You could well be excused for not noticing the recent passage of the U.S. Clarifying Lawful Overseas Use of Data Act on March 23, 2018. Better known by its catchy acronym, the Cloud Act, the law was tacked on to the 2,232-page, US$1.3-trillion omnibus budget bill one day ahead of its vote and was signed into law by President Donald Trump without the benefit of the usual congressional scrutiny, hearings or significant public debate.
Supporters of the Cloud Act, including Senator Orrin Hatch, insisted it was a necessary “common sense framework to help law enforcement obtain critical information to solve crimes while at the same time enabling email and cloud computing providers to comply with countries’ differing privacy regimes.” Prior to the passage of the Cloud Act, U.S. law enforcement agencies, seeking to gain access to data stored overseas, had to seek agreement with authorities in the other country using the Mutual Legal Assistance Treaty framework. Critics argued that the MLAT process was cumbersome and time-consuming, sometimes taking years.
The Cloud Act was intended to resolve the challenges of cross-border data collection by foreign governments and U.S. law enforcement by assisting the U.S. government in accessing data outside the U.S. that is in the custody, control or possession of communication service providers subject to U.S. jurisdiction to “protect public safety and combat serious crime” and resolving conflicting legal obligations faced by technology providers when a foreign government orders production of electronic data that U.S. law may prohibit companies from disclosing.
What does the Cloud Act do? Firstly, it amends Title II of the Electronic Communications Privacy Act of 1986 to confirm that electronic-communication service and remote-computing service providers must preserve, back up or disclose the contents of a wire or electronic communication and any other record or other communication pertaining to a customer or subscriber “within such provider’s possession, custody or control, regardless of whether such communication, record, or other information is located within or outside of the United States.” When requested “pursuant to lawful process,” such providers can now be compelled to provide such communication, regardless of the location of the data. The net result is a faster way for U.S. law enforcement officials to obtain offshore data, including email, text, metadata and phone communications of persons.
Secondly, the Cloud Act also permits the U.S. Department of Justice, the State Department and other members of the government’s executive branch to enter into reciprocal executive agreements with “qualifying foreign governments” that allow such governments to directly serve legal process requests on U.S. providers with no involvement of U.S. courts or the U.S. Justice Department. A “qualifying foreign government” means a foreign government that has entered into an “executive agreement” after the attorney general has determined (with the concurrence of the secretary of state) and certified to Congress that such government satisfies the standards set out in the Cloud Act. At first glance, these standards appear fairly extensive, requiring that the domestic laws of the foreign government contain “robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of that foreign government that will be subject to agreement” (including adequate substantive and procedural laws on cybercrime and electronic evidence, respecting the rule of law, adhering to international human rights obligations, etc.). The foreign government must also adopt appropriate procedures to minimize the acquisition, retention and dissemination of information concerning U.S. persons and is explicitly forbidden from intentionally targeting U.S. persons or persons located in the U.S.
Additionally, the foreign government is precluded from using the Cloud Act to ask for information at the request of or to provide information to the U.S. government or a third-party government. Moreover, the order issued by the foreign government must be in compliance with the domestic law of that country and the production order must derive solely from that country’s domestic laws. The order must also be subject to review or oversight by a court, judge, magistrate or other independent legal authority and there are other built-in safeguards including limited scope, duration and include minimization procedures. No U.S. data can be disseminated to the U.S. authorities unless there is a significant harm (or threat thereof) to the United States or United States persons (a citizen, national, permanent resident of the United States, unincorporated association containing a substantial number of U.S. citizens or a corporation incorporated in the U.S.) for such crimes as terrorism, child exploitation or significant financial fraud, etc. The foreign government also has to agree to periodic review of compliance with the terms of the agreement to be conducted by the US government.
Any executive agreement certified by the attorney general will enter into force 180 days after it is submitted to Congress unless Congress enacts a joint resolution of disapproval in the House of Representatives and in the Senate. Subsequently, the attorney general must review the executive agreement and the underlying qualifications of the foreign country every five years and then submit a report to Congress documenting the reasons for renewal, any substantive changes to the foreign law or the agreement, any issues relating to implementation or any controversies that may have arisen.
