New U.S. CLOUD Act is a threat to global privacy

The internet is great, in part, because it lacks borders. You can just as easily chat with a friend in Nairobi as next door. We count on law enforcement to help protect users against criminal threats that take advantage of that openness. We also expect law enforcement to operate under frameworks that protect privacy. However, while we can transfer data around the world with the click of a button, it’s not so easy for law enforcement to access the data that they might need if it is stored abroad. There is a system in place to facilitate access for law enforcement called the Mutual Legal Assistance Treaties (MLATs). This complicated series of bilateral and multilateral treaties has numerous problems that we’ve documented repeatedly. The biggest problem is that it is just too slow.

Yesterday, a new bill  was introduced in the United States Congress that would circumvent the MLAT process and create a new legal framework to access data stored abroad. Access Now is not fundamentally opposed to improving the MLAT process. We’ve previously identified the goals for such reform. This bill, however, would give law enforcement around the globe — though particularly in the U.S. — more access to users’ private data without sufficient privacy protections.  As it is currently written, the deceptively titled CLOUD (Clarifying Lawful Overseas Use of Data) Act lacks vital safeguards for users or respect for the law of other countries.

There are two ways the CLOUD Act would increase law enforcement’s global reach:

  • The bill would allow U.S. law enforcement to access data stored abroad by increasing the reach of the law that federal law enforcement uses to access data, the Electronic Communications Privacy Act (ECPA), without the cooperation of foreign governments (that cooperation is now standard). Under the newly created standard, law enforcement could order companies to provide data regardless of the location of the data or data subject. This would mean that U.S. courts would claim global authority.
  • Secondly, the bill would enable agreements between the U.S. and other governments whose law enforcement would be permitted to directly request data from U.S. companies without adequate protections for user privacy. When this idea was previously proposed, we addressed some of the problems with it. For one, it would extend the reach of law enforcement in places like the U.K., whose surveillance standards were recently ruled unlawful.

We have supported the idea of updating and streamlining the system for cross border data access, but this is not the way to do it. This proposal might be the worst attempt yet to modify the existing system.

First, the proposed legislation would not resolve conflicts of law, one of the key reasons to support reform to begin with. Right now, many companies have a problem. Government A might issue a subpoena for data stored in Country B. However, Government B might require a more protective warrant rather than a subpoena. This puts the company in a difficult spot, complying with one country’s laws would violate the laws of another. Under this new proposal, the U.S. government would be empowered to request data even when there would be a conflict with foreign law. Only when the U.S. has reached a data sharing agreement with the other country would companies receiving requests — not Government B itself — be able to challenge them. The CLOUD Act might be worse than the status quo. Again, previous bills better handled such conflicts.

Second, the proposed legislation would extend the reach of U.S. law enforcement without updating the law to require a warrant for content. While the U.S. has a high constitutional privacy standard — requiring a showing of probable cause that a crime was committed — current law does not impose that standard over electronic communications, a problem recognized by the government’s highest law enforcement officer and fixed in similar bills. Previous bills that required this fix were broadly supported in both Chambers of Congress, including a 2016 effort that was co-sponsored by nearly ¾ of the House of Representatives..

Third, the proposed legislation does little to help fix the mutual legal assistance treaty system that is currently the primary method for exchanging evidence across borders. The MLAT system is built on privacy protections and reciprocity that are largely missing from the CLOUD Act, and therefore leaves the future of MLATs uncertain.

Congress should seek solutions to real problems, but the CLOUD Act is the wrong approach. We hope to work with lawmakers to instead find a solution that protects human rights, provides legal clarity, and promotes an efficient internet.