The CLOUD Act is an important step forward, but now more steps need to follow

On Feb. 27, we went to the U.S. Supreme Court to argue a case that has become known as the “Microsoft warrant case.” As we arrived at court that morning, we thought it was important to repeat a point we’ve been making since we first filed our legal challenge more than four years ago. We said that while litigation was important, we needed new legislation and new international agreements to reform the process by which law enforcement officials around the world gather digital evidence and investigate crimes. And we said international agreements must have strong protections for privacy and other human rights.

As we headed to the Supreme Court, there was one point on which the Department of Justice, Microsoft, most state attorneys general and the vast majority of the tech sector all agreed: it was time for Congress to act. Last month, Congress did just that, passing the CLOUD Act as part of the omnibus budget bill the president signed into law on March 23.

Although the CLOUD Act resulted from successive drafts over several years, its passage surprised many. And the speed with which it happened was a bit of a shock, especially in an era when potential compromises in Washington, D.C. more commonly result in failure and disappointment than new policy or law. As the company that brought the lawsuit that led to the Supreme Court and has spent perhaps more time on this issue than any other, we wanted to take the time to offer what is admittedly a long blog to share our perspective about the CLOUD Act and what it means for the future.

Most importantly, the passage of the CLOUD Act is an important milestone in the journey to modernize the law, enable enforcement officials to do their jobs and protect people’s privacy rights across borders. It has strong and broad support. But it’s not the end of the road. There remains important and urgent work ahead of us.

The CLOUD Act both creates the foundation for a new generation of international agreements and preserves rights of cloud service providers like Microsoft to protect privacy rights until such agreements are in place. Each of these aspects is critical. And it points to the importance of first putting the CLOUD Act in its proper context.

Putting the CLOUD Act in context

As information has moved to the cloud, tech companies have had to assume a more important role in protecting people’s privacy rights. Before cloud computing, individuals stored their digital information on a computer at home and companies typically stored their information on server computers in their offices. In practical terms, this meant that if the government obtained a warrant to search someone’s information on a computer, officials had to enter one’s premises to access a device. As a result, individuals or companies knew about the search and could mount a legal defense if they chose.

As information moved to the cloud, however, the government could search digital information by serving warrants on a cloud service provider rather than on the individual or company that owned the information itself. This changed the privacy equation between citizens and the state. No longer would an individual or company necessarily know when the government was searching its information. And without that knowledge, individuals and companies lacked the ability to protect their rights.

The breadth of this impact has galvanized the tech sector, and we’ve been fortunate to work with so many great individuals at other great companies, including firms we compete with every day. Microsoft has been among the most active participants in our industry on these issues. From our perspective, we had little choice but to get so involved, given the high stakes and broad implications for our customers and ourselves. We’ve appreciated the critical need for law enforcement to retain the ability to access information quickly pursuant to the rule of law. But it is equally important that individuals and companies retain their privacy rights. Achieving the right balance in today’s world is as complicated as it is fundamental.

We have brought four different privacy lawsuits against the U.S. government since 2013 to seek to modernize the law and ensure that the privacy rights of individuals and customers are protected. In fact, they’ve all been part of a singular effort:

  • The first lawsuit, settled with the government in 2014, affirmed a clear and constitutional right for cloud service providers to publish information about the number and types of law enforcement and national security orders we receive.
  • The second lawsuit, which successfully caused the government to withdraw an administrative subpoena in 2014, asserted that officials who seek information that belongs to a legitimate business or other enterprise should seek that information directly from that enterprise rather than the cloud service provider. We’ve followed that lawsuit with continuing work that led the DOJ to publish written instructions to its prosecutors around the country in most circumstances to do just that.
  • The third lawsuit challenged as unconstitutional what we regarded as a too-routine practice of imposing secrecy orders on cloud service providers that prevented us from informing customers – sometimes indefinitely – that the government had accessed their information. After our lawsuit survived the government’s motion to dismiss it, the DOJ changed its approach and established a new policy to diminish the number of secrecy orders, end indefinite secrecy orders and make sure that every application for a secrecy order is reviewed more carefully. This was an unequivocal win for our customers.
  • The fourth lawsuit, which we filed in 2013 and which took us to the Supreme Court in February, challenged the U.S. practice of issuing unilateral search warrants that reach into datacenters in other countries. Our angst was twofold. Our first concern was the disregard this practice had for the ability of people in other countries to protect their privacy rights under their own laws. The second was the conflict of laws we have seen emerging between U.S. law, which the government asserted could force cloud service providers to turn over information in other countries, and foreign laws, which increasingly prohibit this from happening.

