As the Administration continues to issue historically large numbers of executive orders, some may wonder whether such orders could be used to contravene provisions in existing federal statutes governing U.S. government access to stored user data. More specifically, the issue is whether an executive order could contradict provisions in the Stored Communications Act (SCA) and the Foreign Intelligence Surveillance Act (FISA). In short, the answer is no.
The SCA prohibits companies subject to the law (such as email providers, social media companies and cloud service providers) from disclosing certain stored data to others, including the U.S. government, absent an applicable exception. The SCA also sets out the process by which the government can compel these service providers to disclose stored user data in criminal investigations. FISA sets out the procedural and substantive rules for when and how the U.S. government can compel service providers to disclose user information for purposes of gathering foreign intelligence information.
The executive branch, including the President of the United States, is bound by these rules. While the President can issue executive orders (EOs), EOs cannot override statutory protections, such as those found in the SCA and FISA, or constitutional rules, including those found in the Fourth Amendment. The following lays out the basics of the underlying statutory rules that govern the authority of the U.S. government to compel service providers to disclose stored user data. Of note, service providers can, and often do, contest disclosure orders that fail to comply with these rules.
The Stored Communications Act restricts service providers from sharing user data, including with the U.S. government, unless specific substantive and procedural criteria are met. First, the SCA prohibits service providers from voluntarily sharing user information with the government unless an express exception applies. 18 U.S.C. § 2702. Second, it restricts when and how government entities in the United States can compel a service provider to disclose information about a user. 18 U.S.C. § 2703. For purposes here, the latter prohibition is the most pertinent.
The specific legal process a U.S. government entity must obtain to compel production of stored user data depends on the nature of the data. For example, the SCA specifies that access to basic subscriber information (e.g., information about the identity of a subscriber, such as a name, phone number or billing information) requires, at a minimum, an administrative, grand jury, or trial subpoena. A combination of SCA and constitutional rules establish that content of communications (like the subject line and body of an email, a stored photo, or document) requires that the government secure a search warrant from a court, based on a heightened judicial finding of “probable cause” that the information sought constitutes evidence of a crime, contraband, or fruit or instrumentalities of crime. If a provider has grounds to object to the process (for example that the government is improperly trying to use a subpoena to obtain content), the provider can do so and ultimately challenge the order in court.
Some have suggested that the Clarifying Lawful Overseas Use of Data Act, or “CLOUD Act,” enacted in March 2018, overrides the SCA’s rules for how the U.S. government can compel disclosures from service providers. That is incorrect. The CLOUD Act amended the SCA to, among other things, address the situation in which a service provider covered by the SCA has control over data located outside the United States. The CLOUD Act makes clear that the U.S. government can use the SCA to compel disclosure of such data, but the U.S. government must comply with all the procedural and substantive requirements of the SCA to do so. In addition, the CLOUD Act created a new statutory basis for providers to challenge any such orders that sought the data of a non-U.S. person located outside the United States, if doing so would violate the rules of a so-called “qualifying foreign government.” 18 USC § 2703(h)(2). It also expressly preserved service providers’ pre-existing rights to move to quash other orders, including based on common-law conflict of law grounds, thus helping to ensure implementation of the law takes into account the laws of other countries.
The Foreign Intelligence Surveillance Act is the intelligence analog of U.S. surveillance authorities in criminal matters, such as the SCA. FISA sets out the rules the U.S. government must follow to compel a service provider to disclose user data for foreign intelligence purposes, and provides judicial involvement and Congressional oversight. One of the provisions in FISA, often referred to as Section 702, establishes a statutory framework, overseen by a court with reporting to Congress, through which the Attorney General and the Director of National Intelligence may authorize the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information. Criteria for Section 702 targeting, minimization and querying of data obtained must be approved by key executive branch officials and an independent court. Each targeting decision must be individualized and documented and subjected to a multi-step authorization and review process.
To compel a provider to disclose information pursuant to FISA, the government first serves legal process on a provider. If there is an issue with the order, the provider can object, including before a specialized court that deals with foreign intelligence matters.
Executive Orders are directives issued by the President to manage the internal operations of the executive branch of the federal government. They are one of the key tools the President uses to implement policies, by directing the conduct of its officers and agencies, as well as powers conferred to the executive under statute or the constitution. They cannot, however, be used to create new laws or criminal penalties (the legislature is needed for that), contradict existing statutes, impose obligations on private parties contrary to those provided for by Congress, or override the Constitution.
In both the SCA and FISA, Congress has laid out clear rules governing access to stored data, and the President does not have the constitutional or statutory authority to issue contrary rules that override these congressional pronouncements.
* * *
These statements are attributable only to the authors, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.
