Future Tense

Congress Put the CLOUD Act in Its Spending Bill. What Does That Mean For Data Privacy?

Microsoft and the DOJ won't have to argue before the Supreme Court if the Cloud Act passes.
Microsoft and the DOJ won’t have to argue before the Supreme Court if the Cloud Act passes. GERARD JULIEN/AFP/Getty Images

The omnibus spending bill released on Wednesday night includes a provision that may allow Microsoft and the Department of Justice to avoid a messy legal battle before the Supreme Court.

The Clarifying Lawful Overseas Use of Data (CLOUD) Act grants law enforcement the right to request data held in other countries and offers the DOJ and the tech industry much clearer guidelines for dealing with foreign laws. The Supreme Court is currently considering these issues in U.S. v. Microsoft, which concerns a search warrant that authorities served to Microsoft in a drug trafficking case. The warrant called for Microsoft to give the government emails held at its data center in Dublin, Ireland, where a person connected to the case signed up for an Outlook account. Microsoft argued that retrieving the emails would violate Ireland’s privacy laws and pushed the DOJ to directly negotiate with Ireland’s authorities using a treaty that the U.S. has with the country.

The DOJ, however, does not consider international borders to be an obstacle, since Microsoft is able to remotely retrieve the data while still on U.S. soil even though it’s being hosted on a server in Ireland. The Stored Communications Act, which the DOJ used to serve the warrant, compels third parties like Microsoft to provide law enforcement with electronic communications. However, Congress passed the act in 1986 before cloud servers allowed companies to keep data in far off locales.

As The Verge points out, the stakes of this case extend far beyond the DOJ’s drug trafficking investigation. Microsoft fears that providing authorities with the emails will scare off foreign customers, who may be more inclined to use local data and communications services that are not under the purview of U.S. law enforcement. And by acquiescing to the DOJ’s demands, Microsoft may open the door for other countries to demand data hosted in the U.S. The DOJ, on the other hand, doesn’t want to waste its time and effort dealing with foreign governments when it can just compel American tech companies to divulge the data. In fact, the DOJ hasn’t even asked Ireland for help retrieving the emails in the five years since this legal conflict began.

The CLOUD Act included in the House’s omnibus spending bill offers a compromise.
It extends the scope of the Stored Communications Act to include cloud data in foreign countries and sets up a streamlined process for the DOJ to request said data through the use of reciprocal treaties. The CLOUD Act also provides Microsoft and other tech companies with a legal route through which to challenge a warrant if it requires them to break another country’s laws.

Though the government and the tech industry appear to be happy with this solution, advocacy groups like Amnesty International, the ACLU, Human Rights Watch, and the Electronic Frontier Foundation worry that the CLOUD Act allows authorities to circumvent the Fourth Amendment and violate similar protections in other countries. Plus, the groups argue, the human rights benchmarks are too vague for vetting countries that are allowed to request data from the U.S. As press release from the Electronic Frontier Foundation reads, “The CLOUD Act would be a dangerous overreach into our data. It seeks to streamline cross-border police investigations, but it tears away critical privacy protections to attain that goal. This is not a fair trade. It is a new backdoor search loophole around the Fourth Amendment.”

Yet, a debate addressing these concerns with the CLOUD Act will not likely take place on the floor before Congress votes on it, since the act is attached to the much larger spending bill.