CLOUD Act Fulfills Microsoft's Legal Wish: Now What?

Microsoft got its legal wish.

That wish fulfillment in the form of the CLOUD Act came about in such a surprising fashion that it took Microsoft more than a week to release a full public response.

In a lengthy blog post Tuesday, Microsoft President and Chief Legal Officer Brad Smith admitted that passage of the CLOUD Act on March 23 was a "bit of a shock."

Congress slipped the CLOUD Act into a 2,000-plus-page omnibus bill that President Donald Trump signed after a brief show of protest. Trump had tweeted that he might veto the bill, although his objections to the $1.3 trillion bill that narrowly averted a government shutdown involved other aspects of the legislation, such as the level of border-wall spending and a lack of action on DACA. The CLOUD Act portion did not come up in most news coverage of the omnibus bill.

Microsoft has been lobbying hard for some time for the CLOUD Act, which stands for Clarifying Lawful Overseas Use of Data Act. The company urged the Supreme Court during oral arguments in the Microsoft warrant case in late February to wait for the CLOUD Act.

"This Court's job is to defer, to defer to Congress to take the path that is least likely to create international tensions. And if you try to tinker with this, without the tools that -- that only Congress has, you are as likely to break the cloud as you are to fix it," said Microsoft lawyer E. Joshua Roskenkranz in his closing statement in the case, which involved U.S. law enforcement efforts to obtain customer data stored by Microsoft in a datacenter in Ireland.

For his part, Michael R. Dreeben, deputy solicitor general for the U.S. Department of Justice, was probably shocked by the timing, as well. Dreeben had argued that the high court, which is expected to rule on the case in June, shouldn't wait for Congress. "As to the question about the CLOUD Act, as it's called, it has been introduced. It's not been marked up by any committee. It has not been voted on by any committee. And it certainly has not yet been enacted into law," Dreeben said just a month before the act passed.

While the effect of the new law on the high court's ruling is hard to predict, Microsoft's Smith blogged this week that this update to the legal code written in the context of the existence of cloud computing will help U.S. cloud providers like Microsoft balance the requirements of cooperating with legitimate law enforcement requests while protecting the privacy rights of international customers.

The road forward from the passage of the law until it starts yielding evidence for U.S.-based law enforcement efforts could be somewhat long. The act calls on the executive branch to establish reciprocal international agreements allowing law enforcement in both countries to access data in each other's countries. Yet as a first step, the administration must also establish that each country with which it creates an agreement protects privacy and human rights. Congress also has 180 days to review the agreements.

Smith's interpretation is that the law leaves room for cloud providers to challenge law enforcement requests during the interim period. "The CLOUD Act both creates the foundation for a new generation of international agreements and preserves rights of cloud service providers like Microsoft to protect privacy rights until such agreements are in place," Smith said.

Unstated in Smith's blog entry is the sigh of relief. Right now, U.S.-based technology companies dominate the global cloud computing infrastructure market. But there is no iron law that this state of affairs must continue. The Edward Snowden revelations of 2013 marked a huge challenge to international businesses' and governments' trust in U.S.-based companies ability and willingness to protect their data from the U.S. government. Microsoft, Google and Amazon have been looking over their shoulders for potential new international competitors and contemplating a potentially fragmented global market where U.S.-based cloud providers could be shut out of some countries over data sovereignty and citizen privacy concerns.

Smith laid out that line of thinking in a February post about the Supreme Court case. "U.S. companies are leaders in cloud computing. This leadership is based on trust. If customers around the world believe that the U.S. Government has the power to unilaterally reach in to datacenters operated by American companies, without reference or notification to their own government, they won't trust this technology," Smith wrote.

The passage of the CLOUD Act gives Microsoft and its channel partners a much stronger privacy story for international customers and an opportunity, along with other U.S.-based cloud providers, to continue leading the global charge for cloud computing.

Posted by Scott Bekker on April 04, 2018