I. Introduction

Imagine a person sentenced to death who is seeking to examine information about a forensic software program used to convict him. Now imagine that a court reviewing the person’s postconviction petition for relief finds that the information is material and necessary to the administration of justice and orders the software developer to disclose it. To safeguard the developer’s trade secrets and proprietary information, the court orders disclosure under a strict protective order. Even so, the developer refuses to comply. In most cases, this fact pattern would lead to a standard discovery dispute for the court to adjudicate. But now imagine two additional facts. First, the developer is located abroad and thus beyond the subpoena power of U.S. courts. Second, a U.S. cloud service provider possesses a copy of the information that the developer has stored in a private cloud account. If the person sentenced to death tries to subpoena the information from the U.S. cloud service provider, the provider will likely argue that the Stored Communications Act (SCA), a key U.S. data privacy law for the internet, categorically immunizes it from complying with the subpoena. In other words, a person’s appeal to get off of death row may depend on data that a foreign company refuses to hand over and that a U.S. company says it does not legally have to disclose.

Police or prosecutors seeking the same information could compel disclosure directly from the foreign developer through a mutual legal assistance treaty (MLAT), which entitles law enforcement to assistance from foreign governments in accessing evidence located abroad. Or they could also serve a U.S. cloud service provider with an order under the SCA, which was recently amended by the Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018 to expressly permit governmental entities to compel disclosures of data that U.S. cloud providers store on foreign servers. Significantly, both of these mechanisms have the potential to circumvent conflict-of-law issues that might otherwise impede cross-border evidence transfers. Yet, neither of these mechanisms is currently available to criminal defense investigators.

The thicket of domestic, foreign, and international law that affords some the power to compel cross-border access to data and others the power to keep it secret is tipping further in favor of law enforcement as compared to the criminally accused. This trend matters because it advantages the search for evidence of guilt over that for evidence of innocence. In the U.S. adversarial criminal legal system, law enforcement has no general constitutional, statutory, or ethical obligation to investigate evidence of innocence. That duty belongs to defense counsel alone, aided by defendants’ constitutional and statutory rights to see and contest the evidence against them and to compel the production of evidence in their favor. Selectively blocking defense access to evidence thus means selectively suppressing evidence of innocence. This essay examines these dynamics in the context of cross-border access to data and argues that the CLOUD Act can help to address them.

More specifically, data privacy, protection, and localization laws around the world are combining with criminal procedure rules to afford U.S. law enforcement the power to compel access to evidence of guilt while granting corporations the power to withhold evidence of innocence. A variety of dynamics contribute to this pattern, which I elsewhere term “privacy asymmetries,” or privacy laws that afford law enforcement more or better access to sensitive information than they afford to criminal defense investigators. The rise of the data economy means that corporations, rather than the government, increasingly possess digital evidence relevant to criminal investigations, including methodological details about investigative and forensic algorithms licensed for law enforcement use, as well as faceprint, DNA, and fingerprint databases that in earlier eras were created and maintained by government agencies. Corporate possession of relevant digital evidence in turn means that 20th century due process protections requiring prosecutors to inform the accused about evidence of innocence within their control are less likely to apply. At the same time, corporations are asserting privacy law and other legal entitlements to block criminal defense subpoenas for evidence within their possession. Meanwhile, law enforcement entities are negotiating expansive powers to compel private companies to disclose evidence of guilt, including cross-border data disclosures, while few if any advocate for parallel investigative powers on behalf of the accused.

Part II traces the evolution of current legal asymmetries between law enforcement and defense access to cross-border evidence. Starting in the 1970s, the U.S. government began entering into a series of MLATs that create special procedures for law enforcement to compel cross-border disclosures of evidence but expressly prohibit defense investigators from using the same procedures. Despite decades-long criticism in legal scholarship, Congress, and litigation, the Senate has continued to approve asymmetrical MLATs, and courts have consistently found them constitutional. Having described that historical backdrop, Part II then updates and contextualizes the issue of MLAT asymmetries in more recent geopolitical developments. It identifies how the rise of global “informational capitalism,” combined with developing foreign and domestic data privacy, protection, and localization laws, as well as treaties governing cross-border data transfers, risk worsening asymmetries that disadvantage U.S. criminal defendants.

Part III draws on the CLOUD Act of 2018 to help reverse the 50-year trend of growing inequity between law enforcement and criminal defense access to evidence stored abroad. It argues that courts should construe the CLOUD Act to entitle criminal defendants to subpoena U.S. corporations for data stored on foreign servers. Despite significant public policy and scholarly debates over the CLOUD Act, the statute’s potential effects on criminal defense investigations have been largely, if not entirely, overlooked. This essay begins to fill that gap, arguing that the statute should be construed to enhance defendants’ access to evidence stored abroad while avoiding the constitutional grounds that courts have used to justify denying defense access to MLAT procedures in the past.

