The CLOUD Act

• Background|
• Overview of the CLOUD Act|
• Resources|
• News

• Data Flow Deal Talks Fail Due to Lack of US Action on Privacy: The agreement on transatlantic cooperation reached by U.S. and EU leaders this week did not include the political agreement the White House was hoping for on transatlantic data deals. Last week, EPIC and 23 other leading civil society groups sent a letter to President Biden urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. “The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows,” the groups wrote. “Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated.” In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court. (Jun. 17, 2021)
More top news »
Data Flow Deal Talks Fail Due to Lack of US Action on Privacy » (Jun. 17, 2021)
The agreement on transatlantic cooperation reached by U.S. and EU leaders this week did not include the political agreement the White House was hoping for on transatlantic data deals. Last week, EPIC and 23 other leading civil society groups sent a letter to President Biden urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. “The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows,” the groups wrote. “Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated.” In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court.
EPIC, Coalition Tell Biden Administration: No Data Flows Deal Until Congress Enacts Privacy Laws » (Jun. 10, 2021)
EPIC and 23 other leading civil society groups sent a letter to President Biden today urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. “The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows,” the groups wrote. “Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated.” In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court. [PRESS RELEASE]
EPIC, NGOs Object to U.S.-U.K. CLOUD Agreement, Urge Congressional Action » (Oct. 29, 2019)
A coalition of 20 civil society organizations are objecting to the proposed U.S.-U.K. CLOUD Act Agreement, which will allow cross-border data access and wiretapping by law enforcement agencies. In a letter to Congress, the groups explained the Agreement "fails to adequately protect the privacy and due process rights of U.S. and U.K. citizens." The coalition urged Congress to block the Agreement. In testimony before the European Parliament and in an amicus brief for the Supreme Court in United States v. Microsoft, EPIC has argued that cross-border access to personal data requires robust human rights protections, including notice, judicial authorization, and transparency.
UK Releases US-UK CLOUD Act Agreement » (Oct. 7, 2019)
The UK has released the text of the US-UK CLOUD Act Agreement. The agreement permits cross-border access to personal data without judicial approval, allows for law enforcement investigations under lower standards than in the U.S., and lacks notice to data subjects who are subject to surveillance. In testimony before the European Parliament, EPIC International Counsel Eleni Kyriakides argued that cross-border access to personal data should ensure robust human rights protections, such as notice, judicial authorization, and transparency.
State Department Seeks Comment on UK Privacy Protections for CLOUD Act Certification » (Sep. 9, 2019)
The State Department is seeking comment on certification of the UK for a CLOUD Act agreement. The CLOUD Act permits the U.S. to enter into "executive agreements" that allow foreign authorities to order production of communications content stored in the U.S. without obtaining a warrant. To form an agreement, the Attorney General must certify to Congress that the country's domestic law "affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government." The State Department is required to take into account expert input for the certification and is seeking comments on the rule of law in the UK, protection of human rights, and other factors listed for consideration in the CLOUD Act Section 105(b)(1)(B)(i-vi). Comments must be submitted via email to IFBHR@state.gov by Friday, September 13th. Earlier this year, EPIC International Counsel Eleni Kyriakides argued in the European Data Protection Law Review that the CLOUD Act fails to include key human rights protections, such as notice, judicial authorization, and transparency.
U.S. Releases Annual Human Rights Report » (Mar. 14, 2019)
The U.S. Department of State has released the annual report on human rights practices across the globe. The State Dept. report reviews adherence to "internationally recognized individual, civil, political, and worker rights, as set forth in the Universal Declaration of Human Rights and other international agreements," including the arbitrary or unlawful interference with privacy. The 2018 report highlights China's social credit system which "quantifies a person's loyalty to the government by monitoring citizens' online activity and relationships." The report also cites the Indian Supreme Court ruling that privacy is a fundamental right and Turkish authorities' investigation of more than 45,000 social media accounts between 2016 and April 2018. Two EPIC publications - The Privacy Law Sourcebook 2018 and Privacy and Human Rights: An International Survey of Privacy Laws and Developments - provide a comprehensive overview of privacy frameworks around the world and track emerging privacy challenges.
