The CLOUD ACT is Up and signed

 25 March 2018 Bachir El Nakib (CAMS), Senior Consultant Compliance Alert LLC

The CLOUD Act — Clarifying Lawful Overseas Use of Data — is a set of regulations handling how data stored in one country can be accessed by an entity in a different country. It was signed into law on March 23, 2018 as part of the Omnibus Spending Bill.

It's been praised by technology companies and a joint letter from Apple, Facebook, Google, Microsoft, and Oath (Yahoo!) lending support to the bill was published on February 6, 2018. it states, in part:

The new Clarifying Lawful Overseas Use of Data (CLOUD) Act reflects a growing consensus in favor of protecting Internet users around the world and provides a logical solution for governing cross-border access to data. Introduction of this bipartisan legislation is an important step toward enhancing and protecting individual privacy rights, reducing international conflicts of law and keeping us all safer. 

But privacy and civil rights organizations have a different opinion of the legislation. The ACLU had this to say:

The CLOUD Act represents a major change in the law — and a major threat to our freedoms. Congress should not try to sneak it by the American people by hiding it inside of a giant spending bill. There has not been even one minute devoted to considering amendments to this proposal. Congress should robustly debate this bill and take steps to fix its many flaws, instead of trying to pull a fast one on the American people. The legislation deals with how governments and courts request data kept outside national borders, where no single country’s court system would have a clear jurisdiction. It’s an increasingly urgent issue as cloud networks spread data across international servers.

Right now, those requests are governed by international agreements called “mutual legal assistance treaties,” in which one country will agree to abide by another country’s court system under certain conditions. But CLOUD Act proponents say that system has become unsustainable, as foreign countries grow frustrated with invoking international diplomacy to prosecute local crimes involving iCloud or Gmail.

Without legislation, foreign governments can only access content under the MLA process, even when seeking data of their own nationals in connection with a crime that occurs in that nation. The Justice Department has to review every foreign government request and then itself obtain the data, on behalf of the foreign government, pursuant to a warrant based on probable cause.

But this status quo is not sustainable. Foreign governments have become increasingly frustrated by the MLA system, which they see as an imperialist attempt to insist that foreign governments obtain a warrant issued by a U.S. judge even for data needed in the investigation of local crimes. As a result, these governments are actively seeking ways to bypass the MLA system. Without new legislation, other countries will face strong pressures to shift to data localization—requiring emails, social network posts, and other content to be stored within that country. Content currently subject to the MLA process and protected by the U.S. probable cause standard will be available to foreign governments under local laws. In many countries, that means police access without any judicial process; notably, no other country in the world has the probable cause standard of the U.S. In such situations, the United States has no say as to the standards employed in accessing that data; no say in how the data is used; and no say in how intermingled U.S. citizen data is dealt with and who it is passed onto.

In short, the United States has a time-limited moment to use its current, but perhaps fleeting, leverage as the holder of so much of the world’s data to set privacy-protective standards that foreign governments can be pushed to meet. Once foreign governments implement data localization mandates or find alternative ways to bypass the U.S. system, the U.S. leverage will be lost.

In addition, there are strong reasons to press for passage very quickly. The CLOUD Act would moot the Microsoft Ireland case, now pending before the Supreme Court, that addresses the reach of U.S. warrant authority over data that is controlled by a U.S.-based company but located overseas (in the particular case, in Dublin). That decision will be handed down by June. If the Justice Department  wins—and many observers of the recent oral argument believe it has a strong chance of victory—then the prospects for privacy-protective legislation would fade further. With a government victory and the uncertainty of a pending case out of the way, the Justice Department would be guaranteed strong authority to get the data that it seeks without regard to location and would have far less reason to agree to the numerous privacy protections in the current bill.

To reiterate, the CLOUD Act includes an impressively long list of privacy protections, many drafted with the participation of the groups now opposing the CLOUD Act. The bill sets critically important baseline substantive and procedural protections, while doing so in a way that is achievable and understandable to other rights-respecting nations. Among other things, the legislation:

  • Prohibits targeting of U.S. citizen and resident data. For such data, foreign governments would still need to go through the MLA system and obtain a warrant based on probable cause. This important provision reflects the common-sense notion that U.S. standards should continue to protect U.S. citizens and residents. Likewise, when a foreign government is seeking the data of its own nationals, the U.S. has much less justification to insist on U.S. standards, simply because the data is stored in the U.S. or is held by a U.S.-based provider;
  • Prohibits indirect targeting of U.S. citizen data and prohibits the foreign government from sharing that data back with the United States unless it relates to significant harm or the threat of such harm to the United States or United States persons;
  • Requires that requests be particularized—targeting a specific person, account, address, personal device or other identifier;
  • Requires that requests be based on “articulable and credible facts”—a standard that is similar to the probable cause standard, albeit stated in terms more readily understandable to non-U.S. law enforcement;
  • Requires that requests be subject to “review or oversight” by a court, judge, or magistrate or other independent authority;
  • Requires that any live intercept orders be for a “fixed, limited duration,” “not last any longer than is reasonably necessary to accomplish the approved purposes” and be issued “only if the same information could not reasonably be obtained by another less intrusive measures.” These limitations track, although are not identical to, key protections in the Wiretap Act;
  • Prohibits use of data to infringe on freedom of speech;
  • Requires the foreign government to agree to compliance reviews—a remarkable and novel development that, for the first time, would enable the United States to track how data obtained by foreign governments is used and thereby protect against abuse.  

But I also see the value that Google sees in the CLOUD act. A legitimate set of rules that apply across the board for all member nations could be a great thing; not only to save money and time in courts but so that I know in advance how my data is protected both inside and outside of the U.S.

There is a lot of room for legal manoeuvring in these regulations, which leads us to the biggest question — how will this be enforced? Who will be there to make sure France (for example) follows the laws and regulations about collecting my data inside the U.S.? That's worrisome. Even more so when you replace France with Afghanistan, or if you live in Europe and replace France with the United States. Current laws are in place to protect our data and we've grown accustomed to having them. the CLOUD act would replace many of those protections.

 Civil rights organizations take issue that the CLOUD act can force data hosted inside the U.S. to be handed to another nation without being subject to our existing privacy laws. Some countries provide civil liberties that are equal or better than what the Constitution offers, but others do not. They feel that your data hosted in the U.S. should be protected by your rights as a U.S. citizen and not subject to laws and rights another country observes no matter what the review or admittance process entails.

It also states that a surveillance order issued by any member country be individually based and "subject to review or oversight by a court, judge, magistrate, or other independent authority," and that this review must be "prior to, or in proceedings regarding, enforcement of the order."It would be better to have these protections in place as part of the way agreements between participating countries are made, but they are there, and in language that's surely enforceable should a country be found to be overstepping its bounds.

This means any country that participates in the CLOUD act can't trample the basic civil rights afforded to us as citizens of the U.S. — and that rights of citizens in other countries can't be trampled by the U.S. government. Protections against a foreign government requiring Google to place a backdoor into Android or Chrome are also in place under the CLOUD act and that Google can't be asked by any government to perform surveillance on us while we use their products.

The two sides seem to take the language in the CLOUD Act very differently. That's to be expected with almost any legal document, and most bills introduced to Congress are written in the same type of language. It purposefully leaves things open to the interpretation of the reader, and in the case of laws, the enforcing body. We all will have our own opinion on the bill, and that's a healthy discussion to have. But it's important to know what this means for your data stored on Google's servers.

Why Google support this?

It's important to remember that organizations like the ACLU and EFF exist to examine the worst-case scenario surrounding any rules or laws that govern our personal data. They help create a balance so that courts and legislators can make informed rulings and seeing their objection to the CLOUD Act isn't a surprise because it makes some major changes to the existing laws. It's very difficult for a foreign government to gain access to data saved on a U.S. server and for the U.S. government to obtain data stored on a foreign server because the laws vary from country to country.

An example of this in action is currently happening, as the U.S. Supreme Court is deciding if Microsoft needs to turn over data stored on an Irish server that the Department of Justice wants as evidence in a case that dates back to 2013.

What does this mean for me and my data?

There is no language in the CLOUD act that changes the way Google stores your data or the data it can collect. Nothing there strips away the protections of encryption nor does it prevent you from deleting your data from Google's servers at any time. The only thing the CLOUD act affects is how your data stored on a server in your country, can be shared with another nation's government. But that is something we all should be concerned about, too, so let's look at some specifics.

Are my civil liberties being protected?

The CLOUD act requires the Secretary of State and the Attorney General of the United States to certify that any country entering into the CLOUD ACT "affords robust substantive and procedural protections for privacy and civil liberties." Some specifics are mentioned in the bill to protect our rights as Americans. They include:

  • Protection from arbitrary and unlawful interference with privacy
  • Fair trial rights
  • Freedom of expression, association, and peaceful assembly
  • Prohibitions on arbitrary arrest and detention
  • Prohibitions against torture and cruel, inhuman, or degrading treatment or punishment.