We’ve always viewed the issues in these four lawsuits as connected, since they each address a distinct but related part of modern privacy issues. They each also involve the need to strike a balance that both enables effective law enforcement and strong privacy protection. Finally, they each have required not just success in a lawsuit, which could only call the question on current practices, but the creation of new and more modern legal processes and rules.

Of the four lawsuits, we have always recognized that the issues that led to the Supreme Court case would be the most complicated, as indeed they have been. This is for two reasons. First, given their nature, these issues required Congress to pass a new law rather than a solution based on action that could be taken by the Executive Branch or the Judiciary alone. And second, given their inherently international nature, it was always clear that new domestic legislation would need to be followed by new international treaties. In short, progress would require a broad and sustained effort to modernize both domestic and international laws.

Viewed in this context, it’s important to consider both what the CLOUD Act preserves and what it creates.

What the CLOUD Act preserves

While the CLOUD Act creates new rights under new international agreements, it also preserves the common law right of cloud service providers to go to court to challenge search warrants when there is a conflict of laws – even without these new treaties in place. This is a vital right for companies such as Microsoft, and it’s a right that we’ll continue to rely on.

Before our lawsuit began in 2013, there was no consensus about the existence and strength of this right. But as the case reached the Supreme Court, the DOJ in December alluded in its brief to our common law right to go to court in the United States to raise comity concerns when there is a conflict between laws. Any remaining doubt about the government’s acceptance of this right was eliminated during the oral argument on February 27 when first Justice Breyer and then Justice Kagan quizzed the government on this point. When the government’s lawyer posited to Justice Breyer that a court “could” conduct a comity analysis when there is a conflict of laws, Justice Kagan interjected with a more direct question. She asked whether the government was agreeing “that a court in that circumstance should conduct a comity analysis.” (Emphasis added.) The government’s answer consisted of a single word – “yes”. Even before the oral argument concluded, that answer alone ensured a stronger basis for our ability to protect the privacy needs of our customers.

The CLOUD Act combines an extraterritorial reach for U.S. warrants with retention of this comity right. One of the Act’s critical features is that it leaves this common law right unchanged, even independent of new international agreements. Section 103(c) of the Act states explicitly that nothing in the relevant section should “be construed to modify or otherwise affect the common law standards governing the availability or application of comity analysis” under the relevant provisions. Having in effect won the DOJ’s affirmative acknowledgement of this right before the Supreme Court, Congress has taken care to preserve it.

The protection of common law comity rights is of even greater importance given the effective date next month of Europe’s General Data Protection Regulation, or GDPR. This indirectly but effectively puts the EU in a position to help control its own destiny when it comes to the reach of U.S. search warrants. The EU institutions can interpret the GDPR’s relevant provisions and thereby determine whether there is a conflict of laws in specific circumstances that would mandate a comity analysis. Especially as the EU does so, cloud service providers such as Microsoft can then use our common law rights to go to court to raise comity issues and protect European customers.

Comity has been an important principle in U.S.-EU cooperation in other contexts, for example in competition law, with the 1991 EU/US Competition Cooperation Agreement and the 1998 EU/U.S. Positive Comity Agreement. We believe comity steps similarly can help reduce international conflicts of law in the context of law enforcement access to data.

What the CLOUD Act creates

Even more important than what the CLOUD Act preserves is what it creates. After all, our goal has always been not to make repeated visits to court to litigate contentious propositions but to establish new international rules that will avoid legal conflicts and advance privacy rights and law enforcement needs together. It is here that the CLOUD Act makes a vital contribution.

First, the CLOUD Act creates the authority and framework for the U.S. to establish international agreements that on a reciprocal basis will enable law enforcement agencies to access data in each other’s countries to investigate and prosecute crimes. These 21st century agreements will supplement the older and slower Mutual Legal Assistance Treaties, or MLATs, that governments around the world understandably have been complaining about. These new agreements can combine digital and other modern processes to enable law enforcement to work effectively and quickly.

