Implications of the CLOUD Act for Commonwealth procurements

Introduction

The United States enacted on 23 March 2018 the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) in response to the US Supreme Court proceedings of United States v. Microsoft Corporation. The proceedings relate to a warrant obtained by the US Government under the Stored Communications Act 1986 for emails held by Microsoft in its data centre in Ireland.¹

The CLOUD Act amends the SCA to extend its operation extraterritorially to apply to providers of ‘electronic communication services’ and ‘remote computing services’² (Service Providers) that have a jurisdictional presence in the US. The Act applies regardless of where the data in the Service Providers’ possession, custody, or control is stored.

Commonwealth departments and agencies would not be considered Service Providers for the purpose of the Act. However, cloud service providers that host Commonwealth electronic data would be subject to the Act provided they have a jurisdictions presence in the US.

Background

The CLOUD Act was introduced in response to the Microsoft case. In this matter, Microsoft had refused to comply with a federal warrant demanding the production of an individual’s email records in 2013. Microsoft challenged the validity of the warrant and argued the Government could not compel the production of the records because the data was stored in Ireland and the SCA did not apply extraterritorially. Microsoft further contended disclosing emails stored in Ireland may be a violation of European data privacy laws. The US Government argued that the SCA did apply extraterritorially and to all data in the service providers’ possession regardless of the location it is stored.

Prior to the outcome of the Microsoft case, the US Government introduced the CLOUD Act. The Act amends the SCA and sets out the conditions under which Service Providers, that have a jurisdictional presence in the US, are required to disclose the contents of stored communications, or other information about a customer. The SCA requires Service Provider’s to disclose the information regardless of whether the data in their possession, custody and control is located inside or outside the US.

The CLOUD Act also provides the US Government the framework to enter into international agreements with foreign governments to access data in the US (Executive Agreements). To date no Executive Agreements have been established.

The CLOUD Act further creates a right to challenge mandatory disclosure when the data is stored in a country with which the US has an Executive Agreement. Upon application, a US federal district court may modify or quash a SCA warrant to obtain data where it finds that the:

• customer (owner of the data) is not a US citizen or legal resident and does not live in the US, and
• disclosure of data would create a material risk that the Service Provider would violate the laws of the foreign government (which has an Executive Agreement with the US).³

A US federal district court may also modify or quash a legal process where it finds that the:

• disclosure will cause the Service Provider to violate the laws of the foreign government
• customer (owner of the data) is not a US citizen or legal resident and does not live in the US, and
• interest of justice dictate that the legal process should be modified or quashed.⁴

Although this process provides an avenue for the Service Provider to apply to a US federal district court in the event of a legal process requiring disclose of Commonwealth data, there remains a risk to the Commonwealth. The process and amendments are untested by the courts and it is uncertain how they will be applied.

Potential Impact

The CLOUD Act does not apply to Commonwealth departments or agencies. However, CSPs contracted by the Commonwealth to host Commonwealth electronic data may be subject to the Act, provided there is some jurisdictional nexus between the CSP and the US.

Further CSP’s storing Commonwealth electronic data could not rely on principles of foreign state immunity. However, the Commonwealth could object through diplomatic channels or in the US federal district courts.

The CLOUD Act may also have implications for the Commonwealth’s obligations under the Australian Privacy Principle guidelines when collecting, using or disclosing personal information. A CSP that has a connection to the US may be ordered to disclose information about an individual where that information is stored in a country outside of the US.

What does this mean for Commonwealth procurements?

The CLOUD Act may have an impact on Commonwealth procurements where the CSP is a Service Provider for the purpose of the SCA.

When conducting a procurement of suppliers that may be subject to the Act, Commonwealth departments or agencies should:

• conduct a due diligence review of suppliers, in particular assessing their connection and presence in the US
• where personal information is the subject of the procurement, ensure appropriate contractual measures are taken to comply with its obligations under the APS, and
• consider the Digital Transformation Agency’s Secure Cloud Strategy and any other applicable department and agency specific polices and guidelines.