WHAT IS THE U.S. CLOUD ACT?
Last year the U.S. passed the Cloud Act which essentially makes it possible for the U.S. to compel a data provider to produce electronic evidence regardless of what country the data is stored.
It also provides for bilateral agreements between the U.S. and other qualifying countries to not restrict access to the data if stored in their country.
WHAT DOES THE WORD “CLOUD’ IN THE CLOUD ACT MEAN?
The acronym C-L-O-U-D stands for, “Clarifying Lawful Overseas Use of Data Act”
WHAT WAS ONE OF THE CATALYSTS FOR THE CLOUD ACT?
The United States vs. Microsoft 2013 case in which (U.S. based) Microsoft challenged a warrant served on them by the U.S. Department of Justice as part of a drug-trafficking investigation to produce electronic evidence Microsoft had stored in Ireland.
WHAT DOES THE CLOUD ACT HOPE TO ACHIEVE?
The Cloud Act serves to help global law enforcement receive electronic evidence in a timely fashion by lifting the obstacle to data stored in another country.
Absent the Cloud Act, law enforcement would need to go through a cumbersome Mutual Legal Assistance Treaty (MLAT) process which could take months before the electronic evidence is made available making it possible for suspects to evade potential prosecution.
EUROPEAN LAW ENFORCEMENT BENEFIT OF THE CLOUD ACT (HYPOTHETICAL)
If the Munich police are working an active child-kidnapping occurring in Munich, and the provider for the suspect’s texting/phone service is in Germany, even if data is stored in the U.S., Munich law enforcement need only subpoena the data from the German provider to receive the electronic evidence. They do not need to make a request through U.S. government channels (MLAT process.)
U.S. LAW ENFORCEMENT BENEFIT OF THE CLOUD ACT (HYPOTHETICAL)
Conversely, if the kidnapping has taken place in the U.S., and the suspect’s U.S. phone service provider stores its data in Germany, U.S. law enforcement need only subpoena the data from the U.S. provider who is then required to produce the electronic evidence even though it’s stored in Germany.
SYNOPSIS OF THE CLOUD ACT
Here is a synopsis of the Cloud Act presented by Professor Jennifer Daskal, American University Law School at the Computers, Privacy, Data Protection (CPDP) Conference earlier this year in Belgium in the program’s segment titled, “The Cloud Act and E-Evidence–America First or GDPR First?”:
Part I: US warrants and other compelled disclosure orders reach data that is in the “possession, custody, or control” of a U.S.-based provider, regardless of where the data is located.
Part II: Authorizes U.S. executive branch to enter into bilateral MLAT bypass agreements with foreign governments.
And here is one quote from remarks made by U.S. Deputy Assistant Attorney General Richard W. Downing at the 5th German-American Data Protection Day this past May on “What the U.S. Cloud Act Does and Does not Do” that recognizes the current deficiency of the MLAT system:
“There is also widespread understanding that countries need the domestic authority to compel providers within their jurisdiction to produce electronic evidence within the providers’ possession, custody, or control, regardless of where the providers might choose to store that data.”
Again, transnational law enforcement investigators do not need to go through official channels in the foreign country of storage to obtain electronic evidence. Law enforcement need only subpoena the provider in their home country who is then compelled to produce the electronic evidence regardless of where it is stored.
And as Professor Daskel stated, “The idea is to target the individual [in other words, the target of the investigation in the country of occurrence] not the location of the data.“
CLOUD ACT DATA PRIVACY SAFEGUARDS
Professor Daskal detailed the essential elements required of countries that want to enter into bilateral agreements under the Cloud Act as follows:
Foreign governments must be certified as affording “robust substantive and procedural protections for privacy and civii liberties.”
Requests must be:
- Based on “reasonable and credible facts’
- Subject to independent review or oversight
- For purpose of investigating “serious crime”
- Subject to requirements that non-relevant info be deleted or sealed and not disseminated
- Not used to “infringe freedom of speech”
- Subject to secure storage/access limits
- Must only target non-US citizen/legal permanent resident located outside the United States
DATA PRIVACY DEBATE
I will not discuss the debate over data privacy and the Cloud Act, except to say that there are interested parties that do not feel adequate data privacy safeguards have been put in place.
View the Computers, Privacy, Data Protection (CPDP) Conference on You Tube referenced above titled, “The Cloud Act and E-Evidence–America First or GDPR First?” to hear opposing views.
WHY SHOULD GLOBAL IP INVESTIGATORS CARE?
As global IP private investigators and brand protection specialists, we often collaborate with law enforcement on behalf of our clients.
It’s important for us to know that there is now an expeditious process by which law enforcement can get electronic evidence from a provider regardless of where the data is stored around the world.
IP CASE SCENARIOS IN WHICH APPLICATION OF THE CLOUD ACT WOULD BE USEFUL (HYPOTHETICALS)
It is hard to say how the application of the Cloud Act would be helpful in IP cases at this time, but I don’t think it’s a stretch to imagine a few urgent IP case scenarios that could justify its use. Here are a couple of possibilities:
Trade Secrets Theft Case (Hypothetical):
The target of a trade secrets theft investigation is approached by investigators on his way to the airport (the target is booked on a flight overseas) and asked for permission to inspect the contents of his iPhone.
The target refuses and there’s insufficient probable cause to make an arrest and seize the phone, but a judge may find there is enough information to subpoena the target’s data provider to ascertain the iPhone’s contents.
And, because of the Cloud Act, that information could be expeditiously collected (regardless of where it is being stored) and presented to the investigators in a timely fashion.
After review of the data, trade secrets could be uncovered on the phone, which potentially gives the investigators probable cause to make an arrest, seize the iPhone and, consequently, prevent the target from leaving the country.
Trademark Infringement Case (Hypothetical):
Investigators into the counterfeiting of an energy drink (concocted after the drink’s formula was stolen) have identified a suspect and the manufacturing location of the drink, but have not been able to obtain samples of the alleged counterfeited drink.
The IP attorney attached to the case may advise that if they had an ex parte seizure order (applying the 2016 Defend Trade Secrets Act) they could get samples from the manufacturing location to test its contents.
Except, the judge is not prepared to issue the ex parte order based on the initial information provided by the investigators, but is willing to issue a subpoena for electronic evidence from the suspect’s iPhone provider.
As a result of serving the subpoena on the U.S. data provider (who collected the data from storage in a foreign country), incriminating electronic communications pulled from the suspect’s phone persuaded the judge to issue the the ex parte seizure order to prevent the the destruction of evidence and any potential harm to consumers.
Copyright and Patent Cases:
I think it’s reasonable to anticipate scenarios in which the Cloud Act will be critical to advancing urgent patent or copyright infringement investigations as well.
Here is the final quote from U.S. Deputy Assistant Attorney General Downing’s remarks which I think captures the necessity for the Cloud Act:
“We must not lose sight of the bottom line: Cross-border transfers of electronic evidence are necessary and appropriate, and they are a critical component of investigating crime in the 21st century. The CLOUD ACT represents a new way forward.”
Disclaimer: IPPIBlog.com is offered as a service to the professional IP community. While every effort has been made to check information in this blog, we provide no guarantees or warranties, express or implied, with regard to content provided in IPPIBlog.com. We disclaim any and all liability and responsibility for the qualification or accuracy of representations made by the contributors or for any disputes that may arise. It is the responsibility of the readers to independently investigate and verify the credentials of such person and the accuracy and validity of the information provided by them. This blog is provided for general information purposes only and is not intended to provide legal or other professional advice.