In an era in which tech legislation can take years before passage, the “Clarifying Lawful Overseas Use of Data Act” (“CLOUD Act”) was introduced on February 6th and signed into law on March 23rd — without any hearing or debate.
The CLOUD Act seeks to streamline the process by which law enforcement seeks electronic information that is stored overseas. The bill provides that
A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.
The emphasized language effective ends the U.S. v. Microsoft dispute currently pending at the Supreme Court over whether a U.S. subpoena to Microsoft extends to data stored outside the country.
The CLOUD Act also allows the President to enter into Executive Agreements to permit foreign governments to access data on U.S. soil. Currently, such requests are processed via a Mutual Legal Assistance Treaty (MLAT) which must be ratified by the U.S. Senate. Under the MLAT process, foreign government requests are vetted by the Justice Department of Justice and a federal judge must issue an order for production of records which may be declined if it would violate the Constitution or lead to human rights violations.
Under the CLOUD Act, the Executive Agreements are not subject to ratification but rather Congress has only 90-days to pass a resolution disapproving of a proposed Agreement. Once in place, however, foreign governments could directly request records from U.S. based companies without any review by the Justice Department or U.S. court, notice to the subject or restriction on the use or sharing of the data.
An electronic communication service provider may move to quash the request if it covers a non-U.S.. resident and the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government.
The bill is a win for big tech companies who have been resisting foreign data localization requirements because of the difficulty in gaining access to such data. The CLOUD Act may blunt the push for data localization and save the industry substantial sums in data storage costs.
In a joint letter, Apple, Facebook, Google, Microsoft and Yahoo praised the bi-partisan legislation as
an important step toward enhancing and protecting individual privacy rights, reducing international conflicts of law and keeping us all safer. The CLOUD Act encourages diplomatic dialogue, but also gives the technology sector two distinct statutory rights to protect consumers and resolve conflicts of law if they do arise. The legislation provides mechanisms to notify foreign governments when a legal request implicates their residents, and to initiate a direct legal challenge when necessary.
Civil libertarians were very unhappy with the hastily passed CLOUD Act.
A coalition of civil liberties groups argued that the legislation would
- Allow foreign governments to wiretap on U.S. soil under standards that do not comply with U.S. law;
- Possibly facilitate foreign government access to information that is used to commit human rights abuses, like torture; and
- Allow foreign governments to obtain information that could pertain to individuals in the U.S. without meeting constitutional standards.