Boris Lubarsky

CLOUD Act Signed into Law with No Hearings as Part of Omnibus Spending Bill, but Grave Privacy Concerns Remain

On March 23, 2018, the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, was signed into law.1 The CLOUD Act was tacked onto the omnibus spending bill and was passed without any public hearings or input as to its impact.2 The Act eases foreign law enforcement’s access to electronic information in cloud storage.3 Civil rights organizations have panned the law as a possible end-run around the Fourth Amendment and other constitutional protections for both U.S. citizens and foreign nationals.4 On the other hand, cloud storage providers like Microsoft and Google have overwhelmingly supported it.5 The Act aims to streamline the current process for foreign law enforcement agencies to access data stored in the cloud by U.S. cloud-storage providers. Cloud storage, and subpoenaing the contents kept therein, is a hot issue both in the United States and internationally. When technological innovation outpaces the law that regulates it, it becomes Congress’ duty to update the law. The CLOUD Act attempts to do just that, but it creates grave concerns regarding privacy, due process, and the targeting of foreign dissidents and refugees in the United States by their home countries.

Cloud storage is a model of data storage that allows digital data to be stored across multiple servers, often in different locations, that a user can access online.6 Cloud storage allows data to be backed up in case a single server fails and ensures that it can be quickly accessed by the user anywhere in the world. The proliferation of cloud storage, in general, coupled with the popularity of U.S. cloud-storage providers, in particular, means that more and more foreign data is being stored on servers in the United States or controlled by U.S. companies.7

Before the CLOUD Act, foreign law enforcement that sought information from a U.S. cloud-service provider would have to go through the Mutual Legal Assistance Treaty (MLAT) process to obtain documents or data from cloud storage.8 The MLAT process strikes a balance between privacy and security by allowing foreign governments to obtain data relevant to their domestic investigation while ensuring American constitutional protections remain intact. To obtain data stored in the United States, of either a U.S. citizen or a foreign national, foreign law enforcement authorities must request the documents from the Department of Justice (DOJ).9 The DOJ then must obtain a warrant from a U.S. court supported by probable cause.10 The DOJ then executes the warrant and turns over the requested private data to the foreign agency. This process was effective because the documents a foreign agency requests were typically either physically within the United States or related to a person physically within the United States, thereby coming under the protections of the U.S. Constitution.

Foreign governments have become increasingly frustrated with the MLAT process, especially for cloud data.11 Investigations of purely local crimes can be stalled simply because the suspect happens to have data on a Google Drive, Apple iCloud, Microsoft OneDrive, or other U.S. cloud storage account. An investigation can even be curtailed if the request does not meet the high judicial burden of probable cause necessary for a warrant. Therefore, foreign governments are actively seeking a way to bypass the MLAT process—most likely through requiring all of their citizens’ data to be stored in their home country and subject to local laws, known as data localization.12

The U.S. government faces similar frustrations when a U.S. citizen’s data is stored on servers abroad by a U.S. company. The Supreme Court heard oral arguments on this very issue in Microsoft v. U.S. when Microsoft could not comply with a U.S. warrant for cloud data stored on a server in Ireland.13 Since the passage of the CLOUD Act both parties have moved to dismiss the case as moot.14

The CLOUD Act bypasses the MLAT process, allowing the Attorney General to enter into agreements with foreign governments so that they can demand data about non-U.S. persons directly from the cloud storage provider.15 The Attorney General would have to consider the foreign government’s human rights record before entering into the agreement, but can nevertheless decide to enter into agreements with those that have committed human rights abuses.16 The Act entirely bypasses Congress, allowing the Executive Branch to make the sole determination about whether, and on what terms, to enter into an agreement with a foreign government, without congressional review or oversight.17 Under the Act, foreign governments would be able to gain access to emails and other data without a court order or even individual review by the state department,18 though a government would still need to go through the MLAT process to request data about a US citizen.19

GLTR Staff Member; Georgetown Law, J.D. expected 2018; Georgetown University, B.S.F.S. 2011. ©2018, Boris Lubarsky.