With government access to foreign communications on the minds of Washington legislators these days--particularly a FISA Act warrant related to a Trump Administration official--a bipartisan group of congress members on both sides of the Hill is introducing the Clarifying Lawful Overseas Use of Data (CLOUD) Act.
Its backers say the act is meant to encourage governments the world over to come up with a "clear" framework for technology companies--like ISPs--to follow when governments make cross-border demands for data stored in the cloud.
“The CLOUD Act is landmark legislation that addresses an increasingly pressing problem,” said Sen. Orrin Hatch (R-Utah), one of the sponsors of the Senate version of the bill. “In today’s world of email and cloud computing, where data is stored across the globe, law enforcement and tech companies find themselves encumbered by conflicting data disclosure and privacy laws."
Rep. Hakeem Jeffries (D-N.Y.), who was among those introducing the House version, said, “The CLOUD Act paves the way for the United States to enter modern bilateral agreements for effective investigations of cross-border crime and terrorism - without international legal conflicts - and ensures that customers and data holders are protected by their own nation’s privacy laws."
The keys to the bill, according to Hatch's office, are:
"Bilateral Agreements: The CLOUD Act enables the United States to enter into formal agreements with other nations to set clear standards for cross-border investigative requests for digital evidence. The CLOUD Act further identifies a series of statutory requirements that these agreements must satisfy, including privacy and security protections.
"Extraterritoriality of US Warrants and International Comity: The CLOUD Act amends US law to make clear that US warrants and other legal process issued for data held by communications providers reach data stored anywhere in the world. The reach of US warrants and legal process, however, would be limited by international comity. The CLOUD Act would give providers, for the first time, a statutory right to challenge legal process based on international comity concerns.
"Transparency: When a communications provider receives a request from US law enforcement related to a national or resident of a country that has entered into a bilateral agreement with the United States, the provider will be permitted to notify that government of the existence of the request. This will allow the foreign government to assess compliance with the terms of the bilateral agreement and enable it to intervene diplomatically if it believes the request is inappropriate.
"Reciprocity: The CLOUD Act would also require participating countries to remove legal restrictions that prevent compliance with data requests from US law enforcement. To qualify for the statutory benefits of the legislation (removal of the US blocking statute, a right for providers to object based on international comity and a right for providers to notify the government of the existence of requests), a foreign government must provide reciprocal rights and benefits to US law enforcement and communications providers."
“The current laws regulating government access to cloud data are unworkable," said CCIA president Ed Black. "They reduce the trust users have in the privacy of their digital information, place U.S. companies in the midst of conflicting laws, and leave U.S. and international law enforcement agencies without legal recourse. The CLOUD Act would help address these issues by establishing a clear mechanism for U.S. law enforcement to seek some data stored abroad, while also providing a balanced legislative framework that permits requests from foreign investigators whose countries remove conflicts of law, raise privacy standards, and respect human rights."
TechNet president Linda Moore agreed. “Passing the CLOUD Act would be a critical step to safeguard our citizens’ privacy rights, ensure law enforcement has the tools they need to protect us, and enhance cooperation between governments.”
The Center for Democracy and Technology, which advocates for internet user privacy and stronger controls on government surveillance, said it supports Electronic Communications Privacy Act Reform, but that the CLOUD Act does not sufficiently protect privacy.
"Unlike previous iterations of related legislation, the CLOUD Act omits the requirement of a warrant, issued on the basis of a finding of probable cause, for the disclosure of communications content to governmental entities in the U.S.," the group said in a statement. "CDT believes any reform to ECPA should include a warrant for content requirement, such as the one included in the the Email Privacy Act, which unanimously passed the House twice."