Latest in Cross-Border Data
The CJEU invalidated one principal legal method for the transfer of personal data from EU territory to the United States and cast substantial doubt on the validity of the other. What are the consequences of the ruling?
On Oct. 3, the United States and the United Kingdom signed the first-ever executive agreement under the CLOUD Act, a 2018 law that authorizes the U.S. to enter into information-sharing agreements with other countries for the purpose of aiding criminal investigations.
Editor's note: This piece is cross-posted at Just Security.
On April 23, the Hoover Institution hosted the latest iteration of the Security by the Book series, where Jack Goldsmith interviewed Henry Farrell and Abraham Newman about their new book, “Of Privacy and Power, The Transatlantic Struggle Over Freedom and Security.” They talked about how the relationship between Europe and U.S. has changed in response to regulations and other government action in the security and privacy spheres on both sides of the Atlantic.
On Wednesday, the Department of Justice released a white paper on the Clarifying Lawful Overseas Use of Data Act, or Cloud Act, which was enacted in March 2018. The white paper, entitled “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act,” is available here and below.
The United States, Canada and Mexico recently completed negotiations on a new trade agreement, the United States-Mexico-Canada Agreement (USMCA), to supersede NAFTA. While the treaty is pending ratification in the legislative bodies of the respective countries, the digital trade portion of the agreement has already garnered a positive response from U.S. technology trade associations.
As opposition grows in the British Parliament to the nearly 600-page agreement negotiated by Prime Minister Theresa May’s government to withdraw the United Kingdom from the European Union, it’s increasingly clear that the current text will not be the final word. But even if the British government is ignominiously sent back to the negotiating table with Brussels, it would be a mistake to dismiss the behemoth withdrawal agreement, and the accompanying 26-page political declaration on the future U.K.-EU relationship, as headed for the trash heap.
Technology firms are extraordinarily powerful. They control vast sums of money. They serve unprecedentedly large customer bases—in some instances, larger customer bases than any nation on earth (Facebook now has over 2 billion users).
Congress this fall will likely face the first executive agreement negotiated under the new Cloud Act. The U.S. and United Kingdom have been negotiating such an agreement since at least 2016.
Congress passed the Cloud Act as part of an omnibus spending bill in March over the objection of many civil society groups, including the Center for Democracy & Technology (with which I am affiliated). The legislation, formally the Clarifying Lawful Overseas Use of Data Act, empowers the Justice Department to serve legal process authorized by the Electronic Communications Privacy Act (ECPA) on U.S. providers for data those companies control, no matter where the data is located.