While the arguments developed here will most immediately benefit those wrestling with the law and geopolitics of cross-border data flows, the essay also aims to contribute to broader literatures on the political economy of the criminal legal system, and of information privacy and surveillance law, as well as literatures assessing the possibilities and limitations of transparency as a mechanism for substantive accountability. Legal scholars are developing urgent critiques of structural inequities in criminal procedure and evidence rules, inequities that simultaneously reflect and produce racial, economic, and other forms of oppression. This essay shows that the legal construction of these inequities is not limited to the segment of criminal procedure and evidence rules formally codified as such. To the contrary, economic laws that regulate and respond to markets, including intellectual property and data privacy and protection laws, can also operate as criminal procedure and evidence rules, despite being less typically associated with public law governance of the criminal legal system. The following discussion presents one instance of this broader reality. Put another way, cross-border privacy asymmetries exemplify how “the relationship between the state and the economy, and the interactions between capitalism and democracy” shape the criminal legal system.

II. The Problem of Cross-Border “Privacy Asymmetries”

Over the past 50 years, the U.S. government has negotiated a series of MLATs with other nations that create special procedures for law enforcement to access evidence abroad while explicitly precluding defense counsel from using those same procedures. As the following discussion shows, the MLAT system began with the goal of enabling law enforcement to circumvent foreign privacy laws, initially foreign bank secrecy laws. This expansion of law enforcement’s investigative power without comparable provisions for defense investigators has generated sustained criticism and repeated constitutional challenges. Yet, to date, those efforts have failed to stem the proliferation of MLAT asymmetries.

This part begins by providing background on the MLAT system and then argues that recent developments in the global data economy are both aggravating these asymmetries and threatening to create new ones. First, cross-border access to data matters increasingly in all types of criminal disputes, from global organized crime to common misdemeanors, even when alleged criminal acts occurred entirely within U.S. borders. The result exacerbates existing inequities in the legal structures that determine who can compel and who can withhold cross-border data. Second, the rise of the digital services economy is prompting lawmakers around the world to enact new data privacy, protection, and localization laws that risk blocking access to foreign data in U.S. criminal investigations. That erosion of access is most pronounced for defense investigators, who lack the MLAT powers to circumvent foreign laws. Further, in 2018, Congress empowered the U.S. government to enter into a new series of “CLOUD Act Executive Agreements” with other nations designed to supersede the MLAT system and create more efficient law enforcement access. By every indication, these new agreements will also exclude defense investigators. As a result, foreign data privacy, protection, and localization laws threaten to undermine criminal defense investigations and aggravate disparities of power between the government and the accused.

A. The global data economy is exacerbating existing asymmetries in law enforcement and defense investigative power


1. The evolution of cross-border privacy asymmetries

Asymmetry in law enforcement and criminal defense access to cross-border evidence is not inevitable. Prior to the Reagan administration, the primary legal mechanism to compel access to evidence located abroad, called “letters rogatory,” was available to both law enforcement and defense investigators. Litigants using this process first request discretionary assistance from a court inside the U.S. The U.S. court then transmits the letter rogatory to the U.S. State Department, which in turn transmits it to the appropriate U.S. embassy, which transmits it to the requested state’s ministry of foreign affairs, which transmits it to that state’s ministry of justice, which, finally, transmits it to an appropriate foreign court to enforce as a discretionary matter of legal reciprocity between sovereigns, or comity. Note that applications for letters rogatory require ex parte judicial review from courts in both the requesting and receiving nations before anyone can be served with process and that, after service of process, any interested parties are given notice and an opportunity to move to quash.

The letters rogatory process is notoriously unpredictable and subject to lengthy delays of a year or more. Advocating during the 1980s for a better, more efficient process for civil litigants, the U.S. secretary of state described letters rogatory as “complicated, dilatory and expensive.” Significantly, letters rogatory are generally insufficient to pierce foreign laws, including foreign data privacy, protection, and localization laws that may limit U.S. litigants’ service of legal process abroad. For example, bank secrecy laws in Switzerland and the Cayman Islands impose civil and criminal penalties on financial service providers that disclose customer information to third parties, including to foreign governments. As a result, litigants using letters rogatory generally cannot access financial information located in Switzerland or the Cayman Islands.

Beginning in the 1970s, the inability of letters rogatory to pierce foreign bank secrecy laws prompted the U.S. government to start entering into MLATs. MLATs are bilateral treaties that bind the signatory nations to assist one another in criminal investigations. Courts in the foreign jurisdiction may review MLAT requests and have limited discretion to deny those that violate the procedural or substantive domestic law of the requested state. But, crucially, MLATs often expressly waive foreign data privacy protections. For example, the first MLAT, signed with Switzerland, waived Swiss bank secrecy laws to enable U.S. investigators to access Swiss bank records. MLAT procedures are also more reliable and efficient than letters rogatory because they often bypass diplomatic channels, as well as review by U.S. courts. For instance, U.S. prosecutors using an MLAT process may send requests directly to their foreign law enforcement counterparts. In other words, the MLAT process requires pre-service-of-process ex parte judicial review solely from courts in the receiving nation.

