CLOUD Act — Clarifying Lawful Overseas Use of Data Act
The CLOUD Act (2018) enables US authorities to access data held by US tech companies regardless of storage location and creates bilateral data agreements.
Summary
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is a US federal law enacted on 23 March 2018 as part of the Consolidated Appropriations Act 2018. It governs cross-border access to electronic data and clarifies that US technology companies are required to disclose stored data in response to US law enforcement requests — regardless of whether the data is stored in the United States or abroad.
The law was a direct response to the case of United States v. Microsoft Corp. (also known as the 'Microsoft Ireland Case'), in which Microsoft refused to hand over email data stored on servers in Ireland. The CLOUD Act also created a framework for executive agreements (bilateral accords) between the US and allied nations, enabling mutual law enforcement access to data without the traditional Mutual Legal Assistance Treaty (MLAT) process.
The CLOUD Act has significant implications for international data protection and exists in partial tension with the European GDPR, as it enables US authorities to access data of EU citizens.
History
The background of the CLOUD Act dates to 2013, when the DOJ issued a warrant to Microsoft in a drug trafficking investigation to produce email data stored on servers in Dublin, Ireland. Microsoft resisted, arguing that the Stored Communications Act of 1986 did not authorise extraterritorial access. The case went all the way to the Supreme Court.
Before the Supreme Court could rule, Senators Orrin Hatch, Chris Coons, Lindsey Graham, and Sheldon Whitehouse introduced the CLOUD Act as a standalone bill (S. 2383) on 6 February 2018. The law was ultimately enacted as Division V of the Consolidated Appropriations Act 2018 (H.R. 1625, Public Law 115-141) and signed by President Trump on 23 March 2018. The Supreme Court subsequently declared the Microsoft case moot on 17 April 2018. The first executive agreement was signed between the US and the United Kingdom on 3 October 2019 and entered into force on 8 October 2022.
Scope
The CLOUD Act affects various actors in the domain of electronic communications and data storage:
- US technology companies (providers): All providers of electronic communication services and remote computing services subject to US jurisdiction — including cloud providers, email services, social media platforms, and messaging services.
- US law enforcement agencies: Federal agencies (DOJ, FBI) and state authorities that can request data on the basis of warrants, subpoenas, or court orders.
- Foreign governments: Nations that enter into executive agreements with the US can request data directly from US providers — subject to specified human rights and rule-of-law standards.
- Affected individuals: Users of the aforementioned services worldwide, whose data may be disclosed regardless of storage location.
- EU companies: Indirectly affected insofar as they use services from US providers or fall under executive agreements — the EU-US Data Privacy Framework addresses some of the tensions.
Key Requirements
- Extraterritorial data disclosure: US providers must produce stored data in response to lawful orders (warrants, subpoenas, court orders), regardless of whether the data is stored within or outside the United States.
- Comity analysis (conflict-of-law review): Providers may file a motion to quash or modify an order if compliance would violate the law of a qualifying foreign government — the court then balances the interests of both nations.
- Executive agreements: Bilateral agreements enabling qualifying foreign governments to request data directly from US providers without going through the MLAT process.
- Qualification criteria for partner nations: Foreign governments must demonstrate substantive procedural safeguards and protections for privacy and civil liberties before an executive agreement can be concluded.
- Safeguards: Executive agreements may not be used to target data of US persons, must incorporate minimisation procedures, and are subject to review by the US Congress.
- Reciprocity: Under executive agreements, US authorities may also request data from providers in partner nations.
Related Frameworks
Corrections & Errata
The key_dates list only the signing of the US-Australia executive agreement (15 Dec 2021), not its entry into force on 31 January 2024.
Full details on the errata page →The text states the CLOUD Act was enacted 'as Section 105 of the Consolidated Appropriations Act 2018'. In fact it was enacted as Division V of the Consolidated Appropriations Act 2018 (Public Law 115-141); its short title is in Sec. 101 of that Division.
Full details on the errata page →CLOUD Act had no connections. Linked to Dodd-Frank as US regulation.
Full details on the errata page →key_dates: 2023-12-18 corrected to 2021-12-15
Full details on the errata page →key_dates: 2022-10-08 corrected to 2022-10-03
Full details on the errata page →