The United States Senate on Thursday approved a controversial cross-border data access act, dubbed the CLOUD Act, that was part of the overall omnibus government spending bill.
Buried on page 2,201 of the government spending bill is the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), a provision that sets rules for how the government should handle accessing personal data that is stored by tech platforms abroad. For the US specifically, the bill would permit law enforcement to access citizens’ information that is stored on systems in a different country, given that they have a US court-approved subpoena.
“In today’s world of email and cloud computing, where data is stored across the globe, law enforcement and tech companies find themselves encumbered by conflicting data disclosure and privacy laws,” said Senator Orrin Hatch (R-UT), one of the founders of the bill, in a statement. “We need a commonsense framework to help law enforcement obtain critical information to solve crimes while at the same time enabling email and cloud computing providers to comply with countries’ differing privacy regimes.”
As it stands in the bill, the government needs to undergo a series of steps with the country in which data is stored in order to access that data – even if it is data of a citizen in their own country.
Law enforcement agencies currently use the mutual legal assistance treaty (MLAT) process to request data stored outside their borders, meaning they need to abide by the data privacy laws both of their country and of the country where the requested data is stored.
“Communications-service providers face potential conflicting legal obligations when a foreign government orders production of electronic data that United States law may prohibit providers from disclosing,” according to the act.
One such famous instance is Microsoft’s continuous struggle with US law enforcement over access to data stored in a data center in Ireland.
In 2013, US authorities tried to access Microsoft customer emails from a data center housed in Dublin, Ireland, as part of a U.S. trafficking investigation. While the Justice Department argued that a warrant issued in the US is enough, Microsoft countered that US law enforcement needs to first go through Irish authorities in order to obtain data stored in Ireland.
Several major tech companies support the act, and in a Feb. 6 letter, several companies – including Microsoft, Google, Apple, Facebook and Oath – said that “if enacted, the CLOUD Act would be notable progress to protect consumers’ rights and would reduce conflicts of law.”
Meanwhile, Microsoft chief legal officer Brad Smith tweeted his support for the bill, calling it crucial “for building trust in the technology we all rely on every day.”
Today is an important day for privacy rights around the world, for international relations, and for building trust in the technology we all rely on every day.
— Brad Smith (@BradSmi) March 22, 2018
While many large technology companies have strongly supported the CLOUD Act, the bill has also been scrutinized by privacy groups for its implications about data access.
ACLU legislative counsel Neema Singh Guliani argued in a statement that the act would give Attorney General Jeff Sessions “nearly unchecked power over global digital privacy rights.”
“The bill would strip power away from Congress and the judicial branch, giving Sessions and [Michael] Pompeo (and future executive branch officials) virtually unchecked authority to negotiate data exchange agreements with foreign nations, regardless of whether they respect human rights or not. That’s a major shift from current law, and one that Congress should reject,” he said.
David Ruiz, with Electronic Frontier Foundation, said that the CLOUD Act has “enormous implications for data privacy protections abroad.”
“Plainly, this bill—which is now law—will erode [data privacy] protections,” he told Threatpost. “In the [Microsoft example], where U.S. law enforcement will issue search warrants to U.S. companies for data that is stored outside the United States, we already have a legal process for that. It’s called the MLAT process. The CLOUD Act bypasses the MLAT process, and it allows U.S. law to be applied to information stored in non-U.S. countries, forgoing the data protection laws of those countries.”