United States Cloud Act Limited by European Union
This one is for those people who really like to keep up to date on current cases and interesting legal battles taking place. I found the following synopsis by the Middle District of Florida Defenders Office.
You may remember the Big Deal about the Microsoft case that was in SCOTUS. The government sought data from an American company (Microsoft) but it was held in their server in Ireland. Extraterritoriality issue. Other countries have far more stringent privacy laws than we do, including privacy of electronic data on their shores. And there are treaties and international agreements between countries about accessing electronic data that is stored in another country.
Origin of the Cloud Act
Enter the FBI wanting to get e-data on Microsoft, and said data happens to be located on its server in Ireland. They used the Stored Communications Act for a warrant, but because the government failed to comply with the international agreement (re accessing e-data in the EU), Microsoft said they could not lawfully comply, and moved to quash. It went all the way up to SCOTUS and was set for oral argument in 2018. At that point, Congress stepped in to provide a “fix,” and enacted the U.S. Cloud Act. See 18 USC § 2713 (“A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.”). It basically says that the US government has the right to get e-data regardless of whether it is on-shore or off-shore.
Cloud Act is not the End All Be All
So, the EU just responded to America’s enactment of the Cloud Act. See document. It concludes that any order under the Cloud Act for electronic data in the EU is only lawful if that order complies with the EU’s General Data Protection Regulation (“GDPR”). This sets us up for a dandy little conflict of law issue, since the government tends to rely on US law (Cloud Act) rather than international law when grabbing their evidence.