The CLOUD Act also limits which governments are eligible to enter into the kind of executive agreements that enable them to make these type of requests. Access is available only if the attorney general certifies, with the concurrence of the secretary of state, that the domestic law of the foreign government “affords robust substantive and procedural protections for privacy and civil liberties.” 

The Electronic Frontier Foundation has a list of objections as well:

  • Includes a weak standard for review that does not rise to the protections of the warrant requirement under the 4th Amendment.
  • Fails to require foreign law enforcement to seek individualized and prior judicial review.
  • Grants real-time access and interception to foreign law enforcement without requiring the heightened warrant standards that U.S. police have to adhere to under the Wiretap Act.
  • Fails to place adequate limits on the category and severity of crimes for this type of agreement.
  • Fails to require notice on any level – to the person targeted, to the country where the person resides, and to the country where the data is stored. (Under a separate provision regarding U.S. law enforcement extraterritorial orders, the bill allows companies to give notice to the foreign countries where data is stored, but there is no parallel provision for company-to-country notice when foreign police seek data stored in the United States.)
  • The CLOUD Act also creates an unfair two-tier system. Foreign nations operating under executive agreements are subject to minimization and sharing rules when handling data belonging to U.S. citizens, lawful permanent residents, and corporations. But these privacy rules do not extend to someone born in another country and living in the United States on a temporary visa or without documentation.

Does the CLOUD act give the executive branch complete control over our data rights?

No. While it does allow the State Department and Attorney General's office to make agreements with foreign nations there is some Congressional oversight built in. Congress will have the power to:

  • Review new bilateral agreements for up to 180 days.
  • Review changes to existing agreements for up to 90 days.
  • Require written certification and explanation for how countries pass certification.
  • Fast-track disapproval of bilateral agreements. 

Does the CLOUD act make it easier for foreign nations to access my U.S.-based data?

Yes. The CLOUD act removes many of the obstacles currently in place when another country wants your data stored on a Google server inside the United States. This is where civil rights organizations and Google disagree on the merits of the law.

Because of how any data requests must go through the court system, then be subject to appeal or approval from a higher court, countries are forming their own laws that try and force companies like Google to hand over data without any court involvement if the company wants to do business there out of frustration with the process. The U.S. also tries to claim that U.S. law requires a U.S. company to hand over data even when it's hosted outside the country like we're seeing in the Microsoft case presented to the Supreme Court.

The CLOUD act is designed to stop these laws from being enacted and enforced by building a process all countries can agree on and adhere to when it comes to requests for our private data. This is where Apple, Google, Microsoft and other tech companies see the benefit of it. They will know what the laws are and how to follow them in all the countries that participate instead of being subject to individual laws or fighting them in courts.

Does the CLOUD act give foreign countries more power to surveil U.S. citizens and target their data for collection?

No, and yes. Broader power is granted for intelligence gathering but there are restrictions and rules in place that cover any wiretapping or surveillance.

  • Foreign governments are "explicitly forbidden from surveilling a U.S. person directly or indirectly".
  • Surveillance orders must be of a fixed and of limited duration.
  • Surveillance can only happen when it has been shown to be "reasonably necessary" and there is no other way to get the information. 

When collecting data for approved cases, there are rules in place that aim to protect our individual rights:

  • Direct targeting of a U.S. citizen's data by non-U.S. governments is prohibited.
  • Asking a CLOUD Act certified country to target a U.S. persons' data is prohibited.
  • The targeting a non-U.S. persons' data for the purpose of collecting a U.S. persons' data is prohibited. (A country can't target me to see the conversations you and I have in Facebook Messenger, for example.)
  • The "dissemination of a U.S. persons' data" is prohibited unless there is evidence of a serious crime presented.  

Do I need to worry, and should I delete all of my data and go dark?

I'm not a legal expert so I can't form an opinion on the legality of the CLOUD act. That's what we elect officials to do. But I can express a few thoughts on it all. I'm of the opinion that my data stored in the U.S. is protected under the laws of the U.S. and secured with my rights as a U.S. citizen regardless of what France (or Afghanistan) thinks of those protections.

Guaranteed liberties like the 4th amendment (the protection against unreasonable search and seizure defined as an individual right of every U.S. citizen) or its equivalent in other countries should always apply and supersede any type of unilateral act between governments. Every instance where my privacy is to be breached is deserving of its own review in the U.S. courts, especially if I'm not proven guilty of any serious crimes. 

My data is deserving of a review process every time a person or nation requests access. So is yours.



Download File