The Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943) is a United States federal law enacted in 2018 by the passing of the Consolidated Appropriations Act, 2018, PL 115–141, Division V.
Acronyms (colloquial) | CLOUD Act |
---|---|
Enacted by | the 115th United States Congress |
Effective | March 23, 2018 |
Citations | |
Public law | Pub.L. 115–141 |
Codification | |
Acts amended | Stored Communications Act, Electronic Communications Privacy Act |
Titles amended | 18 |
U.S.C. sections amended | 2523 |
Legislative history | |
|
The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.[1]
Background
editThe CLOUD Act was introduced following difficulties that the Federal Bureau of Investigation (FBI) had with obtaining remote data through service providers through SCA warrants, as the SCA was written before cloud computing was a viable technology.[2] The situation was highlighted from a 2013 drug trafficking investigation, during which the FBI issued an SCA warrant for emails that a U.S. citizen had stored on one of Microsoft's remote servers in Ireland, which Microsoft refused to provide.
This legal challenge led to the Supreme Court in Microsoft Corp. v. United States. The FBI contended that Microsoft had full control of the data and should be compelled to turn it over in response to the warrant, but Microsoft argued that the SCA did not cover data stored outside the United States.[3] The challenge recognized that while the FBI could request a mutual legal assistance treaty (MLAT) to aid in data discovery during cross-border law enforcement, the process to acquire a new MLAT if one is not in place, or to process a request through an existing MLAT, can be slow and impede law enforcement efforts.[4]
Congress, primarily led by Senator Orrin Hatch, had attempted to create legislation prior to the CLOUD Act to amend the SCA with the concerns of Microsoft and other technology companies with respect to foreign privacy rights. The Law Enforcement Access to Data Stored Abroad Act (LEADS Act) in 2015[5] and the International Communications Privacy Act (ICPA) in 2017 were both previous bills intended to amend the SCA but which failed to gain passage.[6][7]
Provisions
editThe CLOUD Act asserts that U.S. data and communication companies must provide stored data for a customer or subscriber on any server they own and operate when requested by warrant, but provides mechanisms for the companies or the courts to reject or challenge these if they believe the request violates the privacy rights of the foreign country the data is stored in.
It also provides an alternative and expedited route to MLATs through "executive agreements"; the executive branch is given the ability to enter into bi-lateral agreements with foreign countries to provide requested data related to its citizens in a streamlined manner, as long as the Attorney General, with concurrence of the Secretary of State, agree that the foreign country has sufficient protections in place to restrict access to data related to United States citizens.[8][9] The first such agreement was with the United Kingdom.[10] There is a FAQ appended to the white paper published by the U.S. Department of Justice.[11]
Support and opposition
editThe CLOUD Act received support from Department of Justice and of major technology companies like Microsoft, AWS, Apple, and Google.[12][13] The bill was criticized by several civil rights groups, including the Electronic Frontier Foundation, the American Civil Liberties Union, Amnesty International, and Human Rights Watch. These groups argued that the bill stripped away Fourth Amendment rights against unreasonable searches and seizures, since the government could enter into data rights sharing agreements with foreign countries and bypass U.S. courts, and affected users would not have to be notified when such warrants were issued.[13][14] Some of these groups feared the government would not fully review requests from foreign countries for their citizens' stored on servers in the U.S., potentially allowing such data to be used in bad faith in those countries.[15]
Passage and aftermath
editAfter being introduced in the 115th United States Congress as H.R.4943, the act was included as a section of the Consolidated Appropriations Act, 2018 (H.R. 1625), an omnibus spending bill, which passed both houses of Congress and was signed into law, P.L. 115–141, on March 23, 2018.[16]
On April 17, 2018, the Supreme Court, based on concurring briefs submitted by the Department of Justice, vacated the Microsoft Corp. v. United States and remanded it back to lower court to do the same, as the Department of Justice was able to secure a new warrant under the CLOUD Act and was no longer pursuing the initial warrant, rendering the case moot.[17][18][19]
International reactions
editThe European Data Protection Supervisor (EDPS) viewed the CLOUD Act as a law in possible conflict with the GDPR.[20][21][22] The German Commissioner for Data Protection has warned against the use of US based Amazon Web Services for storing sensitive data for the Federal Police.[23]
The law has been viewed as a parallel to China's National Intelligence Law.[24][25]
Following the CLOUD Act's passage, numerous countries have enacted measures to keep data within their borders.[26]
References
edit- ^ "The CLOUD Act and its Impact on Cross-Border Access to the Contents of Communications". 25 March 2018.
- ^ Schwartz, William; Goldstein, rew; Grooms, Daniel. "The New Data Wars: How the CLOUD Act Is Likely To Trigger Legal Challenges". New York Law Journal. Retrieved 2020-11-11.
