The Cloud Act Is Not a Tool for Theft of Trade Secrets

After last year’s passage of the Clarifying Lawful Overseas Use of Data Act (Cloud Act), officials and journalists in the European Union have ramped up criticism of the American desire for extraterritorial access to electronic evidence, with some accusing the United States of being motivated by the desire to conduct economic espionage for the benefit of U.S. economic interests. A February piece from the French paper Les Echos said that “[m]any observers feel that American justice could be deploying [the Cloud Act] for purposes of economic espionage.” The article quotes the CEO of a French service provider as saying that some of his French clients come to his company specifically to avoid handing payroll information to the U.S. government or other services under U.S. control.

This criticism has been echoed by numerous actors in the French private sector. For example, Servane Augier of the IT firm Outscale and Olivier Iteanu of the Hexatrust cybersecurity consortium described the Cloud Act as entailing “risks related to industrial espionage, national security, intellectual property, and the protection of personal data, and must therefore be known by the general public and users.”

The French government has expressed concerns that the Cloud Act is harmful to the country’s “digital sovereignty,” with Secretary of State for Digital Affairs Mounir Mahjoubi denouncing the act’s extraterritorial effects. In response to these concerns, the French government has asked industries to use “Cloud-Act-safe” data providers, with French lawmaker Laure de la Raudiere, saying, “[The Cloud Act] must be a wakeup call for Europe to accelerate its own, sovereign offer in the data sector.” The French intelligence agency the Direction générale de la sécurité intérieure (DGSI) is reportedly planning to publish a report accusing the U.S. of conducting economic espionage against French companies, but the report has not yet been publicized.

Despite these allegations, however, there are no public instances of such U.S. trade secret theft occurring. The Cloud Act does provide that U.S. prosecutors can gain access to evidence under the possession, custody or control of a company in the U.S., regardless of where the data are stored, meaning there may be some merit to the French government’s concerns over extraterritoriality. But the economic espionage critique is mistaken.

In our interviews with multiple Department of Justice prosecutors, none of them has been aware of any attempts to use prosecutorial powers to engage in trade secret theft. Additionally, in its recent white paper titled Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act, the Justice Department explicitly stated that it does not “use the Stored Communications Act to obtain trade secrets from foreign governments to benefit U.S. companies.” The white paper also highlights the U.S.’s championing of the international norm that “no government should in any way conduct or support the theft of intellectual property, including trade secrets, as expressed in the G7 Declaration on Responsible States Behavior in Cyberspace.”

To the extent that these concerns are motivated by a fear of extraterritorial enforcement of U.S. laws, the Cloud Act—like the European Union’s e-evidence framework—does not grant sweeping new government powers but, rather, creates a more transparent and flexible framework for exercising legal authorities that these governments have long claimed to possess. To the extent the EU is worried about the U.S. using the Cloud Act to engage in economic espionage, however, there is good reason to believe the existing laws in the United States would prevent the abuse of any economic information. Here, we use “abuse” to mean using such information to advance the interests of specific private corporations or private interests, rather than a lawful criminal investigation during which prosecutors may seek evidence about the actions of foreign companies where there is reason to believe that the companies are engaging in criminal activity that violates U.S. law.

What could abuse of economic information look like, in this context? Several types of potentially valuable information could be picked up by an information request, including documents revealing intellectual property, personally identifiable information or lists of a firm’s customers. Any of this information could conceivably be of use to a U.S. firm, but in practice it is highly unlikely that any such information would make it off the Department of Justice’s evidence servers.

This is for three primary reasons. First, the U.S. has long-standing normative and diplomatic interests in preventing the abuse of economic espionage—and though those interests are expressed primarily in its policies regarding intelligence collection, these policy reasons would extend as well to information gleaned through criminal investigations. Second, even under the Cloud Act, the United States can obtain information only via a lawful order pursuant to a criminal investigation, meaning that there would be judicial oversight of any request for information. And third, the U.S. law protecting trade secrets, the Economic Espionage Act (EEA), provides significant protections to the owners of trade secrets at issue in litigation, protections that would apply in a criminal investigation as well.

The U.S. has strict rules against the abuse of economic information developed through intelligence. While these rules to date have not been extended specifically to criminal investigations, the normative reasons behind them—for example, the desire on the part of the U.S. to refrain from implicitly endorsing industrial espionage by other nations—would appear to still apply, particularly in light of the Justice Department’s recent statements affirming its opposition to such espionage. As revealed by the Edward Snowden leaks in 2013, the U.S. has engaged in wide-scale espionage, including on international organizations such as the World Bank, and companies in friendly countries such as Brazil and Germany. The U.S., however, makes a distinction between espionage for national security purposes, contrasted with espionage to help individual private actors. The former it openly acknowledges, but the latter it considers abuse.

The U.S. formalized this policy of refraining from sharing economic information with private actors in 2014 when the White House issued Presidential Policy Directive 28 (PPD-28), instituting safeguards against the abuse of signals intelligence information gathered for authorized foreign intelligence and counterintelligence purposes, which remain in effect today. The directive states that,

The collection of foreign private commercial information or trade secrets is authorized only to protect the national security of the United States or its partners and allies. It is not an authorized foreign intelligence or counterintelligence purpose to collect such information to afford a competitive advantage [] to U.S. companies and U.S. business sectors commercially.

