Attorneys across the country have been eagerly watching U.S. v. Microsoft Corp. to see what kind of guidance the Supreme Court would offer for how parties could obtain cross-border electronic evidence during ediscovery.
The hotly contested case involved a criminal warrant from the U.S. government seeking email data about a Microsoft customer in Ireland who the government suspected of drug trafficking. Although U.S.-based Microsoft possessed the email data, it was entirely located in an overseas datacenter in Dublin, Ireland. Therefore, Microsoft moved to quash the warrant, and the case ascended all the way to the Supreme Court, where the parties presented oral argument on February 27, 2018.
And then, on April 17, the court dismissed the case as moot — thanks to an amendment to the Stored Communications Act (SCA) that was appended to the tail end of a “2,232-page, $1.3 trillion omnibus spending bill.”
The CLOUD Act
On March 23, Congress enacted — and the president signed into law — the Clarifying Lawful Overseas Use of Data (CLOUD) Act. Congress did not separately debate the CLOUD Act before its passage, which updated the SCA for the first time since 2002.
The CLOUD Act requires that any communication service provider served with a warrant for information must “preserve, backup, or disclose” all data within its “possession, custody, or control.” That mandate applies regardless of where the stored information is actually located.
Should the provider believe both that the information sought concerns a non-U.S. data subject and that its disclosure would materially risk violating another country’s laws, it can move to modify or quash the warrant. The act sets out an eight-part comity analysis for that determination. The factors that a court should consider include:
- the U.S. government’s interests in the information;
- the “interests of the qualifying foreign government in preventing any prohibited disclosure”;
- the “location and nationality” of the data subject as well as that subject’s connections to the U.S.;
- the “nature and extent of the provider’s ties to and presence in” the U.S.; and
- the ability to gain “timely and effective access” to the same information through other means with “less serious negative consequences.”
While any motion to modify or quash is pending, the act requires that the service provider continue to preserve the information sought by the warrant.
Finally, the CLOUD Act establishes a process by which the U.S. and “qualifying foreign governments” can adopt executive agreements concerning reciprocal data access. None of those agreements appear to exist yet.
As far as U.S. v. Microsoft, the government has already obtained a new warrant under the amended law.
Ediscovery Implications of the CLOUD Act
While the CLOUD Act does not govern civil discovery, it does establish a clear framework for either requesting information stored abroad or objecting to such a request. Given the rapidly approaching May 25, 2018 enforcement date for the EU’s General Data Protection Regulation (GDPR), many companies should rightfully be concerned that producing data concerning European residents will violate foreign laws.
When a party requests discovery of data that isn’t stored within the U.S., ensure that you promptly take steps to preserve that information even if you object to producing it.
Consider using the eight-factor comity analysis to frame your argument, whether you are trying to obtain foreign data or are objecting to its production. The seventh factor, the “likelihood of timely and effective access to the information through means that cause less serious negative consequences,” is particularly promising for those objecting to production. Offer alternative methods wherever possible, such as anonymized data, to provide the substance of the requested information without running afoul of foreign data protection laws.
Weather forecasts are notoriously fickle; we’ll be watching to see how this one turns out.