De-fogging the Cloud Act

Recently, and perhaps in response to plans by the Quebec government to transfer much of the personal data it holds to a cloud infrastructure most probably hosted by an American server, there has been renewed interest and concern about the effects of the U.S. Clarifying Lawful Overseas Use of Data Act otherwise know as the Cloud Act on data protection. 

Danielle Miller Olofsson has authored this article.

While concerns about the extraterritorial reach of any legislation are justified, some of the alarmism and misconceptions regarding the Cloud Act are not. They may in fact be diverting attention from an equally important risk: cybersecurity. 

What Is the Cloud Act?

The Cloud Act is a law that was passed March 23 2018 largely in response the case of Microsoft Corp. v. United States in which Microsoft challenged the extraterritoriality of United States law enforcement seeking access to electronic data stored on Microsoft servers in Ireland. Although Microsoft lost at trial, it won on appeal. Congress then passed the Cloud Act rendering any appeal to the Supreme Court moot.

Welcomed by companies such as Microsoft and Apple, the Cloud Act essentially enables the American government to ask a communications or remote computing service provider to preserve, back-up or disclose the contents of a wire or electronic communication. It also allows the government to access any record or other information pertaining to a customer or subscriber in the provider’s possession, custody or control regardless of whether the provider is located in the United States or abroad. In essence, the law enables the U.S. government to initiate a process to access data hosted on an American server even if this server is located in another country. 

The Cloud Act, however, also enables the service provider to bring a motion to quash or modify the disclosure process if: 

• the customer or subscriber is not an American citizen and does not reside in the United States; and
• the disclosure would create a material risk that the provider would violate the laws of the foreign jurisdiction.

A court would then have to apply a three part test in which it determines: 

• first, whether the disclosure causes the provider to violate the laws of a foreign jurisdiction;
• second, whether the interests of justice dictate that the disclosure process should be modified or quashed and; 
• third, whether the customer or subscriber is a citizen and residents of the United States.

In light of the above, given that most information that Quebec companies store in the cloud – even clouds hosted by American servers – pertain to citizens and residents of countries other than the United States, and given that Quebec privacy legislation, notably the Act Respecting the Protection of Personal Information in the Private Sector (arts. 17-23) and the Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information would most certainly prevent such a transfer, it is difficult to see how an American server would not bring a motion to quash a disclosure process. Indeed, the Cloud Act finally gives large American servers a means to stand up to government disclosure demands thus assuaging the costly fears of organisations that refuse to use these servers because of their inability to protect information from the extraterritorial reach of the US government It is also difficult, but perhaps not impossible, to conceive that a court would deny a motion to modify or quash a demand provided the right circumstances were present. 

Although there has been much justified concern about the extraterritorial nature of legislation passed by the United States in the wake of the terrorist attacks of September 11 2001, many indications suggests that the United States is retreating from its previous position according to which it could seek information anywhere by any means. The Cloud Act, arguably, is an example of this new approach. Another example is the USA Freedom Act that replaced the Patriot Act in 2015 and that has considerably reduced the scope of America’s extraterritorial reach.

So while extraterritoriality may have been a convincing argument for non-American servers seeking to attract business by playing on justified fears, these fears are not as justified as they once were. Moreover, when it comes to data protection, although national sovereignty is a valid concern, a second equally pressing concern is cyber security and the fact that large, mostly American, servers have the resources required to offer the most adequate protection against criminals seeking to access and misuse our data.