Cross-Border Data

Privacy and Civil Liberties Under the CLOUD Act: A Response

By Jennifer Daskal, Peter Swire
Wednesday, March 21, 2018, 7:00 AM

In a last week, Neema Singh Guliani of the ACLU and Naureen Shah of Amnesty International disagreed with our earlier arguments as to . After carefully reviewing their points, we explain here why we hold to our initial conclusions and why we fear that their approach will result in a reduction of the very privacy benefits that we, and they, so strongly support. We think that the apparent failure to include the Act as part of the omnibus spending bill, as released last night, was a mistake.

The authors say they disagree with the entire approach of the CLOUD Act and end by stating that “Congress should abandon the CLOUD Act and craft a rights-respecting solution.” This statement of overall opposition to the approach of the CLOUD Act is significant: It would appear to persist no matter how many privacy-related enhancements were added to the bill. Instead, the authors seem to prefer one of two possible results: (1) a continuation of the status quo or (2) a greatly revised CLOUD Act that essentially requires foreign governments to adopt U.S. standards, laws and policies as a precondition to accessing any content held by U.S. service providers.

For the reasons we stated previously, we think that this is a short-term perspective that will ultimately harm privacy. The status quo is untenable. The mutual legal assistance (MLA) process through which foreign governments request communications content held by U.S. providers is under unprecedented strain because the number of requests for digital evidence is growing exponentially. Foreign nations will not continue to permit so many of their local criminal investigations to be slowed by the need to convince a distant U.S. judge that the evidence is needed. And no plausible budget increase directed at the MLA process can fix the inevitable delays or sufficiently respond to the growing demand. Absent new mechanisms to facilitate cross-border access to evidence in the legitimate investigation of serious crimes, countries will—as we discussed previously—have strong incentives to require data localization. At that point, the United States will have no say as to the standards that apply.

In addition, the laws of other nations have legitimate differences from U.S. law. Legislation requiring other countries to adopt U.S. legal standards in order to receive data would almost certainly—and understandably—be rejected as an imperialistic attempt by the U.S. to export the details of its law enforcement system around the world. That sort of revised CLOUD Act would fail to achieve any actual change to the current system, as foreign governments would be unlikely to sign executive agreements and then simply adopt U.S. practices.

As an example, consider the debate over whether the bill should require that a request be subject to independent “oversight,” as currently provided, or else be authorized only with a fully independent judicial “review.” But while independent judicial review is an imperative requirement of the U.S. legal system, many civil law countries have a criminal justice system in which the judge presiding over a case plays an investigatory role as well. In those nations, there quite possibly is no independent judicial official with jurisdiction separate from the investigating magistrate. If the bill’s criteria are too U.S.-centric in requiring review by a fully independent magistrate, many countries with strong rule-of-law traditions and institutions would be unable to participate in any of the agreements envisioned by the CLOUD Act.

The authors also do not address how the CLOUD Act would push countries to raise privacy protections. This is not just a hypothetical claim. In 2016, the U.K. government supported the enactment of judicial review of interception orders—in large part because it wanted to ensure eligibility to benefit from the kind of executive agreements provided for in the CLOUD Act. Similarly, in meetings in India earlier this year, one of us (Swire) heard a willingness by senior officials to consider raising privacy standards significantly, such as through a specialized cyber-crime unit that would adopt the procedures and standards detailed in the CLOUD Act.

Similarly, the authors also discount a notable privacy-enhancing feature of the bill—the requirement that foreign governments consent to compliance reviews. To be sure, these reviews would only be as good as those conducting them, as the authors point out. And there is an important role for groups like the ACLU and Amnesty—as well as the rest of us—to push for such reviews to be robust and meaningful. But just the fact that compliance reviews would be newly required is itself a big deal. The reviews would provide an unprecedented opportunity for the United States to ensure that requests meet the stated requirements for accessing data and that ongoing handling of data by the foreign government involved meets the privacy standards set forth in the legislation. For example, the U.S. would gain a mechanism to ensure that returned data is accessed only by those with the authority to do so, that irrelevant data is segregated and ultimately destroyed, and that data is not used to violate free speech rights.

Some of the authors’ critiques are about current law—issues that are untouched by the CLOUD Act and will continue whether or not the legislation is enacted. They correctly note, for example, that the bill “fails to require that countries meet any standards for metadata requests” (emphasis added). But that will be the case with or without the CLOUD Act. The existing blocking provisions that the CLOUD Act seeks to address apply to communications content only; no equivalent restrictions apply to noncontent data. To the extent that the authors support additional blocking provisions for metadata, that would further incentivize foreign governments to demand data localization in ways that undercut the ultimate privacy and human rights goals of the bill.

We have a time-limited opportunity to set baseline standards by drawing on the leverage the United States currently has as home to so much of the world’s data. The CLOUD Act would prohibit using the new executive agreements to either directly or indirectly target the communications of U.S. persons, and it would also create a global baseline for privacy protections even when nations investigate serious crimes affecting their own citizens.

Given the seeming failure to fold the bill into this week’s omnibus spending bill, there may be opportunities to ultimately amend the bill in ways that make the system both more workable and more privacy protective. As we discussed in our prior post, for example, we would like to see requirements that the text of any agreements be made public. We also support giving the Privacy and Civil Liberties Oversight Board a role in reviewing the agreements and conducting the specified compliance reviews. And we agree with those who have argued that the grounds for certifying a partner country as sufficiently human-rights compliant should be made public, among other possible improvements.

We continue to believe, however, that the approach taken in the CLOUD Act should be pushed. This will be better for privacy and civil liberties than maintaining the current, and increasingly unsustainable, status quo.