Search Results

Sorry we couldn't find any results for you.

To find more of our people, please search using the ‘People’ option at the top.

    Loading search results

    Skip to Content

    The Clarifying Lawful Overseas Use of Data Act, signed into law in March 2018

    While much of the technology world has been preparing for or bracing for GDPR, Congress passed the CLOUD Act. The Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, signed into law in March 2018, provides United States law enforcement agencies access to user data such as emails and text messages stored on severs located in foreign jurisdictions. While it remains to be seen how, or even whether, the rights and obligations created by the CLOUD Act will intersect with GDPR, it seems the two are manifestations of two differing philosophies to data privacy.¹

    While the CLOUD Act brings welcomed certainty for companies in the technology sector, data privacy advocates are concerned this certainty comes at the price of personal privacy.


    The Act supplements the Stored Communications Act (SCA) of 1986 which “governs U.S. authority to compel disclosure of electronic communications or data stored with a service provider.2 Warrants issued under the SCA were, and remain, the mechanism under which U.S. agencies may obtain a warrant compelling companies to turn over the private data of its users.

    The Act extends the reach of the SCA in several important ways: First, the Act allows foreign agencies to obtain personal information stored on U.S. servers without a warrant, a procedural mechanism that ensuring judicial review.³ Second, the Act allows foreign agencies to collect personal information such as emails and text messages without notifying the person whose private data is being collected.4 the Act allows U.S. agencies to collect private data of any person regardless of the location of the data so long as a U.S. company has control or custody of the data.5 Fourth, the Act allows the Executive branch to enter into agreements with foreign countries that have substantially lower privacy standards.6

    Impact for our U.S. Clients

    Technology companies also laud the CLOUD Act for balancing the needs of domestic and foreign government agencies with the rights of the technology companies.7 Moreover, because the Act only allows entering into Executive agreements with countries that meet the specified privacy standards, the Act creates an incentive for foreign countries to update their own privacy standards.8 Under the rubric of the CLOUD Act, companies can challenge an order compelling production of user data, but the Act does not provide a mechanism for individuals whose data is the subject of the order.

    Foreign Jurisdictions

    The Act empowers the Executive Branch to enter into agreements with foreign countries, granting agencies in those foreign countries to compel production of user data stored within the United States. Foreign countries entering into such agreements must meet minimum data privacy standards and agree to minimize the amount of personal data collected on United States citizens. Like other Executive agreements, Congress can object to agreements with individual foreign countries, but they will not be subject to judicial review by the Courts.

    While at first blush the CLOUD Act presents regulatory compliance issues, much remains unsettled. For example, because Executive agreement nations each have their own mechanism for seeking data stored in the United States, the potential implications for liability are hard to predict. Likewise, it remains unclear whether the CLOUD Act will inspire lawsuits against service providers filed by customers whose data is produced to government agencies for failing to challenge the data request.

    1“The CLOUD Act's Dramatic Impact on International Privacy Laws,” The National Law Review, June 7, 2018, available here and “While You Were Busy With GDPR – The US CLOUD Act Was Passed, And It Has Significant Impact For European Organisations,” Data Economy, June 18, 2018, available here.
    2“CLOUD Act is Now Law,” The AntiCorruption Blog (Squire Patton Boggs LLP), Ericka Johnson and Anthony Dursi, April 5, 2018, available here.
    3Responsibility Deflected, the CLOUD Act Passes, David Ruiz, The Electronic Frontier Foundation, March 22, 2018, available here.
    4Coalition Letter Opposing the CLOUD Act, available here.
    7“The CLOUD Act is an important step forward, but now more steps need to follow,” Brad Smith, Microsoft, April 3, 2018, available here.