A bipartisan group of Senators today introduced the Clarifying Lawful Overseas Use of Data (CLOUD) Act—a bill that moots the pending Supreme Court Microsoft Ireland case and authorizes the executive to enter into bilateral and multilateral agreements so as to facilitate cross-border access to data in the investigation of serious crime. Amazingly, the legislation has the support of both the Department of Justice and Microsoft – the dueling parties in the Microsoft Ireland case. It also has the support of many other tech companies.
As it should.
Specifically, the legislation —sponsored by Senators Hatch, Coons, Graham, and Whitehouse — includes two key parts.
First, it provides an answer to the question posed to the Supreme Court in the Microsoft Ireland case: Does the Stored Communications Act (SCA) authorize US law enforcement to compel, via a warrant issued based on a finding of probable cause, a US-based provider to turn over stored communications content, that is located outside the United States’ borders? The short answer: yes. But with important caveats designed to respect foreign governments’ interests in protecting the data of their own citizens and residents.
Second, it amends blocking provisions, also included in the SCA, that prohibit US-based providers from disclosing communications content to foreign law enforcement officials, even in situations in which the foreign government is seeking data of its own citizens or residents, pursuant to lawful process, in connection with the investigation of local crime. Specifically, the bill authorizes the executive branch to enter into executive agreements that would authorize foreign governments to make direct requests to US-based providers for such data, but only if the foreign government meets certain human rights and rule of law norms and abides by a long list of substantive and procedural protections in accessing the sought-after communications content.
Most immediately, the legislation would authorize the executive to finalize a draft executive agreement with the UK that was negotiated during the Obama presidency, is supported by the Trump administration, and has been described as one of the UK’s highest diplomatic priorities vis-à-vis the United States.
Like just about everything else in this space, the legislation is the result of compromise. It won’t, as a result, satisfy everyone. But there are multiple privacy, security, economic, and diplomatic interests to consider. And it does a remarkable job of balancing these interests in ways that promise long-term gains in both privacy and security.
It is something that all members of Congress should support.
I delve into the details below, first examining the Microsoft Ireland fix and then the question of foreign government access to US held data.
The Microsoft Ireland Fix
The legislation answers the question presented in the Microsoft Ireland case: does or does not the SCA reach data that is controlled by a US-based company but stored overseas. The legislation says it does, making clear that the SCA’s warrant authority applies regardless of the location of the sought-after data.
But the rule comes with two important caveats.
First, the legislation sets out a statutory basis for providers, in specified situations involving a “qualified foreign government,” to move to quash if the warrant targets a foreigner residing outside the United States and the production of the data would generate a conflict of laws. Qualifying foreign governments are defined as those governments with which the United States has entered into an executive agreement designed to facilitate cross-border access to data (pursuant to the provisions discussed below) and provide for analogous opportunities to quash orders based on an alleged conflict with US law.
In response to such a motion, courts are direct to engage in a comity analysis in deciding whether to enforce the warrant. The statute lays out relevant factors to consider, including the location and nationality of the target, the possibility of accessing the data via other means, the interests of the United States in the data, and the interests of the foreign government in preventing disclosure.
To be sure, the list of qualifying governments is likely to be short, at least initially. The UK will almost certainly be the first — and perhaps the only for a while. But over time, the list is likely to grow. And this legislation provides a statutory mechanism to ensure that their interests are taken into account.
Second, and importantly, the legislation explicitly preserves, via a rule of construction, the availability of common law comity claims in situations involving non-qualifying countries. (For those interested, here’s the relevant language: “Nothing in this section, or an amendment made by this section, shall be construed to modify or otherwise affect the common law standards governing the availability of applicability of comity analysis to other types of compulsory process or to instances of compulsory process issued under section 2703 of title18 [and not covered under the newly created statutory right to quash created by this section].”) It thus preserves the availability of providers to raise comity claims even in situations where there is not explicit statutory authority to do so – and move to quash based on the fact that the execution of warrant will generate a conflict of laws.
Together, the explicit statutory provision establishing a motion to quash based on comity grounds, plus the explicit recognition of other possible motions to quash based on common law comity, ensure that the legitimate interests of foreign governments are taken into account if and when the application of the US’s warrant authority generates a conflict of laws. It thus sets the kind of precedent the United States would want other nations to follow if seeking access to US citizens and residents – helping to ensure that US citizen and resident data is adequately protected as well.
