The CLOUD Act’s Impact on Cross-Border Investigations

Written By Kristina Cervi


United States of America v. Microsoft Corporation

On December 4, 2013, in response to an application by federal law enforcement agents, Magistrate Judge James C. Francis of the Southern District of New York issued a search warrant that authorized the search and seizure of all e-mails and other information associated with an account believed to be furthering illegal drug trafficking. Under the §2703 warrant, Microsoft was compelled to disclose to the Government the contents of the specified e-mail account and all other records or information “[t]o the extent that the information . . . is within [Microsoft’s] possession, custody, or control.”

Microsoft’s Global Criminal Compliance team (“GCC”) produced the non-content information stored on servers in the United States. However, once the GCC determined that the target account’s data was hosted and stored in Dublin, Ireland, Microsoft filed a motion seeking to quash the warrant to the extent that it directed the production of information stored abroad. Microsoft cited the Stored Communications Act (“SCA”) and Rule 41 of the Federal Rules of Criminal Procedure (“Rule 41”) in their motion, claiming “[f]ederal courts are without the authority to issue warrants for the search and seizure of property outside the territorial limits of the United States.”

Judge Francis ultimately denied the motion which was later adopted by the District Court, and Microsoft was held in civil contempt for refusing to comply fully with the warrant. Microsoft appealed to a panel of the Court of Appeals for the Second Circuit contending the SCA and Rule 41 preempted the production of information stored overseas. The Government continued to argue that Microsoft had full control of the data and should be compelled to turn it over despite its overseas storage location. The Second Circuit reversed the denial of the motion to quash and vacated the civil contempt order, holding “that requiring Microsoft to disclose the electronic communications in question would be an unauthorized extraterritorial application of §2703” of the SCA as had been argued by Microsoft at the district level.

Tech Industry Takes It to The Hill

On October 16, 2017, the Supreme Court granted the United States’ Petition for Writ of Certiorari. As both parties prepared for their day before the highest court in the land, Microsoft sought creative solutions and spearheaded a lobbying effort on Capitol Hill. Joined by parties like Apple, Facebook, and Google that could also be implicated by warrants like the one at issue here, Microsoft drafted a letter to Congressional leadership on February 6, 2018. The letter encouraged members of both Houses to adopt the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”), a bipartisan bill that would amend the SCA and deliver “a logical solution for governing cross-border access to data” while also protecting customers and data holders with the law. The CLOUD Act essentially provided the legal answer to the question of law that parties argued over in front of the Court on February 27, 2018.

On March 23, 2018, Congress passed the $1.3 trillion Omnibus spending bill which included the CLOUD Act and President Trump signed the Consolidated Appropriations Act, 2018 into law. Under the CLOUD Act, companies must provide information properly requested by law enforcement, “regardless of whether such communication, record, or other information is located within or outside of the United States.” The CLOUD Act offers mechanisms for companies or the courts to reject or challenge the warrants, if the request violates the privacy rights of the foreign country storing the data, and if it does not overcome the muster of international comity which seeks to restrain the reach of domestic laws abroad.

Consequently, on April 17, 2018, the Supreme Court of the United States dismissed United States v. Microsoft Corp. on grounds of mootness, citing to the authority of the CLOUD Act. The Court explained that the Government had obtained a validly legal search warrant under the new version of §2703 and that no outstanding disputes remained.

What’s next for cross-border investigations?

The CLOUD Act ultimately provides clarity in a field of law that was in desperate need of an update. The Act preserves the common law right of cloud service providers to challenge search warrants where a conflict of laws exists and to evolve in the wake of the European Union’s new General Data Protection Regulations. Tech companies expect that Europe will consider the comity analysis requirements of the CLOUD Act and decide its own fate in terms of U.S. search warrants.

Further, the law will supplement Mutual Legal Assistance Treaties, which have become increasingly antiquated in the Digital Age. The law provides authority and a framework for the U.S. to establish international agreements. This framework only supports executive agreements with countries that protect privacy and human rights by mandating a broad and robust set of protections found enumerated in the U.S. Constitution. These include the rule of law and principles of nondiscrimination; lawful interference with privacy; fair trial rights; freedom of expression, association, and peaceful assembly; and prohibitions on arbitrary arrests and prohibitions or cruel and unusual punishment.

Overall, the CLOUD Act is a modern legislative action worthy of praise. Companies like Microsoft are able to preserve data privacy in the interest of their consumers through the outlined appellate process. Law enforcement has clarity in an area of law that was becoming increasingly vague, and the CLOUD Act will now streamline the global data exchanges commonly used in cross-border investigations of major crimes. Lastly, the international community will benefit from the enhanced privacy protections and the outlined executive agreement requirements that provide legal structure for the digital evidence gathering phases of criminal litigation.

Sources Cited

Devin Coldewey, Supreme Court dismisses warrant case against Microsoft after CLOUD Act renders it moot, TechCrunch (Apr. 17, 2018).

Taylor Hatmaker, As the CLOUD Act sneaks into the omnibus, big tech butts heads with privacy advocates, TechCrunch (Mar. 22, 2018).

In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., 15 F.Supp.3d 466 (S.D.N.Y. 2014).

In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., 829 F.3d 197 (2nd Cir. 2016).

United States v. Microsoft Corp., 584 U.S. ___ (2018).

2383, 115th Cong. (2018).

Dylan Matthews, Congress’s new $1.3 trillion omnibus spending bill, Vox (Mar. 23, 2018).

John Wagner and Mike DeBonis, Trump signs $1.3 trillion spending bill despite veto threat on Twitter, The Washington Post (Mar. 23, 2018).

Brad Smith, The CLOUD Act is an important step forward, but now more steps need to follow, Microsoft (Apr. 3, 2018).

Photo courtesy of FCW.