The CLOUD Act Casts a Shadow Over Email Privacy

It’s hardly news that email isn’t private, but the Consolidated Appropriations Act of 2018, Public Law 115-141, including the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), has made it easier for law enforcement interested in – and able to establish probable cause for – reading your email and personally identifiable information.

The CLOUD Act changed 18 U.S.C. section 2701 – the part of the Stored Communications Act that has, since 1986, regulated government, warrant-based access to email accounts – to compel a service provider to:

“…comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.” {Emphasis Added.}

United States v. Microsoft Corporation, pending in Federal courts since 2013, was rendered moot by the President’s approval of the CLOUD Act as part of the budget bill. The U.S. Supreme Court issued a per curiam opinion on March 23, 2018, vacating the judgment of the 2nd Circuit Court of Appeals and remanding the case to the Court of Appeals for dismissal, because Microsoft complied with a warrant issued under the new law. Thus ended its five-year effort to determine the Stored Communications Act precedent regarding a provider’s obligation to disclose emails stored on a foreign server – in this case, in Ireland. Some privacy advocates had high hopes that the Microsoft case would provide further legal protection of email communication and personal information. Those hopes were dashed.

The CLOUD Act goes quite a bit further, too. Additional modifications made to the Stored Communications Act require providers to deliver communications to foreign governments when an executive agreement provides for it, and strip private litigants of any cause of action in civil court against a provider who complies with a court order under the chapter. The Act also makes good faith reliance on a court order under the chapter a complete defense in cases of disclosures to foreign governments.

Most alarming from a purely legal standpoint, however, is probably the Act’s attempt to dictate the comity analysis to be used by courts when considering requests from foreign governments. The analysis directs that courts “shall” take into account eight factors when considering a motion to quash, ranging from the interests of the United States to the investigative interests of the foreign authority making the request. Combined with the executive branch authority to make agreements regarding disclosure, the required comity analysis constrains a court’s ability to consider unique challenges to subpoenas and opens the door to extensive bilateral disclosures between nations in law enforcement matters. Providers are definitely out of the middle now, as motions to quash based on the Stored Communications Act will be very hard to sustain.

The CLOUD Act is undoubtedly another opportunity to make the nation – and world – safer from terrorists. Civil libertarians and privacy advocates will likely also think of it as another significant erosion of individual rights and a major transfer of power to the executive branch. And the “bad guys”? They will likely find it just another reason never to use email to do their bad business.

The Consolidated Appropriations Act of 2018, Public Law 115-141, can be found at: The CLOUD Act is Division V, beginning on page 2201. The U.S. Supreme Court’s per curiam opinion in United States v. Microsoft can be found at:


Gregory J. Brandes is a law professor and Dean of St. Francis School of Law. He is an expert on legal education and admission to the bar and is admitted to the bars of the United States Supreme Court, Colorado, and Illinois.