Legal access to the global cloud
Increased use of the cloud and its international scope raise significant challenges to traditional legal authorities that permit access to data stored outside the United States. The resulting stakes are high. This area of law affects a wide range of important matters concerning law enforcement, national security, and civil litigation. Up until now, however, policymakers in this area have failed to fully appreciate the technological distinctions between different types of data clouds. This Article develops and distinguishes between three models of cloud computing to provide greater clarity for courts when evaluating international data access requests. These models are the Data Shard, Data Localization, and Data Trust clouds. This new typology reveals how the same legal authority will lead to notably different results in data access cases depending on the technical architecture of the cloud network. To illustrate, this Article assesses the likely results for each type of cloud under the full range of American legal authorities that permit parties to seek digital information held abroad—namely, the Fourth Amendment, the Stored Communications Act, Mutual Legal Assistance Treaties, administrative or grand jury subpoenas, and the Foreign Intelligence Surveillance Act. This Article’s analysis of cloud models also points to the profound instability of current American data access rules. The writing is on the wall. Companies and individuals outside of the United States now have multiple ways, including changing their cloud management models, to shelter data beyond the exclusive reach of U.S. law, which will increase the importance of non-U.S. access rules. This trend will spell the end of unilateral decisionmaking by U.S. courts concerning the legal process to be applied when the government or civil litigants seek data stored extraterritorially. In response, this Article advances two principles for a world of omnipresent global cloud computing. First, U.S. law should treat extraterritorial data requests equally, regardless of the location of the cloud provider’s headquarters. This legal approach would foster a level playing field for global cloud companies and encourage innovation, rather than further balkanization of the internet. Second, there is a need for international cooperation to create reciprocity. The “Pax Americana” of unilateral U.S. governance in this area is ending, and the wisest course for U.S. policy is to establish new international agreements for global data access. As this Article details, the CLOUD Act of 2018 takes a major step toward incorporation of these principles in an effort to preserve the internet as a global space. But the Act also encourages a knowyour-customer regime, where the ultimate cost may be paid in users’ privacy.