Attorney’s Guide To The CLOUD Act and International Privacy Law
The president signed into law the Clarifying Lawful Overseas Use of Data Act on March 23, 2018. The CLOUD Act was passed in the 2018 omnibus spending bill. There was no committee oversight, no debate, and no public comments. Legislators had less than 24 hours to read, review and approve the 2,232-page omnibus spending bill.
Before the CLOUD Act was passed, the government employed Mutual Legal Assistance Treaties (MLATs) to exchange evidence and information with foreign governments in criminal and related matters. The federal government was unhappy because, as the volume of stored data increased, the usual wait to gain access was 10 months or longer. This often led to the data becoming obsolete.
The CLOUD Act was passed in the face of mounting frustration on the part of law enforcement agencies in gaining access to data stored overseas. Immediately prior to the act’s passing, the Supreme Court was set to rule on Microsoft vs. U.S., but the case was rendered moot by the CLOUD Act.
Microsoft vs. U.S. involved the U.S. Department of Justice’s effort to obtain data that was stored on servers located in Ireland. Microsoft believed the warrants violated the Stored Communications Act of 1986. The company asserted that if the DOJ wanted the data, it should go through the Irish government, to which Ireland agreed.
The DOJ, on the other hand, believed that if it had a valid warrant, it had a right to information stored by American companies regardless of the actual location of the servers on which the data was stored. The DOJ also put forth that MLATs took too long. Furthermore, the Stored Communications Act allowed for the disclosure of part of the data (contacts) that was stored in the United States, and therefore the government should be allowed access to the rest of the data (actual emails) that was located in Ireland.
With the coming of the CLOUD Act, both parties agreed the case was moot.
At any rate, the CLOUD Act has placated one faction and enraged the other.
According to law firm Orrick, the CLOUD Act does the following:
- The Act expressly provides that U.S. law-enforcement orders issued under the Stored Communications Act (SCA) may reach certain data located in other countries.
- The Act also allows certain foreign governments to enter into new bilateral agreements with the United States that will prequalify them to make foreign law-enforcement requests directly to U.S. service providers, rather than via the U.S. government under a mutual legal assistance treaty. This should streamline compliance with foreign law-enforcement requests.
- The Act formalizes the process for companies to challenge a law enforcement request.
- The Act imposes certain limits and restrictions on law enforcement requests to address privacy and civil liberty concerns.
On the other side of the moat, civil rights activists have grave concerns. Indeed, the Electronic Frontier Foundation, “the leading nonprofit organization defending civil liberties in the digital world,” has enumerated an alarming list of recklessness that the CLOUD Act will wreak, including:
- Enable foreign police to collect and wiretap people’s communications from U.S. companies, without obtaining a U.S. warrant.
- Allow foreign nations to demand personal data stored in the United States, without prior review by a judge.
- Allow the U.S. president to enter “executive agreements” that empower police in foreign nations that have weaker privacy laws than the United States to seize data in the United States while ignoring U.S. privacy laws.
- Allow foreign police to collect someone’s data without notifying them about it.
- Empower U.S. police to grab any data, regardless if it’s a U.S. person’s or not, no matter where it is stored.
Added to the mix is the recent EU General Data Protection Regulation. The CLOUD Act and the GDPR certainly seem to be pointed in opposite directions from each other.
The GDPR works to protect a citizen’s data and applies to any organization doing business in the EU. EU citizens are free to obtain records of who accessed their data, what was accessed and when. Basically, the GDPR extends to citizens greater data privacy, which is in marked contrast to the CLOUD Act. How the two will co-exist remains to be seen.