America’s new CLOUD Act signals the start of a new era of international data rule
On 23 March, President Trump signed into law the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), buried deep down on page 2201 of the 2232-page Omnibus Spending Bill (Omnibus Bill). The Act expands American and foreign law enforcement’s ability to target and access individuals’ data across international borders, by both creating the groundwork for a new cohort of international arrangements, and retaining the rights of cloud services to guard privacy rights until new international agreements are in place.
Due to rapid technological advancements, a gulf has emerged between technological capabilities and legislation. This was made abundantly clear during the “Microsoft warrant case”, United States v Microsoft Corp., during which Microsoft argued that new legislation and international agreements were needed to reform how digital evidence is gathered by various law enforcement institutions around the world. Following an agreement from both the US government and Microsoft, the Supreme Court decided that the passage of the CLOUD Act had made the case moot and so vacated the decision. The CLOUD Act creates the potential for new rights under international agreements, whilst preserving the common law right of cloud service providers to go to court to challenge search warrants.
What the bill adds
The most important new additions to US law resulting from the CLOUD Act are the following:
- A framework to produce international agreements. If produced on a reciprocal basis, countries will be able to use this to assist with investigating and prosecuting crimes.
- Additional protection for human rights and privacy. This is done by a condition in the bill which states that any agreements made with other countries can only be made with nations that protect these features themselves. This is done subject to a congressional review of the Executive Branch’s assessment of whether this standard has been reached.
- Stipulation that any international agreements made in relation to this “shall not create any obligation that [cloud service] providers be capable of decrypting data or any limitation that prevents providers from decrypting data”.
- Added legal rights for cloud service providers to protect privacy in two forms. First, allowing providers to inform foreign governments that such agreements exist when some of their citizens are the focus of an American warrant. Second, providers can go to court to raise concerns under a new process when the US government attempts to gain a warrant that is ultra vires or conflicts with law.
- Standardised methods of governing surveillance requests in relation to possible international agreements. The intention here is to encourage governments to ensure requests are narrow, accountable and transparent.
In short, these additions are intended to remove conflicts between different nations and legal processes to modernise the law in keeping with modern technology.
What the bill preserves
In addition to these changes, it also preserves the right of providers to challenge warrants in court in the event of a conflict of laws, even before any new agreements come into force. It is one of the crucial features of the CLOUD Act that this right is retained, even independent of new international agreements.
This is seen as particularly important given the imminent effective date of GDPR, which indirectly allows the EU to control the reach of US search warrants. European institutions can interpret the provisions of the GDPR to decide if there’s a legal conflict in circumstances that would mandate a comity analysis.
Reaction to the bill
The legislation has been met with opposition. 24 civil liberty groups (including, inter alia, The American Civil Liberties Union, the Electronic Frontier Foundation and Human Rights Watch) have claimed that despite some new safeguards in place, the executive of the USA government will have a great deal of power with little oversight. The CLOUD Act provides the Attorney General and Secretary of State with wide-ranging authority over digital privacy without approval from Congress. By way of example, the bill will allow foreign governments to demand real-time communication data with the potential for sharing such data with third countries.
This has been compounded by the bill’s introduction on 6 February of this year, providing no opportunity for a proper debate. Indeed, it was only added to the Omnibus Bill at 8:00pm the night before the vote, so there was no discussion on its provisions separately from the Omnibus Bill and no hearing of votes on the floor of Congress.
There has been varying support for the Act, however; technology companies and associations in particular have been generally supportive. Microsoft, for example, has praised the Act for creating a ‘modern legal framework’ by increasing legal certainty and creating responsibility for tech companies. This is because a conflict of laws across international borders is a substantial challenge for many technology firms.
What next for Europe
The European Commission had remained reasonably neutral in submitting an Amicus Brief in the Microsoft warrant case. This declined to support either side and instead made the case for territoriality under public international law. It will be necessary for the Commission to work with the US to come to a common understanding on how future agreements will work.
The CCBE also submitted an Amicus Brief which argued that the USA government’s analysis in the Microsoft case was fundamentally misconceived, but did not comment on the CLOUD Act itself.
Vera Jourova, EU Justice Commissioner, has recently said that Europe hopes to pass a set of compatible rules, despite having previously been critical of the US approach and commenting that the new law ‘narrows the room for the potential compatible solution between EU-US’. If such a compromise is forthcoming, it is likely that forming a set of international agreements will take several years to achieve and may well require further congressional approval.