- ^ Hurley, Lawrence; Volz, Dustin (February 27, 2018). "U.S. Supreme Court wrestles with Microsoft data privacy fight". Reuters. Retrieved April 2, 2018 – via The Globe and Mail.
- ^ Whittaker, Zack (August 1, 2014). "How one judge single-handedly killed trust in the US technology industry". ZDNet. Retrieved April 3, 2018.
- ^ Maines, Patrick (March 30, 2015). "The LEADS Act and cloud computing". The Hill. Retrieved March 23, 2018.
- ^ Breland, Ali (August 1, 2017). "Senate bill would ease law enforcement access to overseas data". The Hill. Retrieved March 23, 2018.
- ^ Eggerton, John (September 15, 2017). "International Communications Privacy Bill Reintroduced". Broadcasting and Cable. Retrieved March 23, 2018.
- ^ "S.2383 - CLOUD Act". United States Congress. February 6, 2018. Retrieved April 3, 2018.
- ^ Johnson, Ericka (March 19, 2018). "The CLOUD Act, Bridging the Gap between Technology and the Law". The National Law Review. Retrieved April 3, 2018.
- ^ Christakis, Theodore (October 17, 2019). "21 Thoughts and Questions about the UK-US CLOUD Act Agreement: (and an Explanation of How it Works – with Charts)". blog. Retrieved July 20, 2020.
- ^ "Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act, White Paper". U.S. Department of Justice. April 2019. Retrieved October 21, 2019.
- ^ Foley, Mary Jo (March 22, 2018). "Microsoft bullish on Congress' inclusion of CLOUD Act in funding bill". ZDNet. Retrieved April 2, 2018.
- ^ a b Mak, Aaron (March 22, 2018). "Congress Put the CLOUD Act in Its Spending Bill. What Does That Mean For Data Privacy?". Slate. Retrieved April 2, 2018.
- ^ Brandom, Russell; Lecher, Colin (March 22, 2018). "House passes controversial legislation giving the US more access to overseas data". The Verge. Retrieved April 2, 2018.
- ^ Watters, Jackie (March 31, 2018). "Microsoft email privacy case no longer needed, DOJ says". CNN. Retrieved April 2, 2018.
- ^ Wagner, John; DeBonis, Mike (March 23, 2018). "Trump signs $1.3 trillion spending bill despite veto threat on Twitter". The Washington Post. Retrieved March 23, 2018.
- ^ Stohr, Greg (March 31, 2018). "Justice Department Asks Court to Drop Microsoft Email Case". Bloomberg Businessweek. Retrieved April 2, 2018.
- ^ Nakashima, Ellen (March 31, 2018). "Justice Department asks Supreme Court to moot Microsoft email case, citing new law". The Washington Post. Retrieved April 2, 2018.
- ^ "Supreme Court rules that Microsoft email privacy dispute is moot". Reuters. April 17, 2018. Retrieved April 17, 2018.
- ^ European Data Protection Supervisor (10 July 2019). "EDPB-EDPS Joint Response on the US Cloud Act" (PDF).
- ^ "21 Thoughts and Questions about the UK-US CLOUD Act Agreement: (and an Explanation of How it Works – with Charts)". October 17, 2019.
- ^ Whitworth, Martin (2018). "Don't Get Spooked by the CLOUD Act" (PDF). International Data Corporation.
- ^ Delcker, Janosch (April 4, 2019). "German watchdog says Amazon cloud vulnerable to US snooping". POLITICO.eu.
- ^ "As Huawei frightens Europe's data protectors, America does too". The Straits Times. February 24, 2019. Archived from the original on 2024-03-14.
- ^ Maartje Wijffelaars. "The transatlantic trade war: Plenty of topics to be upset about". RaboResearch - Economic Research. Archived from the original on 2021-02-25.
- ^ Zhang, Angela Huyue (2024). High Wire: How China Regulates Big Tech and Governs Its Economy. Oxford University Press. p. 248. doi:10.1093/oso/9780197682258.001.0001. ISBN 9780197682258.
Further reading
edit- Hemmings, Justin; Srinivasan, Sreenidhi; Swire, Peter (2019-10-07). "Defining the Scope of 'Possession, Custody, or Control' for Privacy Issues and the Cloud Act". Journal of National Security Law and Policy. 10 (3): 631. SSRN 3469808 – via SSRN.
External links
edit- 18 U.S. Code § 2713 (Stored Communications Act)
- Consolidated Appropriations Act, 2018 as amended (PDF/details) in the GPO Statute Compilations collection
- Consolidated Appropriations Act, 2018 as enacted (PDF/details) in the US Statutes at Large