Hidden in the massive omnibus spending bill approved by Congress in February 2018 was the Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018. The CLOUD Act enables the US government to acquire data across international borders regardless of other nations’ data privacy laws and without the need for warrants.
The CLOUD Act was subject to almost no deliberation as the Senate was working swiftly to avoid a prolonged government shutdown. Describing how congressional leaders decided, behind closed doors, to attach an “un-vetted, unrelated data bill” to the $1.3 trillion government spending bill, the Electronic Frontier Foundation’s David Ruiz wrote that Congress had “a professional responsibility . . . to debate the merits and concerns of this proposal amongst themselves, and this week, they failed.” Due to this failure, Ruiz continued, “U.S. laws will be bypassed on U.S. soil.” The CLOUD Act gives US and foreign police new mechanisms for seizing data—including private emails, online chats, Facebook posts, and Snapchat videos—from around the world, with few restrictions on how that information is used or shared.
Specifically, the CLOUD Act adds provisions to two existing laws that protect constitutional rights in the digital age. As Robyn Greene reported for Just Security, the CLOUD Act creates an exception to the Stored Communications Act, enabling certified foreign governments to request personal data directly from US companies. Such contracts would partially negate the Mutual Legal Assistance Treaty, which mandates that foreign governments must obtain a warrant through the Department of Justice before requesting data.
While noting that the bill passed in the omnibus spending vote included some improvements on previous versions of the CLOUD Act, Greene wrote that “the new bill failed to incorporate any changes to improve privacy protections for Americans. It still requires only that foreign governments minimize data in a manner similar to what is required under the Foreign Intelligence Surveillance Act, and it still permits foreign governments to share U.S. persons’ communications back to the U.S. government with few limitations on how the U.S. government may use that data.”
Many other provisions of the CLOUD Act also leave significant room for potential abuse. The act fails to specify which criminal behaviors might warrant a request for personal data. It also fails to specify a time frame for the approval process. This loophole allows nations to request and obtain data before receiving proper approval. By passing the CLOUD Act without critical examination, Congress failed to consider adding safeguards that could make the CLOUD Act “a boon, rather than a threat, to privacy and human rights,” Greene concluded.
The little corporate news coverage that the CLOUD Act received tended to put a positive spin on it. The Washington Post ran an opinion piece on the topic co-authored by Lisa O. Monaco, the former Homeland Security advisor to President Obama, and John P. Carlin, the former assistant attorney general for the US Department of Justice’s National Security Division. Their op-ed sang the praises of the CLOUD Act as a “promising solution” that would allow US law enforcement to access US company data being stored overseas. They made no mention of potential risks to the privacy of citizens’ personal data.
Similarly, a March 2018 CNET report also defended the CLOUD Act. The article focused on those in favor of the legislation, including Microsoft president Brad Smith, who claimed it gave “tech companies like Microsoft the ability to stand up for the privacy rights of our customers around the world,” and Senator Orrin Hatch, who praised the act for creating “a commonsense framework to encourage international cooperation to resolve conflicts of law.” Overall, the CNET report highlighted the liberties that the CLOUD Act would provide corporations by simplifying legal issues concerning overseas servers while only briefly mentioning concerns, such as those voiced by an ACLU spokesperson, Neema Singh Guliani. She expressed reservations about the CLOUD Act, questioning how it would require companies to distinguish between a national government seeking data for legitimate law enforcement purposes and requests intended for crackdowns on journalists or dissidents. The article as a whole sidelined this narrative and stood in favor of the corporations that stand to benefit from the CLOUD Act.
Robyn Greene, “Somewhat Improved, the CLOUD Act Still Poses a Threat to Privacy and Human Rights,” Just Security, March 23, 2018, https://www.justsecurity.org/54242/improved-cloud-act-poses-threat-privacy-human-rights/.
David Ruiz, “Responsibility Deflected, the CLOUD Act Passes,” Electronic Frontier Foundation, March 22, 2018, https://www.eff.org/deeplinks/2018/03/responsibility-deflected-cloud-act-passes.
Student Researcher: L. Joseph Smith (Diablo Valley College)
Faculty Evaluator: Mickey Huff (Diablo Valley College)