Early Thoughts on the Possible Impacts of the CLOUD Act

Jennifer Huddleston
Published in Plain Text, Mar 29, 2018


A new law may dramatically change law enforcement’s access to the cloud.

The Clarifying Overseas Use of Data (CLOUD) Act was introduced earlier this year by Senator Orrin Hatch with relatively little attention. The bill did not go through the normal process of committee debates and a floor vote, but rather was attached to the Omnibus budget that passed last week. As a result, both its potential benefits and drawbacks are just now being fully understood and discussed.

Bring the law into the 21st Century

The Electronic Communications Privacy Act (ECPA) and Stored Communications Act (SCA), which the CLOUD Act modifies, were largely regarded as outdated. Prior to the CLOUD Act, these laws allowed for stored electronic information, including emails that had already been opened but kept in remote storage in the United States, to be requested by law enforcement for investigatory purposes with a subpoena rather than a warrant. These definitions of stored records and communications were based on the 1980s view of user privacy when information had been shared with a third party like a phone company.

When American companies started storing data overseas with greater regularity, it was unclear whether the provisions allowing access to data with only a subpoena applied to data stored outside the U.S. or if accessing that content required a warrant. Under the current law, the U.S. could only access such data overseas without a warrant when a Mutual Legal Assistance Treaty (MLAT) had been entered into. Such treaties required a two-thirds vote of approval in the Senate. The process for approving new treaties and gaining data has been viewed as overly cumbersome by some. Clarifying and updating these laws to reflect the modern digital age was generally agreed to be much needed.

The CLOUD Act provides an alternative: executive agreements regarding data sharing can be entered into without going through the Senate approval process necessary for an MLAT. Once these agreements are entered into with the foreign government, the Department of Justice may request the data stored in that jurisdiction without a warrant during the course of its investigation under the same standards as it would for U.S. law. The new law also allows for foreign countries to engage in similar processes for gaining data that is stored in the United States. Advocates of such agreements point to the proposed U.S.-U.K. data sharing agreement as an exemplar of the actions possible under the new law. Advocates of the proposed changes argue that increasing the ease of gaining such information and promoting data safety will increase the safety of American citizens.

The CLOUD Act also answers many of the questions before the Supreme Court in Microsoft v. United States. As a result, many have pointed out that the clarification of these laws will likely aid the Department of Justice’s arguments in the case and nullify many of the issues at hand. By clarifying what is needed for a law enforcement request for overseas data, the CLOUD Act settles the concerns companies may have about choosing to or failing to comply with such requests. This has been viewed as a much-needed modernization by its proponents. As a result, the law was largely supported by tech giants such as Microsoft, Apple, and Google.

Concerns about privacy and what might have been

It’s uncertain what changes might have been made if the law had gone through the traditional committee and debate route. It is clear, however, that there are justifiable concerns about the potential privacy violations of the system proposed under the CLOUD Act.

As the Electronic Frontier Foundation pointed out, the law makes it easier for foreign governments to collect and obtain communications data from American citizens without a warrant and for American investigators to collect data on both Americans and non-Americans from a foreign country without a warrant. This situation, as the ACLU notes, is particularly troublesome when considering interactions with governments that have either violated or ignored violations of human rights. Similarly, the Committee to Protect Journalists opposed the legislation on the grounds that allowing for easier collection of data would potentially put journalists and their sources at greater risk. Furthermore, they worry about allowing other countries to potentially violate Americans’ privacy rights merely because of where the information was stored or the other party was located. Additionally, the law does not apply only to federal investigations, but also gives state and local law enforcement agencies the ability to gain such data. All of these privacy concerns are further amplified by the fact that two cases concerning privacy rights for data collected via the Stored Communications Act, the aforementioned Microsoft case and Carpenter v. United States, are pending before the Supreme Court.

The passage of the CLOUD Act also raises questions about whether it is better or worse than awaiting a possible outcome in the Microsoft case. As mentioned above, it certainly clarifies many of the issues at the heart of the matter. (I have previously discussed the Microsoft and Carpenter cases in more detail.) Clearly, a ruling in favor of the Department of Justice could result in a far broader interpretation that would create an even greater privacy risk. However, given the Court’s recent trajectory, it is also possible that the rulings could further limit the use of the Stored Communications Act to reflect a more modern understanding of digital privacy in the smartphone age. Given that the CLOUD Act nearly nullifies these questions for the Microsoft case, it is unlikely we will know what decision would have been reached had the common law responded in the existing legal framework.

It is unlikely the CLOUD Act will play the same role in determining an interpretation of the Stored Communications Act in the Carpenter case. As a result, we are likely to get further clarification from the Court on the ability of law enforcement to obtain stored data without a warrant on a particular individual in the era of the Internet of Things and smartphones. This ruling might be able to arrive at an interpretation of the Stored Communications Act that helps alleviate at least some of the privacy concerns about the CLOUD Act.

What can we learn about how Congress acts on technology from the CLOUD Act?

As Ryan Hagemann, Adam Thierer, and I point out in a forthcoming paper, there has been a growing trend for technology regulation to occur through an informal, soft law process between innovators and policymakers. The CLOUD Act represents one of the rare instances where the legislature acted to regulate technology rather than delegating to an administrative agency or just not acting at all.

Still, even in this action Congress chose to forgo its typical processes. As Senator Rand Paul pointed out in a series of tweets, the bill was not subjected to normal legislative review such as the committee process or amendments. By attaching it to the Omnibus bill, members of Congress were left with little choice but to approve it, because otherwise they risked a government shutdown.

This circumvention of traditional processes shows that even when Congress does act, the deliberation that is seen as one of the key advantages of regulating in such a way does not always take place. One of the reasons for delegation is typically the need for expertise on a subject. But without deliberation or debate, there is little chance for members of Congress or their staff to develop the necessary expertise to arrive at a decision, particularly for a rapidly emerging and evolving technology. This lack of deliberation is particularly concerning in cases such as the CLOUD Act that have the strong potential to impact both innovation and civil liberties. The failure to engage in debate and conversation around the issue risks making hard law that is far worse than the potential soft law or common law alternatives. A bad hard law is typically far more difficult to overturn or modify than the collaborative soft law process.
