The U.S. recently updated how it handles federal law enforcement data requests for foreign info stored by U.S. companies, but the full impact remains unclear.
The CLOUD Act (short for Clarifying Lawful Overseas Use of Data) passed in the omnibus spending bill on March 23, as the Supreme Court was considering arguments in a long-running case that questioned the reach of U.S. law enforcement into the foreign operations of U.S. companies.
The case of Microsoft vs. U.S. was effectively mooted by the new law, which was supported both by Microsoft and the Justice Department as a compromise that gives law enforcement an way to obtain data from companies via the subpoena process, while also offering companies an avenue to appeal such requests if compliance would force them to break local law.
"This bill is a significant step forward in the larger global debate on what our privacy laws should look like, even if it doesn't go to the highest threshold," said Hasan Ali, Microsoft’s senior attorney on national security and law enforcement, at an April 4 discussion at the Center for Strategic and International Studies.
The law provides a concrete framework and “incentivizes [foreign governments] to go and reform their laws, to elevate their standards, and human rights conditions,” Ali said.
But privacy concerns could also ramp up as state and local law enforcement seek to use the process to compel tech companies to give access to data stored overseas, said Richard Downing, the Department of Justice’s acting deputy assistant attorney general for the criminal division.
“We may well see state and local warrants that want to use this process in order to obtain compliance from foreign providers, or providers storing data overseas,” Downing said, suggesting there may need to be a centralized process so the federal government can keep apprised of such requests. "And how exactly that will work is still up in the air."
The other privacy issue is access by foreign governments to U.S. data. The law allows for the president to enter into executive agreements with foreign governments covering data collection on criminal suspects. While the CLOUD Act makes allowances for entering into agreements only with countries that respect the rule of law recognize freedom of expression and other civil liberties, some have expressed the concern that repressive governments could benefit from the legal agreements allowed under the act.
“We get requests from other countries for investigating crimes that would not be a crime and in fact would be protected speech if it were to occur in the United States,” Downing said. And because countries don’t have to adopt the U.S. speech standard, there should be “a little more flexibility applied as a general rule,” he said. However, that doesn’t guarantee that the request will be granted.
Downing said that even if a request were impermissible under a Cloud Act agreement, it could move to the Mutual Legal Assistance Treaties process.
Downing warned that the new law could create a “diplomatic headache” for the United States because there will be countries that could be denied an executive agreement because Congress may not approve.
“Countries that are not yet part of an executive agreement (with the United States) are in fact no worse off than they are today,” Downing said. Countries “may be better off” because the legal process may end up “less burdened because many more requests will be made directly to the providers,” rather than to DOJ.