Unpacking and Updating the CLOUD Act
Targeted fixes for a landmark cross-border data law that has been misread and underused.
The CLOUD Act, enacted in 2018, is the most significant amendment to ECPA in over a decade. It clarified that U.S. law enforcement can compel data from covered providers regardless of where it is stored, and it created a framework for foreign governments to enter into executive agreements with the United States, enabling direct access to non-Americans’ data held by U.S. providers subject to specified requirements.
Eight years later, the act has failed to achieve its full potential. It has been mischaracterized as a new surveillance authority, when in fact it changed neither the standards nor the process for compelling data from providers within its jurisdiction; it only clarified that the location of the data is irrelevant to the authority to compel it. Its executive agreement framework has also fallen short: only two agreements, with the U.K. and Australia, are in place, while negotiations with the EU and Canada have stalled. The U.K. also leveraged its agreement to support a decryption mandate against Apple, even though the statute specifies that CLOUD Act agreements cannot create new decryption obligations.
This report proposes three legislative fixes: codifying DOJ policy designed to ensure businesses and other enterprises retain more control over their own data; encouraging and explicitly enabling new executive agreements, including with supranational entities like the EU; and prohibiting use of CLOUD Act agreements to support foreign decryption mandates or other security-reducing measures.
This paper was published as part of a series marking the 40th anniversary of the Electronic Communications Privacy Act.