European Privacy Board Report Criticizes Privacy Shield Compliance » (Jan. 25, 2019)
A report from the European Data Protection Board, an influential independent European privacy body, criticizes U.S. oversight of the EU-U.S. Privacy Shield. The European Commission recently renewed the framework permitting the flow of European consumers' personal data to the U.S. However, the Board now states U.S. oversight of compliance lacks "substantial checks." The EU Data Protection Board encouraged the Privacy and Civil Liberties Oversight Board to review U.S. surveillance authorities, and stated that the Privacy Shield Ombudsperson could not be considered an "effective remedy" for privacy violations. During review of Privacy Shield, EPIC cited concerns about the failure of the FTC to enforce the 2011 Consent Order against Facebook, passage of the CLOUD Act, and renewal of bulk foreign intelligence surveillance.
EPIC Comments on Second Annual Privacy Shield Review » (Aug. 14, 2018)
EPIC provided comments to the European Commission to inform the second annual review of the EU-U.S. Privacy Shield, a framework that permits the processing of the personal data of Europeans in the United States. EPIC detailed the latest privacy developments in the U.S., including the extension of Fourth Amendment protection to cell phone location data in Carpenter v. United States, passage of the CLOUD Act, the FTC's failure to enforce its legal judgment against Facebook, the vacancies at the PCLOB, the absence of a Privacy Shield Ombudsman at the Commerce Department, and the nomination of Judge Brett Kavanaugh to the Supreme Court. The Commission approved Privacy Shield last year, but sought additional steps by the United States. The European Parliament has called for suspension of the pact if the U.S. does not fully comply by September 1st. The European Commission will make a final determination this fall.
EPIC, Coalition Call for Human Rights Protections in Cybercrime Convention Update » (Jul. 5, 2018)
EPIC and a coalition of civil society organizations urged the Council of Europe to include robust human rights protections in the proposed revision to the Convention on Cybercrime. Otherwise, the updates could enable "a race to the bottom for protection," the coalition warned. The groups opposed the CLOUD Act model for law enforcement access to data in foreign jurisdictions, calling instead for robust transparency and accountability requirements. The human rights groups also urged widespread ratification of the International Privacy Convention 108. EPIC and US consumer rights groups have long campaigned for United States ratification of Convention 108.
Zuckerberg Confirms Global Compliance with GDPR » (Apr. 11, 2018)
In response to a series of questions from Rep. Gene Green, (D-TX), Facebook CEO Mark Zuckerberg confirmed that Facebook will comply with the new European Union privacy law - "the GDPR" - in all jurisdictions. Earlier this week, the Transatlantic Consumer Dialogue (TACD), a coalition of more than 70 consumer organization in North America and Europe, sent a letter to Mr. Zuckerberg urging him to comply with the GDPR as a baseline standard for all Facebook users worldwide. TACD wrote, "The GDPR helps ensure that companies such as yours operate in an accountable and transparent manner, subject to the rule of law and democratic process."
EPIC Amicus: Supreme Court Divided Over Microsoft Stored Communications Case » (Feb. 28, 2018)
This week, the Supreme Court heard arguments in United States v. Microsoft Corps., a case concerning law enforcement access to personal data stored in Ireland. The Court appeared divided during the argument, but both Justice Ginsburg and Justice Alito appeared to agree that Congress and not the Court was better positioned to find a solution. In an amicus brief, EPIC urged the Supreme Court to respect international privacy standards. EPIC wrote, the "Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms." EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC warned that "a ruling for the government would also invite other countries to disregard sovereign authority." EPIC has long supported international standards for privacy protection, and EPIC has urged U.S. ratification of the Council of Europe Privacy Convention. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Carpenter v. United States (privacy of cellphone data), Byrd v. United States (searches of rental cars), and Dahda v. United States (wiretapping).
EPIC Offers Recommendations for Future of FTC Ahead of Senate Hearing on Nominees » (Feb. 13, 2018)
In advance of a Senate hearing on four nominees to the Federal Trade Commission, EPIC recommended 10 steps for the FTC to safeguard American consumers. EPIC explained that the FTC's failure to address the data protection crisis has contributed to unprecedented levels of data breach and identity theft in the United States. EPIC helped establish the FTC's authority for consumer privacy and has urged the FTC to safeguard American consumers in cases involving Microsoft, Google, Facebook, Uber, Samsung and others. EPIC also filed a lawsuit against the FTC when it failed to enforce a consent order against Google.

