The CLOUD Act
As a result of a global digital communications landscape, law enforcement increasingly seeks communications data stored outside national borders in domestic criminal investigations. However, trans-border data access can conflict with national data protection regimes and international human rights instruments.
The Clarifying Lawful Overseas Use of Data (CLOUD) Act, signed into law in March 2018, is an Act to provide trans-border access to communications data in criminal law enforcement investigations. However, the Act's history begins with a privacy dispute between Microsoft and the U.S. government.
The genesis for this bill is United States v. Microsoft, a case in the U.S. Supreme Court which concerns whether law enforcement can access communications content stored in Ireland under current U.S. law. On February 27, 2018, the Supreme Court heard arguments in the case. In an amicus brief in the case, EPIC urged the Supreme Court to respect international privacy standards, citing key cases from the European Court of Human Rights and the European Court of Justice. EPIC warned that "a ruling for the government would also invite other countries to disregard sovereign authority."
Ahead of a decision in that case, the CLOUD Act passed Congress and was signed into law by President Trump on March 23, 2018, likely mooting the case. The CLOUD Act was not debated in Congress. Instead, it was included in an amendment to an omnibus spending bill and passed without a dedicated hearing. The law creates a new subsection within the Stored Communications Act (Chapter 121 of title 18 of the United States Code) codified at 18 U.S.C. § 2713, creates a new subsection within the Wiretap Act (Chapter 119 of title 18) codified at 18 U.S.C. § 2523, and amends various sections of the Wiretap Act and the Stored Communications Act.
Overview of the CLOUD Act
There are two key elements of the CLOUD Act - the provisions for U.S. access to foreign stored data, and the provisions to create executive agreements for foreign access to U.S. stored data.
U.S. Access to Foreign Stored Data
First, the Act amended U.S. law to authorize U.S. law enforcement to unilaterally demand access to data stored outside the U.S., despite widespread criticism from the international community. When the U.S. orders a company to produce communications data, the Act provides a mechanism for a communications provider to challenge the order if disclosing the data would risk violating foreign law. Under the CLOUD Act, the legal protection of an individual's rights depends on the objection by a provider. There is no direct mechanism for individuals to challenge an order under the CLOUD Act. A court will consider a provider's challenge of an order for disclosure of data and review the request under a multi-factor "comity" analysis to assess foreign and other interests at stake. However, a U.S. court can require production of that data despite the objection, even where the laws of another nation would be violated.
The Act would also permit federal officials to enter into executive agreements granting foreign access to data stored in the United States, even if that data would otherwise be protected under ECPA. Before foreign access can be authorized, federal officials must first decide that a foreign government meets certain generalized standards for sufficient protections of privacy and civil liberties. The foreign government must also agree to abide by several other limitations, including minimizing any U.S. person data collected. The initial agreement need only be certified by executive branch officials to take effect. Congress can object to the agreement, but need not formally approve the agreement. The agreement is also not subject to review by any court.
Once an agreement is in place, no federal official or court will review an incoming foreign request for access to data stored in the United States. The foreign access will be granted without review of whether the request complies with the requirements of the executive agreement or other legal standards. Only the service provider will have an opportunity to review and object to a foreign access request. However, there are no formal procedures under the CLOUD Act for a provider to object to a foreign access request made under an executive agreement.
Because the CLOUD Act permits data to be accessed by foreign nations based on each nation’s unique domestic procedures, data is accessible under the third-party country's law even when that law falls below human rights standards. The CLOUD Act does not itself set baseline human rights standards for foreign access to stored data. For example, the CLOUD Act does not require notice to be provided to the target of a request for data stored in the United States.
The CLOUD Act removes protections put in place under ECPA. Foreign access requests routed through the United States via diplomatic requests previously benefitted from legal protections for stored data, including the requirement that authorities demonstrate “probable cause” to access the content of communications. The bill would erode these incidental, yet impactful, data protection benefits.
Finally, the CLOUD Act also undermines communications privacy protections for U.S. persons. Data collected by foreign governments under the Act may be transferred to the United States and among other governments. In order to transfer U.S. persons’ communications content, the communications must merely be determined to “relate to significant harm” and non-content information may be transferred without limitation. Under these provisions, the U.S. government could access U.S. persons’ communications without satisfying existing U.S. legal standards. The law also permits real-time interception of communications by foreign governments on U.S. soil for the first time, and does so without requiring that other countries meet the "super warrant" standard laid out in the Wiretap Act.
- The Public Voice
- EPIC Amicus: United States v. Microsoft
- Madrid Declaration (2009)
- EPIC Amicus: Schrems v. Data Protection Commissioner
- EPIC: EU General Data Protection Regulation
- EPIC International Program
- Privacy Law Sourcebook (2016)