The first three MLATs—signed with Switzerland, Turkey, and the Netherlands—are silent on use by criminal defendants. As a result, some courts construed the treaties to enable access by both law enforcement and criminal defense investigators. During the 1980s, however, as the Reagan administration entered full swing, the U.S. began negotiating MLAT treaties that were expressly limited to law enforcement use. The U.S.-Israel MLAT, for instance, states that it “is intended solely for mutual assistance between the [signatory governments]” and “shall not give rise to any right … on the part of any private person to obtain … evidence.” Courts interpreting the U.S.-Israel MLAT and similar texts in the U.S.-United Kingdom MLAT, the U.S.-Nigeria MLAT, and the U.S.-Mexico MLAT, have held that the language precludes criminal defendants from using MLAT procedures. Today, nearly all U.S. MLATs lack provisions for criminal defense access to their investigative procedures.

2. The failed challenges to existing cross-border privacy asymmetries

The disparity between defendants’ letters rogatory power and law enforcement’s MLAT power has provoked sustained criticism. For some examples among many, Frank Tuerkheimer, a law professor and former assistant U.S. attorney in the Southern District of New York, described the “disparity in access to process” created by the MLAT system as “an endemic flaw in the fact-finding process.” The National Association of Criminal Defense Lawyers has repeatedly lobbied the Senate for amendments to the MLAT language that would permit judges to order the Department of Justice to use MLAT channels on behalf of the defense. Criminal defense bar publications have featured model legal arguments against the inequities. And defendants have repeatedly challenged the constitutionality of the disparities in court.

To date, these challenges have failed. The Justice Department has consistently opposed granting defendants access to MLAT processes. It has argued that permitting defense access would deter other nations from entering into MLATs, that defendants do not need such access because they have other advantages in accessing certain types of foreign evidence (namely defendants’ own financial documents and other data about themselves), and that the letters rogatory process should be sufficient for the defense despite its inadequacy for the prosecution and for civil litigants. Meanwhile, the Senate has continued to approve MLATs that explicitly block defense access to process. And, apart from a handful of federal district courts that have pressured prosecutors to “voluntarily” use their MLAT power on behalf of the defense, courts have uniformly upheld the constitutionality of these asymmetries between law enforcement and criminal defense access to foreign evidence.

3. Access to cross-border data matters more to more criminal cases

Evidence located abroad has long been relevant to criminal defendants within the U.S., particularly in cases involving alleged transnational crimes such as trafficking, terrorism, espionage, foreign corrupt practices, and global corporate crime. Some existing procedural rules recognize this fact. For instance, the Federal Rules of Criminal Procedure currently permit defendants, in “exceptional circumstances,” to ask a judge for discretionary approval to depose foreign witnesses abroad. Yet, even if defendants meet the high burden necessary to obtain judicial approval for the taking of such foreign depositions, letters rogatory remain defendants’ sole means to compel testimony from unwilling foreign witnesses.

While the issue of defense access to cross-border evidence is not new, the global data economy lends new urgency to the problem in a broader swath of cases. People anywhere can use digital services offered by companies headquartered anywhere else. Data generated or used by people within the U.S. can be stored on foreign servers. As a result, legal inequities in law enforcement and defense access to foreign evidence can now affect more and more types of criminal disputes. This is true even when alleged criminal acts occur offline and within U.S. borders. For instance, email and social media service providers may possess evidence relevant to investigating foreign co-conspirators’ participation in crimes that were conducted by local co-conspirators within the territorial U.S., to raising a self-defense or coercion defense, or to impeaching government witnesses. And that email and social media evidence may be stored exclusively on foreign servers. Location data, biometrics, health records, private communications, and more can all be relevant to criminal investigations and can all be stored abroad. Foreign trade secrets and other commercial data are additional examples. U.S. law enforcement agencies may purchase investigative and forensic software tools from foreign companies that store methodological information about their products on foreign servers. Those same companies may refuse to sell their products to criminal defense investigators and withhold methodological information about their tools from defense and public scrutiny. The increased salience of cross-border evidence in the global data economy means that legal inequities in cross-border access to data are poised to affect an unprecedented number and variety of criminal cases.

The following section explains that newly developing legal structures designed to govern the global data economy are poised to both entrench and expand the existing legal asymmetries in law enforcement and defense access to cross-border data.

B. Developing global data governance structures risks creating new asymmetries in law enforcement and defense investigative power

Trends in the global data economy are not merely making foreign evidence more urgent to more types of criminal cases; they also risk making that evidence less accessible to the criminally accused.

