The CLOUD Act

  • Supreme Court: Fourth Amendment for Lawful Driver of Vehicle Regardless of Rental Agreement: The U.S. Supreme Court ruled today that a driver in lawful possession of a rental car has a reasonable expectation of privacy regardless of a rental car agreement. The Court held in Byrd v. United States that "the mere fact that a driver in lawful possession or control of a rental car is not listed on the rental agreement will not defeat his or her otherwise reasonable expectation of privacy." EPIC filed an amicus brief in the case, joined by 23 technical experts and legal scholars who are members of the EPIC Advisory Board, which stated that "relying on rental contracts to negate Fourth Amendment standing would undermine legitimate expectations of privacy." EPIC also urged the Court to recognize that modern cars collect vast troves of personal data and "make little distinction between driver and occupant, those on a rental agreement and those who are not." EPIC routinely participates as amicus curiae in cases before the Supreme Court, such as in United States v. Microsoft Corp., Dahda v. United States, and United States v. Jones. (May 14, 2018)
  • Zuckerberg Confirms Global Compliance with GDPR » (Apr. 11, 2018)
    In response to a series of questions from Rep. Gene Green (D-TX), Facebook CEO Mark Zuckerberg confirmed that Facebook will comply with the new European Union privacy law - "the GDPR" - in all jurisdictions. Earlier this week, the Transatlantic Consumer Dialogue (TACD), a coalition of more than 70 consumer organizations in North America and Europe, sent a letter to Mr. Zuckerberg urging him to comply with the GDPR as a baseline standard for all Facebook users worldwide. TACD wrote, "The GDPR helps ensure that companies such as yours operate in an accountable and transparent manner, subject to the rule of law and democratic process."
  • EPIC Amicus: Supreme Court Divided Over Microsoft Stored Communications Case » (Feb. 28, 2018)
    This week, the Supreme Court heard arguments in United States v. Microsoft Corp., a case concerning law enforcement access to personal data stored in Ireland. The Court appeared divided during the argument, but both Justice Ginsburg and Justice Alito appeared to agree that Congress and not the Court was better positioned to find a solution. In an amicus brief, EPIC urged the Supreme Court to respect international privacy standards. EPIC wrote, the "Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms." EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC warned that "a ruling for the government would also invite other countries to disregard sovereign authority." EPIC has long supported international standards for privacy protection, and EPIC has urged U.S. ratification of the Council of Europe Privacy Convention. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Carpenter v. United States (privacy of cellphone data), Byrd v. United States (searches of rental cars), and Dahda v. United States (wiretapping).
  • EPIC Offers Recommendations for Future of FTC Ahead of Senate Hearing on Nominees » (Feb. 13, 2018)
    In advance of a Senate hearing on four nominees to the Federal Trade Commission, EPIC recommended 10 steps for the FTC to safeguard American consumers. EPIC explained that the FTC's failure to address the data protection crisis has contributed to unprecedented levels of data breach and identity theft in the United States. EPIC helped establish the FTC's authority for consumer privacy and has urged the FTC to safeguard American consumers in cases involving Microsoft, Google, Facebook, Uber, Samsung and others. EPIC also filed a lawsuit against the FTC when it failed to enforce a consent order against Google.

Background

As a result of a global digital communications landscape, law enforcement increasingly seeks communications data stored outside national borders in domestic criminal investigations. However, trans-border data access can conflict with national data protection regimes and international human rights instruments.

The Clarifying Lawful Overseas Use of Data (CLOUD) Act, signed into law in March 2018, is an Act to provide trans-border access to communications data in criminal law enforcement investigations. However, the Act's history begins with a privacy dispute between Microsoft and the U.S. government.

The genesis for this bill is United States v. Microsoft, a case in the U.S. Supreme Court that concerns whether law enforcement can access communications content stored in Ireland under current U.S. law. On February 27, 2018, the Supreme Court heard arguments in the case. In an amicus brief in the case, EPIC urged the Supreme Court to respect international privacy standards, citing key cases from the European Court of Human Rights and the European Court of Justice. EPIC warned that "a ruling for the government would also invite other countries to disregard sovereign authority."

Ahead of a decision in that case, the CLOUD Act passed Congress and was signed into law by President Trump on March 23, 2018, likely mooting the case. The CLOUD Act was not debated in Congress. Instead, it was included in an amendment to an omnibus spending bill and passed without a dedicated hearing. The law creates a new subsection within the Stored Communications Act (Chapter 121 of title 18 of the United States Code) codified at 18 U.S.C. § 2713, creates a new subsection within the Wiretap Act (Chapter 119 of title 18) codified at 18 U.S.C. § 2523, and amends various sections of the Wiretap Act and the Stored Communications Act.

Overview of the CLOUD Act

There are two key elements of the CLOUD Act - the provisions for U.S. access to foreign stored data, and the provisions to create executive agreements for foreign access to U.S. stored data.

U.S. Access to Foreign Stored Data

First, the Act amended U.S. law to authorize U.S. law enforcement to unilaterally demand access to data stored outside the U.S., despite widespread criticism from the international community. When the U.S. orders a company to produce communications data, the Act provides a mechanism for a communications provider to challenge the order if disclosing the data would risk violating foreign law. Under the CLOUD Act, the legal protection of an individual's rights depends on the objection by a provider. There is no direct mechanism for individuals to challenge an order under the CLOUD Act. A court will consider a provider's challenge of an order for disclosure of data and review the request under a multi-factor "comity" analysis to assess foreign and other interests at stake. However, a U.S. court can require production of that data despite the objection, even where the laws of another nation would be violated.

Executive Agreements

The Act would also permit federal officials to enter into executive agreements granting foreign access to data stored in the United States, even if that data would otherwise be protected under ECPA. Before foreign access can be authorized, federal officials must first decide that a foreign government meets certain generalized standards for sufficient protections of privacy and civil liberties. The foreign government must also agree to abide by several other limitations, including minimizing any U.S. person data collected. The initial agreement need only be certified by executive branch officials to take effect. Congress can object to the agreement, but need not formally approve the agreement. The agreement is also not subject to review by any court.

Once an agreement is in place, no federal official or court will review an incoming foreign request for access to data stored in the United States. The foreign access will be granted without review of whether the request complies with the requirements of the executive agreement or other legal standards. Only the service provider will have an opportunity to review and object to a foreign access request. However, there are no formal procedures under the CLOUD Act for a provider to object to a foreign access request made under an executive agreement.

Because the CLOUD Act permits data to be accessed by foreign nations based on each nation's unique domestic procedures, data is accessible under the third-party country's law even when that law falls below human rights standards. The CLOUD Act does not itself set baseline human rights standards for foreign access to stored data. For example, the CLOUD Act does not require notice to be provided to the target of a request for data stored in the United States.

The CLOUD Act removes protections put in place under ECPA. Foreign access requests routed through the United States via diplomatic requests previously benefitted from legal protections for stored data, including the requirement that authorities demonstrate “probable cause” to access the content of communications. The bill would erode these incidental, yet impactful, data protection benefits.

Finally, the CLOUD Act also undermines communications privacy protections for U.S. persons. Data collected by foreign governments under the Act may be transferred to the United States and among other governments. In order to transfer U.S. persons' communications content, the communications must merely be determined to "relate[] to significant harm" and non-content information may be transferred without limitation. Under these provisions, the U.S. government could access U.S. persons' communications without satisfying existing U.S. legal standards. The law also permits real-time interception of communications by foreign governments on U.S. soil for the first time, and does so without requiring that other countries meet the "super warrant" standard laid out in the Wiretap Act.
