US Congress Nears Passage of Controversial CLOUD Act on Data Interception

American lawmakers have included funding for a bill that could fundamentally change how authorities access data stored on foreign servers and in cloud storage in this year’s federal budget proposal. On March 22, the US House of Representatives passed the 2018 federal budget, which allocates funds for the implementation of the “Clarifying Lawful Overseas Use of Data” Act, known as the CLOUD Act. First introduced by senators on February 6, 2018, the CLOUD Act amends and supplements the 1986 Stored Communications Act.

The issue of accessing data stored on foreign servers is a major challenge for US law enforcement, as companies that own this data are often reluctant to comply with government requests, fearing violations of foreign laws. Many refusals have led to lengthy court battles.

One of the most high-profile cases was the legal dispute between the US government and Microsoft. Five years ago, the US Department of Justice issued Microsoft a warrant to hand over personal data of a client suspected of illegal activity. The problem was twofold: the request concerned an Irish citizen, and the data was stored on servers located in Ireland. The prolonged legal battle, which eventually reached the US Supreme Court, raised important questions about consumer privacy and security in the digital age.

The CLOUD Act was developed to address such situations. As its name suggests, the bill aims to clarify the process for transferring personal data stored in various jurisdictions at the request of foreign governments.

The bill has support in both chambers of Congress and has received positive feedback from experts and IT industry representatives. Supporters believe the CLOUD Act will significantly simplify law enforcement’s work with personal data and reduce the time and financial costs of legal proceedings.

By specifying procedures for data transfer between the US and foreign countries that have signed special agreements with the US, the CLOUD Act would allow law enforcement agencies in both countries to access user data stored within their territories, as well as in cloud storage outside the jurisdiction of any court system.

Key Aspects of the CLOUD Act

• The CLOUD Act eliminates existing protections for data stored abroad.

  The law clearly states that electronic communication service providers must hand over data to authorized agencies regardless of the jurisdiction where it is stored. Currently, US courts and law enforcement cannot directly request such data from companies and must use the cumbersome Mutual Legal Assistance Treaty (MLAT) system. These treaties, signed at the international level, allow law enforcement in two countries to exchange data stored within their territories, but do not specify the mechanism for data transfer, which is governed by each country’s national laws. This creates contradictions that often lead to court cases.

• Top US officials (including the President) will be able to directly sign agreements with foreign governments for data exchange.

  The bill gives the Attorney General, Secretary of State, and President the authority to enter into data-sharing agreements with foreign governments without Congressional approval. The data transfer procedures outlined in the CLOUD Act can only be used within such bilateral agreements, which are likely to be made with US-friendly countries. However, not all US allies are democratic or uphold the rule of law. The bill states that executive agencies may consider a foreign country’s human rights record when entering into agreements, but it does not clearly define what violations would disqualify a country. Currently, MLATs must be ratified by the Senate after executive branch review, ensuring legislative oversight. If the CLOUD Act passes as written, both chambers of Congress could only send a joint resolution to the President to cancel a bilateral agreement. If the President vetoes this resolution, a two-thirds majority in both chambers would be required to override the veto, which is a high bar.

• Companies will still have some ability to challenge data requests.

  This will be possible in two cases: (a) if the requested personal data does not concern US citizens or residents; (b) if transferring the data would directly violate the laws of the country where the data is stored. The current version of the bill does not clarify whether both conditions must be met or if just one is sufficient to refuse the request.

• Digital rights advocates are actively fighting against the bill.

  The Electronic Frontier Foundation (EFF) has expressed concerns that the CLOUD Act would lead to “dangerous expansion of police control over cross-border data” and highlighted several reasons why the bill violates privacy rights:

  • It would allow foreign law enforcement to obtain and view users’ private communications from US companies without a US court order.
  • It would let foreign governments demand personal data stored on US servers without prior judicial review.
  • It could allow foreign law enforcement to obtain a person’s data without notifying them.
  • It authorizes US law enforcement to intercept any data, regardless of whether it concerns US citizens or where it is stored.

The passage of the CLOUD Act could fundamentally change the entire framework of international data-sharing agreements between law enforcement agencies. The current version of the bill poses significant risks to the rights of both US citizens and those from countries with poor human rights records whose data is stored in the US. While further discussions may lead to important changes and clarifications, the inclusion of CLOUD Act funding in the budget suggests lawmakers are confident it will soon become law.