Inside the CLOUD Act: Parsing the Privacy Implications
One of the biggest tech law changes in decades, the CLOUD Act has been praised by the largest U.S. tech companies, but panned by privacy and civil rights groups.
March 28, 2018 at 12:55 PM
The original version of this story was published on Legal Tech News
In the oral arguments before the Supreme Court in United States v. Microsoft Corp., the justices couldn't help but wonder whether the parties were at the wrong government building. Wouldn't it be better, they asked, if the case at hand was rectified by Congress instead?
A few weeks later, Congress agreed, passing The Clarifying Lawful Overseas Use of Data (CLOUD) Act as part of its $1.3 trillion omnibus spending bill. The bill amends the Stored Communications Act (SCA) with language that would compel U.S. providers “of electronic communication service or remote computing” to comply with authorities' legal requests to access information belonging to U.S. persons but stored outside of the country.
It directly addresses the issue at the center of United States v. Microsoft Corp.: whether warrants issued under SCA could force Microsoft to disclose emails stored in Ireland. The CLOUD Act also compels U.S. providers to comply with similar requests from foreign nations' law enforcement authorities seeking information belonging to their citizens, though not U.S. citizens, provided the foreign nations in question have bilateral agreements with the U.S.
While in the past, such agreements were restricted to Mutual Legal Assistance Treaties (MLATS) which had to be approved by two-thirds of the U.S. Senate, the CLOUD Act now allows the executive branch to approve bilateral data transfer agreements on its own.
The CLOUD Act has received support from a host of tech companies. In a letter, Google, Microsoft, Facebook, Apple and Oath (which owns AOL and Yahoo) said the bill “would be notable progress to protect consumers' rights and would reduce conflicts of law.”
But many civil rights and privacy advocates are less than enamored with the CLOUD Act, decrying what they see as a law overstepping constitutional and administrative privacy protections and potentially enabling civil rights abuses by foreign governments.
Bilateral Agreements
Among the main privacy concerns with the law are the autonomy it gives the executive branch in approving bilateral agreements and the extent to which foreign governments without strong data privacy and civil rights protections can gain access to the personal data of their citizens.
To be sure, the law requires that bilateral agreements be only with countries whose law “affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement.” The law also requires officials to consider whether a foreign government's laws adhere to “applicable international human rights obligations and commitments” or demonstrate “respect for international universal human rights” before approving bilateral agreements.
However, in a letter to Congress, American Civil Liberties Union (ACLU) national political director Faiz Shakir and legislative counsel Neema Singh Guliani argued that such language was less than encouraging. They wrote, “The human rights standards that countries must meet to be eligible for an agreement are vague, weak, and unclear. For example, among other concerns, the bill does not explicitly prohibit agreements with countries that have a pattern or practice of engaging in human rights violations, nor does it require an assessment of whether a country has effective control of intelligence or law enforcement units.”
Under the CLOUD Act, it falls solely on the U.S. attorney general and the U.S. secretary of state to determine whether countries meet the law's civil rights and data privacy standards. While those officials have to provide a written certification to Congress, and Congress may block the agreement if it passes a joint resolution within 180 days, under the bill, such agreements “shall not be subject to judicial or administrative review.”
Ultimately, the process to approve such data transfer agreements between countries is less difficult than it once was. Where in the past the U.S. Senate had to affirmatively approve MLATS with a two-thirds majority, it may now only block these new bilateral agreements with a majority of its members.
“I do think in that sense it is a less-stringent requirement than you would have for a treaty,” said Sophia Brill, associate at Morrison & Foerster. “But I guess, in a sense, that since Congress enacted the bill, it took that into account and came to a judgment that they were OK with this level of review.”
Gregory Nojeim, senior counsel at the Center for Democracy & Technology, sees the new approval process as giving the executive branch too-broad authority to interpret the law and implement bilateral agreements as it sees fit. The bill “gives the Department of Justice enormous discretion to choose which countries will be able to make these direct demands on U.S. providers and, in essence, gain access to their worldwide user base,” he said.