Second, the CLOUD Act protects privacy and other human rights by stipulating that these international agreements can only be established with countries that protect privacy and other human rights and by subjecting the Executive Branch’s assessment of these aspects to congressional review. Our support for the CLOUD Act was conditioned on it containing a broad and robust set of protections, which included:

  • Respect for the rule of law and principles of nondiscrimination;
  • Protection from arbitrary and unlawful interference with privacy;
  • Fair trial rights;
  • Freedom of expression, association, and peaceful assembly;
  • Prohibitions on arbitrary arrest and detention; and
  • Prohibitions against torture and cruel, inhuman, or degrading treatment or punishment.

Importantly, the Executive Branch must articulate how each country fulfills these requirements. No international agreement can take effect until Congress has 180 days to review the agreement and the Executive Branch’s analysis and decide whether to reject it. This creates a strong foundation for transparency and an opportunity for privacy groups, human rights advocates, cloud service providers, and others to object if they discern a basis to do so.

Third, the CLOUD Act creates strong norms to govern surveillance requests in the new international agreements. These effectively incentivize governments to update their digital privacy laws to ensure that law enforcement requests are narrow, incorporate specific rule of law protections, are subject to judicial review or oversight, and meet baseline legal standards around accountability and transparency.

Fourth, the CLOUD Act ensures that these new international agreements will not become vehicles for requiring cloud service providers to create back doors to break encryption. The Act states explicitly that terms of these agreements “shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data.”

Fifth, the CLOUD Act gives cloud service providers added and direct legal rights to protect privacy under these international agreements. These rights come in two complementary forms. The first gives providers the right to inform foreign governments that have these agreements when their citizens are impacted by U.S. warrants. And second, providers can go directly to court to raise comity concerns under a new statutory process when the U.S. seeks a warrant that goes beyond the scope of an agreement and that conflicts with a foreign law.

Finally, as all this makes clear, the collective impact of the CLOUD Act and resulting international agreements will both reduce the potential for conflicts between laws and create a clear legal process for courts to address conflicts under the new comity process when such conflicts arise. In short, the CLOUD Act’s approach to international agreements helps point towards the modernization of international law the world needs.

What the CLOUD Act requires

Like any foundation, the CLOUD Act will be of lasting importance only if we build strong structures on top of it. That is why the Act is an important stepping stone and not the end of the journey. Like all the issues of the past four years, this will require important and even urgent action by many in both the public and private sectors.

More than anything, we now need governments to move forward quickly to put new international agreements in place. The United States and United Kingdom two years ago completed their initial draft of such an agreement, and they have been waiting for Congress to act to provide statutory authority. With the passage of the CLOUD Act, that authority is now in place. The two governments will now need to review their draft under the final terms of the Act, consider the European legal aspects of it, make any final revisions, and submit it to Congress for formal review. All of this will represent an important new step.

We clearly need many similar international agreements with other governments around the world. Importantly, the U.S. will need to engage with the European Commission in a constructive way to hammer out a mutual understanding on how one or more international agreements should work across the Atlantic. And this may require some additional steps by Congress. The ultimate goal – one that is likely to take some additional years to achieve – is a set of agreements that create an accepted model and establish clear international legal rules that satisfy law enforcement and privacy advocates alike.

But both before and even after such agreements are in place, there will be important questions in specific cases. These will have significant ramifications for law enforcement and privacy alike. In this sense, one of the common themes of the last four years will persist into the foreseeable future. This is the vital role played under the law by cloud service providers.

The cloud has made the role of tech companies on privacy issues a practical necessity. The CLOUD Act preserves and expands this role with legal certainty. It creates a responsibility for tech companies both to help protect public safety and preserve personal privacy.

We appreciate that this is a heavy responsibility at a time when there are increasing questions about the tech sector. At Microsoft, our answer is that we appreciate and accept the responsibility thrust upon us. We acknowledge that no company will ever be perfect, and we recognize that constant learning will be essential to fulfilling this responsibility each day. But we also point to our track record. We did not sue our own government four times and devote energy to these issues over four sometimes long years to stop showing resolve now. Law enforcement needs to be effective and privacy rights need to be protected. This journey is not yet complete, and we look forward to continuing to work with so many others to see it to a successful conclusion.
