CLOUD Act Opens Up User Data to Foreign Governments


The Clarifying Lawful Use of Overseas Data Act (CLOUD Act, S. 2383, H.R. 4943)

On March 23rd, 2018, President Trump signed the CLOUD Act into law. The Act will revamp how the U.S. shares data that could be useful in criminal investigations with other nations, and how the U.S. government will procure this information from private companies.   

The CLOUD Act changes, in several respects, how the U.S. handles data privacy across international borders. First, the U.S. will be able to collect data from companies, whether the data is stored in the U.S. or abroad. Second, foreign governments that have agreements with the U.S. will be, for the most part, able to access data held by American companies. The bill was originally introduced by Senator Orrin Hatch (R-Utah).  The bill’s purpose is to “improve law enforcement access to data stored across borders.” A summary of the history surrounding the bill is available here.

The Act disappointed many data privacy groups for procedural and substantive reasons. The CLOUD Act passed as part of the 2,232-page omnibus government spending bill; Congress did not review the text, send it to committee, or hold a hearing on it. As the Electronic Frontier Foundation wrote, “Congress has a professional responsibility to listen to the American people’s concerns, to represent their constituents, and to debate the merits and concerns of this proposal amongst themselves, and this week, they failed.” The ACLU also criticized the expansion of police and executive power, as well as the possibility that foreign governments with spotty human rights records will use the Act to harm minority groups in their respective countries.

However, there are some benefits to the Act. The International Association of Privacy Professionals argued that it will improve the efficacy of law enforcement agencies (which have often suffered heavy delays because of these types of requests), and provide clarity to companies that face conflicting privacy laws. Indeed, service providers have often found themselves caught between conflicting privacy laws of the U.S. and the nations requesting the data, and employees working abroad have been threatened with jail time if they comply with U.S. warrants. These legal challenges help explain why service providers such as Apple, Facebook, Google and Microsoft supported the passage of the CLOUD Act. The Act is also a much needed update to the Stored Communications Act of 1986; however, according to New America, it fails to address many of the biggest problems with the outdated legislation.

This Act also fundamentally changes the procedure by which the executive branch reaches agreements with foreign nations. Previously, foreign governments could only access data kept on U.S. soil (and vice versa) by making diplomatic requests for the data to the United States. These arrangements operated through mutual legal-assistance treaties (MLATs). MLATs outlined the extent to which each country would share the data stored within its borders. Each MLAT had to be ratified by a supermajority vote in the Senate. The Act allows the President to make executive agreements without congressional approval. In addition, requests from foreign governments for data kept in the U.S. will only be required to follow the procedures of the requesting country; U.S. due process protections will not be applied to each request for data.

The passage of the Act likely moots United States v. Microsoft Corp., a case before the Supreme Court. The issue in the Microsoft case is whether Microsoft must turn over data stored in Ireland to the Department of Justice. According to Connor Duffy and Kathleen Porter at Data Privacy and Security Insider, the Justices signaled their reluctance to adjudicate the case by asking several questions that implied Congress would be better suited to resolve the issue.

Niki Edmonds is a 1L student at Harvard Law School.