Cloud Act Buried In The Omnibus Bill
The 2,232-page spending bill that has been in the news lately is intended to avoid yet another government shutdown. Big tech companies do not see eye-to-eye with privacy advocates on a portion of this bill known as The Cloud Act (H.R.4943, S.2383).
The bill attempts to simplify the way international law enforcement obtains personal data stored by US-based tech companies. The changes to that process are what’s controversial.
Currently, if a foreign law enforcement agency needs to obtain data for an investigation, they must go through a series of steps first.
- There must be a Mutual Legal Assistant Treaty (MLAT) with the U.S. These treaties are ratified by the Senate.
- Then the foreign law enforcement agency can send a request to the U.S. Department of Justice
- Next, the DOJ needs to seek approval from a judge.
Then the request can go to the tech company that is hosting the data that is being sought.
Tech Company Concerns
The debate around the CLOUD Act also taps into tech company concerns that foreign nations may move to pass laws in favor of data localization, or the process of storing users’ personal data within the borders of the country they are a citizen of. That trend would prove both costly for cloud data giants and difficult, upending the established model of cloud data storage that optimizes for efficiency rather than carefully sorting out what data is stored within the borders of which country.
last month, Microsoft, Apple, Google, Facebook and TechCrunch’s parent company Oath sent a letter in favor of the CLOUD Act and stated that is was “notable progress to protect consumers’ rights.”
“February 6, 2018
Dear Senators Hatch, Coons, Graham, and Whitehouse:
The new Clarifying Lawful Overseas Use of Data (CLOUD) Act reflects a growing consensus in favor of protecting Internet users around the world and provides a logical solution for governing cross-border access to data. Introduction of this bipartisan legislation is an important step toward enhancing and protecting individual privacy rights, reducing international conflicts of law and keeping us all safer.
If enacted, the CLOUD Act would create a concrete path for the U.S. government to enter into modern bilateral agreements with other nations that better protect customers. Importantly, the legislation would require baseline privacy, human rights and rule of law standards in order for a country to enter into an agreement. That will ensure customers and data holders are protected by their own laws and that those laws are meaningful. The legislation would further allow law enforcement to investigate cross-border crime and terrorism in a way that avoids international legal conflicts.
The CLOUD Act encourages diplomatic dialogue but also gives the technology sector two distinct statutory rights to protect consumers and resolve conflicts of law if they do arise. The legislation provides mechanisms to notify foreign governments when a legal request implicates their residents, and to initiate a direct legal challenge when necessary.
Our companies have long advocated for international agreements and global solutions to protect our customers and Internet users around the world. We have always stressed that dialogue and legislation – not litigation – is the best approach.
If enacted, the CLOUD Act would be notable progress to protect consumers’ rights and would reduce conflicts of law. We appreciate your leadership championing an effective legislative solution, and we support this compromise proposal.