1. Foreign privacy laws risk impeding access to cross-border data

Just as U.S. policymakers are contemplating new federal and state legislation to address threats to privacy from “informational capitalism,” so too foreign lawmakers are enacting data privacy, protection, and localization laws in response to perceived privacy, security, and sovereignty threats from the global data economy. Data privacy and protection laws often impose broad nondisclosure requirements on companies that possess sensitive personal data, require those companies to notify account holders if and when the companies share sensitive data with others, and entitle account holders to demand that the companies delete certain data. Data localization laws, in turn, require that certain types of data collected within a country, or pertaining to its citizens, must be processed and stored on servers located within that country’s borders, sometimes mandating that data remain exclusively within the country and completely prohibiting cross-border data transfers.

Each of these requirements has the potential to impede U.S. criminal investigations, whether conducted by law enforcement or by defense counsel. Companies that are prohibited from disclosing data are barred from sharing relevant evidence with investigators. Notification requirements can tip off individuals that they are under investigation. When those individuals are dangerous or untrustworthy, notice can threaten someone’s life or physical safety, or risk tampering with and destruction of evidence. If account holders can force companies to delete data, then that data will no longer be available to investigators. And data localization makes it more difficult for investigators to route around these other requirements. As a result, demands for data stored abroad that are made outside of sanctioned MLAT procedures for resolving conflict-of-laws problems can, in the words of Google’s former general counsel, force companies to “risk violating either the law of the requesting country or the law of the country where we are headquartered.”

Notably, the potential effects of new foreign data privacy, protection, and localization laws on cross-border criminal investigations are, at least in part, deliberate policy features designed to regulate law enforcement access to data across borders. Post-Snowden concerns over U.S. law enforcement surveillance conducted through non-MLAT channels are playing a prominent role in ongoing international policy debates about the laws and norms governing cross-border data transfers. For instance, on July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated a “privacy shield” agreement between the U.S. Department of Commerce and the European Commission designed to regulate cross-border transfers of personal data. In Data Protection v. Facebook Ireland Limited and Maximillian Schrems (Schrems II), the CJEU held that the privacy shield did not sufficiently protect EU personal data transferred to the U.S. from access by U.S. law enforcement and intelligence agencies. By encouraging companies to store more EU personal data within the EU and out of reach of U.S. court jurisdiction, Schrems II is likely to increase investigators’ dependence on MLAT processes.

In a parallel and interlocking trend, there is substantial agreement within the U.S. that existing MLAT processes, designed as they were in the pre-internet age, are too slow for criminal investigations in an age of digital data that might be deleted before the legal process resolves, and that more efficient channels are needed to expedite law enforcement’s access to data stored in foreign jurisdictions. (Of course, law enforcement also has access to the letters rogatory process available to criminal defense investigators but generally does not use it due to its unpredictability and delay.) Efforts to develop alternative non-MLAT routes for U.S. law enforcement to more efficiently access foreign data have, in turn, raised alarm among foreign policymakers. For instance, a report by a Centre for European Policy Studies task force on cross-border data in criminal proceedings expresses concern that U.S. law will encourage “direct private-public cooperation for cross-border data gathering [that] cannot be considered a satisfactory alternative to judicial cooperation.” In response, foreign lawmakers are seeking to close off routes for cross-border data transfers outside of sanctioned MLAT agreements. The European Data Protection Board (EDPB), for example, has advised that “where there is an international agreement such as an MLAT, EU companies should generally refuse direct requests and refer the requesting third-country authority to an existing mutual legal assistance treaty or agreement.”

As explained in more detail below, these developments risk reducing U.S. criminal defense investigators’ access to cross-border data because defense counsel cannot use the sanctioned MLAT procedures, and their letters rogatory powers cannot pierce new foreign data privacy, protection, and localization laws designed to close off non-MLAT routes for access.

2. Asymmetrical effects on law enforcement versus defense investigations

Foreign data privacy, protection, and localization laws risk imposing new asymmetrical effects on law enforcement and criminal defense investigations. To start, as with domestic U.S. privacy legislation, foreign privacy laws may contain exceptions that enable law enforcement to continue accessing sensitive information without parallel provisions for defense access. India’s proposed data privacy bill of 2019, for instance, would allow public sector entities of the Indian government to compel companies to disclose data without users’ consent but includes no similar provision for defense counsel to do the same. Similarly, Brazil’s Civil Rights Framework for the Internet and its Criminal Procedure Code each permits police or prosecutors to order data preservation or compel disclosures of subscriber data in certain circumstances but contain no similar provisions for defense counsel.

Further, even when foreign privacy laws lack exceptions for law enforcement investigations and impede U.S. law enforcement efficiency—and indeed foreign lawmakers may intend precisely that effect—the laws do not risk blocking law enforcement access altogether. Channeling cross-border investigations into MLAT processes and closing off alternative access routes still leaves law enforcement with MLAT powers to route around foreign data privacy and protection laws. The same cannot be said for criminal defense investigators, who stand to lose their existing letters rogatory powers.

