The CLOUD Act
- Data Flow Deal Talks Fail Due to Lack of US Action on Privacy: The agreement on transatlantic cooperation reached by U.S. and EU leaders this week did not include the political agreement the White House was hoping for on transatlantic data deals. Last week, EPIC and 23 other leading civil society groups sent a letter to President Biden urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. “The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows,” the groups wrote. “Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated.” In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court. (Jun. 17, 2021) More top news »
As a result of a global digital communications landscape, law enforcement increasingly seeks communications data stored outside national borders in domestic criminal investigations. However, trans-border data access can conflict with national data protection regimes and international human rights instruments.
The Clarifying Lawful Overseas Use of Data (CLOUD) Act, signed into law in March 2018, is an Act to provide trans-border access to communications data in criminal law enforcement investigations. However, the Act's history begins with a privacy dispute between Microsoft and the U.S. government.
The genesis for this bill is United States v. Microsoft, a case in U.S. Supreme Court which concerns whether law enforcement can access communications content stored in Ireland under current U.S. law. On February 27, 2018, the Supreme Court heard arguments in the case. In an amicus brief in the case, EPIC urged the Supreme Court to respect international privacy standards, citing key cases from the European Court of Human Rights and the European Court of Justice. EPIC warned that "a ruling for the government would also invite other countries to disregard sovereign authority.”
Ahead of a decision in that case, the CLOUD Act passed Congress and was signed into law by President Trump on March 23, 2018, likely mooting the case. The CLOUD Act was not debated in Congress. Instead, it was included in an amendment to an omnibus spending bill and passed without a dedicated hearing. The law creates a new subsection within the Stored Communications Act (Chapter 121 of title 18 of the United States Code) codified at 18 U.S.C. § 2713, creates a new subsection within the Wiretap Act (Chapter 119 of title 18) codified at 18 U.S.C. § 2523, and amends various sections of the Wiretap Act, Stored Communications Act.
Overview of the CLOUD Act
There are two key elements of the CLOUD Act - the provisions for U.S. access to foreign stored data, and the provisions to create executive agreements for foreign access to U.S. stored data.
U.S. Access to Foreign Stored Data
First, the Act amended U.S. law to authorize U.S. law enforcement to unilaterally demand access to data stored outside the U.S., despite widespread criticism from the international community. When the U.S. orders a company to produce communications data, the Act provides a mechanism for a communications provider to challenge the order if disclosing the data would risk violating foreign law. Under the CLOUD Act, the legal protection of an individual's rights depends on the objection by a provider. There is no direct mechanism for individuals to challenge an order under the CLOUD Act. A court will consider a provider's challenge of an order for disclosure of data data and review the request under a multi-factor "comity" analysis to assess foreign and other interests at stake. However, U.S. court can require production of that data despite the objection, even where the laws of another nation would be violated.
The Act would also permit federal officials to enter into executive agreements granting foreign access to data stored in the United States, even if that data would otherwise be protected under ECPA. Before foreign access can be authorized, federal officials must first decide that a foreign government meets certain generalized standards for sufficient protections of privacy and civil liberties. The foreign government must also agree to abide by several other limitations, including minimizing any U.S. person data collected. The initial agreement need only be certified by executive branch officials to take effect. Congress can object to the agreement, but need not formally approve the agreement. The agreement is also not subject to review by any court.
Once an agreement is in place, no federal official or court will review an incoming foreign request for access to data stored in the United States. The foreign access will be granted without review of whether the request complies with the requirements of the executive agreement or other legal standards. Only the service provider will have an opportunity to review and object to a foreign access request. However, there are no formal procedures under the CLOUD Act for a provider to object to a foreign access request made under an executive agreement.
Because the CLOUD Act permits data to be accessed by foreign nations based on each nation’s unique domestic procedures, data is accessible under the third-party countries law even when that law falls below human rights standards. The CLOUD Act does not itself set baseline human rights standards for foreign access to stored data. For example, the CLOUD Act does not require notice to be provided to the target of a request for data stored in the United States.
The CLOUD Act removes protections put in place under ECPA. Foreign access requests routed through the United States via diplomatic requests previously benefitted from legal protections for stored data, including the requirement that authorities demonstrate “probable cause” to access the content of communications. The bill would erode these incidental, yet impactful, data protection benefits.
Finally, the CLOUD Act also undermines communications privacy protections for U.S. persons. Data collected by foreign governments under the Act may be transferred to the United States and among other governments. In order to transfer U.S. persons’ communications content, the communications must merely be determined to “relate to significant harm” and non-content information may be transferred without limitation. Under these provisions, the U.S. government could access U.S. persons’ communications without satisfying existing U.S. legal standards. The law also permits realtime interception of communications by foreign governments on U.S. soil for the first time, and does so without requiring other countries meet the "supper warrant" standard laid out in the Wiretap Act.
- The Public Voice
- EPIC Amicus: United States v. Microsoft
- Madrid Declaration (2009)
- EPIC Amicus: Schrems v. Data Protection Commissioner
- EPIC: EU General Data Protection Regulation
- EPIC International Program
- Privacy Law Sourcebook (2016)
- Nina Totenberg, A Needle In A Legal Haystack Could Sink A Major Supreme Court Privacy Case, National Public Radio (Mar. 28, 2018)
- Mariella Moon, President signs overseas data access bill into law, Engadget (Mar. 24, 2018)
- Robyn Greene, Somewhat Improved, the CLOUD Act Still Poses a Threat to Privacy and Human Rights, , Just Security (Mar. 23, 2018)
- Steve Pociask, The CLOUD Act Is Up For Vote and What It Means For Consumers, Forbes (Mar. 22, 2018)
- Taylor Hatmaker, As the CLOUD Act sneaks into the omnibus, big tech butts heads with privacy advocates, , TechCrunch (Mar. 22, 2018)
- Neema Singh Guliani, Naureen Shah The CLOUD Act Doesn’t Help Privacy and Human Rights: It Hurts Them, , Lawfare (Mar. 16, 2018)
- Jennifer Daskal, Peter Swire, Privacy and Civil Liberties Under the CLOUD Act: A Response, , Lawfare (Mar. 21, 2018)
- Nina Totenberg, Court Seems Unconvinced of Microsoft's Argument To Shield Email Data Stored Overseas, National Public Radio (Feb. 27, 2018)
- Pete Williams, Supreme Court seems set to rule against Microsoft in email privacy case, NBC News (Feb. 27, 2018)
- Selena Larson and Lydia DePillis, Microsoft argues data privacy case is one for Congress to decide, CNN (Feb. 27, 2018)
- Julia Fioretti, Europe seeks power to seize overseas data in challenge to tech giants, Reuters (Feb. 26, 2018)
- Matthew Kahn, Microsoft-Ireland Oral Argument Preview: Will the Supreme Court Stave Off Data Localization?, Lawfare (Feb. 26, 2018)
- Jennifer Daskal, Supreme Court take heed: briefs raise conflict of laws issue in Microsoft Ireland, Just Security (Dec. 18, 2017)
- Jennifer Daskal, Why Microsoft Challenged the Right Law: A Response to Orin Kerr, Just Security (Dec. 8, 2017)
- Orin Kerr, 'Microsoft Challenged the Wrong Law. Now What?', The Washington Post (Dec. 4, 2017)
- Jennifer Daskal, There’s no good decision in the next big data privacy case, The New York Times (October 18, 2017)
Share this page:
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.