Following the passage of the CLOUD Act, digital rights campaigners have raised concerns that measures within the Act will undermine Internet privacy. Some observers, however, believe the Act will enhance privacy in the cloud in the post-CLOUD Act era, provided its privacy and human rights requirements are actually upheld.
In March 2018, Congress passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which primarily amends the Stored Communications Act (SCA) of 1986. The purpose of the SCA was to protect personal information stored online by prohibiting ISPs and other remote computing service providers from disclosing the contents of customers' electronic communications. An exception existed if a court approved a request from a government agency conducting a criminal investigation.
However, the process of applying for a court order to give a government agency access to personal information was slow and cumbersome, and not necessarily successful. More importantly, the SCA was interpreted by the courts as reaching only data held on U.S.-based servers. If the data was stored overseas, ISPs and remote computing service providers had to comply with the privacy laws of the country in which the data was held, which could conflict with a U.S. demand for disclosure.
To overcome this conflict of law, the U.S. government could rely on a Mutual Legal Assistance Treaty (MLAT) with the country in which the data is held. Other countries can likewise use a reciprocal treaty with the U.S. when they want access to data relating to their own citizens. Each MLAT is a treaty negotiated by the executive and ratified by the Senate, and individual requests under it are routed through diplomatic and judicial channels, delaying the release of data by up to ten months and potentially jeopardizing criminal investigations, with implications for national security.
What Changed in the CLOUD Act?
Acknowledging that the Stored Communications Act was ill-equipped to cope with the demands of global law enforcement, Congress passed the CLOUD Act. The Act introduces an alternative to MLATs by allowing the U.S. to enter into executive agreements with foreign governments. These agreements bypass the MLAT process: a qualifying foreign government can serve orders for data directly on U.S. providers without obtaining a U.S. court order, and the Act also clarifies that U.S. warrants under the SCA reach data a provider holds overseas.
ISPs and remote computing service providers have the right to object to a direct request and can refer it for consideration via the MLAT process. However, digital rights groups are concerned that technology companies will be unwilling to deny government requests, or will lack the resources, expertise or incentives to oppose them. They argue that, by removing Congressional and judicial review of individual requests, technology companies "would likely rely on biased assessments by foreign courts" and comply with requests.
The technology companies dispute this argument. Writing earlier this year on the Microsoft blog, the company's Chief Legal Officer, Brad Smith, wrote that the Act "creates a modern legal framework for how law enforcement agencies around the world can access data across borders". He added that the Act resolves an issue preventing governments from investigating crimes in their own countries. However, Amnesty International's Naureen Shah was not impressed. In response she wrote:
“Under the CLOUD Act, neither Congress nor U.S. courts would be able to prompt a review or a temporary moratorium. Users, without notice, would have little practical ability to lodge complaints with the U.S. government or providers. Even if the U.S. government were to take action, the CLOUD Act fails to ensure a sufficiently quick response to protect activists and others whose safety could be threatened.”
How Privacy in the Cloud in the post-CLOUD Act Era could be Enhanced
Non-partisan observers take issue with the claims of digital rights groups, arguing that partner governments are subject to a long list of requirements in order to qualify for an executive agreement. They also point to a clause in the CLOUD Act that provides a mechanism for the U.S. government to review how partner governments handle any data once they have access to it. The requirements and the reviews should, they claim, enhance privacy in the cloud in the post-CLOUD Act era.
The requirements are indeed extensive. Orders issued under an executive agreement must be based on "articulable and credible facts", a standard akin to U.S. probable cause. They must also be "particularized", i.e. target a specific person, account, device, etc., and may not target a U.S. person or a person located in the United States, whether directly or indirectly. Furthermore, orders for real-time interception must be of fixed, limited duration and may only be issued "if the same information could not reasonably be obtained by another less intrusive method."
Each executive agreement has to be certified by the Attorney General, with the concurrence of the Secretary of State, who are tasked with rejecting any country that fails to meet U.S. standards for the rule of law and human rights, or that may use acquired data to infringe on an individual's right to freedom of speech. The qualifying country must also agree to periodic compliance reviews to ensure that data obtained via an executive agreement is protected against abuse.
Provided these requirements are fully applied, and action is taken when an abuse of data is identified, privacy in the cloud in the post-CLOUD Act era could indeed be enhanced. So far only one executive agreement, with the United Kingdom, is ready to be signed, so until further agreements are in force it will be impossible to assess the full privacy implications of the CLOUD Act. Undoubtedly the debate about privacy in the cloud will continue, but if foreign governments comply with the requirements of the CLOUD Act, it could result in improvements in privacy and human rights around the globe.