Thirdly, the act also provides a process by which technology companies can challenge U.S. law enforcement requests based on the material risk of conflict with the laws of the qualifying foreign government. The tech company that is required to disclose the contents of an electronic communication under a legal process may file a motion to modify or quash the legal proceeding not later than 14 days after the day on which the provider was served, if the provider reasonably believes that the required disclosure would create a material risk that the provider would violate the laws of the qualifying foreign government; based on the totality of circumstances, the “interests of justice” dictate that the legal process should be modified or quashed; or the subscriber or customer is not a United States person and does not reside in the United States. In order for a court to approve the motion, the court must find that the required disclosure would violate the laws of a qualifying government; “the interests of justice dictate that the legal process should be modified or quashed” and the customer or subscriber is not a United States person and does not reside in the United States.
To say the Cloud Act is polarizing would be an understatement. Various large U.S. technology companies such as Apple, Google, Facebook and Microsoft have supported the legislation, possibly because the Cloud Act clarifies the process for responding to U.S. government requests, adding certainty. It also helps that the legislation immunizes providers, ensuring that there will be no causes of action against them (or their officers, employees, agents or other specified persons) for disclosing information, providing facilities or assistance in accordance with a court order under the act, request under s. 3125 or an order from a foreign government that is subject to a certified executive agreement. In fact, the act explicitly states that any company relying in good faith on a court order, a request under s. 3125 or a certified executive agreement has a complete defence against any civil or criminal action brought under the act “or any other law.”
In stark contrast, the Electronic Frontier Foundation, the American Civil Liberties Union, Human Rights Watch and the Open Technology Institute were among 24 organizations that widely derided the act, deemed by some journalists as a “privacy-stomping disaster.” Neema Singh Guliani, a legislative counsel with the ACLU, and Naureen Shah, senior director of campaigns at the U.S. arm of Amnesty International, publicly called the act “a dangerous abdication of responsibility by the U.S. government and technology companies.” The EFF was particularly pointed in its criticism, noting that many of the act’s protections were illusory or insufficient. They noted, for example, that the act does not contain any prompt mechanism for withdrawal from the executive agreements once they have been made, even if one of the participants suddenly starts to abuse civil liberties. Among other criticisms levied, the EFF also found that the legislation grants real-time access to and interception by foreign law enforcement without requiring the heightened warrant standards that U.S. police have to adhere to under the Wiretap Act and fails to require notice on any level to the person targeted, to the country where the person resides and to the country where the data is stored. Many critics decried the act as an expansion of government surveillance in the name of “privacy and common sense” with less oversight than currently exists under most U.S. and international data protection laws.
Practically speaking, the Cloud Act also put to bed the question before the U.S. Supreme Court in the United States Department of Justice vs. Microsoft case — which began in 2013 when Microsoft challenged a domestic warrant issued by a U.S. judge to obtain emails stored on a Microsoft server in Dublin relating to a drug-trafficking investigation. Given the explicit ability of U.S. law enforcement to compel Microsoft to obtain data from a server located in Ireland, the case is now moot, and Microsoft withdrew its objections when the Department of Justice made a public filing that calls for the U.S. Supreme Court to end the case.
Perhaps the one thing that everyone can agree upon (aside from the decidedly sneaky way in which it was passed) is that the Cloud Act is one of the more controversial pieces of legislation passed in the U.S. to date and uncertainties about it continue. Will U.S. government officials continually use this act to circumvent data protection and privacy laws, particularly those in Europe? While the Australian government recently praised the act and gave the legislation two thumbs up, what will other U.S. allies say? Will the Cloud Act survive scrutiny by European lawmakers once the EU General Data Protection Regulation comes into force in May? Or the European Court of Justice? Will the passage of the Cloud Act give privacy activists even more ammunition to discredit the Privacy Shield and standard contractual clauses for the transfer of personal data cross-borders? Would the Cloud Act stand up to scrutiny under PIPEDA or other Canadian privacy legislation? Stay tuned.