Congress is quietly but intensively debating the CLOUD Act, a bill which would have a serious impact on privacy rights, and it may be attached to an omnibus spending bill this month. This bill would create an exception to the Stored Communications Act (SCA) to enable foreign countries to bypass the Mutual Legal Assistance Treaty (MLAT) process. Currently, when foreign governments seek stored communications content held in the United States by U.S. providers for their criminal investigations, they must follow the MLAT process and work with the Department of Justice to obtain warrants from U.S. judges. Instead, the CLOUD Act would allow the executive branch to enter bilateral agreements with qualifying foreign governments, and then those governments could send data requests directly to U.S. companies for stored and real-time data.
The MLAT process can be extremely cumbersome and time-consuming, and there is particular pressure to amend the SCA to permit implementation of a bilateral agreement already negotiated between the United States and the United Kingdom. However, in releasing that pressure valve, the CLOUD Act may also introduce significant new risks to human rights. Congress should not pass this bill until it’s been considered in committee, and subjected to a robust floor debate and opportunity for amendment. If Congress is going to sidestep regular order and attach this bill to a must-pass vehicle, the bill sponsors should, at the very least, adopt four crucial changes to the text. These amendments would ameliorate, though not cure, some of the concerns the bill would raise, and should not threaten implementation of the US/UK agreement.
First, the sponsors should tighten up the process by which the executive branch certifies countries to enter into bilateral agreements with the United States. The bill requires that the AG make a determination that “the domestic law of the foreign government, including the implementation of that law, affords robust substantive and procedural protections for privacy and civil liberties.” It lays out factors that the AG should consider in making that determination, such as whether the country prohibits torture, guarantees fair trails and prohibits arbitrary arrests, protects against arbitrary interference with privacy, and protects free expression. However, these factors are not mandatory. If this bill, as drafted, became law, the AG would be authorized to consider the factors, determine that a country does not meet all of them, and nonetheless certify that country. Since a decision not to certify a country would inherently incur political and diplomatic costs, an AG may be inclined to err on the side of diplomacy at the cost of human rights, and certify a country that does not adequately meet human rights tests.
To address this, Congress should make the factors to be considered mandatory, and should require that the AG submit a report outlining the reasons for her or his determination that, however she or he interprets those factors, all of them have been met. It should also require the text of the bilateral agreement and this AG report to Congress be made public. This will enable the substance of these agreements and the AG’s reasoning to be subject to public scrutiny.
Second, the sponsors should amend the bill to require certified foreign governments to obtain prior independent review and approval of each surveillance order. The bill currently requires review or oversight of individual orders by an independent judicial or oversight body. This could permit only after-the-fact generalized oversight of requests, which would enable foreign law enforcement officers to exercise complete discretion in determining whether required standards have been met. This would open the door to abuse and misuse, and precludes any meaningful opportunity to prevent it.
The CLOUD Act should require that in order for countries to become parties to these bilateral agreements, they must guarantee that an independent body, preferably an independent judge, will review and approve surveillance orders on an individualized basis before these orders may be given to U.S. companies. Indeed, the United Kingdom stood up an independent judicial body to conduct prior reviews of surveillance orders in anticipation of this being required under the negotiated U.S.-UK deal. Why would Congress not require the same of other, potentially less rights-respecting countries? This is a particularly pressing question since proponents of the CLOUD Act have argued that one of the benefits of this bill is that it offers an incentive to bypass the MLAT process and could thus help raise the bar in certain countries for protection of privacy and other human rights. This would certainly not be the case if basic protections, like prior individualized review and approval of surveillance orders by an independent body, were not required.
Third, the sponsors should shorten the time-frame for certification renewals from five years to at most three years. The last five years have been a jarring education of how quickly flourishing democracies, and governments that are trending upward from a human rights perspective, can fall to totalitarianism and abuse. For example, in 2013, Freedom House, which analyzes and rates how well countries protect and respect civil liberties and political freedoms on a scale of 1 to 7 (7 being the worst), rated Turkey 3.5, deeming it “partly free.” Just four years later, Freedom House rated Turkey 5.5, deeming it “not free.” Other countries, including European Union countries that sponsors have suggested would be next on the list for certification, are not invulnerable to these kinds of dramatic changes. Poland recently passed a law making it illegal to refer to the Polish nation as being complicit in the Holocaust, which historians and human rights defenders warn threatens free expression and could be used to target Poland’s remaining Jewish population. France and Italy’s recent elections also saw a dramatic rise in representation by far-right nationalists with racist or anti-immigrant views.
While the U.S. could walk away from a bilateral agreement if the AG and Secretary of State determined, before the five-year renewal trigger, that the country was no longer meeting the requirements of the CLOUD Act, the diplomatic and political consequences of such a decision would be dramatic, making such a decision unlikely. To remedy this, the sponsors of the CLOUD Act should at least shorten the window for renewal to at most three years, and require the notification of renewal to Congress be accompanied by a public report justifying the renewal. As with the initial certifications, Congress should also be required to approve of the renewal.
Finally, the sponsors should improve the CLOUD Act by providing for meaningful Congressional oversight. To stop a bilateral agreement from going into effect, the CLOUD Act would require Congress to pass a joint resolution of disapproval within 90 days of receiving the AG’s notice. Procedures requiring a resolution of disapproval is fig leaf congressional oversight. Congressional action is highly unlikely to occur in 90 days, and any resolution of disapproval would need to be signed by the president, who would need to buck the advice of her or his AG and Secretary of State, or Congress would have to pass it with a veto-proof majority.
Instead, the bill should require Congress’ proactive approval before a certification can go into effect. There are models for compromise approaches that could ensure a bill would not get caught up in the morass of congressional procedure. For example, the Trade Promotion Authority provides that if the president enters into a trade agreement with a foreign government, the House and Senate must expedite consideration, and may not amend or filibuster it. In its reauthorization of Section 702 of the Foreign Intelligence Surveillance Act, Congress also prescribed an expedited track for consideration of a bill that would prevent a form of surveillance called “abouts collection” from restarting. There is no reason Congress should functionally abdicate its oversight authority of these certifications, as it would under the current language of the CLOUD Act. Congress could easily follow precedents to establish a framework to expedite Congressional consideration and approval for the bilateral agreements to be authorized by the CLOUD Act.
The MLAT process is a rights-respecting process that can help prevent foreign governments from gaining access to communications content that would enable human rights violations. If Congress is going to pass a bill that would enable countries to bypass that process, especially without any debate or opportunity for amendment, it should at least ensure that the bill incorporates certain critical safeguards for individual rights. While the proposed four changes would not address every concern that the CLOUD Act raises, they would at least help minimize the risk that the bill could not empower foreign governments to commit human rights abuses with data held by U.S. companies.