To illustrate this asymmetry, consider Europe’s recent General Data Protection Regulation (GDPR). The GDPR appears on its face to block legally compelled transfers of personal data to the U.S. unless the transfer is made pursuant to an MLAT or other international treaty. Specifically, Article 48 of the GDPR states that a non-EU country’s order requiring a service provider “to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty.” Hence, the GDPR expressly exempts MLAT transfers from its regulations, affording U.S. law enforcement the power to pierce GDPR restrictions on cross-border transfers of European data. To be sure, Article 49(1)(e) also exempts transfers “necessary for the establishment, exercise or defense of legal claims.” And the EDPB has affirmed that the Article 49 exemption encompasses disclosures “necessary” for pretrial discovery, so long as the data go through a predisclosure minimization process. Nevertheless, the requirement to establish the necessity of data rather than their mere relevance, and to comply with the minimization process, may prove too burdensome and expensive for indigent criminal defense teams to manage. The result would mean that U.S. law enforcement will retain its MLAT powers but the defense will have an even harder time obtaining a letter rogatory.

Notably, foreign legislators enacting data privacy and protection laws may be even less likely to account for defense investigative needs than are U.S. lawmakers because many foreign nations have inquisitorial criminal legal systems that task state officials with investigating exculpatory as well as inculpatory evidence. In these inquisitorial systems, MLAT access may also benefit the accused. Foreign policymakers responding to concerns about U.S. law enforcement’s extra-MLAT surveillance practices may be unaware that blocking non-MLAT routes for access can harm criminal defendants. Policymakers in these nations—if they are concerned at all with U.S. criminal defendants—may incorrectly assume that accommodating U.S. law enforcement’s investigative needs through MLATs or other bilateral agreements will suffice to protect the rights of the accused. If so, they would be wrong.

3. The CLOUD Act

While the combination of new foreign data privacy, protection, and localization laws with asymmetrical MLAT procedures already privileges law enforcement investigations of guilt over defense investigations of innocence, this is not the only structural legal disparity of its kind. Law enforcement’s greatest recent buffer against data economy and privacy trends that threaten cross-border access to evidence may be the CLOUD Act. The CLOUD Act has two main parts, both of which—under current judicial readings of U.S. law—aid law enforcement investigative power without providing parallel benefits to criminal defense investigators.

One part of the CLOUD Act empowers the government to enter into a new series of bilateral executive agreements with other nations designed to supersede the MLAT system and expedite law enforcement cooperation across borders. The first such “CLOUD agreement,” the U.K.-U.S. Bilateral Data Access Agreement, entered into force in July 2020. Like its MLAT predecessors, the U.K.-U.S. agreement is closed to defense investigators. It provides for “timely access to electronic data for authorized law enforcement purposes” but expressly disavows the creation of any right for “any private person … to obtain … any evidence.” Given this precedent and the Justice Department’s long-standing defense of MLAT asymmetries, there is little reason to think that future CLOUD Act agreements will account for defense investigative interests.

The other part of the CLOUD Act amended the SCA to provide law enforcement with a one-stop shop in U.S. court to compel disclosures of data stored abroad. If foreign evidence is within the control of a U.S. service provider, such as Microsoft, Google, Facebook, GitHub, or Twitter, then the CLOUD Act expressly permits law enforcement to compel the company to produce that data solely through a U.S. court order, without resort to an MLAT, even if the data are stored on a foreign server. Specifically, the CLOUD Act amended the SCA to state that electronic communications service providers “shall comply with the obligations of this chapter [the SCA] to … disclose the contents of a wire or electronic communication … within such provider’s possession, custody, or control, regardless of whether such communication … is located within or outside of the United States.”

Thus, whereas letters rogatory require judicial review by both U.S. and foreign courts, and MLATs require judicial review exclusively by a foreign court, CLOUD Act orders require judicial review exclusively by U.S. courts. CLOUD Act orders are narrower than MLATs in that they solely reach companies subject to U.S. jurisdiction but more powerful than MLATs in that they can require disclosures that violate foreign laws, including foreign laws not pierced or waived by treaty.

For a somewhat circuitous reason, this CLOUD Act-decreed application of SCA procedural rules to data stored on foreign servers once again enhances law enforcement’s investigative power without parallel benefits for the defense. This is because, under the current judicial consensus view of the SCA, explained in further detail below, SCA orders for communications contents are exclusively available to law enforcement—even for data stored within the U.S. For over a decade, nearly every state and federal court to have squarely ruled on the issue has construed the SCA to unqualifiedly bar criminal defendants from subpoenaing service providers for content data. Accordingly, under current law, the CLOUD Act amendment to the SCA entitles law enforcement seeking electronic communications data to circumvent foreign data privacy, protection, and localization laws by relying unilaterally on U.S. courts to compel access to foreign evidence but does not allow defense investigators to do the same.