Background

As a result of a global digital communications landscape, law enforcement increasingly seeks communications data stored outside national borders in domestic criminal investigations. However, trans-border data access can conflict with national data protection regimes and international human rights instruments.

The Clarifying Lawful Overseas Use of Data (CLOUD) Act, signed into law in March 2018, is an Act to provide trans-border access to communications data in criminal law enforcement investigations. However, the Act's history begins with a privacy dispute between Microsoft and the U.S. government.

The genesis for this bill is United States v. Microsoft, a case in U.S. Supreme Court which concerns whether law enforcement can access communications content stored in Ireland under current U.S. law. On February 27, 2018, the Supreme Court heard arguments in the case. In an amicus brief in the case, EPIC urged the Supreme Court to respect international privacy standards, citing key cases from the European Court of Human Rights and the European Court of Justice. EPIC warned that "a ruling for the government would also invite other countries to disregard sovereign authority.”

Ahead of a decision in that case, the CLOUD Act passed Congress and was signed into law by President Trump on March 23, 2018, likely mooting the case. The CLOUD Act was not debated in Congress. Instead, it was included in an amendment to an omnibus spending bill and passed without a dedicated hearing. The law creates a new subsection within the Stored Communications Act (Chapter 121 of title 18 of the United States Code) codified at 18 U.S.C. § 2713, creates a new subsection within the Wiretap Act (Chapter 119 of title 18) codified at 18 U.S.C. § 2523, and amends various sections of the Wiretap Act, Stored Communications Act.

Overview of the CLOUD Act

There are two key elements of the CLOUD Act - the provisions for U.S. access to foreign stored data, and the provisions to create executive agreements for foreign access to U.S. stored data.

U.S. Access to Foreign Stored Data

First, the Act amended U.S. law to authorize U.S. law enforcement to unilaterally demand access to data stored outside the U.S., despite widespread criticism from the international community. When the U.S. orders a company to produce communications data, the Act provides a mechanism for a communications provider to challenge the order if disclosing the data would risk violating foreign law. Under the CLOUD Act, the legal protection of an individual's rights depends on the objection by a provider. There is no direct mechanism for individuals to challenge an order under the CLOUD Act. A court will consider a provider's challenge of an order for disclosure of data data and review the request under a multi-factor "comity" analysis to assess foreign and other interests at stake. However, U.S. court can require production of that data despite the objection, even where the laws of another nation would be violated.

Executive Agreements

The Act would also permit federal officials to enter into executive agreements granting foreign access to data stored in the United States, even if that data would otherwise be protected under ECPA. Before foreign access can be authorized, federal officials must first decide that a foreign government meets certain generalized standards for sufficient protections of privacy and civil liberties. The foreign government must also agree to abide by several other limitations, including minimizing any U.S. person data collected. The initial agreement need only be certified by executive branch officials to take effect. Congress can object to the agreement, but need not formally approve the agreement. The agreement is also not subject to review by any court.

Once an agreement is in place, no federal official or court will review an incoming foreign request for access to data stored in the United States. The foreign access will be granted without review of whether the request complies with the requirements of the executive agreement or other legal standards. Only the service provider will have an opportunity to review and object to a foreign access request. However, there are no formal procedures under the CLOUD Act for a provider to object to a foreign access request made under an executive agreement.

