It is true that the Clarifying Lawful Overseas Use of Data (CLOUD) Act would moot the Microsoft-Ireland case now pending in the U.S. Supreme Court, “and much more.” But this bill addressing cross-border access to data is not a cause for celebration as Jennifer Daskal urges, because it fails to include fundamental safeguards to protect the rights of consumers.
The CLOUD Act would make it easier for the U.S. government to demand communications data held in other countries, and for foreign governments to access electronic data held in the United States. As Jennifer Daskal reports, the first part of the bill would resolve the legal question now pending before the Supreme Court in United States v. Microsoft in favor of the government. Under current law, as argued in an amicus brief filed by New America’s Open Technology Institute (OTI) and a broad coalition of rights organizations and trade associations, Section 2703(a) of the Stored Communications Act (SCA), cannot be used by the U.S. government to compel production of data held outside the United States. The CLOUD Act would amend the SCA, which is part of the Electronic Communications Privacy Act (ECPA), to extend its reach and authorize the government to obtain communications data “regardless of whether” the data “is located within or outside of the United States.”
The second part of the CLOUD Act would codify a proposal by the U.S. Justice Department to enable qualifying foreign governments to bypass the mutual legal assistance treaty (MLAT) process and obtain electronic data held in the United States directly from U.S. providers. Qualifying countries that meet the standards set forth in the bill would enter bilateral agreements with the United States, to be approved by the U.S. Attorney General and Secretary of State, and once an agreement was in effect, the foreign country could make data demands directly to U.S. tech companies.
The bill is designed to address real challenges. As OTI has recognized, our current system for handling cross-border requests for electronic data has been overwhelmed by the rapid growth of the internet and electronic communications. Moreover, we agree that it makes little sense for jurisdiction to be based on the location of data, given the borderless nature of cloud storage and the likelihood that the location of data may bear no relationship to the facts at issue in a criminal investigation. Without improved procedures to handle cross-border data requests, countries may try to act unilaterally to obtain the data they seek. This could include demanding that tech companies store data within their countries, or mandating that providers maintain and provide methods to access encrypted data. Indeed, one of OTI’s key objections to the U.S. government’s position in the Microsoft Ireland case is that it would enable exactly this type of unilateral action and would invite other countries to make their own unilateral demands. Yet, while we need to find a solution to the cross-border problem, our current system is a rights-protective one, and a true solution must also include robust safeguards to preserve protections for privacy and human rights.
Neither part of the CLOUD Act achieves this critical goal. The first, or Microsoft Ireland fix portion, includes a statutory procedure through which providers may challenge U.S. government data demands. Courts assessing any such challenges would be required to conduct a comity analysis, evaluating the interests of qualifying foreign governments in preventing disclosure, a process which could help mitigate the risks of unilateral cross-border data demands. However, unlike previous bills to address this extraterritoriality issue, such as the International Communications Privacy Act (ICPA, S. 1671), the CLOUD Act does not include necessary amendments to ECPA to require that the U.S. government obtain a probable cause warrant before it can access the contents of electronic communications that are over 180 days old. Rather, the CLOUD Act would provide the U.S. government with unlimited International reach for its power to demand electronic data, without ensuring that all orders for content comply with the Fourth Amendment probable cause standard. Requiring a probable cause warrant for access to communications content is a critical component of ECPA reform, that has passed the House twice as part of the Email Privacy Act, but has failed in the Senate.
The second part of the bill, which would facilitate foreign government access to U.S.-held data, increases threats to privacy and human rights, rather than mitigating them. In her piece, Jennifer Daskal outlines ten safeguards included in the CLOUD Act’s procedures for handling foreign government data requests that are designed to protect Americans’ rights. These provisions are important, but they are woefully inadequate. Last September, OTI and a coalition of twenty other privacy and human rights organizations sent a letter to Congress outlining ten threats to individual rights posed by this MLAT-bypass procedure that has now been Incorporated into the CLOUD Act. Without recounting all ten here, it is important to emphasize several of these dangers.
First, the legislation lacks fundamental privacy protections such as a requirement for prior independent judicial review of data requests. By creating a procedure to bypass the MLAT process, Congress would be removing the individualized review currently performed by the U.S. Justice Department and courts. Data requests by foreign governments would only be reviewed by those foreign governments. But there is not even a requirement for prior individualized review by those foreign governments. The bill only requires that foreign government orders for electronic data must “be subject to review or oversight by a court, judge, magistrate, or other independent authority.” This provision could allow foreign governments to rely only on generalized after-the-fact oversight.
Moreover, the CLOUD Act would permit foreign governments to seek data based on a weak standard of review. Rather than the U.S. probable cause standard that applies under current law, the bill requires only “a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation.” It does not require that the “reasonable justification” be tied in any way to evidence of serious crimes or that it be a “reasonable justification” of anything in particular.
Further, this bill would allow foreign governments, for the first time, to make demands that data be produced in real-time. When the U.S. government conducts real-time or prospective surveillance, it must comply with additional safeguards under the Wiretap Act, beyond those required to seek stored communications. The CLOUD Act, however, fails to include protections comparable to those contained in the Wiretap Act to mitigate the threat posed by real-time surveillance by foreign governments.
In addition, the bill fails to include any language to prevent countries from imposing mandates that tech companies store data locally or requirements for encryption backdoors. Enabling foreign governments to submit data demands directly to U.S. tech companies creates a risk of “a backdoor to a backdoor requirement.” That is, as part of their data demands, countries could seek to require tech companies to provide “technical assistance” that would include guaranteeing access to encrypted communications – an encryption backdoor. The risk of unilateral action by individual countries to impose such mandates is a key part of the current cross-border problem. Therefore, any legislative solution should include prohibitions on such actions in order to protect consumers’ cybersecurity and internet freedom.
Finally, the CLOUD Act would provide overbroad discretion to the executive branch to enter into the bilateral agreements that form the predicate for foreign countries to demand data directly from U.S. providers. Under the bill, Congress would not need to approve these bilateral agreements. Although Congress would receive notice, if, as would be likely, Congress fails to act within 90 days after receiving notice, the agreement would automatically go into effect. In addition, the criteria that the Attorney General and Secretary of State are instructed to review in assessing agreements with foreign governments should be mandatory, rather than simply “factors to be considered.”
Although the government and tech companies have joined in supporting the proposed legislation, much more work needs to be done to address the concerns raised by OTI and other privacy and human rights groups. Congress must significantly improve the CLOUD Act to ensure meaningful protection for privacy and human rights. As we have noted before, OTI would welcome a dialogue on these issues, and the opportunity to discuss how to resolve the cross-border problem in a rights-protective manner.