III. The CLOUD Act Solution to Cross-Border “Privacy Asymmetries”

The CLOUD Act amendment to the SCA has provoked substantial public policy debate. From one perspective, the amendment effects an extraterritorial application of U.S. law enforcement’s search and seizure power and is an example of the U.S. unilaterally bypassing the multisovereign-endorsed MLAT frameworks for transnational cooperation in gathering evidence. From another perspective, the amendment merely codifies the status quo rule that persons and entities subject to U.S. jurisdiction can be compelled to produce documents within their “possession, custody, or control,” regardless of where they choose to store those materials. Despite this sustained attention, debates over the CLOUD Act appear to have entirely overlooked its potential effect on criminal defense investigations.

This section seeks to remedy that oversight. It builds on an argument I advance in depth elsewhere that, properly construed, the SCA’s statutory text should yield to defendants’ otherwise valid subpoena power. This essay extends the analysis to contend that a proper reading of the CLOUD Act should grant both law enforcement and criminal defense investigators access to foreign data controlled by U.S. companies. Construing the statute in this manner is doctrinally correct. It would help to reverse the 50-year inequity in cross-border evidence gathering that MLAT asymmetries have imposed while avoiding the constitutional grounds that courts have relied on to justify those MLAT asymmetries. And it would afford defense investigators parallel access to at least one of the buffers that law enforcement enjoys against trends in the global data economy and foreign privacy laws that might otherwise impose disparities based on who has power to access evidence and who to withhold it. This solution is, admittedly, a partial one; it will enhance criminal defendants’ access to evidence that U.S. corporations store abroad, but not to data possessed by foreign entities not subject to U.S. court jurisdiction. Nevertheless, it is a productive step toward greater parity in the truth-seeking process, and it is within the power of courts to implement immediately.

A. The plain text of the CLOUD Act’s SCA amendment should help criminal defendants access cross-border evidence

As mentioned above, courts across the U.S. have nearly uniformly ruled that the SCA bars technology companies from complying with criminal defense subpoenas seeking certain types of data—specifically communications contents from another user’s account—even when that data could establish innocence and are unavailable from other sources. The pertinent language in the SCA statute states that electronic communication service providers “shall not knowingly divulge to any person or entity the contents of a communication,” and then enumerates a series of express exceptions for permissible disclosures, including to law enforcement pursuant to certain forms of legal process. There is no express exception for disclosures to criminal defense investigators. Courts have applied an expressio unius canon of statutory interpretation to this language and concluded that the presence of an enumerated exception permitting disclosures to law enforcement and the absence of a similar enumerated exception for defense investigators means that Congress must have intended to bar disclosures to the defense. As a result, current judicial consensus holds that the SCA permits law enforcement to compel service providers to disclose content data but prohibits defense counsel from doing the same. Under this interpretation of the statutory text, the CLOUD Act’s extension of SCA procedures to cover data that U.S. corporations store abroad will asymmetrically enhance law enforcement’s access to cross-border data without similar benefit for the defense.

However, as I have argued in depth elsewhere, the current consensus view that the SCA bars criminal defense subpoenas is wrong. This consensus reading erroneously construes silence in the SCA’s text to create a statutory evidentiary privilege that blocks otherwise valid legal process. Reading statutory silence in this manner violates binding interpretive rules for evidentiary privileges. Specifically, the Supreme Court has repeatedly declared that courts must construe privileges narrowly because they are “in derogation of the search for truth,” and must not read federal statutes to “suppress otherwise competent evidence unless the statute, strictly construed, requires such a result.” Ambiguous silence in statutory text does not require such a result. Thus, courts should read the SCA’s ambiguous silence as to disclosures to defense investigators to yield to criminal defendants’ otherwise valid compulsory legal process rights. In other words, they should construe the statutory language commanding that electronic communication service providers “shall not knowingly divulge to any person or entity the contents of a communication” as a mere confidentiality rule that, like banks’ or accountants’ duties of confidentiality, yields to judicial compulsory process.

Applying this strict construction privilege interpretation to the SCA would mean that the CLOUD Act amendment does not merely permit law enforcement to compel U.S. companies to disclose data stored on foreign servers; it also permits criminal defendants to do the same. There are two reasons for this. The first is readily apparent; construing the SCA privacy provision as a confidentiality rule, rather than a privilege rule, would mean that the SCA no longer blocks criminal defense subpoenas to U.S. technology companies seeking communications contents. And, under the normal subpoena rules, a nongovernmental litigant can compel a company that is subject to U.S. court jurisdiction to disclose evidence within its possession, custody, or control, even if the company stores that evidence abroad. Hence, if defense subpoenas to U.S. technology companies seeking communications contents are SCA-compliant, then they should also be able to reach data stored abroad.