The Blocking Provisions and US-UK Deal
The legislation also responds to the growing frustration experienced by foreign governments seeking the communications content of foreigners in the investigation of local crime. Blocking provisions in US law currently prohibits US-based providers from turning any such data to foreign governments, even if the foreign government is seeking data of one of its own citizens in accordance with lawful process as specified in the foreign goverment’s domestic law. In such cases, the foreign government must make a diplomatic request to the United States for this data, via the mutual legal assistance process, even if the only US tie to the case is that relevant data happens to be US-held. This is a time-consuming process which ultimately requires a US attorney’s office to issue a warrant on behalf of the foreign government.
Frustrated foreign governments are being incentivized to seek alternative means of accessing such data – via ether data localization laws that ensure local access or reliance on other surreptitious means of accessing data. The blocking provisions also generate conflicts of laws if a foreign government demands data that US law prohibits companies from turning over; US executives have been detained for failing to turn over data that US law prohibits them from disclosing.
The legislation responds to this situation. It authorizes the executive to enter into bilateral and multilateral agreements so as to allow foreign governments to directly request communications content from US based companies in the investigation of serious crime. It thus provides a mechanism for those countries to bypass the mutual legal assistance process when targeting the data of their own citizens and residents, subject to a number of substantive and procedural safeguards. If, however, the target of the investigation is a US citizen or resident, the foreign government would still need to make a diplomatic request for the data and ultimately obtain a US warrant for the data with the assistance of the US government.
These data requests are also subject to numerous limitations designed to protect the interests of US citizens and residents and to ensure the application of baseline substantive and procedural protections.
First, the foreign government may not intentionally target the data of a U.S. person (defined to include US citizens and legal permanent residents) or other resident of the United States; it still needs to make a mutual legal assistance request for the data to the Department of Justice in order to directly access such data.
Second, the foreign government must have procedures in place to minimize the acquisition, retention, and dissemination of information concerning US persons.
Third, the foreign government may not target a foreigner outside the United States for the purpose of obtaining information about a US persons or other person located in the United States.
Fourth, the foreign government may not issue an order at the request of for the purpose of obtaining information for the US government or third-party government.
Fifth, the foreign government must be certified by the Attorney General, with the concurrence of the Secretary of State, as affording “robust substantive and procedural protections for privacy and civil liberties,” as related to the accessing and use of data.
Sixth, any disclosure order must meet a list of particularized safeguards:
• The request must be particularized—meaning it must identify a specific person, account, address, personal device, or other specific indicator. The request must be based on articulable and credible facts.
• The request must be approved by a judge, magistrate or other independent authority.
• The request must be lawful—meaning it must comply with the foreign government’s domestic law. This is important. It means that there has to be a basis for the order in the domestic law. In other words, the agreements don’t provide any new authorities or authorize actions that have not been approved in local legislation.
• The request can not be used to infringe freedom of speech
• In cases involving live intercepts (as opposed to requests for stored communications), the request must be for a fixed and limited duration, no longer than reasonably necessary, and subject to a finding that the same information could not reasonably be obtained by another less intrusive method.
• Any unreviewed data must be stored on a secured system accessible only to those trained in the applicable procedures
Seventh, the foreign government must agree to compliance reviews by the United States.
Eighth, the agreements sunset after five years unless renewed.
Ninth, the foreign government must ensure that the United States has a reciprocal right of data access data held by foreign-based providers.
Tenth, and finally, the executive agreements only go into force after notice to Congress and a 90-day waiting period. A joint resolution of disapproval issued during those 90 days (and subject to expedited procedures specified in the Act) will nullify the agreement. This provides a critical check, ensuring that the executive branch cannot enter into any such agreement over congressional objections.
As I and many others have written before (see here, here, and here), this is an approach that should be supported. It responds to foreign government’s growing – and legitimate – concern regarding their inability to access data regarding their own citizens in the investigation of local crimes. It sets baseline norms. It thus promotes the adoption of baseline substantive and procedural privacy protections. And it has the potential to enhance both privacy and security over the long-term.
This is not just a hypothetical claim. The UK government supported a new judicial review mechanism for intercept orders in part because it knew that this would be a precondition entering into such an agreement under US law. One can hope and expect that, over time, such legislation will incentivize other countries to adopt additional policies and practices that raise baseline privacy protections. The alternative is a free for all in which the United States is likely to have little to no say in the standards that apply.
To Congress: This bill should be supported. Pass this. Now!