The Clarifying Lawful Overseas Use of Data (CLOUD) Act was signed into law by the US President on March 23rd as part of the 2,000-page Spending Bill. The new piece of legislation addresses a controversial debate that has been raging in the US since the notorious United States v. Microsoft case, in which the tech giant refused to hand over data stored on its Irish servers to the FBI, first made headlines: can US law enforcement officials request access to data stored in another country by a company operating in the US?
CLOUD settles the argument firmly on the side of law enforcement by making it easier for them, whether they are local police or federal forces, to directly request that US tech companies hand over data regardless of where it is stored. The executive branch will also now have the power to sign executive agreements with foreign governments that want access to data stored in the US, all without the approval of Congress or other courts. These agreements are seen as a speedier alternative to the infamously slow application of Mutual Legal Assistance Treaties (MLATs).
Tech Giants Adopt a Pro-CLOUD Stance
A number of tech’s biggest companies including, among others, Apple, Google and Microsoft, have declared themselves in favor of CLOUD, even going so far as to send a joint letter to the Senate in support of the bill. They praised it as a way for the US government to finally enter modern bilateral agreements with other nations and to allow data subjects to be protected by the laws of their own countries while allowing law enforcement to investigate cross-border crime and terrorism without sparking international legal conflicts.
The point of the new act that they supported the most, however, is the possibility offered to companies that receive requests for data disclosure to reject them if they believe that the individual whose data is being requested is not a US citizen or permanent resident or if the company thinks that, by following the request, it would violate the laws of another country the US government has an executive agreement with. If these two arguments can be proven and the interests of justice favor the company opposing the request, a court can quash it.
In the era of the GDPR, the CLOUD Act appears to situate itself at the opposite end of the spectrum, putting law enforcement officials’ needs above individuals’ privacy rights. It is therefore no surprise that privacy advocates see the CLOUD Act as threatening privacy protection around the globe by facilitating law enforcement’s access to cross-border data and not placing adequate limits on the severity of the crime it can be applied to.
The Electronic Frontier Foundation (EFF) argues that the foreign governments that can enter into executive agreements with the US, allowing them to request access to data stored in the US, will be held to a lower standard than that required by the US Constitution. As stipulated in the CLOUD Act, these foreign governments only need to be certified by the US Attorney General and meet human rights standards stipulated in it.
Once an executive agreement is finalized, the fear is that it will give foreign governments the ability to bypass the legal safeguards and stricter human rights rules enforced by MLATs, leaving vulnerable individuals, such as dissidents, open to persecution.
As expected, the heavily pro-privacy European block has not taken the CLOUD Act lightly. An enforceable request for access to data stored overseas is seen as potentially circumventing other countries’ privacy and data protection laws, effectively breaking the principle of territoriality as set out in international law.
The European Commission submitted an amicus brief in the United States v. Microsoft case, that, while remaining impartial, argued that, when a public authority requires a company established in its own jurisdiction to produce electronic data stored on a server in a foreign jurisdiction, the principles of territoriality and comity under public international law are engaged, and the interests and laws of that foreign jurisdiction must be taken into account.
EU Justice Commissioner Vera Jourova took her grievances about the new CLOUD Act to Twitter, stating that, while she wants the EU and the US to have compatible rules for obtaining evidence stored on servers located in another country in order to solve serious crimes, she feels that the adoption of the CLOUD Act by the US Congress was rushed through on a fast-track procedure.
As a response to the CLOUD Act, the European Union authorities proposed their own legislation, the so-called E-Evidence Directive, which would require international tech giants such as Facebook or Twitter to appoint a legal representative to the EU that can be served with requests for data stored outside the EU in case of criminal or terrorist investigations.
The Battle Between Safety and Privacy
The CLOUD Act is only the latest in a series of legislative efforts to define the boundaries of data privacy. While the EU has taken a firm stand in favor of personal privacy with the GDPR, across the Atlantic, the tendency seems to be to place citizens’ safety above individual rights.
In the era of the internet, when information travels across the globe, borders are blurred and some feel that applying the principle of territoriality to data is an outdated way of looking at information. Constricting and delaying law enforcement through stifling bureaucratic processes is seen as a hazard in a world where crime, like everything else, is moving faster than ever before.
The worry is that, when authorities are slow to obtain data, they can miss chances to detain suspects or to prevent violent incidents from occurring. However, as proven by the NSA revelations, giving law enforcement liberal access to data can lead to serious abuses of power in the name of security.
A balance must be struck between the need to investigate serious crime and the protection of individual privacy. Safeguards should be put in place to reduce the possibility of abuse without considerably slowing down investigations. For now, the European and the American answers to this legal conundrum, the GDPR and the CLOUD Act respectively, are still in the early stages of implementation. The GDPR in fact will only enter into full force later this month on May 25th. It remains to be seen how both these legislations will behave in real world conditions.