DOJ Prosecutor Data Search Guide May Boost Tech, Cloud Services

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

There’s less risk of U.S. law enforcement scooping up sensitive corporate data under new Department of Justice guidance that stipulates prosecutors should request data directly from companies—not their cloud service providers, former federal prosecutors and officials told Bloomberg Law.

The DOJ’s Dec. 14 internal guidance instructing federal prosecutors to first serve requests on businesses before attempting to obtain the same data from cloud computing providers such as Microsoft Corp. and Amazon.com Inc. builds upon other recent changes to department data request policies. In October 2017, the DOJ put limits on the use of secrecy orders in legal demands for customer data.

The latest guidance intends to “reassure companies that, in the typical case, law enforcement will knock on their door first, and only go to the cloud provider if there is an unusual scenario—for example if the company itself is suspected of wrongdoing,” David Bitkower, data privacy and cybersecurity partner at Jenner & Block LLP in Washington and former principal deputy assistant attorney general for Justice’s criminal division, told Bloomberg Law.

The move is a big win for companies under government data requests because it reduces uncertainty and the risk of law enforcement accessing too much data. Cloud service companies that provide off-site data storage and processing for companies also benefit from not having to worry as much about law enforcement overreaching for personal and corporate private information.

Companies such as Microsoft and Facebook Inc. have lead the charge in seeking full transparency and protections for their customers, Matt Larson, Bloomberg Intelligence technology litigation analyst, told Bloomberg Law.

The guidance “definitely relieves a burden on cloud computing providers because they’ll face less requests for data,” Hanley Chew, privacy and data security of counsel at Fenwick & West LLP in Mountain View, Calif. and former assistant U.S. attorney in the Northern District of California, told Bloomberg Law. The onus is put back on the guardians of data—not on the cloud computing providers that merely host the data, he said.

The DOJ didn’t immediately respond to Bloomberg Law’s email request for comment.

Cloud Computing Win

The move may be a boon for the growing cloud computing industry, former DOJ officials and industry analysts said.

The guidance provides a “shot in the arm to the already booming cloud computing industry by striking a balance between the needs of law enforcement and the privacy and confidential rights of customers,” Joseph Moreno, cybersecurity partner at Cadwalader, Wickersham & Taft LLP in Washington and former prosecutor in Justice’s national security division, told Bloomberg Law.

The cloud computing boom can be attributed to companies seeing less risk of law enforcement overreach that could have stifled innovation.

The concern “is that overreach from law enforcement could chill adoption of cloud technologies,” Larson said. As cloud providers push back against law enforcement requests, the move will be seen as a “good business practice to protect customer data to the fullest extent of the law,” he said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com

For More Information

Text of DOJ's internal guidance is available at http://src.bna.com/u00.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security