Microsoft Ireland, the CLOUD Act, and International Lawmaking 2.0

Privacy and Security

Article Snapshot


Jennifer Daskal


Stanford Law Review Online, Vol. 71, p. 9, 2018


The Clarifying Lawful Overseas Use of Data (CLOUD) Act requires firms based in the United States to give law enforcement access to data stored abroad. The CLOUD Act recognizes the need to protect privacy and free speech.

Policy Relevance

Rules for cross-border transfers of data will set international standards for privacy.

Main Points

  • In Microsoft Ireland, the Supreme Court considered whether law enforcement in the United States could demand access to data controlled by a US-based firm but stored on a data server in Ireland.
  • Before the Court decided the case, Congress passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which requires data providers to disclose data within their control, regardless of the location of the data.
  • Under the CLOUD Act, data providers may object to the data disclosure order if the demand for data conflicts with foreign law.
  • The European Union's (EU's) General Data Protection Regulation (GDPR) may create conflicts, as it limits when data may be sent out of the EU; the GDPR applies to any firm doing business in the EU, even if the firm is not physically located in the EU.
  • The CLOUD Act also sets out foreign governments' rights to access data held in the US.
    • Generally, US-based providers may not disclose data to foreign states.
    • To access US-held data, foreign states must request assistance from the US government through the cumbersome Mutual Legal Assistance Treaty (MLAT) process.
    • The CLOUD Act will allow select foreign states to bypass the MLAT system in some cases.
  • Under the CLOUD Act, foreign states may access US-held data directly from the data provider in serious criminal cases, if safeguards to protect civil liberties are followed; key safeguards include:
    • The state must enter into an executive agreement with the United States.
    • The state must protect privacy rights, and not use the data to hinder free speech.
    • The request for data must be subject to judicial review.
    • The request must be for the data of foreigners located outside of the United States.
  • Legislation addressing access to data across borders is a form of international lawmaking through domestic regulation; if successful, these efforts will lead to international convergence of norms that protect privacy and security.
