New CLOUD Act splits industry, civil liberty orgs

A revamped bill that seeks to clarify the conditions under which U.S. law enforcement can legally access data owned by domestic companies but stored overseas is causing a rift in the uneasy alliance that has formed between tech giants and data privacy advocates.

The Clarifying Lawful Overseas Use of Data (CLOUD) Act was introduced Feb. 6 by Sens. Orrin Hatch (R-Utah), Chris Coons (R-Del.), Lindsay Graham (R-S.C.) and Sheldon Whitehouse (D-R.I.). A House companion bill was offered the same day by Rep. Doug Collins (R-Ga.).

The legislation is in large part an attempt to resolve lingering legal questions around a major case pending before the Supreme Court, Microsoft Corp. v. United States. At its heart, the case deals with whether the provisions of the 1986 Electronic Communications Privacy Act that allow the government to compel disclosure of wire and electronic communications are subject to geographical and territorial limitations.

In 2013, Microsoft resisted a U.S. warrant for emails stored in company servers in Ireland, arguing the data existed outside the jurisdiction of U.S. law. The case has bounced between lower courts over the years and is set to be ruled on by the U.S. Supreme Court in the current term.

The question of how to treat data jurisdiction in the era where cloud computing and cross-border data storage is the norm has vexed policymakers, including those at the White House.

The CLOUD Act seeks to address this problem by allowing the U.S. to enter into bilateral information sharing agreements with countries that would give both parties access to foreign data stored within their borders. In previewing the legislation, Hatch said the status quo is unworkable for both law enforcement and industry, and that any resolution through the courts will leave unresolved legal holes.

"No matter how the court rules, problems will remain," Hatch said. "Either law enforcement will lack the ability to obtain in a timely manner email and documents in the cloud that are stored overseas, or providers will find themselves caught between conflicting domestic and foreign laws."

The bill is causing a split between major tech and communications companies -- including Microsoft -- that have thrown their weight behind the proposal, and data privacy organizations, which largely panned the measure.

In a Feb. 6 letter to the bill's sponsors, Microsoft, Google, Facebook, Apple and Verizon subsidiary Oath, called the bill "a logical solution for governing cross-border access to data."

In particular, the companies argue the bill provides adequate protections customer privacy, highlighting a provision that would require the U.S. to take into account a country's human rights, privacy and rule of law record before entering into any data sharing agreements.

"The CLOUD Act encourages diplomatic dialogue, but also gives the technology sector two distinct statutory rights to protect consumers and resolve conflicts of law if they do arise," wrote the companies. "The legislation provides mechanisms to notify foreign governments when a legal request implicates their residents, and to initiate a direct legal challenge when necessary."

In a Feb. 8 post on the Electronic Frontier Foundation's DeepLinks blog, Camille Fischer, a former Obama administration technology advisor and current EFF fellow, argued that the CLOUD Act as drafted represents "an enormous erosion of current data privacy laws."

In particular, she highlighted provisions in the bill that impose weaker review standards below that of traditional warrant requirements under the Fourth Amendment, grant real-time access and data interception to foreign nations without having to meet the same evidentiary standards as U.S. law enforcement and a failure to provide any notice to a target that their data is being requested by a foreign government.

"Sadly, some major U.S. technology and legal scholars support the legislation. But, to set the record straight, the CLOUD Act is not a 'good start.' Nor does it do a 'remarkable job' of balancing these interests in ways that promise long-term gains in bothprivacy and security," wrote Fischer. "Rather, the legislation reduces protections for the personal privacy of technology users in an attempt to mollify tensions between law enforcement and U.S. technology companies."

The Center for Democracy and Technology, a think tank focused on Internet freedom issues, also has come out against the legislation, arguing the new version would allow the Department of Justice to authorize foreign governments to demand wiretaps on U.S. companies absent a warrant, something the center believes is inconsistent with American rule of law.

"The Electronic Communications Privacy Act balances the interests of consumers, providers, and the government. The CLOUD Act throws that balance off-kilter by accommodating providers and the government but leaving consumers behind," said Chris Calabrese, CDT's vice president for policy.