In the oral arguments before the Supreme Court in United States v. Microsoft Corp., the justices couldn't help but wonder whether the parties were at the wrong government building. Wouldn't it be better, they asked, if the case at hand was rectified by Congress instead?

A few weeks later, Congress agreed, passing The Clarifying Lawful Overseas Use of Data (CLOUD) Act as part of its $1.3 trillion omnibus spending bill. The bill amends the Stored Communications Act (SCA) with language that would compel U.S. providers “of electronic communication service or remote computing” to comply with authorities' legal requests to access information belonging to U.S. persons but stored outside of the country.

It directly addresses the issue at the center of United States v. Microsoft Corp.: whether warrants issued under SCA could force Microsoft to disclose emails stored in Ireland. The CLOUD Act also compels U.S. providers to comply with similar requests from foreign nations' law enforcement authorities seeking information belonging to their citizens, though not U.S. citizens, provided the foreign nations in question have bilateral agreements with the U.S.

While in the past, such agreements were restricted to Mutual Legal Assistance Treaties (MLATS) which had to be approved by two-thirds of the U.S. Senate, the CLOUD Act now allows the executive branch to approve bilateral data transfer agreements on its own.

The CLOUD Act has received support from a host of tech companies. In a letter, Google, Microsoft, Facebook, Apple and Oath (which owns AOL and Yahoo) said the bill “would be notable progress to protect consumers' rights and would reduce conflicts of law.”

But many civil rights and privacy advocates are less than enamored with the CLOUD Act, decrying what they see as a law overstepping constitutional and administrative privacy protections and potentially enabling civil rights abuses by foreign governments.

Bilateral Agreements

Among the main privacy concerns with the law are the autonomy it gives the executive branch in approving bilateral agreements and the extent to which foreign governments without strong data privacy and civil rights protections can gain access to the personal data of their citizens.

To be sure, the law requires that bilateral agreements be only with countries whose law “affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement.” The law also requires officials to consider whether a foreign government's laws adhere to “applicable international human rights obligations and commitments” or demonstrate “respect for international universal human rights” before approving bilateral agreements.

However, in a letter to Congress, American Civil Liberties Union (ACLU) national political director Faiz Shakir and legislative counsel Neema Singh Guliani argued that such language was less than encouraging. They wrote, “The human rights standards that countries must meet to be eligible for an agreement are vague, weak, and unclear. For example, among other concerns, the bill does not explicitly prohibit agreements with countries that have a pattern or practice of engaging in human rights violations, nor does it require an assessment of whether a country has effective control of intelligence or law enforcement units.”

Under the CLOUD Act, it falls solely on the U.S. attorney general and the U.S. secretary of state to determine whether countries meet the law's civil rights and data privacy standards. While those officials have to provide a written certification to Congress, and Congress may block the agreement if it passes a joint resolution within 180 days, under the bill, such agreements “shall not be subject to judicial or administrative review.”

Ultimately, the process to approve such data transfer agreements between countries is less difficult than it once was. Where in the past the U.S. Senate had to affirmatively approve MLATS with a two-thirds majority, it may now only block these new bilateral agreements with a majority of its members.

“I do think in that sense it is a less-stringent requirement than you would have for a treaty,” said Sophia Brill, associate at Morrison & Foerster. “But I guess, in a sense, that since Congress enacted the bill, it took that into account and came to a judgment that they were OK with this level of review.”

Gregory Nojeim, senior counsel at the Center for Democracy & Technology, sees the new approval process as giving the executive branch too-broad authority to interpret the law and implement bilateral agreements as it sees fit. The bill “gives the Department of Justice enormous discretion to choose which countries will be able to make these direct demands on U.S. providers and, in essence, gain access to their worldwide user base,” he said.

Others, however, defended the less-stringent approval requirements, stressing the need to have a more efficient process for law enforcement data transfers. Daniel Castro, vice president at the Information Technology and Innovation Foundation (ITIF), called the new process to approve bilateral agreements a “pretty good compromise” and an improvement on the cumbersome process of having to obtain Senate approval for each agreement. The new process, he added, is something “that works—there's oversight, but it also provides what law enforcement needs.”

Data Request Oversight

Privacy advocates are also concerned about the way foreign nations are able to access such data from U.S. providers, citing a lack of transparency and oversight in how these requests are executed. Under the act, while the U.S. government may conduct periodic reviews of a foreign government's compliance with a bilateral agreement, it won't vet all the data requests the government makes on U.S. providers.

But the requests are subject to some restraints. The law requires foreign governments to “segregate, seal, or delete, and not disseminate material” that is not “relevant to the prevention, detection, investigation, or prosecution of serious crime, including terrorism.” However, foreign governments must hand over any information that “relates to significant harm” of U.S. persons or related crimes.

Though foreign governments' requests will not be reviewed by U.S. courts, the CLOUD Act requires that such requests be in compliance with the domestic law of the foreign country, subject to review by those in the foreign nation's judiciary, and “may not be used to infringe freedom of speech.”

The act also states that it does not restrict the ability of U.S. tech providers “to intercept or disclose the contents of a wire or electronic communication in response to an order from a foreign government,” effectively permitting real-time wiretapping by foreign governments on their citizens, if legal in that country, and with certain time and use restrictions.

U.S. providers, however, may seek to quash such orders on the grounds that these orders would also access information on U.S. citizens or violate foreign countries' laws. But some are uneasy with the fact that only those in the private sector, and not the government, courts or individual users, are empowered under the bill to push back on such data requests, which, along with the bilateral agreements themselves, are not subject to public scrutiny.

“These agreements—they don't have to be made public, and the U.S. providers don't have to share the information they're giving or receiving from other countries,” said Debbie Reynolds, director of EimerStahl Discovery Solutions, an affiliate of law firm Eimer Stahl.

Due Process

With MLATS, a foreign government's request to access data from U.S. providers has to be approved by a U.S. judge, who will take into account applicable U.S. law such as the probable cause standard before issuing search warrants.

Under the CLOUD Act, however, foreign government requests to obtain information can be approved without a judge. Requests only need to be “based on requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation.”

Such a change is a concern, said Reynolds, explaining that the CLOUD Act doesn't provide “the same level of due process that they typically have in these situations.”

ITIF's Castro, however, argued that it is not realistic for “U.S. protections to be extended globally.” He explained, “The reality is that every country does due process differently, and it's unlikely that everyone is going to be adopting the U.S. standards soon.”

For Nojeim, though, it's not a question of expanding U.S. protections. “It is not necessary to apply the U.S. probable cause standard,” he explained. “What should have been required was a factual showing that there was a strong likelihood that a crime had occurred, would occur, is occurring, and a strong likelihood that information about that crime would be revealed in the data sought.”

What's more, some worry that getting rid of or lowering the due process requirements opens the door to infringing on the constitutional rights of those in the U.S.

A letter by dozens of civil rights organizations, including the ACLU, the Electronic Frontier Foundation (EFF), Human Rights Watch and Amnesty International USA noted that, in the process of obtaining data from U.S. providers, foreign governments may collect data on U.S. persons incidentally.

And if such data relates to a crime, foreign governments are obliged to turn over that information to U.S. authorities, even though the data was “obtained under standards lower than what the constitution requires,” the letter said.

Whether such situations will materialize remains to be seen. But the possibility of eroding constitutional protections has left some feeling less than enamored with the recently passed legislation.