Cloud Providers Look for Legal Loopholes to Protect Customer Data

By John K. Higgins
May 17, 2018 10:36 AM PT

United States-based providers of e-commerce resources, including cloud services, must release foreign-held customer information to law enforcement agencies under a new law enacted in March.

Providers have strongly objected to releasing customer information residing outside the U.S. for fear of violating the privacy laws of other countries. In a legal filing, the providers noted a potential “staggering” loss of international customers who no longer would trust the providers to protect their privacy. The document cites the positive trade balance of US$18 billion for U.S.-based cloud service providers in 2015.

As the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, was enacted, a dispute between Microsoft and the U.S. Department of Justice over the release of foreign-held customer data was playing out in the U.S. Supreme Court. Microsoft had challenged the basis of a 2013 DoJ warrant for customer information residing at a data facility in Ireland. The DoJ sought the information in connection with a criminal drug investigation.

Since the CLOUD Act addressed the major issue in dispute between DoJ and Microsoft, the Supreme Court agreed to a request by both parties and mooted the case.

DoJ Targets Microsoft in New Warrant

The Justice Department quickly resumed its case against Microsoft under the CLOUD Act.

DoJ asserted that the Act clearly provides U.S. law enforcement agencies with the ability to seek customer information related to criminal investigations when that data resides at a facility outside the U.S. DoJ argued that the CLOUD Act demolishes the legal basis for Microsoft’s past refusal to comply with its request for the information, and issued a new warrant to the company.

“The government is now unquestionably entitled to disclose foreign-stored data under the Stored Communications Act (SCA),” DoJ said in a petition to dismiss the Supreme Court case.

DoJ and Microsoft had different views on the reach of the SCA, which led to the original court case. The CLOUD Act removed the SCA ambiguity by stating that U.S. law now would cover customer information that is “located within or outside of the United States.”

The CLOUD Act applies to any “electronic communication service or remote computing service,” and it requires providers to “preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber.” The data must be within a provider’s “possession, custody, or control.”

Microsoft Is Not Rolling Over

Microsoft may be contemplating a rejection of the new DoJ warrant, however. While the company no longer can use the international location argument to reject the DoJ request, it has indicated there may be another legal means to challenge the department under the international “comity” provisions of the CLOUD Act.

“We did not sue our own government four times and devote energy to these issues over four sometimes long years to stop showing resolve now,” said Brad Smith, president and chief legal officer at Microsoft.

The Act allows some leeway for companies to refuse to comply with law enforcement requests for information located outside the U.S., he contended.

Broadly speaking, the comity provision allows companies to ask a court to cancel — in legal terms to “quash” — a warrant for information if the situation would interfere with the terms of any reciprocal agreement between the U.S. government and another country over such data protection.

Courts then would have to find that the release of sought-after information would compromise the comity of any country-to-country agreement.

In the event there was no specific bilateral agreement, the CLOUD Act would allows companies to challenge a warrant based on the “common law” concept of comity, according to Microsoft. In its petition for dismissal of the Supreme Court case, the company argued that it would evaluate its options under the CLOUD Act regarding the new DoJ warrant.

However, Smith’s commentary highlighting the value of bilateral agreements and the use of common law protections in lieu of such agreements appears to indicate that a challenge to DoJ on the comity issue is an option.

“The CLOUD Act both creates the foundation for a new generation of international agreements and preserves rights of cloud service providers like Microsoft to protect privacy rights until such agreements are in place. Each of these aspects is critical,” Smith said.

Microsoft did not respond to multiple requests to comment for this story.

Questions About Comity

The only problem with Microsoft using the comity argument associated with country-to-country agreements is that currently there aren’t any such accords, according to a commentary by DLA Piper attorneys Ilana Hope Eisenstein, Jim Halpert and Lindsay R. Barnes.

“As of yet, no CLOUD Act agreements have been established, and thus providers have no present recourse under this procedure,” they wrote.

That presents another legal hurdle, as there are no rulings by courts related to use of the procedure.

“Comity analysis only comes into play if the data the government seeks resides in a country with whom the U.S. already has the kind of bilateral executive agreement contemplated under the CLOUD Act,” Eisenstein told the E-Commerce Times.

“Only after the U.S. starts to make these agreements with other countries and the courts have an opportunity to interpret the CLOUD Act will we start to see what that comity analysis looks like,” she pointed out.

“Both before and after the CLOUD Act, providers could raise common law comity concerns, if and when a disclosure order puts the provider in the middle of conflicting legal obligations,” noted Jennifer Daskal, associate professor at American University Washington College of Law.

“Microsoft has never claimed that any such explicit conflict existed, so it seems strange that it would raise the issue now,” she told the E-Commerce Times.

“That said, the European Union’s General Data Protection Regulation goes into effect at the end of May,” said Daskal.

“Once in place, that could provide a source of conflict if the data is located within the EU. I would think, however, that courts would — and should — look unfavorably on any delay tactic that dragged this out until the end of May and then claimed conflict there,” she observed.

“There are, of course, other independent reasons why Microsoft might object that have nothing to do with the location of the data or foreign law — that could possibly provide a separate reason for their further evaluation,” Daskal said, “although I don’t have any knowledge as to what those objections might be.”

John K. Higgins has been an ECT News Network reporter since 2009. His main areas of focus are U.S. government technology issues such as IT contracting, cybersecurity, privacy, cloud technology, big data and e-commerce regulation. As a freelance journalist and career business writer, he has written for numerous publications, including
The Corps Report and Business Week.
Email John.

You Might Also Like