As part of the recently enacted federal spending bill, the US Congress has passed a momentous piece of legislation directly affecting providers of electronic communication services like email service providers and social media networks. The so-called CLOUD Act, by amending the Stored Communications Act, 18 USC. §§ 2701 et seq. (SCA), makes clear that American law enforcement officials can compel US providers to produce data even if it is stored outside the United States. It also establishes new rules facilitating foreign law enforcement access to data stored within the United States. The CLOUD Act effectively moots the central question in a pending, potentially landmark case before the US Supreme Court, and it may have ripple effects on other multinational companies that hold data in different jurisdictions.
The Case of the Extraterritorial Warrant
On February 27, the US Supreme Court heard oral argument in United States v. Microsoft Corp., in which the company had received a US warrant under the SCA for data held in Ireland. While the parties agree that the SCA had lacked extraterritorial reach, they disputed whether the warrant at issue in this case was extraterritorial. Microsoft argued that the warrant was extraterritorial because it sought information stored in Ireland. The government argued that the warrant was domestic because Microsoft could comply by “undertaking acts entirely within the US.” Brief for United States at 25, United States v. Microsoft Corp., 138 S. Ct. 356 (2017) (No. 17-2).
As a practical matter, when the Department of Justice served Microsoft with the warrant, Microsoft faced three choices: (1) comply with the US government’s interpretation of the SCA and potentially violate Irish law or impinge on Irish sovereignty;1 (2) comply with Irish law and be held in contempt in the United States; or (3) seek to quash the SCA warrant to the extent it requires Microsoft to violate Irish law and thus force the United States to use a Mutual Legal Assistance Treaty (MLAT). Microsoft chose the third option. Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197, 200-01 (2d Cir. 2016), cert. granted sub nom. United States v. Microsoft Corp., 138 S. Ct. 356 (2017).
The Purpose of the CLOUD Act
With passage of the CLOUD Act, Congress has likely mooted the central question in Microsoft by implementing Section 2713 of the SCA. This new section requires that electronic communication service providers and remote computing service providers “comply with the obligations of [the SCA] to preserve, back up, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.” CLOUD Act § 103(a), to be codified at 18 USC. § 2713.
This new rule clarifying the SCA warrant power’s reach to “information located within or outside of the United States” applies to a number of SCA obligations, including those pursuant to a warrant for content; warrant, subpoena or other search authorization for non-content records; or pursuant to National Security Letters. Providers, upon request by a government entity, must preserve data in their possession for at least 90 days (180 days if the government entity requests) pending the issuance of a court order or other process. See 18 USC. § 2703(f). Id. The new provision would also apply to 18 USC. § 2704, which requires service providers to create backup copies of electronic communications sought by a government entity.
The CLOUD Act also attempts to...