The second reason is somewhat less obvious and pertains to the broad context in which Congress enacted the CLOUD Act. As explained in further detail below, the Act resolved an ongoing ambiguity as to whether law enforcement orders compelling technology companies to disclose the contents of stored communications were warrant-like or subpoena-like for purposes of an extraterritoriality analysis. By ordering technology companies to comply with those orders for data stored abroad, the CLOUD Act favors a subpoena-like view. And the more subpoena-like these orders are, the more squarely they fall within defense investigators’ standard tool set.

In short, law enforcement’s latest buffer against the erosion of its own access to foreign data—the CLOUD Act amendment of the SCA—should also buffer defense subpoenas.

B. Defense access to data under the CLOUD Act would avoid the grounds that courts have relied on to reject defense access to MLAT procedures

CLOUD Act-enabled defense subpoenas should increase defense access to evidence stored abroad while avoiding the constitutional grounds that courts have relied on to uphold MLAT asymmetries in the past. To date, challenges to the constitutionality of MLAT asymmetries have failed for two key reasons. First, courts have reasoned that defendants’ Sixth Amendment right to compulsory process does not generally extend beyond U.S. borders. Second, courts have reasoned that defendants’ Sixth Amendment and due process rights to present a defense merely entitle them to access the compulsory process powers of the judiciary, not those of the executive branch, and that law enforcement’s exclusive access to cross-border data derives from the latter. Both lines of constitutional reasoning are irrelevant to the SCA portion of the CLOUD Act because that part of the CLOUD Act is premised on the notion that court orders to U.S. corporations are not extraterritorial, even when the orders require cross-border productions of data. Hence, under the CLOUD Act logic, defense subpoenas for evidence stored abroad would be supported by defendants’ constitutional as well as statutory rights to compulsory legal process. The following section lays out these arguments in greater detail.

1. Avoids extraterritorial reach of defendants’ compulsory process rights

Courts have held repeatedly that criminal defendants’ lack of access to MLAT procedures does not violate the Sixth Amendment right to compulsory process because defendants’ compulsory process rights do not normally reach beyond the territorial U.S. There are some exceptions to this rule that are triggered by governmental misconduct. For instance, courts may find a Sixth Amendment or due process violation if the government caused the loss of defense access to foreign evidence, such as by deporting material defense witnesses or by denying such witnesses entry into the country to testify voluntarily. But absent such misconduct, courts reason that defendants lack compulsory process rights to evidence “when a court itself cannot compel” access to that evidence. Courts themselves generally lack power to compel cross-border evidence disclosures. As a result, courts have found that “a defendant’s constitutional right to compulsory process is not implicated by a court’s refusal to order the Executive Branch to invoke [an] MLA Treaty in favor of a defendant.”

The CLOUD Act should flip this logic because the Act establishes that subpoenas to U.S. corporations for data stored abroad are not extraterritorial applications of compulsory process. This result is clear from the plain text of the CLOUD Act, which states that corporations “shall comply” with SCA orders “regardless of whether such communication, record, or other information is located within or outside of the United States.” To more fully understand the rejection of extraterritoriality that this language embodies, it will be helpful to provide some additional context about the history of the CLOUD Act.

The story of the CLOUD Act began years before its enactment, in December of 2013, when law enforcement officers investigating a drug-trafficking case served Microsoft with an SCA order for the contents of emails from one of its web-email service’s customer accounts. Microsoft refused to comply, arguing that the email contents were stored exclusively on a server in Ireland and that the order lacked extraterritorial effect. Microsoft and the Justice Department fought this case, United States v. Microsoft (Ireland), all the way up to the Supreme Court. Before the Court could decide the issue, Congress mooted the case by enacting the CLOUD Act of 2018.

Microsoft (Ireland) focused on certain provisions of the SCA that regulate government access to electronic communications contents. All parties agreed that under the normal subpoena rules, “an entity lawfully obligated to produce information in its control must do so regardless of the location of that information,” including data stored abroad. The disagreement focused on whether the SCA procedures for government access qualified as a subpoena, in which case the normal subpoena production rule should apply and permit access to data stored abroad, or whether those procedures instead qualified as a warrant that conscribes the recipient into an agent of law enforcement who must execute a search and seizure, in which case a presumption against extraterritorial searches and seizures should apply and block access to data stored abroad. The CLOUD Act dictated the result that SCA orders are subpoena-like, at least for purposes of an extraterritoriality analysis.

While criminal defense investigators have well-established subpoena power, their entitlement to court orders that compel conduct similar to a law enforcement search or seizure is more ambiguous. By adopting a subpoena-like characterization of SCA orders, rather than a search-like characterization, the CLOUD Act supports the view that defense investigators should be able to subpoena technology companies for stored communications contents. Hence, the CLOUD Act adds further reason to construe the SCA to yield to defense subpoenas, both defense subpoenas in general and, specifically, defense subpoenas to U.S. companies for data stored abroad. Further, if courts do not construe the SCA to yield to these defense subpoenas, the CLOUD Act lays the groundwork for a constitutional challenge. Specifically, the CLOUD Act dictates the conclusion that SCA orders for data stored abroad do not reach beyond the ordinary jurisdiction and powers of the courts. Hence, unlike with MLATs, even current doctrine would support the claim that categorically denying defense access to such orders may violate defendants’ Sixth Amendment right to compulsory process.

