Evidence Stored Abroad - CLOUD Act and Budapest Convention
The CLOUD Act (2018) lets the DOJ compel U.S. providers to produce data regardless of where it is stored (mooting the Microsoft Ireland case) and lets qualifying foreign governments go directly to U.S. providers, bypassing the slow MLAT process. The Budapest Convention's Second Additional Protocol addresses the same problem internationally.
Part 1 of the CLOUD Act mooted United States v. Microsoft (the Ireland case) by providing that compelled-disclosure orders apply "regardless of whether such communication, record, or other information is located within or outside of the United States." Part 2 creates a mechanism for qualifying foreign governments to access content held by U.S. providers.
Normally, ECPA bars U.S. providers from disclosing content except via a warrant or a mutual legal assistance treaty (MLAT), under which the foreign request must meet the U.S. probable-cause standard even though the crime is foreign - a process averaging about 10 months. Under a CLOUD Act executive agreement, a qualifying foreign government can go directly to providers for communications of non-U.S. citizens and residents, without the MLAT process or a U.S. judge's probable-cause finding. Agreements are authorized only for countries meeting human rights and rule-of-law requirements; the U.S./UK and U.S./Australia agreements have been negotiated.
The Budapest Convention (2004) was the first cybercrime-focused treaty; over 60 countries, including the U.S., have ratified it. Its Second Additional Protocol (signed by the U.S. in 2022) addresses the globalization of criminal evidence through expedited production, direct disclosure of subscriber and domain information, and emergency requests - while requiring data-protection safeguards.