Inside the CLOUD Act: Parsing the Privacy Implications
One of the biggest tech law changes in decades, the CLOUD Act has been praised by the largest U.S. tech companies, but panned by privacy and civil rights groups.
March 28, 2018 at 12:55 PM
In the oral arguments before the Supreme Court in United States v. Microsoft Corp., the justices couldn't help but wonder whether the parties were at the wrong government building. Wouldn't it be better, they asked, if the case at hand was rectified by Congress instead?
A few weeks later, Congress agreed, passing the Clarifying Lawful Overseas Use of Data (CLOUD) Act as part of its $1.3 trillion omnibus spending bill. The bill amends the Stored Communications Act (SCA) with language that would compel U.S. providers “of electronic communication service or remote computing” to comply with authorities' legal requests to access information belonging to U.S. persons but stored outside of the country.
It directly addresses the issue at the center of United States v. Microsoft Corp.: whether warrants issued under SCA could force Microsoft to disclose emails stored in Ireland. The CLOUD Act also compels U.S. providers to comply with similar requests from foreign nations' law enforcement authorities seeking information belonging to their citizens, though not U.S. citizens, provided the foreign nations in question have bilateral agreements with the U.S.
While in the past, such agreements were restricted to Mutual Legal Assistance Treaties (MLATS) which had to be approved by two-thirds of the U.S. Senate, the CLOUD Act now allows the executive branch to approve bilateral data transfer agreements on its own.
The CLOUD Act has received support from a host of tech companies. In a letter, Google, Microsoft, Facebook, Apple and Oath (which owns AOL and Yahoo) said the bill “would be notable progress to protect consumers' rights and would reduce conflicts of law.”
But many civil rights and privacy advocates are less than enamored with the CLOUD Act, decrying what they see as a law overstepping constitutional and administrative privacy protections and potentially enabling civil rights abuses by foreign governments.
Bilateral Agreements
Among the main privacy concerns with the law are the autonomy it gives the executive branch in approving bilateral agreements and the extent to which foreign governments without strong data privacy and civil rights protections can gain access to the personal data of their citizens.
To be sure, the law requires that bilateral agreements be only with countries whose law “affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement.” The law also requires officials to consider whether a foreign government's laws adhere to “applicable international human rights obligations and commitments” or demonstrate “respect for international universal human rights” before approving bilateral agreements.
However, in a letter to Congress, American Civil Liberties Union (ACLU) national political director Faiz Shakir and legislative counsel Neema Singh Guliani argued that such language was less than encouraging. They wrote, “The human rights standards that countries must meet to be eligible for an agreement are vague, weak, and unclear. For example, among other concerns, the bill does not explicitly prohibit agreements with countries that have a pattern or practice of engaging in human rights violations, nor does it require an assessment of whether a country has effective control of intelligence or law enforcement units.”
Under the CLOUD Act, it falls solely on the U.S. attorney general and the U.S. secretary of state to determine whether countries meet the law's civil rights and data privacy standards. While those officials have to provide a written certification to Congress, and Congress may block the agreement if it passes a joint resolution within 180 days, under the bill, such agreements “shall not be subject to judicial or administrative review.”
Ultimately, the process to approve such data transfer agreements between countries is less difficult than it once was. Where in the past the U.S. Senate had to affirmatively approve MLATS with a two-thirds majority, it may now only block these new bilateral agreements with a majority of its members.
“I do think in that sense it is a less-stringent requirement than you would have for a treaty,” said Sophia Brill, associate at Morrison & Foerster. “But I guess, in a sense, that since Congress enacted the bill, it took that into account and came to a judgment that they were OK with this level of review.”
Gregory Nojeim, senior counsel at the Center for Democracy & Technology, sees the new approval process as giving the executive branch too-broad authority to interpret the law and implement bilateral agreements as it sees fit. The bill “gives the Department of Justice enormous discretion to choose which countries will be able to make these direct demands on U.S. providers and, in essence, gain access to their worldwide user base,” he said.
Others, however, defended the less-stringent approval requirements, stressing the need to have a more efficient process for law enforcement data transfers. Daniel Castro, vice president at the Information Technology and Innovation Foundation (ITIF), called the new process to approve bilateral agreements a “pretty good compromise” and an improvement on the cumbersome process of having to obtain Senate approval for each agreement. The new process, he added, is something “that works—there's oversight, but it also provides what law enforcement needs.”
Data Request Oversight
Privacy advocates are also concerned about the way foreign nations are able to access such data from U.S. providers, citing a lack of transparency and oversight in how these requests are executed. Under the act, while the U.S. government may conduct periodic reviews of a foreign government's compliance with a bilateral agreement, it won't vet all the data requests the government makes on U.S. providers.
But the requests are subject to some restraints. The law requires foreign governments to “segregate, seal, or delete, and not disseminate material” that is not “relevant to the prevention, detection, investigation, or prosecution of serious crime, including terrorism.” However, foreign governments must hand over any information that “relates to significant harm” of U.S. persons or related crimes.
Though foreign governments' requests will not be reviewed by U.S. courts, the CLOUD Act requires that such requests be in compliance with the domestic law of the foreign country, subject to review by those in the foreign nation's judiciary, and “may not be used to infringe freedom of speech.”
The act also states that it does not restrict the ability of U.S. tech providers “to intercept or disclose the contents of a wire or electronic communication in response to an order from a foreign government,” effectively permitting real-time wiretapping by foreign governments on their citizens, if legal in that country, and with certain time and use restrictions.
U.S. providers, however, may seek to quash such orders on the grounds that these orders would also access information on U.S. citizens or violate foreign countries' laws. But some are uneasy with the fact that only those in the private sector, and not the government, courts or individual users, are empowered under the bill to push back on such data requests, which, along with the bilateral agreements themselves, are not subject to public scrutiny.
“These agreements—they don't have to be made public, and the U.S. providers don't have to share the information they're giving or receiving from other countries,” said Debbie Reynolds, director of EimerStahl Discovery Solutions, an affiliate of law firm Eimer Stahl.
Due Process
With MLATS, a foreign government's request to access data from U.S. providers has to be approved by a U.S. judge, who will take into account applicable U.S. law such as the probable cause standard before issuing search warrants.
Under the CLOUD Act, however, foreign government requests to obtain information can be approved without a judge. Requests only need to be “based on requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation.”
Such a change is a concern, said Reynolds, explaining that the CLOUD Act doesn't provide “the same level of due process that they typically have in these situations.”
ITIF's Castro, however, argued that it is not realistic for “U.S. protections to be extended globally.” He explained, “The reality is that every country does due process differently, and it's unlikely that everyone is going to be adopting the U.S. standards soon.”
For Nojeim, though, it's not a question of expanding U.S. protections. “It is not necessary to apply the U.S. probable cause standard,” he explained. “What should have been required was a factual showing that there was a strong likelihood that a crime had occurred, would occur, is occurring, and a strong likelihood that information about that crime would be revealed in the data sought.”
What's more, some worry that getting rid of or lowering the due process requirements opens the door to infringing on the constitutional rights of those in the U.S.
A letter by dozens of civil rights organizations, including the ACLU, the Electronic Frontier Foundation (EFF), Human Rights Watch and Amnesty International USA noted that, in the process of obtaining data from U.S. providers, foreign governments may collect data on U.S. persons incidentally.
And if such data relates to a crime, foreign governments are obliged to turn over that information to U.S. authorities, even though the data was “obtained under standards lower than what the constitution requires,” the letter said.
Whether such situations will materialize remains to be seen. But the possibility of eroding constitutional protections has left some feeling less than enamored with the recently passed legislation.