Today, Senators Hatch (R-UT), Graham (R-SC), Coons (D-DE), and Whitehouse (D-RI) introduced the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). This bill incorporates a rights-invasive proposal by the Department of Justice to grant foreign governments easy access to U.S.-held electronic communications. New America’s Open Technology Institute (OTI) joined a coalition letter last year opposing this proposal before it was introduced as legislation, and we continue to oppose it today.
The CLOUD Act is intended to provide easier pathways both for the U.S. government to access electronic data held overseas, and for qualifying foreign governments to obtain data held in the United States. Foreign governments must currently rely on the Mutual Legal Assistance Treaty (MLAT) process to obtain user data from U.S. technology companies that are relevant to their domestic investigations, and they have complained that this process is too cumbersome and time-consuming. However, the CLOUD Act does not increase resources for, or otherwise improve, the MLAT process. Instead, it would create a new exception to the Electronic Communications Privacy Act (ECPA) to allow certain certified foreign governments to bypass the MLAT process altogether by allowing U.S. companies to voluntarily respond to those foreign governments’ requests for their users’ stored and, for the first time, real-time communications.
The CLOUD Act’s protections for privacy, civil liberties, and human rights are deficient. Among other things, it:
Lacks necessary oversight of Executive Branch decisions to certify countries;
Permits foreign governments to obtain data under a weaker standard than the probable cause requirement that currently applies under MLATs;
Fails to adequately protect Americans’ privacy if their communications are incidentally collected by allowing some contents and all metadata to be shared back to the U.S. government without any legal process or judicial oversight;
Does not require surveillance orders to be reviewed and authorized by an independent body prior to their issuance; and
Does nothing to prevent foreign governments from establishing data localization or encryption backdoor mandates.
The bill would also change the law to enable the U.S. government to compel U.S. providers to hand over users’ data even if the data are held outside the United States. However, unlike previous bills to address this issue, such as the International Communications Privacy Act (S. 1671), it does not include necessary amendments to ECPA to impose a requirement that the U.S. government obtain a warrant before it can access the contents of electronic communications that are over 180 days old.
The following statement can be attributed to Sharon Bradford Franklin, Director of Surveillance & Cybersecurity Policy, New America’s Open Technology Institute:
“Congress is long overdue in updating our laws regarding law enforcement access to electronic data, but the CLOUD Act would move the law in the wrong direction, by sacrificing digital rights. This bill creates new privacy threats by allowing real-time surveillance by foreign governments for the first time, and fails to include fundamental safeguards like a requirement for prior independent judicial review of data requests. We urge Members of Congress to reject this bill, and work with the advocacy community to ensure that any legislation regarding cross-border access to data includes meaningful safeguards for privacy and human rights.”