On Friday, U.S. President Trump signed into law the CLOUD Act as part of a broad spending package. The CLOUD Act expands law enforcement access to data stored across international borders. It both enables the United States to get direct access to data stored abroad, and allows the U.S. to enter into agreements with other countries so they can directly request data from companies in the U.S. Previously, countries have been required to use the Mutual Legal Assistance Treaty (MLAT) process. That system is not perfect but provides a higher level of privacy protection since it requires law enforcement requests for data to go through the relevant government for approval.
We’ve explained that the CLOUD Act doesn’t have vital and necessary privacy protections. Instead it allows countries to expand their surveillance authorities globally with inadequate safeguards for human rights. Even though the CLOUD Act passed (despite our warnings), that’s just the beginning of the story. The U.S. government still has to decide with which countries to make agreements. Further, since the law was very poorly drafted — leaving significant questions unanswered and raising new ones — it will likely need to be adjusted at some point.
Here’s a look at what the CLOUD Act does, what it doesn’t do, and what is likely to happen next.
What the CLOUD Act does
In our previous post, we described the two major changes the CLOUD Act makes to U.S. law:
1.) No foreign government cooperation needed for U.S. law enforcement to get data anywhere. The CLOUD Act allows U.S. law enforcement to access data stored abroad by increasing the reach of the U.S. Electronic Communications Privacy Act (ECPA), enabling access without the cooperation of foreign governments. Under the newly created standard, U.S. law enforcement can order companies to provide data regardless of where the company is located or where the individual whose data are sought resides. This means that U.S. courts can now exercise global authority.
2.) No cooperation needed for foreign law enforcement to get U.S. data. Secondly, the CLOUD Act lets the U.S. forge agreements with other countries to allow foreign law enforcement to directly request users’ data from U.S. companies, without adequate protections for privacy. When lawmakers first proposed this idea, we explored some of the many problems with it. For one, it gives more authority to law enforcement in the countries with which the U.S. makes agreements. In the United Kingdom — likely to be the first partner in these agreements — the surveillance standards under which law enforcement operates have been ruled unlawful.
What the CLOUD Act doesn’t do
It doesn’t fix many of the problems with cross-border access to data, and it doesn’t adequately protect users’ human rights.
First, the CLOUD Act does not resolve conflicts of law, one of the key reasons anyone would have wanted to support this kind of reform in the first place. Second, it increases law enforcement authorities to access data — in the U.S. and other countries — without putting in place necessary privacy protections. Third, it does not fix the problems with the MLAT system that has been the primary method for exchanging evidence across borders. Instead, the CLOUD Act bypasses that system, at the expense of human rights.
What comes next
The first country that the U.S. will likely reach an agreement with is the United Kingdom, despite the fact that the British digital surveillance regime has been ruled unlawful. The shape of this agreement will influence those with other countries. The European Union might be another early “adopter” of these agreements, risking broad expansion of the damage to human rights.
Our hope is that civil society can still have a positive impact on these deals. Unfortunately, much of what will happen will take place in the dark. The CLOUD Act permits consultation with outside experts, but it doesn’t require consultation or even mandate the public release of these agreements. There is no requirement for Congress to vote to approve each agreement and the process will be granted only limited review.
Nevertheless, Access Now and other rights groups will continue to apply pressure on the U.S. Departments of Justice and State for transparency on these agreements, urging them to adhere to standards of human rights protection above what is required by the CLOUD Act.
This fight for human rights protections will likely go global. We could see the CLOUD Act influence other governments as they consider making changes to law enforcement access to data stored in other countries. It’s not clear whether it will set countries on the path of playing entirely within a cooperative, rules-based system for cross-border access to data, or another path. The European Union is currently undergoing a process to expand law enforcement access to data within its borders and beyond. A recent report suggests that it will ultimately grant to European authorities the same kind of unilateral power to get access to data in other countries that the CLOUD Act grants to U.S. authorities. We may see other governments follow suit.
That said, as we note above, the CLOUD Act itself will likely need to be changed. It was pushed through the Congress with scant opportunity to debate or amend the legislation, and it shows. Some of these anticipated changes may be compelled by litigation. The European data protection framework is likely to cause complications if U.S. law enforcement seeks access to the data of European persons stored in the E.U.
Make it rain
The bottom line is that we’re not sure what will happen next. This CLOUD Act is dark, and it’s hard to see what’s going on. However, so much is up in the air under this poorly crafted law that we can count on uncertainty — meaning that we could see a number of opportunities ahead to positively influence how the U.S. and other countries get access to data across borders. At Access Now, we’re monitoring the debate in Europe, calling on Congress to make the necessary reforms sooner rather than later, and keeping you informed. As soon as we have a better forecast, we will let you know.