CLOUD Act

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Clarifying Lawful Overseas Use of Data Act
Great Seal of the United States
Acronyms (colloquial) CLOUD Act
Enacted by the 115th United States Congress
Effective March 23, 2018
Citations
Public law Pub.L. 115–141
Codification
Acts amended Stored Communications Act, Electronic Communications Privacy Act
Titles amended 18
U.S.C. sections amended 2523
Legislative history

The Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943) is a United States federal law enacted in 2018 by the passing of the Consolidated Appropriations Act, 2018, PL 115-141, section 105 executive agreements on access to data by foreign governments. Primarily the CLOUD Act amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.

Background[edit]

The CLOUD Act was introduced following difficulties that the Federal Bureau of Investigations (FBI) had with obtaining remote data through service providers through SCA warrants, as the SCA was written before cloud computing was a viable technology. The situation was highlighted from a 2013 drug trafficking investigation, during which the FBI issued an SCA warrant for emails that a U.S. citizen had stored on one of Microsoft's remote servers in Ireland, which Microsoft refused to provide. The legal challenge led to the Supreme Court in Microsoft Corp. v. United States. The FBI contended that Microsoft had full control of the data and should be compelled to turn it over in response to the warrant, but Microsoft argued that the SCA did not cover data stored outside the United States.[1] The challenge identified that while the FBI could request a mutual legal assistance treaty (MLAT) to aid in data discovery during cross-border law enforcement, the process to acquire a new MLAT if one is not in place, or to process a request through an existing MLAT, can be slow and impede law enforcement efforts.[2]

Congress, primarily led by Senator Orrin Hatch, had attempted to create legislation prior to the CLOUD Act to amend the SCA with the concerns of Microsoft and other technologies companies with respect to foreign privacy rights. The "Law Enforcement Access to Data Stored Abroad Act" (LEADS Act) in 2015[3] and the International Communications Privacy Act (ICPA) in 2017 were both previous bills intended to amend the SCA but which failed to gain passage.[4][5]

The CLOUD Act is a culmination of these prior bills. Principally, it asserts that U.S. data and communication companies must provide stored data for U.S. citizens on any server they own and operate when requested by warrant, but provides mechanisms for the companies or the courts to reject or challenge these if they believe the request violates the privacy rights of the foreign country the data is stored in. It also provides an alternative and expedited route to MLATs through "executive agreements"; the executive branch is given the ability to enter into bi-lateral agreements with foreign countries to provide requested data related to its citizens in a streamlined manner, as long as the Attorney General, with concurrence of the Secretary of State, agree that the foreign country has sufficient protections in place to restrict access to data related to United States citizens.[6][7]

Support[edit]

The CLOUD Act had support of the Department of Justice and of major technology companies like Microsoft, Apple, and Google.[8][9] The bill was criticized by several civil rights groups, including the Electronic Frontier Foundation, the American Civil Liberties Union, Amnesty International, and Human Rights Watch. These groups argued that the bill stripped away Fourth Amendment rights against unreasonable searches and seizures, since the government could enter into data rights sharing agreements with foreign countries and bypass U.S. courts, and affected users would not have to be notified when such warrants were issued.[9][10] Some of these groups feared the government would not fully review requests from foreign countries for their citizens stored on servers in the U.S., potentially allowing such data to be used in bad faith in those countries.[11]

Passing[edit]

After being introduced in the 115th United States Congress as H.R.4943, the act was included as section 105 of H.R.1625, the Consolidated Appropriations Act, 2018, an omnibus spending bill, which passed both houses of Congress and was signed into law, P.L. 115-141, on March 23, 2018.[12] On April 17 2018, the Supreme Court, based on concurring briefs submitted by the Department of Justice, vacated the United States v. Microsoft Corp. and remanded it back to lower court to do the same, as the Department of Justice was able to secure a new warrant under the CLOUD Act and was no longer pursuing the initial warrant, rendering the case moot.[13][14][15]

References[edit]

  1. ^ Hurley, Lawrence; Volz, Dustin (February 27, 2018). "U.S. Supreme Court wrestles with Microsoft data privacy fight". Reuters. Retrieved April 2, 2018 – via The Globe and Mail.
  2. ^ Whittaker, Zack (August 1, 2014). "How one judge single-handedly killed trust in the US technology industry". ZDNet. Retrieved April 3, 2018.
  3. ^ Maines, Patrick (March 30, 2015). "The LEADS Act and cloud computing". The Hill. Retrieved March 23, 2018.
  4. ^ Breland, Ali (August 1, 2017). "Senate bill would ease law enforcement access to overseas data". The Hill. Retrieved March 23, 2018.
  5. ^ Eggerton, John (September 15, 2017). "International Communications Privacy Bill Reintroduced". Broadcasting and Cable. Retrieved March 23, 2018.
  6. ^ "S.2383 - CLOUD Act". United States Congress. February 6, 2018. Retrieved April 3, 2018.
  7. ^ Johnson, Ericka (March 19, 2018). "The CLOUD Act, Bridging the Gap between Technology and the Law". The National Law Review. Retrieved April 3, 2018.
  8. ^ Foley, Mary Jo (March 22, 2018). "Microsoft bullish on Congress' inclusion of CLOUD Act in funding bill". ZDNet. Retrieved April 2, 2018.
  9. ^ a b Mak, Aaron (March 22, 2018). "Congress Put the CLOUD Act in Its Spending Bill. What Does That Mean For Data Privacy?". Slate. Retrieved April 2, 2018.
  10. ^ Brandom, Russell; Lecher, Colin (March 22, 2018). "House passes controversial legislation giving the US more access to overseas data". The Verge. Retrieved April 2, 2018.
  11. ^ Watters, Jackie (March 31, 2018). "Microsoft email privacy case no longer needed, DOJ says". CNN. Retrieved April 2, 2018.
  12. ^ Wagner, John; DeBonis, Mike (March 23, 2018). "Trump signs $1.3 trillion spending bill despite veto threat on Twitter". The Washington Post. Retrieved March 23, 2018.
  13. ^ Stohr, Greg (March 31, 2018). "Justice Department Asks Court to Drop Microsoft Email Case". Bloomberg Businessweek. Retrieved April 2, 2018.
  14. ^ Nakashima, Ellen (March 31, 2018). "Justice Department asks Supreme Court to moot Microsoft email case, citing new law". The Washington Post. Retrieved April 2, 2018.
  15. ^ "Supreme Court rules that Microsoft email privacy dispute is moot". Reuters. April 17, 2018. Retrieved April 17, 2018.