Governmental authorities are able to reach data stored on the servers of a Cloud service provider over whom they do not have jurisdiction through an
with a foreign nation where the Cloud service provider is based. For example, the United States and member states in the European Union have entered into bilateral MLATs that allow governmental authorities on both sides of the Atlantic to request access to data stored on the servers of a Cloud service provider physically located in or subject to the jurisdiction of the foreign nation.
Pursuant to an agreement governing MLATs between the U.S. and EU member states, a request for data shall only be denied on data protection grounds in “exceptional cases.” That is, most MLAT requests for data will be honored by the recipient party. Currently, Article 13(3) of Framework Decision 2008/977/JHA of the Council of the European Union allows transfers of personal data for law enforcement purposes even to countries whose privacy regimes have not been found “adequate” by the EU where there are “appropriate safeguards.” The phrase “appropriate safeguards” is widely interpreted to include international agreements such as MLATs.
Other treaties, such as the multilateral Council of Europe Convention on Cybercrime, as well as informal relationships between law enforcement agencies, also allow for governmental access to data in the “possession, custody, or control” of Cloud service providers over whom the requesting country does not otherwise have jurisdiction.
The existence of these treaty relationships diminishes any perceived advantage of placing data with a Cloud in a jurisdiction believed to permit less governmental access than other jurisdictions covered by the treaties. For all practical purposes, the laws permitting governmental access by the requesting country have their reach extended through operation of the treaties.
2. UNITED STATES
Any discussion of U.S. government access to data in the Cloud needs to begin with the Patriot Act, , but erroneously, is believed to have created invasive new mechanisms for the United States government to get information. The reality is that most of methods in the Patriot Act were before it was enacted. And those investigative tools had, and still have, limitations imposed by the United States Constitution and by statute. It is more accurate to say that the Patriot Act did not create broad new investigatory powers but, rather, expanded existing investigative methods, and retained Constitutional and statutory checks on abuse.
Even with the Patriot Act, it is generally the case in the United States that the more substantive the data sought by the government, the greater the government’s burden of demonstrating a strong legal justification to obtain that data. That is, there are greater restrictions on accessing the contents of electronic files and communications (“content data”) than for other information associated with those files such as the file owner’s contact information and server log information (“non-content data”).
In most circumstances, governmental access to data stored by a Cloud service provider is regulated under the Electronic Communications Privacy Act (“ECPA”). Under the ECPA, if a government body seeks disclosure of customer data from a Cloud service provider, it can only do so if a judge issues a
ECPA court order
, or if the government issues a valid
to the provider.
A judge can issue a search warrant for Cloud data only if the government demonstrates that there exists
– that is, reason to believe that a crime has been committed and that evidence of the crime would be found in the Cloud data sought. A search warrant is the
method under the ECPA through which the government may obtain the
of stored online communications facilitated by a Cloud service provider (as opposed to other types of electronic files) that are 180 days old or less.
A judge can issue an ECPA court order for Cloud data only if the government demonstrates that there exist reasonable grounds to believe that the data sought are relevant and material to an ongoing investigation.
Prosecutors and other government investigators may issue subpoenas requesting Cloud data directly to Cloud service providers if the data are relevant to the investigation.
If the government requests customer content data from a Cloud service provider through an ECPA court order or a subpoena, the government generally must notify the customer before obtaining the requested data from the provider. This allows the customer to challenge the governmental request.
However, no prior notice is required to customers when the government requests (i) non-content data or (ii) content data via a search warrant, although customers can challenge the validity of search warrants in court after the data are produced. In addition, in situations where the ECPA requires notice to a Cloud customer, the notice may be delayed in certain limited situations, such as when notice would endanger a person’s safety or compromise the investigation.