The CLOUD Act: law enforcer or global privacy threat?
June 2018 | COVER STORY | DATA PRIVACY
Financier Worldwide Magazine
June 2018 Issue
A long-overdue overhaul of outdated digital privacy and security law and a boon for enforcement agencies – that is how advocates of the Clarifying Lawful Overseas Use of Data (CLOUD) Act proclaimed the legislation as it traversed the US Congress to become law in March 2018.
For its proponents, the Act lifts existing US digital and security privacy law out of the dark ages, so that it no longer lags behind the technologies it is required to regulate. At long last, they say, the US government, cloud computing companies and email service providers have clarity as to which laws apply when access to data stored in the cloud is sought.
Less enthusiastic is the Electronic Frontier Foundation (EFF) and 23 other civil liberties organisations, including the American Civil Liberties Union (ACLU), which believe the bill to be “dangerous” and a mechanism that would tear away global privacy protections.
For a number of years, the extent to which law enforcement in the US can access data stored abroad has been a contentious issue among government agencies, such as the Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI), as well as numerous multinational technology companies. Prior to the CLOUD Act, the primary legislation for dealing with privacy and security issues in the digital sphere was the 1986 Electronic Communications Privacy Act (ECPA) – law, most would agree, designed for a different era.
Indeed, the digital landscape of today – a world of cloud computing where data can move seamlessly across borders – is a very different animal from that of the 1980s. While a 2013 report, ‘Liberty and Security in a Changing World’, by the President’s Review Group on Intelligence and Communications Technologies, made some inroads toward addressing the disparity, it was the data privacy issues highlighted by United States v. Microsoft Corp. also known as the Microsoft Ireland case – the outcome of which hinges on the interpretation of the decades-old ECPA – which really paved the way for the CLOUD Act.
In 2013, Microsoft challenged a US request for a warrant to obtain private data stored on a server in Dublin, Ireland. Microsoft lost the case – the judge concluding that the ECPA was not subject to territorial limitations – but appealed the decision to the US Court of Appeals. The 2016 appeal went in Microsoft’s favour and the warrant was invalidated, the appellate finding that the ECPA did not give US law enforcement the authority to issue warrants extraterritorially.
In response, in 2017, the DOJ requested that the Supreme Court review the case. With a decision expected in June 2018, in the interim, nearly 300 groups and individuals from 37 countries signed on to 23 amicus legal briefs filed with the court to support Microsoft’s position. Furthermore, during oral arguments, justices suggested there was a need for Congress to “revise a badly outdated [digital privacy] statute”. Picking up the court’s gauntlet, in February 2018, senators Christopher Coons, Lindsey Graham, Sheldon Whitehouse, Doug Collins and Orrin Hatch introduced the bipartisan CLOUD Act legislation to the legislature.
“In today’s world of email and cloud computing, where data is stored across the globe, law enforcement and tech companies find themselves encumbered by conflicting data disclosure and privacy laws,” said senator Hatch. “We need a common-sense framework to help law enforcement obtain critical information to solve crimes while at the same time enabling email and cloud computing providers to comply with countries’ differing privacy regimes. The proposals received high-profile backing, with president Trump reportedly telling UK prime minister Theresa May that passing the proposals was “vital” to the two countries’ security. Tech giants Microsoft, Google and Apple also lent their support.
Thus, on 22 March, tucked inside the 2232-page, $1.3 trillion omnibus spending bill, the CLOUD Act was duly passed by Congress and signed into law by president Trump the following day. For opponents, in addition to concerns over the Act itself, how it was passed also left a bad taste in the mouth.
“The Act was never reviewed or marked up by any committee, in either the House or the Senate,” says David Ruiz, a policy analyst at the EFF. “It never received a hearing. It was robbed of a standalone floor vote because Congressional leadership decided, behind closed doors, to attach this unvetted, unrelated data bill to the government spending bill. Congress has a professional responsibility to listen to the American people’s concerns, to represent their constituents, and debate merits and concerns. In this, they failed.”
Provisions and objectives
A culmination of previous attempts to create legislation to amend the ECPA – such as the Law Enforcement Access to Data Stored Abroad Act (LEADS Act) in 2015 and the International Communications Privacy Act (ICPA) in 2017 – the CLOUD Act, among other things: (i) sets out clear rules for the US government to access data stored abroad; (ii) provides legal clarity that strengthens personal and business privacy protections for the cloud computing era; (iii) strengthens trust in cloud computing in the US and overseas; and (iv) encourages government-to-government cooperation to protect privacy while enabling law enforcement to pursue investigations.
Boiled down, the CLOUD Act has two major components. First, it empowers US law enforcement to compel US companies to hand over data that is stored outside the US. This means law enforcers can serve a search warrant for a company’s data and the company will have to comply, even if that data is stored in a foreign jurisdiction.
Second, the Act creates new venues for cross-border data transfer called ‘executive agreements’, which will be unilaterally decided by the US executive branch. The executive agreements will be between the US and foreign governments that wish to reciprocate. Once agreements are approved, foreign governments will have a new mechanism for obtaining data directly from US companies, as long as that data does not belong to a US person or a person living inside the US.