PPD-28 is not all-encompassing. It applies only to signals intelligence, and it prevents only the collection, rather than the dissemination, of commercial information to benefit private firms. PPD-28 is binding on the executive branch, however, and codifies the long-standing historical policy of the United States to collect intelligence in order to allow the government to make decisions concerning “foreign, defense and economic policy, and the protection of United States national interests from foreign security threats,” while drawing the line at aiding private corporations.

Underlying this long-standing policy is America’s desire to discourage and punish such trade theft by other countries. The U.S. has unveiled multiple indictments against Chinese nationals in the past year, accusing them of stealing trade secrets for the benefit of Chinese state-owned corporations. These indictments came after a 2015 agreement between China and the United States appeared to have reduced the levels of espionage, though those levels have risen as tensions between the two nations have increased. In a 2018 report, the National Counterintelligence and Security Center also identified Iran and Russia as major threats to American intellectual property.

In short, the U.S. has sought the moral high ground regarding the abuse of economic espionage. The U.S. has historically championed the international norm that no government should engage in intellectual property theft to benefit its own economy or companies, the leaked information from Snowden did not reveal anything more than mere contemplation of economic espionage, and U.S. policy protections against such abuse have only grown stronger since 2013.

The Cloud Act is also unlikely to lead to economic espionage because a warrant or subpoena is an ill-suited vehicle for sharing information unrelated to a criminal prosecution. The Cloud Act maintains or extends the U.S.’s reach for criminal investigations utilizing electronic surveillance—the Pen Register and Trap-and-Trace Statute, the Stored Communications Act and the Wiretap Act. While these statutes have different evidentiary standards depending on the type of data requested, all require a signature from an independent judge, who would oversee the ensuing investigation.

Judges do not look kindly on what they see as the improper use of information obtained in a criminal investigation. Bad faith on the part of a prosecutor is a violation of the constitutional right to due process. When criminal investigators have worked with civil counterparts on the same case, courts have carefully policed the line between good-faith cooperation and cooperation that crossed the line. Judges are on the lookout for the government using civil actions as a “pretext” to advance a criminal case, or vice versa, and the same principle would apply if a judge believed the government was using a criminal case as a pretext to gather economic information for the commercial gain of a particular company.

If trade secrets were discovered instead by investigators pursuing a legitimate criminal investigation, and those prosecutors then desired to share that information with private parties, there are numerous barriers preventing disclosure. Any information obtained at the grand jury stage must be kept confidential and secret prior to the filing of an indictment, and the Justice Department Office of Professional Responsibility will investigate disclosure of grand jury information as an ethics violation. After the filing of an indictment, information that could constitute trade secrets may be considered classified, depending on its contents, subject area and method of acquisition. Sharing classified information with a noncleared party is a violation of criminal law, and such information can be shared outside the government only under limited circumstances involving the advising of private parties of threats. Finally, investigations are a long, slow process that can take years. While some trade secrets may still be valuable even after languishing on Justice Department servers for the entirety of an investigation, many would become obsolete—making investigations an unreliable method of releasing any discovered information.

Together, these rules do not make disclosure of information completely impossible if the executive were determined to do so. They do, however, make criminal investigations an unwieldy, slow and ineffective manner of gathering trade or commercial secrets to benefit U.S. companies.

Finally, a Cloud Act investigation is unlikely to reveal a firm’s trade secrets because the U.S. laws on the defense of trade secrets could apply in a case where those sensitive data are at risk of disclosure. Section 1835(b) of the EEA grants courts the authority to take actions that may be “necessary and appropriate to preserve the confidentiality of trade secrets,” and courts can exercise this authority at their discretion or at the request of a party to litigation. This section was included in the EEA in order to encourage private corporations to come to the government for assistance, by providing a mechanism for them to protect their secrets from public disclosure. Among the tools available to a court for protecting trade secrets are protective orders, limiting discovery, altering the presentation of evidence and closing criminal proceedings to the public.

No case has yet been brought where it is the defendant, rather than the plaintiff, trying to protect trade secrets. Yet, the overarching goal of the EEA’s confidentiality protections—to ensure “trade secrets are to be protected to the fullest extent during EEA litigation”—would still likely lead a judge to demand high protections for any information that could potentially be released during investigation or litigation. It would also likely allow the defendant corporation to understand the extent to which its own trade secrets would have been compromised.

In the past, these methods have commonly been used by the victim corporation or the government as a way of preventing the defendant from revealing stolen trade secrets in the course of prosecution. For example, in U.S. v. Liew, the court approved a protective order allowing the defendants to view sensitive trade secret material only in the presence of their counsel, and forbade them from retaining material. In U.S. v. Pu, the court ordered that the defendant could view the material only in a location of the government’s choice and allowed only defense counsel to take notes. In a case where the defendant corporation is the owner of the discovered trade secrets, it could file a motion requesting a similar protective order under § 1835.

There is no reason to think that U.S. prosecutors spoke inaccurately when they told us that they have never heard of an instance of the U.S. government abusing its criminal investigative powers to steal trade secrets for U.S. companies. Due to judicial supervision and the safeguards of trade secret litigation, the Cloud Act would be an ineffective vehicle for jump-starting such a policy.