“People deserve the right to a better process.” Jim McGovern, a member of the US House of Representatives’ Committee on Rules, sounded despairing on March 21.
At 8.00pm he and his colleagues had just been handed a 2,232-page bill to review by the next morning. A little over 24 hours later, President Donald Trump had signed the $1.3 trillion government spending bill into law.
Tucked at the end of it was legislation dubbed the Clarifying Lawful Overseas Use of Data (CLOUD) Act. Largely supported by large tech providers, it aims to streamline the way that international law enforcement agencies access personal data stored on US tech platforms.
Critics, however, say it gives “extensive and nearly unchecked” power for foreign police to demand data stored in the US, without prior review by a judge.
Civil liberties group the ACLU said the bill “strips power away from Congress and the judicial branch, giving [Attorney General] Mike Sessions and… and future executive branch officials virtually unchecked authority to negotiate data exchange agreements with foreign nations, regardless of whether they respect human rights or not.”
The legislation itself states: “The factors to be met in making [a] determination include whether the foreign government has adequate substantive and procedural laws on cybercrime and electronic evidence, as demonstrated by being a party to the Convention on Cybercrime… demonstrates respect for the rule of law and principles of nondiscrimination; adheres to applicable international human rights obligations and commitments or demonstrates respect for international universal human rights.”
One company immediately impacted was Microsoft.
This week it backed the Justice Department’s request the US Supreme Court dismiss a domestic warrant issued by a US judge – for emails stored on a Microsoft server in Dublin relating to a drug-trafficking investigation.
In a filing with the Supreme Court, Microsoft said it would not oppose the Justice Department’s bid to dismiss the case, filed last Friday, because the matter was now “moot” under the new law – which makes it clear that U.S. judges can, indeed, issue warrants for such data.
Microsoft President Brad Smith had earlier blogged that: “In 2013 U.S. law enforcement served on Microsoft a search warrant for customer data stored in our datacentre in Ireland. While we don’t believe that U.S. law grants the Government the right to reach across borders to obtain private information, we do believe that the U.S. should work with the Irish government to obtain the data they want. Unilateral actions like this will undermine privacy protections of customers everywhere, and are a recipe for international tensions, conflict and chaos.”
He added: “The CLOUD Act creates both the incentive and the framework for governments to sit down and negotiate modern bi-lateral agreements that will define how law enforcement agencies can access data across borders to investigate crimes. It ensures these agreements have appropriate protections for privacy and human rights and gives the technology companies that host customer data new statutory rights to stand up for the privacy rights of their customers around the world.”
It remains unclear what the EU’s data protection agencies – who have been taking an increasingly robust line on data privacy – will make of it. Computer Business Review has contacted the European Data Protection Supervisor for comment.