Protecting our privacy under the CLOUD: what new agreements should look like

Law enforcement officials around the world have long sought easier access to data held by U.S. companies. The Clarifying Lawful Overseas Use of Data (CLOUD) Act was intended to allow the U.S. Department of Justice to reach agreements with other governments for direct law enforcement access to data held by U.S. tech companies.

The United States is currently in a negotiation with the United Kingdom regarding a CLOUD Act agreement, and around the world many countries are watching closely. In this blog post we’ll explain how the legal landscape has changed since the CLOUD Act was passed, what that means for your rights, and what any new agreement should include to protect them.

What has happened so far under the CLOUD

Since the law was enacted in March 2018, no deals have been reached. But that doesn’t mean nothing important has taken place. Surveillance laws around the world have changed in ways that alter the landscape for law enforcement. These changes have made it more clear that CLOUD Act agreements must themselves contain safeguards to protect our privacy and digital security. Moreover, the CLOUD Act should serve as a warning for the E.U. and governments around the world that are considering their own legislation.

Developments in Australia, the European Union, and the U.K.

One example of relevant change is the Assistance and Access bill proposed in Australia. Despite being a close ally with the U.S., and so a likely candidate for an agreement, the Australian government recently introduced a bill that would undermine security in order to grant its agencies authority to demand data held by tech companies. The bill requires tech companies to comply with orders to modify their software or hardware to be able to comply with future law enforcement orders. The bill would harm security and encryption while expanding government hacking. It would have global effect, and unlike in the E.U., there is no substantial human rights system in Australia to protect users.

This is not to say that a CLOUD Act agreement with states in the E.U. would guarantee users’ rights are protected. Indeed, there are not only remaining complications that must be negotiated at the E.U. level for agreements to work, but there are also more fundamental issues that arise with regard to how the CLOUD Act conforms with data protection standards. The Police Directive established data protection rules for law enforcement use of data, and the CLOUD Act may be at odds with standards particular to law enforcement transfers. Moreover, data transferred from the E.U. to the U.S. under the “Privacy Shield” could expose more of the data of EU users to third-party government requests. There are also special concerns related to the U.K. In September, the European Court of Human Rights (ECtHR) ruled once again that parts of the U.K. surveillance regime violate human rights. It’s not clear what the Brexit negotiations will mean for the U.K. and its human rights obligations.

Why these changes matter

The world is watching, and early CLOUD Act negotiations and agreements will set a tone. If additional obligations are not placed in the initial CLOUD Act agreements, it will signal to other governments in the “pipeline” that they do not have to meet rights-respecting standards. For example, in India, there has been buzz about the potential for India and the U.S. to reach a CLOUD Act agreement. India’s government has a mixed track record on privacy. While India is currently developing a comprehensive framework to protect data, there are multiple deficiencies in the government’s proposed framework, including the lack of judicial involvement in surveillance and very narrow oversight of law enforcement requests, among other issues. The “Aadhaar” digital ID program has been shown to pose serious privacy and cybersecurity risks, and these problems persist even after the recent Indian Supreme Court ruling that limited the program. A new CLOUD Act agreement built on appropriate, rights-respecting standards could nudge the Indian government to provide better protections to the next billion users of the internet. Or the opposite could happen, with a bad CLOUD Act agreement lowering the standards and making people’s data more susceptible to access by governments that do not follow internationally recognized standards for law enforcement access to data.     

What the agreements should include to protect our rights

We previously identified the necessary elements of any “safe harbor” system — like the CLOUD Act — that allows law enforcement to go directly to companies with their requests even when the company and the data are located elsewhere. We maintain that any such system must “be based on existing international human rights standards.” Those standards were captured in the Necessary and Proportionate Principles. That means that CLOUD Act itself should be reformed to include those protections. However, absent such reform, any agreement between the U.S. and other countries should include a number of additional protections.

  1. Changes in a country’s laws impacting law enforcement access to data should trigger automatic review. The agreements should spell out that if the laws change regarding law enforcement access to data — like what may happen in Australia — the agreement must be reviewed to ensure the country’s standards continue to protect users. Currently the CLOUD Act provides for review of law enforcement standards every five years, but an automatic trigger would create a stronger incentive to protect us from drastic and potentially unlawful changes to the law.
  2. Users must be notified of law enforcement demands for their data. The agreements should have a method for notifying the people whose data are subject to demands. The international human rights system and U.S. law recognize the importance of user notice for lawful data access regimes. Moreover, law enforcement is likely often to demand data from users living in third-party countries where they do not have the protections of their own domestic law. They must nevertheless be protected. The companies responding to law enforcement demands also have an interest in making sure the users know about it. Microsoft recently published a blog post defining the key elements the company views as necessary for law enforcement access to data, and this included user notice.
  3. Agreements must have clear standards for transparency and oversight. They should spell out what these standards are. The CLOUD Act requires that a country have “appropriate transparency” in order to reach an agreement with the U.S. and it permits the U.S. Department of Justice to consult with outside experts to determine whether a country qualifies for an agreement. That’s not good enough. The agreements must be clear about when the parties must publish data on requests made possible by the CLOUD Act. The agreements should also create an accessible consultation process for reviewing the human-rights impacts of the agreements.
  4. Agreements must ensure that users whose data are subject to lawful access demands have data protection. The agreements should spell out data protection rights, including the right to access and correct one’s data; limitations on use, access, retention, and onward transfer; records of log for data access by authorized officials; appropriate security measures for transit and during storage; and deletion as soon as possible once the information is no longer useful for the original purpose.
  5. Demands for law enforcement access must have prior judicial approval. The agreements should require that a judge approve lawful access demands. The CLOUD Act mandates only judicial involvement. Prior judicial approval protects against frivolous, insubstantial, or unlawful requests.

The U.S. Congress has been granted the power to veto CLOUD Act agreements, but there is a risk they will nevertheless be implemented with minimal oversight. Absent the additional human rights protections spelled out above, Congress should be prepared to veto the agreements.

What’s next: the first CLOUD Act agreement

As we note above, we may shortly see an agreement between the U.S. and the U.K. In our next post, we take a closer look at the implications for people in both countries and for users around the world. We have noted that the larger structural problems with the CLOUD Act should prompt reexamination and reform. We’ve addressed some of the issues, including the law’s failure to resolve the Mutual Legal Assistance Treaty (MLAT) problems, U.S. unilateral demands outside agreements, and the CLOUD Act’s weak system for resolving conflicts. However, since reform is not likely in the short term, it is absolutely critical to ensure the CLOUD agreements themselves protect our rights. Stay tuned for more on how to do that.