
The CLOUD-Act: U.S. sets the rules for cross-border e-evidence gathering?


11.04.2018 EU law

On March 23, 2018, the U.S. Congress passed the Clarifying Overseas Use of Data Act (CLOUD Act), which provides for important changes in relation to cross-border law enforcement access to communications data.

The CLOUD Act covers the disclosure of content, records and other information pertaining to a customer or subscriber within the possession, custody or control of a provider of an electronic communication service or remote computing service. The Act has a dual purpose: it explicitly allows U.S. law enforcement authorities to access data stored abroad, and it allows foreign (non-U.S.) authorities to seek the disclosure of data directly from U.S. providers when certain conditions are met.

Access by U.S. LEA to data stored abroad

Firstly, the Act aims to solve the issue in the Microsoft case, which is pending before the U.S. Supreme Court. This case addresses the question of whether U.S. law enforcement can legitimately oblige Microsoft, located in the U.S., to provide communications data that are stored on servers in Ireland. The CLOUD Act explicitly gives U.S. law enforcement authorities the possibility to compel providers (such as email service providers, certain cloud service providers and social media providers) to disclose communication data regardless of where the data in question are stored (on or outside U.S. territory).

The Act also adopts a procedure for addressing potential conflicts of laws, taking into account foreign (privacy) laws:

  • It provides for a specific balancing mechanism in relation to orders to disclose content that potentially breach the laws of a qualifying foreign government (i.e. a country that has signed an executive agreement with the United States to facilitate cross-border law enforcement access to data (infra)). In those circumstances, the (potentially foreign) provider concerned may file a motion to have the order for disclosure modified or quashed if it reasonably believes that (i) the customer or subscriber is not a United States person or he or she does not reside in the United States and (ii) the required disclosure would create a material risk that laws of a qualifying foreign government would be violated. A court will decide whether the order should be modified or quashed while having a rather wide margin of appreciation (taking into account the investigative interests of the U.S., the foreign government’s interest in preventing disclosure, the location and nationality of the subscriber or customer in question, etc.). This balancing mechanism shall be the sole basis for moving to quash on the grounds of a conflict of law related to a qualifying government.
  • The CLOUD Act does not give clear guidelines, however, when service providers are confronted with disclosure orders that could potentially violate foreign legislation outside the said hypotheses (such as orders potentially violating the laws of non-qualifying foreign governments). It even explicitly states that the introduction of the balancing mechanism does not affect existing standards in relation to compulsory procedures not covered by the said mechanism. Therefore, the CLOUD Act does not answer the currently pressing question of which standards apply in those circumstances. As long as governments do not acquire the capacity of a “qualifying foreign government”, it thus seems that providers are still left in the dark as to how they should respond to U.S. requests that could potentially violate foreign (privacy) laws (such as orders to produce data on a foreign customer or subscriber).

Cross-border cooperation orders from foreign LEA

Secondly, the CLOUD Act gives foreign (non-U.S.) governments the possibility to enter into an executive agreement with the United States. Once such an executive agreement is concluded, the foreign government becomes a qualifying foreign government (supra). The executive agreement would permit U.S. service providers to intercept or disclose communication content in response to an order coming from a government that is a signatory to the said agreement. This is not the case, however, if the order targets a U.S. person or a person located in the U.S.

In order to be eligible to enter into an executive agreement, the criminal justice system of the foreign government must meet a set of criteria aimed at ensuring robust protection of the right to privacy and other civil liberties, such as the freedom of speech. Furthermore, the CLOUD Act spells out procedural requirements in relation to the said cross-border cooperation orders. The order should relate to serious crime, indicate a specific identifier as the object of the order, comply with the domestic law of the country concerned, be reasonably justified, and be subject to review by an independent authority.

The executive agreements will be based on the principle of reciprocity. The foreign governments will have to remove restrictions on communications service providers (including providers that are subject to U.S. jurisdiction) and thereby allow them to respond to valid cooperation orders coming from U.S. governmental entities. Furthermore, the local laws have to provide substantive and procedural opportunities to service providers which are similar to the balancing mechanism mentioned above.

Awaiting disclosure of EU legislative initiatives

In the meantime, the European Commission is, in turn, working on legislation concerning cross-border e-evidence gathering from an EU law perspective. Release of the said initiative has been expected for a while and is now scheduled for mid-April. It remains to be seen whether the EU point of view will coincide with the U.S. perspective and whether and/or under what circumstances it will remain possible for individual EU Member States to enter into executive agreements with the United States further to the CLOUD Act.

To be continued…

(CLOUD-Act: H.R.1625 – 115th Congress, https://www.congress.gov/115/bills/hr1625/BILLS-115hr1625enr.pdf, 866 et seq.)
