Buried on page 2,201 of the 2,232-page 2018 Omnibus Spending Bill, the CLOUD Act was signed into law on March 23, 2018. The bill allows U.S. law enforcement to obtain U.S. citizens’ private data from servers anywhere in the world, provided that an agreement exists with that country on data sharing. However, the CLOUD Act has already received tough criticism that raises 4th Amendment concerns.
Bridging the gap between technology and the law
In the modern era of smart phones, driverless cars, and social media, the 115th Congress rocketed the Stored Communications Act (SCA) into the 21st Century by passing the Clarifying Lawful Overseas Use of Data (CLOUD) Act. Originally enacted in 1986 by the 99th United States Congress, the SCA governs U.S. authority to compel disclosure of electronic communications or data stored with a service provider (i.e., telephone records), without setting regulations for accessing digital information stored internationally (i.e., cloud storage).
The chasm between the rapid advancements in technology and outdated legislation was readily apparent when the U.S. Supreme Court heard oral arguments on February 27, 2018, in United States v. Microsoft Corp. Microsoft contested its obligation to disclose Content Information stored exclusively in its datacenter in Ireland, in response to a U.S. government-issued search warrant under the SCA.
During oral arguments, Justices Ruth Bader Ginsburg, Sonia Sotomayor, and Stephen Breyer signaled that Congress, and not the Court, might best be situated to reconcile this gap.
Concerns of civil liberty groups
Critics of the CLOUD Act note that the bill was only introduced in Congress on February 6, 2018, by Senator Orrin Hatch (R-Utah) and Representative Doug Collins (R-Georgia), negating any opportunity for meaningful debate to refine the legislation. There had not yet been a hearing or vote on the floor of Congress on the Act. It was only added to the omnibus bill at 8:00 pm the night before the Congressional vote, meaning that there was no separate discussion on its provisions.
Civil liberty groups have come out strongly against the bill, arguing that it will make it easier for countries with poor human rights records to obtain data on dissidents. The American Civil Liberties Union, the Electronic Frontier Foundation (EFF), Human Rights Watch and 21 other groups said the Act will give the executive branch too much power and not enough oversight. Under the CLOUD Act, the Attorney General and Secretary of State have extensive power over digital privacy without Congressional approval.
In addition, the CLOUD Act could allow foreign governments with which the U.S. has a sharing agreement to contact U.S. companies directly to obtain personal data without notifying the individual. While the CLOUD Act specifically outlaws foreign governments intentionally targeting U.S. persons, EFF argues that the intertwined nature of this data makes it impossible to separate data of non-U.S. targets from U.S. nationals. Indeed, the Act itself seems to recognize this, stating that a foreign government must adopt appropriate procedures to minimize the acquisition of information concerning U.S. persons subject to the agreement. The Act also requires a foreign government to “demonstrate respect for international universal human rights.”
Concerns of legislators
“Congress should reject the CLOUD Act because it fails to protect human rights or Americans’ privacy,” said Senator Rand Paul (R-Kentucky). For instance, the legislation allows foreign governments to demand real time communications data, not requiring that they follow U.S. laws on wiretapping (e.g., 30-day authorization).
As Senator Ron Wyden (D-Ore) observed, “tucked away in the omnibus spending bill is a provision that allows Trump, and any future president, to share Americans’ private emails and other information with countries he personally likes. That means he can strike deals with Russia or Turkey with nearly zero congressional involvement and no oversight by U.S. courts.”
EU taking a cautious approach
The European Commission had previously submitted an amicus brief in the Microsoft case, supporting neither side in the case, but arguing for territoriality under public international law:
“In the European Union’s view, from the perspective of public international law, when a public authority requires a company established in its own jurisdiction to produce electronic data stored on a server in a foreign jurisdiction, the principles of territoriality and comity under public international law are engaged, and the interests and laws of that foreign jurisdiction must be taken into account.”
Pointing to the rushed nature of the law, EU Justice Commissioner Vera Jourova stated that they hoped to secure compatible rules under a proposed EU electronic evidence bill.
Support for the CLOUD Act
Despite these criticisms, technology companies have come out supporting the CLOUD Act. In fact, Microsoft itself has stated that this was a “critical step” forward and created a “modern legal framework” for law enforcement. Interestingly, Microsoft encourages the Government to establish these data agreements with “like-minded countries.” The conflict of laws scenario appears to be a significant challenge for many technology companies.
Either way, the new law has likely mooted United States v. Microsoft Corp. Microsoft has joined the U.S. government in asking the U.S. Supreme Court to vacate the case because the CLOUD Act makes the case, concerning cross-border digital privacy, a moot point. For now, it appears to be settled law that U.S. authorities can obtain U.S. digital information stored internationally.
 See Microsoft Corp. v. United States (In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp.), 829 F.3d 197, 204.