The U.S. Cloud Act amended the SCA such that U.S. providers of electronic communication services or remote computing services must comply with the obligation “to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.“
Typical scenarios where individuals are being investigated under the U.S. Cloud Act concern cybercrimes, fraud or theft of trade secrets. Both content related information (e.g. e-mails, pictures and files) and non-content related information (e.g. metadata) may be requested from the providers.
The question whether a company exercise “possession, custody or control” over information is a complex one. In this regard different aspects must be taken into account, e.g. the degree of ownership a parent company has over a subsidiary, or whether one entity has the legal right, authority or ability to access documents from the other entity, or whether the entities have common policies in place or share employees or offices etc.
Subject to bilateral agreements, the U.S. Cloud Act also provides for the possibility for foreign security authorities to directly access user data in the U.S.