2. Avoids the compulsory process powers of the executive branch

The second reason courts have repeatedly upheld the constitutionality of MLAT asymmetries is related to the first; defendants’ compulsory process rights do not generally reach the compulsion powers of the executive branch. Accordingly, courts in the Eastern District of Virginia explained in one case that “the right to compulsory process … cannot be stretched to include compelling the invocation of treaty process powers available only to the executive branch,” and in another case that “a defendant’s constitutional right to compulsory process is not implicated by a court’s refusal to order the executive branch to invoke the MLA Treaty in favor of a defendant.” Meanwhile, balance of powers concerns discourage courts from ordering police and prosecutors to exercise executive branch powers on behalf of the defense. For instance, the U.S. Court of Appeals for the D.C. Circuit held that the government had no obligation to use its MLAT powers on behalf of the defense to secure tapes and transcripts from an alleged co-conspirator’s trial abroad because the mere authority “to seek” evidence does not impose any disclosure obligations on the government.

The MLAT opinions are thin on reasoning about the relationship between judicial and executive powers, but this relationship is illuminated further in related case law on selective immunity. A witness who asserts the Fifth Amendment privilege against self-incrimination can be compelled to testify if the government immunizes that witness from future criminal prosecution based on the testimony. In current doctrine, neither the court nor the defense has a similar power to grant immunity to defense witnesses. Nonetheless, courts have consistently found that the prosecution’s refusal to immunize a defense witness in order to enable a defendant to compel exculpatory testimony from that witness does not violate the Constitution. In other words, selective immunity is an asymmetrical investigative power, and courts have upheld that asymmetry as constitutional. Here too, government misconduct may trigger some exceptions. Courts may find a due process violation if prosecutors withhold a grant of selective immunity with the bad faith intent of distorting the fact-finding process. But, in general, courts have upheld the prosecution’s exclusive power to compel testimony from witnesses who assert their Fifth Amendment privilege.

Once again, the CLOUD Act should flip this logic to favor defense subpoenas to U.S. companies in general, and specifically to favor such subpoenas seeking data stored abroad. By construing SCA orders as subpoena-like rather than warrant-like, the CLOUD Act has characterized these orders as a form of legal process that lies squarely within the powers of the judiciary. Hence, defendants serving CLOUD Act subpoenas need not petition for assistance from the prosecution. Instead, they can rely on their own constitutionally grounded and statutorily endorsed subpoena rights to request compulsory process from the courts.

IV. Conclusion

Debates about global data privacy have largely overlooked the criminally accused. Data privacy laws may appear as private laws regulating consumer protection for the global data economy. Or they may appear as public laws regulating law enforcement investigations. Both can be true. But myopic focus on either ignores the distributional distortions and democratic harms of data privacy laws that grant more power to law enforcement seeking evidence of guilt than to defense investigators seeking evidence of innocence. This essay has begun to rectify the awareness gap by documenting that, and how trends in the global data economy, combined with foreign data privacy laws, risk selectively suppressing criminal defense access to evidence of innocence. The essay has also taken an initial step toward fixing these harms by arguing that the U.S. CLOUD Act supports not only law enforcement’s but also criminal defense investigators’ entitlement to judicial process to compel U.S. companies to disclose data stored on foreign servers. We should not grant law enforcement the power to compel private companies to disclose evidence of guilt while granting those same companies the power to suppress evidence of innocence. At this moment of overdue national reckoning with police violence, mass incarceration, racism, classism, and other structural disparities in the criminal legal system, data privacy law must do better.


Thank you to Ayodele Akenroye, Julie Cohen, Seth Davis, Jim Dempsey, Andrew Ferguson, Jameel Jaffer, Amy Kapczynski, Paul Ohm, and Kate Weisburd for helpful comments and discussion. A special thank you is due to Katy Glenn Bass for comments on prior drafts and for shepherding this essay to publication. Alexa Daugherty, Chelsea Hanlock, Joseph Kroon, Ping Liu, and Nivedita Soni provided excellent research assistance. Marci Hoffman and Dean Rowan provided invaluable reference support. This essay benefited from presentations at the Yale Law School and Knight First Amendment Institute’s “Data and Democracy” symposium, the American Bar Association “Criminal Justice Workshop,” and the “Technology Law and Policy Colloquium” at Georgetown Law School.


Printable PDF


© 2022, Rebecca Wexler.


Cite as: Rebecca Wexler, The CLOUD Act and the Accused, 22-05 Knight First Amend. Inst. (July 19, 2022), https://knightcolumbia.org/content/the-cloud-act-and-the-accused-2 [https://perma.cc/YQ77-HRJ8].