6] RJR Nabisco, Inc. v. European Community, 136 S.Ct. 2090 (2016).
[7] Microsoft, 829 F.3d 197 at 210 (quoting Morrison v. National Australia Bank Ltd., 561 U.S. 247, 255 (2010)).
[14] Restatement (Third) of the Foreign Relations Law of the United States § 402; see also Andrew Keane Woods, Against Data Exceptionalism, 68 Stan. L. Rev. 729, 764-73 (2016).