CLOUD Act is an about-face on constitutional rights

On March 23, President Donald Trump signed a law that could undo the very protections for privacy and autonomy that American colonists fought for in the Revolutionary War. When James Madison wrote the Constitution and the Fourth Amendment, it was to prevent the type of expansive and invasive tactics British officers committed against the American colonists and their property. But under the framework of the Clarifying Law Enforcement Overseas Use of Data (CLOUD) Act, the United Kingdom will be the first country to sign an agreement that would allow foreign law enforcement to search for data stored in the United States without a warrant.

This historic reversal, allowing the U.K. (and other foreign countries with an agreement) to once again intrude into private information stored on U.S. soil, is a disappointing about-face for Americans' constitutional rights. Although foreign governments are barred from directly targeting U.S. persons under the act, it is inevitable that our data will be swept up, especially for people in frequent communication with friends and business partners across the Atlantic.

In January 2016, The Washington Post first reported a secret agreement being negotiated between the United States and Britain that would allow British police to serve their own law enforcement orders directly on U.S. internet companies without first getting a warrant through the internationally agreed upon mutual legal assistance process.

The mutual legal assistance process, which has long been the international standard for accessing data stored in another country, ensures that privacy laws in both the requesting and storing country are upheld. But because of resource constraints, foreign countries have legitimate complaints about the length of time it can take to process a request. However, there are practical, largely funding, steps the U.S. can take to solve these issues, instead of allowing foreign police to access U.S. technology companies without the safeguards of the Constitution

Over the past few months, British officials have personally lobbied members of Congress for legislation that would allow for this type of agreement. Now that it has passed, Prime Minister Theresa May has begun discussions with President Trump to push a U.S.-U.K. agreement out the door.

But the public has never seen text for a U.S.-UK agreement. Congress voted on a framework but failed to ask about the real-life scenario that has potentially dangerous ramifications for data located in the United States and the people to whom that data belongs.

Under the CLOUD Act, the U.S. attorney general is now authorized to designate countries that can bypass the mutual legal assistance process and instead serve their own law enforcement investigative orders for data stored within the U.S., so long as those countries meet certain human rights and legal requirements. Foreign countries cannot target U.S. persons or persons located in the U.S., but if they collect U.S. persons' information while investigating a foreign target, they are allowed to use and share that information, with few restrictions.

Congress can object within the first 90 days of any announced agreement, but the president can veto any bill Congress may pass to stop it. With limited procedural oversight, the Department of Justice could effectively "whitelist" countries with questionable human rights and free speech records. And, as we have seen with the United Kingdom, foreign countries can be effective in lobbying Congress to limit U.S. privacy protections.

U.S. persons' data will naturally, and often, be tied to data collected from people living in a foreign country. The "special relationship" that makes the U.K. an attractive target for the first CLOUD Act agreement would in practice expose the multitude of communications that are exchanged between people living on opposite sides of the "pond." When a U.S. person in Indiana comments on a friend's social media post in Manchester, sells artwork on Etsy to a customer in London, and collaborates with students in Oxford on a cloud-based petition, those actions and data points would all be accessible to British police without a U.S. warrant -- so long as British police were targeting persons in the U.K. For every person you engage with online, your information is included in their online record. In this day and age, it would be hard to separate U.S. persons' information from non-U.S. persons' email, cloud storage, and internet history.

That is why it is so upsetting that Congress passed the CLOUD Act without hearings, expert testimony or the opportunity for public discussion. The Framers explicitly wrote guarantees for privacy and freedom from unreasonable intrusion into the Constitution, but those are now being bypassed to allow foreign law enforcement to use their own laws in the United States.

But there are changes that Congress can still make to the CLOUD Act to strengthen the protections for U.S. people who will be impacted. Congress can impose transparency requirements on all agreements that DOJ tries to enter into so that we can understand how frequently foreign governments demand information from U.S. companies. Congress can also require that notice be given to any person whose data has been accessed by a foreign government, particularly for people who face criminal charges based on information that was collected at a lesser standard than the Fourth Amendment. And, to protect the privacy of all U.S. persons and U.S. stored data, Congress can raise the standard for CLOUD Act requests to ensure that the Constitution applies to all law enforcement requests in the United States.