Skip to content

Question: What is the CLOUD Act?

Answer:

The Clarifying Lawful Overseas Use of Data (CLOUD) Act was enacted by the US Department of Justice in March 2018 to assist foreign partners with serious crime investigation (e.g., terrorism, cybercrime, sexual exploitation of children, etc.). It became necessary due to increased requests for electronic information being held by US-based global vendors concerning individuals or entities located in other countries. For example, UK law enforcement is investigating 2 UK citizens, but the information they need to access is stored by the communications service provider (CSP) in Amazon Web Services (AWS) or Microsoft Azure or another US-based company – the CLOUD Act gives the foreign partner’s authorities easier access to the data.

To enter into these bilateral agreements and become a partner, the country(ies) must have robust civil liberties and privacy protections; currently only 3 partners have agreements with the US under this Act:

  • United Kingdom
  • European Union
  • Australia

Importantly, the Act does not add any new obligations for the US-based companies or give the US government jurisdiction over foreign companies. It merely speeds up established processes so law enforcement can gain timely access to electronic evidence under the legal system of the country seeking the data. (As a bilateral agreement, US law enforcement has the same level of access to data stored in partner locations; however, the benefit is heavily in favor of the partners, for now.) The CLOUD Act can be used only to prevent or investigate serious crimes; it cannot be used for spying, nor does it allow partners to target data of US citizens or persons located in the US, and vice versa. The second part of the CLOUD Act requires CSPs subject to US jurisdiction to disclose data for US legal processes no matter where the company chooses to store the data, inside or outside of the country. Again, this doesn’t extend new authority to US law enforcement to acquire data – it just ensures the information will be provided regardless of where it’s kept, as long as the warrant meets legal requirements.