Because the CLOUD Act permits data to be accessed by foreign nations based on each nation’s unique domestic procedures, data is accessible under the third-party countries law even when that law falls below human rights standards. The CLOUD Act does not itself set baseline human rights standards for foreign access to stored data. For example, the CLOUD Act does not require notice to be provided to the target of a request for data stored in the United States.

The CLOUD Act removes protections put in place under ECPA. Foreign access requests routed through the United States via diplomatic requests previously benefitted from legal protections for stored data, including the requirement that authorities demonstrate “probable cause” to access the content of communications. The bill would erode these incidental, yet impactful, data protection benefits.

Finally, the CLOUD Act also undermines communications privacy protections for U.S. persons. Data collected by foreign governments under the Act may be transferred to the United States and among other governments. In order to transfer U.S. persons’ communications content, the communications must merely be determined to “relate[] to significant harm” and non-content information may be transferred without limitation. Under these provisions, the U.S. government could access U.S. persons’ communications without satisfying existing U.S. legal standards. The law also permits realtime interception of communications by foreign governments on U.S. soil for the first time, and does so without requiring other countries meet the "supper warrant" standard laid out in the Wiretap Act.

Resources

• The Public Voice
• EPIC Amicus: United States v. Microsoft
• Madrid Declaration (2009)
• EPIC Amicus: Schrems v. Data Protection Commissioner
• EPIC: EU General Data Protection Regulation
• EPIC International Program
• Privacy Law Sourcebook (2016)

News

• Nina Totenberg, A Needle In A Legal Haystack Could Sink A Major Supreme Court Privacy Case, National Public Radio (Mar. 28, 2018)
• Mariella Moon, President signs overseas data access bill into law, Engadget (Mar. 24, 2018)
• Robyn Greene, Somewhat Improved, the CLOUD Act Still Poses a Threat to Privacy and Human Rights, , Just Security (Mar. 23, 2018)
• Steve Pociask, The CLOUD Act Is Up For Vote and What It Means For Consumers, Forbes (Mar. 22, 2018)
• Taylor Hatmaker, As the CLOUD Act sneaks into the omnibus, big tech butts heads with privacy advocates, , TechCrunch (Mar. 22, 2018)
• Neema Singh Guliani, Naureen Shah The CLOUD Act Doesn’t Help Privacy and Human Rights: It Hurts Them, , Lawfare (Mar. 16, 2018)
• Jennifer Daskal, Peter Swire, Privacy and Civil Liberties Under the CLOUD Act: A Response, , Lawfare (Mar. 21, 2018)
• Nina Totenberg, Court Seems Unconvinced of Microsoft's Argument To Shield Email Data Stored Overseas, National Public Radio (Feb. 27, 2018)
• Pete Williams, Supreme Court seems set to rule against Microsoft in email privacy case, NBC News (Feb. 27, 2018)
• Selena Larson and Lydia DePillis, Microsoft argues data privacy case is one for Congress to decide, CNN (Feb. 27, 2018)
• Julia Fioretti, Europe seeks power to seize overseas data in challenge to tech giants, Reuters (Feb. 26, 2018)
• Matthew Kahn, Microsoft-Ireland Oral Argument Preview: Will the Supreme Court Stave Off Data Localization?, Lawfare (Feb. 26, 2018)
• Jennifer Daskal, Supreme Court take heed: briefs raise conflict of laws issue in Microsoft Ireland, Just Security (Dec. 18, 2017)
• Jennifer Daskal, Why Microsoft Challenged the Right Law: A Response to Orin Kerr, Just Security (Dec. 8, 2017)
• Orin Kerr, 'Microsoft Challenged the Wrong Law. Now What?', The Washington Post (Dec. 4, 2017)
• Jennifer Daskal, There’s no good decision in the next big data privacy case, The New York Times (October 18, 2017)