As previously discussed, courts are dealing with increasing demands for data that resides abroad. The Microsoft warrant case awaiting Supreme Court action was anticipated to yield important guidance on issues of international cross-border electronic evidence transfers. If the Supreme Court had ruled, the decision might also have addressed related issues of data privacy and comity.
Perhaps for the best, Congress has finally acted, obviating the need for the Supreme Court to rule. The CLOUD Act, signed into law by President Trump last month, establishes the requirements for U.S. law enforcement to obtain data from abroad in criminal matters like the Microsoft case in which the government issued a warrant under the Stored Communications Act for data that Microsoft stores in Ireland.
This is big news. Seeking extraterritorial evidence in criminal – and civil – matters is nothing new. However, with the explosion of electronic communications, an explosion accelerated by cloud computing, international investigations and discovery are more frequent, the information more important, and the risk of stepping all over foreign laws like privacy protections, greater than ever. Laws like the Stored Communications Act have failed to keep pace with technology. For example, the Stored Communications Act was enacted in 1986 and last amended in 2002. Updating the law was long overdue. The CLOUD Act at the very least acknowledges the need for change. It’s a start. It begins to establish a structure for U.S. law enforcement to get information abroad while respecting international law and individual privacy rights.
The CLOUD Act
The law covers data sought in criminal actions where information in the “possession, custody, or control” of a party is located outside the US. It does not cover civil cases. Still, it addresses some of the same concerns attorneys in civil matters have been worrying about. Recognizing that communication service providers are facing conflicting international laws regarding privacy, the law incorporates an 8-factor “comity analysis,” which provides:
“In making a decision to grant a warrant, the court shall take into account, as appropriate—
- (A) the interests of the United States, including the investigative interests of the governmental entity seeking to require the disclosure;
- (B) the interests of the qualifying foreign government in preventing any prohibited disclosure;
- (C) the likelihood, extent, and nature of penalties to the provider or any employees of the provider as a result of inconsistent legal requirements imposed on the provider;
- (D) the location and nationality of the subscriber or customer whose communications are being sought, if known, and the nature and extent of the subscriber or customer’s connection to the United States, or if the legal process has been sought on behalf of a foreign authority pursuant to section 3512, the nature and extent of the subscriber or customer’s connection to the foreign authority’s country;
- (E) the nature and extent of the provider’s ties to and presence in the United States;
- (F) the importance of the information to the investigation required to be disclosed;
- (G) the likelihood of timely and effective access to the information through means that cause less serious negative consequences; and
- (H) if the legal process has been sought on behalf of a foreign authority pursuant to section 3512, the investigative interests of the foreign authority making the request for assistance.”
Attorneys specializing in civil cases anticipated the Microsoft case would yield important guidance for cross border discovery even though the Microsoft warrant involved a criminal investigation. With broad support, a group of civil attorneys filed an amicus brief recommending that the Supreme Court look to the comity analysis cited with approval in a case that is almost as old as the Stored Communications Act, Société Nationale Industrielle Aérospatiale v. U.S. District Court for the Southern District of Iowa, 482 U.S. 522, 543-44 (1987). Footnote 28 set out considerations that are similar to the Cloud Act. In other words, after almost 40 years, Congress has passed a law that adopts considerations suggested by the Supreme Court. Now for the heavy lifting.
First, although comity is just as much of a concern in a civil setting, it’s not even clear that the same CLOUD Act framework applies. For 40 years, many civil courts have required parties to produce evidence from abroad in U.S. litigation with little or no regard for the foreign laws that might be abrogated. The CLOUD Act provides no new assurances of change or protection against adverse discovery orders and rulings on civil cases. It does, however, provide strong support for comity, and the related concerns over data privacy and foreign procedural laws even in civil actions.
The law hopefully ushers in a period of deliberate comity consideration. Assuming courts will agree on the need for comity, how will the interests of the courts in civil discovery measure up to “the interests of the qualifying foreign government in preventing any prohibited disclosure?” In 1986, the Supreme Court in Aérospatiale noted the incongruity of U.S. discovery rules allowing non-government attorneys to conduct evidence gathering in light of French “blocking” statutes. Today, we look forward to the imminent launch of a sweeping EU data privacy framework under GDPR.
How will courts interpret “the likelihood of timely and effective access to the information through means that cause less serious negative consequences?” Perhaps, the consideration will bring improvements to “old school” treaty-based international discovery procedures. One of my first assignments as an associate was to draft “letters rogatory” to pursue cross border discovery under the Hague Convention. I think I recall my research indicated they had to be bound with blue colored shoe-laces and written on parchment paper that I had to cut to the right size. I don’t remember where the documents we were after were located, but I do remember we never received them.
Assuming the Court vacates the Microsoft case, and assuming the CLOUD Act gives courts the impetus to develop procedural rules that recognize the importance of both comity and discovery in civil matters, this is only the beginning. Attorneys – government and civil – need to work together to establish international legal rules that satisfy law enforcement, civil justice and privacy advocates. Perhaps more importantly, they also need to work with technology companies to protect the interests of all parties. After all, technology has come a long way in 40 years.
Now more than ever, companies and litigants should look to experienced eDiscovery service providers who are knowledgeable about international laws and can collect data in compliance with those laws.
Contact CDS today for a consultation with our cross-border data experts.