The CLOUD Act
- European Privacy Board Report Criticizes Privacy Shield Compliance: A report from the European Data Protection Board, an influential independent European privacy body, criticizes U.S. oversight of the EU-U.S. Privacy Shield. The European Commission recently renewed the framework permitting the flow of European consumers' personal data to the U.S. However, the Board now states that U.S. oversight of compliance lacks "substantial checks." The Board encouraged the Privacy and Civil Liberties Oversight Board to review U.S. surveillance authorities, and stated that the Privacy Shield Ombudsperson could not be considered an "effective remedy" for privacy violations. During the review of Privacy Shield, EPIC cited concerns about the failure of the FTC to enforce the 2011 Consent Order against Facebook, passage of the CLOUD Act, and renewal of bulk foreign intelligence surveillance. (Jan. 25, 2019)
In a global digital communications landscape, law enforcement increasingly seeks communications data stored outside national borders for domestic criminal investigations. However, trans-border data access can conflict with national data protection regimes and international human rights instruments.
The Clarifying Lawful Overseas Use of Data (CLOUD) Act, signed into law in March 2018, provides for trans-border access to communications data in criminal law enforcement investigations. The Act's history, however, begins with a privacy dispute between Microsoft and the U.S. government.
The genesis of this bill is United States v. Microsoft, a case in the U.S. Supreme Court concerning whether law enforcement could, under then-current U.S. law, compel access to communications content stored in Ireland. On February 27, 2018, the Supreme Court heard arguments in the case. In an amicus brief, EPIC urged the Supreme Court to respect international privacy standards, citing key cases from the European Court of Human Rights and the European Court of Justice. EPIC warned that "a ruling for the government would also invite other countries to disregard sovereign authority."
Ahead of a decision in that case, the CLOUD Act passed Congress and was signed into law by President Trump on March 23, 2018, likely mooting the case. The CLOUD Act was not debated in Congress. Instead, it was included in an amendment to an omnibus spending bill and passed without a dedicated hearing. The law creates a new section within the Stored Communications Act (Chapter 121 of Title 18 of the United States Code), codified at 18 U.S.C. § 2713; creates a new section within the Wiretap Act (Chapter 119 of Title 18), codified at 18 U.S.C. § 2523; and amends various other sections of the Wiretap Act and the Stored Communications Act.
Overview of the CLOUD Act
There are two key elements of the CLOUD Act: the provisions for U.S. access to data stored abroad, and the provisions creating executive agreements for foreign access to data stored in the United States.
U.S. Access to Foreign Stored Data
First, the Act amended U.S. law to authorize U.S. law enforcement to unilaterally demand access to data stored outside the U.S., despite widespread criticism from the international community. When the U.S. orders a company to produce communications data, the Act provides a mechanism for the communications provider to challenge the order if disclosure would risk violating foreign law. Under the CLOUD Act, the legal protection of an individual's rights therefore depends on an objection by the provider: there is no direct mechanism for individuals to challenge an order. A court considering a provider's challenge reviews the request under a multi-factor "comity" analysis that weighs the foreign and other interests at stake. However, a U.S. court can still require production of the data over the provider's objection, even where the laws of another nation would be violated.
The Act also permits federal officials to enter into executive agreements granting foreign governments access to data stored in the United States, even where that data would otherwise be protected under ECPA. Before foreign access can be authorized, federal officials must first determine that the foreign government meets certain generalized standards for sufficient protection of privacy and civil liberties. The foreign government must also agree to several other limitations, including minimizing any U.S. person data it collects. The agreement need only be certified by executive branch officials to take effect. Congress can object to the agreement but need not formally approve it, and the agreement is not subject to review by any court.
Once an agreement is in place, no federal official or court reviews an incoming foreign request for access to data stored in the United States. Access is granted without any review of whether the request complies with the requirements of the executive agreement or other legal standards. Only the service provider has an opportunity to review and object to a foreign access request, yet the CLOUD Act sets out no formal procedure for a provider to object to a request made under an executive agreement.
Because the CLOUD Act permits foreign nations to access data under each nation's own domestic procedures, data is accessible under the requesting country's law even when that law falls below human rights standards. The CLOUD Act does not itself set baseline human rights standards for foreign access to stored data. For example, it does not require that notice be provided to the target of a request for data stored in the United States.
The CLOUD Act removes protections put in place under ECPA. Foreign access requests previously routed through the United States via diplomatic channels benefitted from the legal protections for stored data, including the requirement that authorities demonstrate "probable cause" to access the content of communications. The Act erodes these incidental, yet impactful, data protection benefits.
Finally, the CLOUD Act also undermines communications privacy protections for U.S. persons. Data collected by foreign governments under the Act may be transferred to the United States and among other governments. To transfer U.S. persons' communications content, the communications need only be determined to "relate to significant harm," and non-content information may be transferred without limitation. Under these provisions, the U.S. government could obtain U.S. persons' communications without satisfying existing U.S. legal standards. The law also permits, for the first time, real-time interception of communications by foreign governments on U.S. soil, and does so without requiring that other countries meet the "super-warrant" standard laid out in the Wiretap Act.
- The Public Voice
- EPIC Amicus: United States v. Microsoft
- Madrid Declaration (2009)
- EPIC Amicus: Schrems v. Data Protection Commissioner
- EPIC: EU General Data Protection Regulation
- EPIC International Program
- Privacy Law Sourcebook (2016)