However, as far as the application of the Act is concerned, Mr Ruiz sees deep flaws. “During this process, no prior, individualised review is required,” he explains. “Moreover, although foreign governments cannot target the data of US citizens or people living in the US, those persons will likely be communicating with chosen targets. They will have their data collected, though they were never targets, and there will be no requirement for them to be notified about it. That data could be offered to US authorities, who could then use it to charge US persons with crimes.”
Privacy and human rights
Clearly not short on controversy, the main concern expressed by opponents of the CLOUD Act is the extent to which it may infringe upon privacy and human rights across the globe. The legislation, they say, creates a new channel which dispenses with the data privacy protections provided by the mutual legal assistance (MLA) system – an established method of cooperation between countries for obtaining assistance in the investigation or prosecution of criminal offences.
“The CLOUD Act bypasses the current system in place for when law enforcement agencies want access to data stored across their borders,” says Mr Ruiz. “That system, governed by MLA treaties, typically requires law enforcement agencies to follow both the data protection laws of their country and the data protection laws of the country where the data is stored. Under the CLOUD Act, foreign governments could ask US companies for US-stored data, as long as that data does not belong to a US person or a person living in the US, without needing to abide by US data privacy laws. This is wrong.”
According to Peter Swire, senior counsel at Alston & Bird, LLC, the reality is that foreign governments have become increasingly frustrated by the MLA system. “Prior to the CLOUD Act, foreign governments could only access content held by US service providers by using the MLA process, even when seeking data of their own nationals in connection with a crime that occurs in that nation,” he says. “Without the new law, other countries faced strong pressures to shift to data localisation – requiring emails, social network posts and other content to be stored within that country. The CLOUD Act will expedite the process for foreign law enforcement to seek US-held evidence in investigating local crimes.”
Another concern of privacy advocates is the possibility that the executive agreements that will oversee cross-border data transfers could be turned into political tools. “Even if a foreign government is an abuser of human rights, some members of Congress would be afraid to disapprove that executive agreement because that same foreign government could be a political ally to the US,” suggests Mr Ruiz.
Prior to the passage of the Act, a coalition of privacy, civil liberties and human rights organisations – including EFF, ACLU, Campaign for Liberty and Human Rights Watch – sent a letter to Congress urging opposition to the legislation, stating their belief that it “undermines privacy and other human rights, as well as other democratic safeguards”.
The letter stated that the legislation would: (i) allow foreign governments to wiretap on US soil under standards that do not comply with US law; (ii) give the executive branch the power to enter into foreign agreements without Congressional approval, including in cases where countries have a concerning human rights record; (iii) allow foreign governments to obtain information that could pertain to individuals in the US without meeting constitutional standards; and (iv) possibly facilitate foreign government access to information that is used to commit human rights abuses, like torture.
“Some privacy advocates have claimed that the Act erodes basic liberties and helps empower foreign governments to abuse human rights,” says Mr Swire. “Contrary to these claims, the Act improves privacy and civil liberties protections by lifting blocking provisions for certain requests from certain rule of law-abiding governments. Qualifying governments directly request data of non-US persons from US providers, subject to a long list of privacy and human rights criteria as to the contours of those requests. The Act also allows the US to review what foreign governments do with data once it is turned over, something that that no foreign government has agreed to before.”
Mr Swire also notes that, perhaps as a result of the level of distrust that often surrounds law enforcement agencies and large tech companies, critics are focusing on issues that are untouched by the CLOUD Act. “One issue raised by these individuals is their support for blocking provisions for the disclosure of metadata, the information which shows who has communicated with whom,” says Mr Swire. “The existing blocking provisions apply to communications content only; no equivalent restrictions apply to non-content data. Importantly, additional blocking provisions for metadata may further incentivise foreign governments to demand data localisation in ways that undercut the ultimate privacy and human rights goals of the Act.”
United States v. Microsoft – backdoor victory?
Although the dust may have settled on the initial controversy surrounding the introduction of the CLOUD Act, protestations will most assuredly continue. Indeed, contention reared its head again shortly after the Act’s passage when the DOJ requested that the Supreme Court declare United States v. Microsoft Corp. a moot case due to the passage of the new legislation – a request also endorsed by Microsoft.
In a 16-page motion, solicitor general Noel Francisco stated that the spending bill had resolved the issue pending before the court. “Under the new warrant, which will replace the original warrant and which the CLOUD Act indisputably governs, Microsoft must produce any covered information within its ‘possession, custody or control’,” wrote Mr Francisco. “Microsoft no longer has any basis for suggesting that such a warrant is impermissibly extraterritorial because it reaches foreign-stored data, which was the sole contention in its motion to quash.”
As things turned out, on 17 April 2018, the Supreme Court did indeed dismiss the case as moot, bringing to an end a five-year privacy battle which many consider to be something of a backdoor victory for the US government.
That said, for all the claims and counterclaims as to intentions, expectations and aspirations, it of course remains to be seen whether the CLOUD Act proves to be the law enforcer its advocates purport it to be, or legislation that its critics say is susceptible to misuse by mendacious actors harbouring hidden agendas.
© Financier Worldwide