As the House advances a 2,232-page spending bill meant to avert a government shutdown, privacy advocates and big tech companies aren’t seeing eye to eye about a small piece of legislation tucked away on page 2,212.
The Clarifying Lawful Overseas Use of Data Act, a.k.a. the CLOUD Act (H.R.4943, S.2383) aims to simplify the way that international law enforcement groups obtain personal data stored by U.S.-based tech platforms — but the changes to that process are controversial.
As it stands, if a foreign government wants to obtain that data in the course of an investigation, a series of steps are necessary. First, that government must have a Mutual Legal Assistant Treaty (MLAT) with the U.S. government in place, and those treaties are ratified by the Senate. Then it can send a request to the U.S. Department of Justice, but first the DOJ needs to seek approval from a judge. After those requirements are met, the request can move along to the tech company hosting the data that the foreign government is seeking.
The debate around the CLOUD Act also taps into tech company concerns that foreign nations may move to pass laws in favor of data localization, or the process of storing users’ personal data within the borders of the country of which they are a citizen. That trend would prove both costly for cloud data giants and difficult, upending the established model of cloud data storage that optimizes for efficiency rather than carefully sorting out what data is stored within the borders of which country.
In a February 6 letter, Microsoft, Apple, Google, Facebook and Oath (TechCrunch’s parent company) co-authored a letter calling the CLOUD Act “notable progress to protect consumers’ rights.”
In a late February blog post, Microsoft Chief Legal Officer Brad Smith addressed the issue. “The CLOUD Act creates both the incentive and the framework for governments to sit down and negotiate modern bi-lateral agreements that will define how law enforcement agencies can access data across borders to investigate crimes,” Smith wrote. “It ensures these agreements have appropriate protections for privacy and human rights and gives the technology companies that host customer data new statutory rights to stand up for the privacy rights of their customers around the world.”
In a recent opinion piece, ACLU legislative counsel Neema Singh Guliani argues that the CLOUD Act sidesteps oversight from both the legislative and judicial branches, granting the attorney general and the state department too much discretion in choosing which governments the U.S. will enter into a data exchange agreement with.
The Center for Democracy and Technology also opposes the CLOUD Act on the grounds that it fails to protect the digital privacy of American citizens and the Electronic Frontier Foundation dismissed the legislation as “a new backdoor around the Fourth Amendment.” The Open Technology Institute also denounced the CLOUD Act’s provision to “allow qualifying foreign governments to enter into an executive agreement to bypass the human rights protective Mutual Legal Assistance Treaty (MLAT) process when seeking data in criminal investigations and to seek data directly from U.S. technology companies.”
Both organizations acknowledge that improvements to the bill do partially address some of the human rights concerns associated with not requiring an MLAT in a data sharing agreement.
“While this version of the CLOUD Act includes some new safeguards, it is still woefully inadequate to protect individual rights,” OTI Director of Surveillance & Cybersecurity Policy Sharon Bradford Franklin said of the changes.
“Critically, the bill still would permit foreign governments to obtain communications data held in the United States without any prior judicial review, and it would allow foreign governments to obtain U.S.-held communications in real time without applying the safeguards required for wiretapping by the U.S. government. ”
The Consumer Technology Association voiced its support of the altered bill in a press release issued Thursday. “CTA thanks the House of Representatives for taking steps to empower America’s digital infrastructure for the 21st century. The inclusion of the CLOUD Act and RAY BAUM’S Act in today’s legislation ensures Americans can safely create, share and collect electronic data while providing them the resources to do so.”
While some changes made aspects of the bill more palatable to digital privacy watchdogs, some are objecting to the choice to tack it onto the omnibus spending bill.
Oregon Senator Ron Wyden and Kentucky Senator Rand Paul spoke out Thursday against passing the CLOUD Act by attaching it to the spending bill.
“Tucked away in the omnibus spending bill is a provision that allows Trump, and any future president, to share Americans’ private emails and other information with countries he personally likes. That means he can strike deals with Russia or Turkey with nearly zero congressional involvement and no oversight by U.S. courts,” Wyden said. “This bill contains only toothless provisions on human rights that Trump’s cronies can meet by merely checking a box. It is legislative malpractice that Congress, without a minute of Senate debate, is rushing through the CLOUD Act on this must-pass spending bill.”
While the content of the CLOUD Act has evolved away from controversy with some modifications, the choice to pass it as part of the omnibus plan without further opportunity for public debate to examine its potential far-reaching implications is proving just as controversial as earlier forms of the legislation.