While there are many issues Congressional Republicans and Democrats do not agree on, they both recognize that the Electronic Communications Privacy Act should be amended, as evidenced by bi-partisan bills recently introduced in both the House and Senate, known as the Clarifying Lawful Overseas Use of Data, or “CLOUD,” Act.
The CLOUD Act seeks to resolve the extent of ECPA’s extraterritorial reach — amending the Stored Communications Act to specifically authorize a government entity to compel a U.S. provider that stores customer communications (such as emails, texts, and chats) to turn over the content of those communications when stored in another country. This issue has been the primary focus of reform efforts in recent years and, after years of working its way through the lower courts, is now set to be addressed by the U.S. Supreme Court in a case that pits Microsoft against the U.S. government, which is seeking access to data stored by Microsoft on a server in Ireland.
During oral argument in the case on Tuesday, the Court referenced the pending legislation with Justice Sotomayor even questioning whether the Court should wait to make its decision, pending passage of the bill. In wrestling with the alleged extra-territorial effects of producing data in the U.S. that is stored abroad, counsel addressed whether a warrant under the SCA authorized a traditional “search” of a location or was more like a compelled disclosure in response to a subpoena or court order. Some Justices still thought allowing the warrant to be effective in the U.S. for data stored abroad would affect the foreign nation’s interests, but the solicitor general reminded the Court that a comity analysis would be required in that situation. Interestingly, Sen. Orrin Hatch, R-Utah, the lead Senate sponsor of the CLOUD Act, was in attendance at the argument.
If passed, the CLOUD Act would effectively moot the pending case, although passage before decision (end of June) is unlikely, especially in its current form. Prior bills, known as the International Communications Privacy Act (S. 1671 and H.R. 3718, 115th Cong. (2017), have not progressed.
While the CLOUD Act would provide much needed clarity, and is supported by both major U.S. technology companies and the Department of Justice, it has been criticized by consumer advocates that argue it does not contain proper safeguards for consumer privacy. Here we take a look at some of what the CLOUD Act would do, as well as the criticism and potential international conflicts that would need to be addressed.
The CLOUD Act’s Provisions
The CLOUD Act would amend the SCA to require service providers to “preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.” Providers could move to quash or modify if the target is not a U.S. person and if compliance would conflict with the law of the country where the data is stored. In considering such a motion, a court would be required to conduct a comity analysis and, among other things, consider the possibility of accessing the data via other means, the relative degree of U.S. interest in the data, and the interests of the foreign government and its laws.
The CLOUD Act would also give “qualifying” foreign governments access to records stored in the U.S. that pertain to foreign citizens, including foreign citizens here in the U.S. illegally. It would also allow foreign governments to obtain wiretap, trap and trace, and pen register orders in the same manner as U.S. law enforcement, but without the warrant requirements. To implement this, the president would be authorized to make arrangements with foreign governments that would allow those foreign governments to use their legal process to retrieve data about their citizens directly from U.S. providers. To “qualify,” a foreign government must both be approved by the attorney general and secretary of state and also abide by “robust” substantive and procedural protections for “privacy and civil liberties.” All agreements with qualifying foreign governments would be effective 90 days after notice to Congress if no joint resolution of disapproval is enacted and would have to be renewed every five years.
Foreign government orders would be limited to “obtaining information relating to the prevention, detection, investigation, or prosecution of serious crime, including terrorism,” must have “reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation,” and are subject to judicial review.
Criticisms of the CLOUD Act
Despite the CLOUD Act’s requirements for a privacy analysis, critics of the proposed legislation have condemned its discriminatory application to foreign citizens living in the U.S., lack of notice provisions, and the omission of any requirement to obtain a warrant. Privacy groups have long advocated for an amendment to ECPA to require the government to obtain a warrant prior to accessing the content of any stored emails, texts or online chats, not just those less than 180 days old, as the SCA is currently written. After the Warshak decision, in which the 6th Circuit held that ECPA was unconstitutional to the extent it allowed production of any communication content, regardless of time in storage, the Justice Department adopted a policy to always use warrants when seeking the content of communications. Additionally, Congress has introduced numerous bills to clearly address the warrant requirement, with one effort receiving unanimous support in the House in 2016. Here, the CLOUD Act not only fails to address the 180-day issue and conform the SCA, but critics argue it will exacerbate the problem by permitting additional warrantless government requests — both from the U.S. and foreign governments.
Other criticism focuses on the effect the CLOUD Act will have on the existing Mutual Legal Assistance Treaty process. That said, many believed the MLAT process broken, and with the need to have timely access to records for criminal investigations here and abroad, the CLOUD Act would provide a valuable tradeoff allowing quicker access with the elimination of many intricacies and difficulties due to the fact that data can be stored almost anywhere and moved rapidly. A foreign government’s alternative without the benefits of access to records in the U.S. under the CLOUD Act would be to force providers to maintain data on foreign residents locally, which could possibly diminish privacy protections for citizens and non-residents alike.
Additionally, it is not clear whether the bill, in its current form, would meet legal requirements under the EU’s impending General Data Protection Regulation Act. Article 48 of the GDPR addresses foreign (including U.S.) investigations and prohibits the transfer or disclosure of personal data unless pursuant to an MLAT or other international agreement. One possible resolution would be for the U.S. to enter into an agreement with the EU or for the EU to agree that the U.S. investigations and subsequent transfers or disclosures in compliance with the CLOUD Act procedures do not conflict with Article 48.
Despite the fact that the CLOUD Act was introduced with bipartisan support in Congress and the support of the tech industry, there are still many issues to be addressed. In the event Congress can actually pass a bill to fix the long-outdated provisions of ECPA and the SCA, it is likely that any final law will look different from this current version.
If you want to comment on this post, you need to login.