Cloud Compliance Center

United States

Select a Topic
Quick Links
Start Comparison
Data disclosure requirements
12. Are there any local laws that would require a cloud service provider to disclose the data it hosts to any third parties in any circumstances (including regulatory or law enforcement authorities)?

Yes. The Clarifying Lawful Overseas Use of Data Act ("CLOUD Act") amended the Stored Communications Act ("SCA") and established a procedure for a provider of electronic communication services to seek protection from the mandatory disclosure of non-US data to the US government where disclosure would violate the non-US law of the jurisdiction where the data is stored. The CLOUD Act also established a framework for qualifying foreign governments to procure non-US data stored in the US without creating legal liability under the SCA for the provider of electronic communications services. The CLOUD Act clarified the requirements to preserve data stored abroad even if the company plans to utilize the procedures available to contest disclosure.

A threshold requirement for invoking the protective procedures under the CLOUD Act is that the data at issue must be stored in a "qualifying foreign country." A qualifying foreign country is one that has entered into an executive agreement with the US government governing access to data in this context. The CLOUD Act prescribes certain prerequisites for a foreign government to be eligible to enter into such an Executive Agreement, including that such foreign country must have robust substantive and procedural civil liberties protections that are comparable to those in the US. To date, the US government has only entered into an executive agreement with the UK and Australia, but subsequent agreements with other countries may later be adopted.

The CLOUD Act amended the SCA to allow US federal law enforcement authorities to use a warrant or subpoena to compel entities subject to US jurisdiction to provide certain types of data stored in foreign countries. However, several requirements must be met before US law enforcement authorities can properly request the data of foreign entities under the CLOUD Act, as follows:

  • First, the entity to which a CLOUD Act request is issued must be an applicable network provider, i.e., a provider of an electronic communication service ("ECS") or a provider of a remote computing service ("RCS").
  • Second, that entity must have "possession, custody, or control" of the stored data sought in the request.
  • Third, the request must pass US constitutional muster, i.e., US law enforcement must meet certain standards of proof before obtaining data from an ECS or RCS.
  • Fourth and finally, the ECS or RCS to which a CLOUD Act request is issued must be subject to the jurisdiction of the US.
Quick Links
{{ $store.state.loadingScreen.message }} ...