A dozen privacy and human rights groups have opposed the bipartisan CLOUD Act regulating cross-border data access, claiming that it will erode basic liberties. They describe the bill as helping “empower” foreign governments to commit human rights abuses; endangering constitutional rights; and even, in an email sent to the Hill this week, undercutting LGBT rights around the world.
We respectfully disagree. Contrary to these claims, the bill would improve privacy and civil liberties protections compared to a world without such legislation.
This opposition to the CLOUD Act has so far focused on a provision authorizing the president to enter into executive agreements in order to facilitate cross-border access to communications content in the investigation of serious crimes. Absent such an agreement, U.S. law requires foreign governments to make a diplomatic request for any such data that is U.S.-held, employing what is known is the Mutual Legal Assistance (MLA) process. There is broad consensus, however, that the current MLA system is slow, cumbersome and in need of updating to handle the growth of online cloud services and the globalization of criminal evidence.
The bill provides that needed update. It lifts blocking provisions for certain types of requests from certain rule of law-abiding governments: Partner governments can, pursuant to a long list of qualifications, directly request data of non-U.S. persons from U.S.-based providers without going through the MLA process. If the foreign government wants to request the data of a U.S. citizen or resident, it still needs to employ the MLA system. The bill sets forth a long list of privacy and human rights criteria as to the contours of those requests.
What’s more, for the first time, the bill sets up a mechanism for the U.S. government to review what foreign governments do with data once it is turned over. This is a privacy win—something that that no foreign government has agreed to in the past. In our view, these criteria will raise privacy protections on a global scale.
We deeply share the goals of the privacy and civil liberties advocates working in this space. Both of us have worked for years, on many different issues and in multiple capacities, to support privacy, human rights and civil liberties. On the specific issue of cross-border access to data, we have researched these issues in great depth and have led and participated in numerous working groups, both domestically and internationally. Indeed, numerous privacy and human rights protections in Section 5 of the CLOUD Act were actually honed in working group discussions that included many of the groups now opposing the bill.
Perhaps our greatest disagreement with the groups critical of the bill lies in their comparison of what will happen with and without legislation. The implicit assumption in the groups’ critiques is that the vast majority of the world’s data instead will continue to be held by U.S.-based companies, under U.S. law. We disagree with this premise.
Without legislation, foreign governments can only access content under the MLA process, even when seeking data of their own nationals in connection with a crime that occurs in that nation. The Justice Department has to review every foreign government request and then itself obtain the data, on behalf of the foreign government, pursuant to a warrant based on probable cause.
But this status quo is not sustainable. Foreign governments have become increasingly frustrated by the MLA system, which they see as an imperialist attempt to insist that foreign governments obtain a warrant issued by a U.S. judge even for data needed in the investigation of local crimes. As a result, these governments are actively seeking ways to bypass the MLA system. Without new legislation, other countries will face strong pressures to shift to data localization—requiring emails, social network posts, and other content to be stored within that country. Content currently subject to the MLA process and protected by the U.S. probable cause standard will be available to foreign governments under local laws. In many countries, that means police access without any judicial process; notably, no other country in the world has the probable cause standard of the U.S. In such situations, the United States has no say as to the standards employed in accessing that data; no say in how the data is used; and no say in how intermingled U.S. citizen data is dealt with and who it is passed onto.
In short, the United States has a time-limited moment to use its current, but perhaps fleeting, leverage as the holder of so much of the world’s data to set privacy-protective standards that foreign governments can be pushed to meet. Once foreign governments implement data localization mandates or find alternative ways to bypass the U.S. system, the U.S. leverage will be lost.
In addition, there are strong reasons to press for passage very quickly. The CLOUD Act would moot the Microsoft Ireland case, now pending before the Supreme Court, that addresses the reach of U.S. warrant authority over data that is controlled by a U.S.-based company but located overseas (in the particular case, in Dublin). That decision will be handed down by June. If the Justice Department wins—and many observers of the recent oral argument believe it has a strong chance of victory—then the prospects for privacy-protective legislation would fade further. With a government victory and the uncertainty of a pending case out of the way, the Justice Department would be guaranteed strong authority to get the data that it seeks without regard to location and would have far less reason to agree to the numerous privacy protections in the current bill.
To reiterate, the CLOUD Act includes an impressively long list of privacy protections, many drafted with the participation of the groups now opposing the CLOUD Act. The bill sets critically important baseline substantive and procedural protections, while doing so in a way that is achievable and understandable to other rights-respecting nations. Among other things, the legislation:
Prohibits targeting of U.S. citizen and resident data. For such data, foreign governments would still need to go through the MLA system and obtain a warrant based on probable cause. This important provision reflects the common-sense notion that U.S. standards should continue to protect U.S. citizens and residents. Likewise, when a foreign government is seeking the data of its own nationals, the U.S. has much less justification to insist on U.S. standards, simply because the data is stored in the U.S. or is held by a U.S.-based provider;
Prohibits indirect targeting of U.S. citizen data and prohibits the foreign government from sharing that data back with the United States unless it relates to significant harm or the threat of such harm to the United States or United States persons;
Requires that requests be particularized—targeting a specific person, account, address, personal device or other identifier;
Requires that requests be based on “articulable and credible facts”—a standard that is similar to the probable cause standard, albeit stated in terms more readily understandable to non-U.S. law enforcement;
Requires that requests be subject to “review or oversight” by a court, judge, or magistrate or other independent authority;
Requires that any live intercept orders be for a “fixed, limited duration,” “not last any longer than is reasonably necessary to accomplish the approved purposes” and be issued “only if the same information could not reasonably be obtained by another less intrusive measures.” These limitations track, although are not identical to, key protections in the Wiretap Act;
Prohibits use of data to infringe on freedom of speech;
Requires the foreign government to agree to compliance reviews—a remarkable and novel development that, for the first time, would enable the United States to track how data obtained by foreign governments is used and thereby protect against abuse.
The CLOUD Act also limits which governments are eligible to enter into the kind of executive agreements that enable them to make these type of requests. Access is available only if the attorney general certifies, with the concurrence of the secretary of state, that the domestic law of the foreign government “affords robust substantive and procedural protections for privacy and civil liberties.” Congress has 90 days to object to any such agreement, under a streamlined legislative process.
Human rights and privacy groups also have criticized this approval system. And we too believe more might be done to strengthen the approval process. In particular, we agree with those commentators who have argued that the legislation should specify that the agreements be made public. And perhaps there could be an explicit role for the Privacy and Civil Liberties Oversight Board, or some other entity, in reviewing these reports and agreements. But we view these as changes to push for—not reasons to oppose the bill in its entirety.
Finally, we should note that the legislation does not actually authorize any foreign-based requests for data. It merely lifts the current legislative bar on disclosure. The bar on providing content to foreign governments would continue to apply to any request that does not meet the many standards laid out in the bill.
Having worked on these issues in many settings, there also are additional privacy protections we would prefer to the current bill. For instance, we support the provisions of the E-Mail Privacy Act, which would codify the requirement of a probable cause warrant for U.S. demands for communications content. But based on our understanding of the state of play on the Hill, we don’t think that kind of change is currently feasible as part of CLOUD Act consideration without scuttling the entire bill.
If Congress sits on the sidelines, other countries will localize data and access it under local procedures that often are less stringent than the CLOUD Act would provide. And if congressional dawdling allows the Supreme Court to rule against Microsoft before the bill is passed, bargaining power will shift to the Justice Department and against those supporting stronger privacy protections.
In short, to protect privacy and human rights, the wisest course is to promptly approve the CLOUD Act. It is sometimes painful but true: Let not the perfect be the enemy of the good