Deeply embedded within the $1.3 trillion Omnibus spending bill, which was fully passed by the U.S. Congress on March 23, 2018, the Clarifying Lawful Overseas Use of Data (CLOUD) Act has become another in a series of concerns for citizens worried about the erosion of the Fourth Amendment of the Constitution.
On the heels of the personal data harvesting scandals involving Facebook and Cambridge Analytica, as well as the revelations delivered by Eric Snowden in 2013, U.S. citizens have good reason to be anxious about the continuing degradation of privacy laws.
Do citizens of other countries have any reason to pay attention to the CLOUD Act? Do businesses need to do anything to prepare for it? Does your business have anything to worry about?
It is a complicated and controversial law that deserves further review.
What Is the CLOUD Act?
Just when business leaders thought they could settle down and resume standard operating procedures after achieving GDPR compliance and having their data tracking systems in place for the CCPA, along comes even more data privacy-related policies, regulations and laws to continue keeping everyone on their toes.
You can certainly count the CLOUD Act (the Act) among the more complicated new laws for tech professionals to parse out and determine how to manage for their organizations.
The Act allows for any U.S. Law enforcement orders issued under the Stored Communications Act (SCA) to access certain data located in other countries. At a point when existing law enforcement tools and privacy laws to respond to requests for evidence in the age of cloud computing are clearly limited, the CLOUD Act establishes a set of processes and procedures to provide tools for U.S. law enforcement to work with other countries when it comes to sharing electronic information-based evidence.
Following are a few of the most important provisions of the CLOUD Act:
1. The Act allows for U.S. law enforcement orders issued under the SCA to gain access to certain data stored in other countries.
2. The Act also provides for the allowance of certain foreign governments to enter into bilateral agreements with the U.S., therefore prequalifying them to make foreign law enforcement requests directly to the U.S., bypassing the need for a mutual legal assistance treaty. All of this serves to streamline compliance with foreign law enforcement information requests.
3. The Act allows businesses to challenge any law enforcement request that they deem an infringement of privacy.
4. The Act does address civil liberty and privacy concerns by imposing certain limits on the requests of law enforcement.
What Is the Back Story Regarding the CLOUD Act?
The groundwork for the CLOUD Act has been in the works for several years, specifically going back to 2013 in the case of drug trafficking investigation. The FBI issued a SCA warrant to obtain emails that a U.S. citizen had stored on one of Microsoft’s remote servers, based in Ireland.
Microsoft refused to provide access to the information, which ultimately led to the U.S. Supreme Court’s hearing of the case in Microsoft Corp v. United States. The crux of the argument was that, according to the FBI, since Microsoft had full control of the data, the corporation should be compelled to turn it over in response to the warrant. However, Microsoft contended that the SCA did not cover data stored in facilities outside of the U.S.
For a time, Microsoft and the government agreed to monitor progress on the case, but with the passing of the CLOUD Act, there is no need since the facts fall well within the parameters of the Act.
Utah Senator Orrin Hatch led the charge on amending the SCA to more closely resemble what would become the CLOUD Act, with the Microsoft case at the forefront of his thoughts, with respect to foreign privacy rights. The Act is actually a culmination of two previously failed pieces of legislation, which were The Law Enforcement Access to Data Stored Abroad Act (LEADS Act) from 2015 and the International Communications Privacy Act (ICPA), written in 2017.
The resulting CLOUD Act asserts that all U.S. data and communications providers must provide stored data belonging to U.S. citizens, on any server they own and operate, when presented with a warrant. However, it does provide mechanisms for the businesses or courts to challenge or reject the warrant if the organization believes the request violates the privacy rights of the foreign country in which the data is stored.
How Have Various Organizations Responded to the Enactment of the Act?
Perhaps it is not surprising that the CLOUD Act has had the support of major technology corporations like Google, Microsoft and Apple. The Department of Justice has also shown clear support for the Act, as well.
Pushback against the new law has come from organizations that include the American Civil Liberties Union, Amnesty International and Human Rights Watch. These groups contend that the law chips away at citizens’ Fourth Amendment rights that are intended to protect them against unreasonable searches and seizures, especially since the Act may allow the government to enter into data rights sharing agreements with foreign countries to bypass U.S. courts and the Constitution. All of this could be done without notifying affected users when such warrants were issued. Much of the Act does leave citizens open to a variety of potential acts of bad faith.
Will the CLOUD Act Impact Your Business?
It is difficult to know if the CLOUD Act may touch any specific business since it is largely reactionary to requests for information. However, every business could be asked to provide information at any time.
If you are a cloud service provider, a data facility or colocation warehouse owner, a client-server, an internet provider, or some other entity working with clients and their data, you do stand a greater chance of facing a CLOUD-based scenario than businesses that do not retain data en masse.
Of course, everyone is concerned about protecting the rights and privacy of their clients as a bridge to mutual trust and respect for the Constitution. The response to and fallout from the CLOUD Act becomes even more complicated when adding the GDPR and CCPA into the mix, wherein customer rights are intended to take front and center stage. The Act and these relatively newly formed regulations seem to diametrically oppose one another.
With all this to consider, many businesses and governmental bodies may need some guidance in navigating these conflicting concerns.
Do You Have Additional Questions About the CLOUD Act and Your Responsibilities Related to It?
Would you like more information on the CLOUD Act and how it might impact your business? Our I.S. Partners, LLC. team has closely watched the development of the Act, along with all the facts and events leading up to its enactment. We can help you determine the best path in protecting your clients while also complying with this new law.