The Expansion And Response Of Extraterritorial Data Jurisdiction In The CLOUD Act

With the rapid development of ICT and digital economy,human life has become inseparable from the Internet,and data can be easily stored across borders,but this also means that when investigating criminal crimes,investigating authorities needs to access both domestic and foreign data to fight crimes.Therefore,electronic data is increasingly becoming the key to solving cybercrime and other Internet-derived disputes.In the trend of global data flow,countries always need to access extraterritorial electronic data,but the way of storing information changes a lot and mutual legal assistance agreements make access to extraterritorial electronic data difficult.The 2016 Microsoft case highlights the controversy over whether the U.S.Stored Communications Act(hereinafter referred to as SCA)applies to extraterritorial electronic data of domestic companies.In addition to clarifying the basis for access to the electronic data at issue,the 2018 Clarify Lawful Overseas Use of Data Act(hereinafter referred to as the CLOUD Act)authorizes the federal government to enter into administrative agreements with other countries to facilitate direct access to electronic data stored in each other’s territory.U.S.companies hold the majority of electronic data,so the CLOUD Act is designed to highlight the strong position of the United States as a major Internet power.However,the CLOUD Act is not a one-off,and many problems remain in its theoretical design and practical application.This article takes the CLOUD Act as the starting point,and through the introduction of the background of the CLOUD Act,the Microsoft case,and the latest content of the CLOUD Act,discussing the challenges brought to China by the trend of expanding data extraterritorial jurisdiction.By comparing the principles of data jurisdiction in China and other countries in Europe and the United States,I analyze the causes of conflicts,and finally make suggestions for China and Chinese enterprises to deal with the expansion of extraterritorial data jurisdiction.This paper consists of four major sections.In the introduction part,I raise the questions,this paper aims to explain the importance and relevance of its research,examine both local and international literature on the topic,outline the primary research methodologies utilized as well as the structure of the paper.Finally,the paper will highlight and address the key innovations and limitations of the study.Chapter 1 introduces the background and main functions of the CLOUD Act.Since the Microsoft case was the main motivation for accelerating the introduction of the CLOUD Act,this paper starts with the Microsoft case and analyzes its main litigation history as well as the legal conflicts arising from the different understandings between the U.S.government and Microsoft regarding the extraterritoriality of the SCA warrant and the principles of data jurisdiction.The introduction of the CLOUD Act not only ended the five-year-long litigation process and established the "data controller standard," but also reformed the cross-border e-discovery system by solving the problems of time-consuming,inefficient and difficult initiation of traditional bilateral MLA procedures.Chapter 2 analyzes the CLOUD Act sets imbalance of rights and obligations for the United States.First,there is an imbalance in the "supply and access" of data.For the U.S.itself,accessing to data outside of the United States is the principle,and restriction is the exception.However,for other countries,accessing data in the United States will meet heavy restrictions,which means a serious inequality of rights and obligations.Second,the comity analysis is limited.Although the CLOUD Act sets up a channel for enterprises to defend the orders,the initiation procedure is very harsh.Firstly,the data must be directed to a person other than the United States.Secondly,the country where the data is stored must be the "qualifying foreign government".And finally,the disclosure behavior of enterprises will conflict with the "qualifying foreign government.Even if all of these conditions are met,there are seven additional elements that a judge must consider on a case-by-case basis.The comity analysis does not bridge the negative effects of unequal access to data.Third,the potential pitfalls of administrative agreements.What appears to be a comprehensive review and congressional approval of administrative agreements leaves a great deal of discretion to the judicial branch.The lack of mandatory disclosure of the content of administrative agreements and the lack of transparency in the standards and processes for their development can result in the judiciary arbitrarily choosing the countries that enter into administrative agreements and even the terms of administrative agreements.Chapter 3 is the realistic challenge of the "Controller Standard" of the CLOUD Act.The CLOUD Act often causes conflicts during the practical application.First,the contradiction between the "data controller standard" and the "data localization standard" causes conflicts of data jurisdiction,and such expansion will accelerate construction of data localization.The EU GDPR even escalate the conflict of jurisdiction from two sides to multiple sides.Second,it poses a threat to the data privacy of U.S.citizens and citizens outside the United States."Qualifying foreign governments" can circumvent U.S.law to obtain data of U.S.citizens and share it with the U.S.government.The CLOUD Act also does not mention any protection for data stored in the U.S.for citizens of other countries.Third,the compliance dilemma for big data companies.Especially for U.S.enterprises that need to conduct cross-border business in different countries,the inconsistency of data jurisdiction standards will also increase regulatory risks and compliance costs for enterprises,which will bring troubles to normal operation and discourage enterprises.Chapter 4,China’s Response to the Expansion of Extraterritorial Data Jurisdiction.It first clarifies the multiple external pressures that China currently bears.This is mainly reflected in the criticism of data localization and the negative impact of the unbalanced setup of the CLOUD Act.Second,to address the challenges,China should adhere to the localization requirements for digital infrastructure,build a systematic and incentive-compatible legal framework for data protection,and focus on improving control over critical data.Finally,for enterprises,they should consider different dimensions to develop a compliance program,including the external process of cross-border data collaboration,the internal management program of cross-border criminal collaboration,and the emergency plan.