Others, however, defended the less-stringent approval requirements, stressing the need to have a more efficient process for law enforcement data transfers. Daniel Castro, vice president at the Information Technology and Innovation Foundation (ITIF), called the new process to approve bilateral agreements a “pretty good compromise” and an improvement on the cumbersome process of having to obtain Senate approval for each agreement. The new process, he added, is something “that works—there's oversight, but it also provides what law enforcement needs.”
Data Request Oversight
Privacy advocates are also concerned about the way foreign nations are able to access such data from U.S. providers, citing a lack of transparency and oversight in how these requests are executed. Under the act, while the U.S. government may conduct periodic reviews of a foreign government's compliance with a bilateral agreement, it won't vet all the data requests the government makes on U.S. providers.
But the requests are subject to some restraints. The law requires foreign governments to “segregate, seal, or delete, and not disseminate material” that is not “relevant to the prevention, detection, investigation, or prosecution of serious crime, including terrorism.” However, foreign governments must hand over any information that “relates to significant harm” of U.S. persons or related crimes.
Though foreign governments' requests will not be reviewed by U.S. courts, the CLOUD Act requires that such requests be in compliance with the domestic law of the foreign country, subject to review by those in the foreign nation's judiciary, and “may not be used to infringe freedom of speech.”
The act also states that it does not restrict the ability of U.S. tech providers “to intercept or disclose the contents of a wire or electronic communication in response to an order from a foreign government,” effectively permitting real-time wiretapping by foreign governments on their citizens, if legal in that country, and with certain time and use restrictions.
U.S. providers, however, may seek to quash such orders on the grounds that these orders would also access information on U.S. citizens or violate foreign countries' laws. But some are uneasy with the fact that only those in the private sector, and not the government, courts or individual users, are empowered under the bill to push back on such data requests, which, along with the bilateral agreements themselves, are not subject to public scrutiny.
“These agreements—they don't have to be made public, and the U.S. providers don't have to share the information they're giving or receiving from other countries,” said Debbie Reynolds, director of EimerStahl Discovery Solutions, an affiliate of law firm Eimer Stahl.
Due Process
With MLATS, a foreign government's request to access data from U.S. providers has to be approved by a U.S. judge, who will take into account applicable U.S. law such as the probable cause standard before issuing search warrants.
Under the CLOUD Act, however, foreign government requests to obtain information can be approved without a judge. Requests only need to be “based on requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation.”
Such a change is a concern, said Reynolds, explaining that the CLOUD Act doesn't provide “the same level of due process that they typically have in these situations.”
ITIF's Castro, however, argued that it is not realistic for “U.S. protections to be extended globally.” He explained, “The reality is that every country does due process differently, and it's unlikely that everyone is going to be adopting the U.S. standards soon.”
For Nojeim, though, it's not a question of expanding U.S. protections. “It is not necessary to apply the U.S. probable cause standard,” he explained. “What should have been required was a factual showing that there was a strong likelihood that a crime had occurred, would occur, is occurring, and a strong likelihood that information about that crime would be revealed in the data sought.”
What's more, some worry that getting rid of or lowering the due process requirements opens the door to infringing on the constitutional rights of those in the U.S.
A letter by dozens of civil rights organizations, including the ACLU, the Electronic Frontier Foundation (EFF), Human Rights Watch and Amnesty International USA noted that, in the process of obtaining data from U.S. providers, foreign governments may collect data on U.S. persons incidentally.
And if such data relates to a crime, foreign governments are obliged to turn over that information to U.S. authorities, even though the data was “obtained under standards lower than what the constitution requires,” the letter said.
Whether such situations will materialize remains to be seen. But the possibility of eroding constitutional protections has left some feeling less than enamored with the recently passed legislation.