Defining the Scope of 'Possession, Custody, or Control' for Privacy Issues and the Cloud Act
Journal of National Security Law and Policy, Forthcoming
42 Pages Posted: 23 Oct 2019 Last revised: 29 Jan 2020
Date Written: October 7, 2019
In 2018, the U.S. Congress passed the Clarifying Lawful Overseas Use of Data Act (Cloud Act) to address the ubiquitous need for law enforcement to access personally identified evidence stored outside of its physical jurisdiction. The Cloud Act did so in part by codifying that the U.S. government has the power to order the production of electronic evidence from U.S. service providers “regardless of whether such [evidence] is located within or outside of the United States.” Instead of location, the Cloud Act states that the determining factor of whether or not the service provider must provide the evidence specified is whether the evidence is in the provider’s “possession, custody, or control.” Yet, the Act does not define what constitutes “possession, custody, or control” of electronic evidence.
This article provides the first full analysis of the scope of “possession, custody, or control.” It introduces a new visualization tool for describing where courts have found possession, custody, or control previously. The graph has two variables: the amount of legal control the entity receiving the legal process has over the evidence, and the amount of day-to-day control the entity exerts over the evidence. While the article does not expect courts to make precise findings of the percentage of legal and day-to-day control in their opinions, the article does suggest the graph can help conceptualize key aspects of how courts interpret this doctrine.
Part II of the article examines whether the use of the “possession, custody, or control” standard in the Cloud Act expanded the U.S. Department of Justice’s previous power to require the production of electronic evidence from U.S.-based service providers. This section reviews the Bank of Nova Scotia line of cases and lower court rulings in Microsoft Ireland, as well as the different viewpoints on the scope, prior to the Cloud Act, of the U.S.’s authority to demand the production of electronic evidence stores outside the U.S.
Part III examines how the phrase “possession, custody, or control” has been interpreted under the Federal Rules of Civil and Criminal Procedure, and how that jurisprudence might inform future challenges of U.S. authority under the Cloud Act. This section also examines four additional implications from existing jurisprudence, including a warning to European data protection lawyers that the term “controller” under European law is entirely different from the word “control” under the Cloud Act.
Part IV reviews concepts similar to the “possession, custody, or control” standard in other nations, and specifically reviews the law in Belgium, where two prominent recent cases involving Yahoo! and Skype have shown an expansive view of Belgian courts’ access to evidence.
Keywords: Cloud Act
Suggested Citation: Suggested Citation