The DOJ and Microsoft have both filed motions to dismiss as moot the seminal data privacy case before the Supreme Court this term, United States v. Microsoft Corp. At issue in the case is whether the warrant provisions of the Stored Communications Act (SCA) apply extraterritorially, such that they compel Microsoft, an electronic service provider, to produce private electronic communications stored on servers in Ireland for the United States government.
In their respective motions, the two parties agree that there is no longer a “live case or controversy” with respect to the question presented, due to a piece of recently enacted legislation called the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). Congress attached the bipartisan legislation to an omnibus spending bill, and it was signed into law on March 23, 2018. The act states as follows:
“A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.”
The CLOUD Act also includes provisions governing foreign governments’ access to U.S.-held data, and this is the part of the act that human rights and privacy organizations have opposed the most. The CLOUD Act authorizes the president to enter into reciprocal data-sharing “executive agreements” with foreign governments. Organizations like the ACLU, EFF and Amnesty International have denounced the executive agreement mechanism for giving foreign governments unfettered access to U.S.-held data.
It is worth noting, however, that the act puts forth significant requirements that foreign governments must meet in order to be considered a “qualifying foreign government” under the CLOUD Act. Among other requirements, the government in question must:
- Have domestic law that “affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement;”
- Have instituted “appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning United States persons subject to the agreement;” and
- Adopt procedures that guard against targeting, either direct or indirect, of a U.S. citizen or person located in the United States.
The act also specifies criteria for what constitutes a qualifying order for the disclosure of U.S.-held data to a foreign government. In particular, the order must:
- Be for the purpose of “obtaining information relating to the prevention, detection, investigation, or prosecution of serious crime, including terrorism;”
- Identify a “specific person” or other “specific identifier” as the object of the order;
- Comply with the requesting country’s domestic law;
- Be subject to independent oversight by a judge, court, magistrate, or other legal authority, among other qualifications.
One of the best dialogues on the act unfolded in a series of response essays on Lawfare.
Jennifer Daskal and Peter Swire argued in an initial essay posted on Lawfare that the CLOUD Act will enhance, rather than dilute, privacy and human rights protections on balance. They note that the status quo for requesting evidentiary data across borders – the MLAT process – is a cumbersome diplomatic channel ill-equipped for the sheer number of cross-border data requests currently in the system. As a result, countries are growing more and more frustrated with the MLAT process, which they view as not only cumbersome, but “imperialistic,” since it often requires getting a warrant from a U.S.-based judge even if the data requested concerns a local criminal investigation.
Countries are thus turning to alternative measures to bypass the MLAT system, such as data localization laws that require that data be stored within the country. Data localization laws have been accused by critics of veiling anti-democratic motivations on the part of the instituting government – such as allowing for closer surveillance and identification of local political dissidents. Furthermore, data localization laws lead to data decentralization, which in turn leads to multiple points of vulnerability in data providers’ security and privacy infrastructure.
Daskal and Swire also note that the CLOUD Act subjects foreign governments to regular compliance reviews by U.S. officials, which they praise as a novel opportunity for the U.S. to monitor how foreign governments use the data and guard against abuse.
Neema Singh Guliani from the ACLU and Naureen Shah from Amnesty International argue in a response essay that the CLOUD Act puts the privacy and security of individuals, particularly human rights activists, at risk. “The very premise of the current CLOUD Act,” they write, “the idea that countries can effectively be safe-listed as human-rights compliant, such that their individual data requests need no further human rights vetting—is wrong.” Guliani and Shah argue that the CLOUD Act has inadequate safeguards for a wide range of scenarios, such as when a country experiences a “rapid deterioration in human rights,” like Turkey did in mid-2016 following a coup attempt.