Last week, as part of the omnibus spending bill that avoided another government shutdown, Congress passed the Clarifying Lawful Overseas Use of Data Act. The inclusion of the CLOUD Act in the omnibus received little attention from the mainstream press. However, in passing this legislation, Congress voted to enact a law that poses new threats to privacy and human rights for Americans as well as millions of people abroad who use the services of U.S. tech companies. The task now falls to Congress to hold the executive branch accountable and ensure that the bill's provisions are enforced in a way that maximizes protections for individual rights. And U.S. tech companies, in turn, need to be transparent and stand up for their users' rights.
The CLOUD Act is designed to make it easier for both the U.S. and foreign governments to gain access to electronic communications data held outside their borders. The first section of the legislation amends the Stored Communications Act to authorize the U.S. government to obtain communications data from American providers regardless of whether the data are held inside or outside the United States. It therefore should make the United States v. Microsoft (Microsoft Ireland) case now pending before the Supreme Court moot, by enabling the U.S. government to demand data held in Microsoft’s data center in Ireland.
The second portion of the CLOUD Act also amends the Stored Communications Act, to establish a procedure through which qualifying foreign governments may bypass the Mutual Legal Assistance Treaty process. Under that system, when foreign governments seek communications data held in other countries in connection with their criminal investigations, they must work with the U.S. Department of Justice to obtain a probable cause warrant from a U.S. judge. Governments have complained for years that the Mutual Legal Assistance Treaty system is cumbersome and causes inordinate delays. The CLOUD Act, in contrast, authorizes the U.S. Department of Justice, if the secretary of state agrees, to enter into bilateral agreements with other countries. Then those qualifying countries can send demands for communications data directly to U.S. providers. It will be much more efficient—but the streamlining process has carved away some critical safeguards.
Although the version of the CLOUD Act that Congress enacted included some improvements over the original, it still poses threats to privacy and human rights. In particular, there are two key problems with the enacted bill. First, the CLOUD Act fails to require foreign governments to conduct prior independent reviews of data requests before they are sent to U.S. providers, opening the door to abuse and misuse of this new process. Prior independent review is critical to avoiding improper demands by overzealous law enforcement investigators, such as data requests that would violate free speech rights. Second, the legislation permits foreign countries, for the first time, to demand that U.S. tech companies provide communications data in real time. But these foreign nations are not required to comply with privacy protections comparable to the rules the U.S. government must follow when it engages in wiretapping. For example, under the Wiretap Act, wiretaps may only last for 30 days unless reauthorized, and the government must follow strict rules to ensure it does not collect or retain information unrelated to its investigation.
There are some important safeguards in the legislation. Before entering into a bilateral agreement under the CLOUD Act, the U.S. government must determine that the other country meets the human rights standards included in the law. Whereas the earlier version of the bill only set forth a list of human rights criteria as “factors to be considered,” the final CLOUD Act states that these are “factors to be met.” The enacted version of the CLOUD Act also requires that before a bilateral agreement can become final, the executive branch must submit a written report to Congress explaining how the standards have been met.
The important thing is that the executive branch and Congress see these safeguards as a floor, not a ceiling. Although the CLOUD Act fails to require congressional approval for bilateral agreements, these requirements still provide tools that Congress can use to demand accountability. The bilateral agreements authorized by the CLOUD Act are required to contain certain elements, including specifying that a foreign government’s data request identifies a specific person, account, or other specific identifier—so no mass surveillance—and that it not be used to infringe freedom of speech. Congress has the duty to review these agreements and can block them. If a country does not currently meet all the standards, the opportunity to bypass the Mutual Legal Assistance Treaty process should be an incentive for it to improve privacy protections under its domestic law.
Indeed, the United Kingdom has already strengthened its laws in anticipation of the passage of legislation like the CLOUD Act. Although the European Union provides strong safeguards for consumer privacy, including the General Data Protection Regulation, which will go into effect May 25, the U.S. Constitution in many respects provides more robust protections against government intrusions. As the United States was developing a bill to permit foreign countries to demand data directly from U.S. providers, legislation that was ultimately incorporated into the CLOUD Act, the United States and the U.K. negotiated a bilateral agreement to take advantage of this new process. To ensure that the U.K. could meet the expected requirements of the new U.S. law, the U.K. included provisions in its new Investigatory Powers Act to improve privacy safeguards, such as a new requirement for prior independent review of surveillance orders by newly created judicial commissioners.
Although some civil liberties advocates have questioned whether these amendments to U.K. law are sufficient, this model of using the new Mutual Legal Assistance Treaty bypass as an incentive for improving privacy and human rights safeguards is one that should be repeated. Congress can ensure that the executive branch encourages other countries to adopt such improvements, rather than seeking to qualify a foreign government that does not meet the bar. There are certainly countries that will want to take advantage of this new cross-border process but are not yet able to meet the bill’s standards. They should not be entitled to any shortcuts.
U.S. tech companies also need to do their part in providing transparency on how this new process is implemented and in safeguarding their users’ rights. Most major U.S. providers already file transparency reports, providing statistics on the various types of government requests they receive each year for their customers’ data. Companies should include and identify these new direct requests from foreign governments in their reports, breaking out the requests received by country. Many tech companies supported enactment of the CLOUD Act to create a clear process for handling cross-border data requests that will help them avoid conflicting demands under the laws of different nations. In providing their support, they have asserted that they can and will oppose any foreign country data demands that do not appropriately protect individual rights. They will now have the opportunity—and the obligation—to do so, particularly if public pressure is brought to bear.
Now that the CLOUD Act is law, the already-negotiated U.S.-U.K. agreement is likely to be finalized soon. But many other countries will want in on the deal, too. The government and the tech companies got the bill they wanted. They now have a responsibility to make sure that the real-world process lives up to the promises they made.