US Cloud Act: implications and reactions

In the USA, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is proposing to establish a new framework for authorities to access data stored abroad and thus amend the Stored Communications Act (SCA). We look at the salient features of the bill, and its implications.

The draft bill, introduced to the US Congress on 6 February 2018, highlights electronic data held by companies as essential for authorities to investigate crime and prevent threats. Currently, authorities claim they are largely unable to access data stored outside the USA in an effective way; companies are also facing conflicting legal obligations across various jurisdictions. The proposed bill therefore aims ‘to improve law enforcement access to data stored across borders’.

Preservation and disclosure of communications and records

One of the key parts of the proposed bill introduces a new provision in Chapter 121 of the SCA:

A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.

Chapter 121 regulates how and to what extent a public authority can request US providers to disclose data and communications stored online. The amendment would authorise governmental authorities to force US companies to disclose information, even if held in another country.

If approved, this bill could be seen as an exercise of extraordinary jurisdiction, though remaining consistent with the longstanding notion of state authority to legislate in areas that have domestic effects. However, the proposed bill would give providers a ‘statutory right’ to challenge warrants or other legal processes and establish international committees that could limit their reach.

Finally, the CLOUD Act would give the right to providers to notify foreign governments when they receive a legal data request from US authorities about one of their nationals/residents, provided that these foreign governments have entered into agreements with the US government.

Support and criticism

Reactions to the bill have been mixed. Among the actors favouring this bill are the tech companies; human rights organisations and NGOs are strongly opposed to it. Tech companies, including Apple, Facebook, Google, Microsoft, and Oath, signed a letter supporting the bill, stating that it ‘reflects a growing consensus in favor of protecting Internet users around the world and provides a logical solution for governing cross-border access to data.’

However, the Electronic Frontier Foundation (EFF) argues that the draft bill constitutes ‘a dangerous expansion of police snooping on cross-border data’. In EFF’s view, the bill would provide US law enforcement agencies with access to content about individuals wherever they live or the information is stored.

The bill would offer to the US President the possibility to enter into ‘executive agreements’ with foreign governments, and thus provide them with data on users regardless of the respective privacy laws of these countries. It would also lead to the failure of Mutual Legal Assistance Treaties (MLATs), systems that would better guarantee data protection.

Other privacy groups such as the Open Technology Institute (OTI) and Access Now also oppose the bill, claiming that sufficient safeguards for privacy, civic liberties, and human rights are lacking.

CLOUD Act in context: the Microsoft Ireland case

The CLOUD Act needs to be understood in the light of past legal cases that have shone a spotlight on the issue of the extraterritorial application of US law.

The dispute in the Microsoft Ireland case emerged when the US Department of Justice issued a warrant requesting Microsoft to hand over the details and content of an e-mail account – related to a suspected drug trafficker ­– stored in Ireland. Initially, Microsoft denied to comply: Since the data and communication requested was located in Microsoft’s Dublin data centre, Microsoft has argued that US authorities should have used their legal international channel with Irish authorities in order to obtain these communications. A federal judge initially upheld the warrant, but then the Second Circuit determined that ‘that execution of the warrant would constitute an unlawful extraterritorial application of the Act’. The US authorities, however, considered the warrant valid, since it had international reach, and counter-appealed the Second Circuit decision to the Supreme Court.

The decision of the Supreme Court will have profound implications for US laws regarding data requests, and in all likelihood for the CLOUD Act.

CLOUD Act and the GDPR

Though the CLOUD Act and the GDPR are essentially different in their aim and scope, the CLOUD Act may enter into conflict with certain provisions of the GDPR. Experts believe that the GDPR (article 48) addresses foreign – including US – investigations and prohibits the transfer or disclosure of personal data unless pursuant to an MLAT or other international agreement.

This example tends to illustrate the seemingly diverging dynamics of Europe and the USA in dealing with privacy and data requests.

The CLOUD Act will likely be the subject of further discussions at national and international levels. It constitutes a strong stance by the US government and also reflects the partial obsolescence of current national legal frameworks and the challenges of international regulations in the digital era.

Stefania Grottola is a Master’s student in International Affairs at the Graduate Institute of Geneva and an intern at Diplo and the Internet Platform in Geneva. Clement Perarnaud is a PhD candidate in political science at the University of Pompeu Fabra in Barcelona and a curator at the GIP Digital Watch observatory. This post was originally published as an article in the February issue of the Geneva Digital Watch newsletter.