Cloud Act May Still Leave Privacy Concerns & Compliance Up in the Air

Posted by James McCarthy, Esq. • March 26, 2018

Cloud act.jpgWith bipartisan support of the US., UK and major tech companies, new legislation enacted on March 23, 2018, replaces the outdated 1986 Stored Communications Act.  The Cloud Act[1] was forged out of necessity and fast tracked after a cross border conflict erupted when U.S. authorities sought a subpoena in NY for an Irish national’s emails stored in Ireland. Microsoft promptly filed suit against the United States and the Supreme Court is poised to make a decision in that case after oral argument earlier this year, yet the Justices implored Congress to replace the prior law to avoid a decision predicated on a law that predated cloud- based computing.[2] Fueling the rush to put new laws in place is the fact that tech companies are incurring massive fines by complying with US law enforcement subpoenas that violate the privacy laws of other nations. 

While many welcome the new law, privacy groups are decidedly against what they perceive to be a “back door” for law enforcement to access emails, chat logs, videos, and photos without following local laws including the U.S. Fourth Amendment constitutional guarantees against improper searches and seizures.[3]  To be fair, the Cloud Act provides a mechanism that permits internet service providers (ISP) to object to US warrants if their application conflicts with a host country’s law. Yet, the concern expressed by these privacy advocates is that governments could be allowed to bypass the present system of making a diplomatic request of the host country (where the data is stored) to secure a warrant on behalf of the requesting country. This bypass would eliminate a delay that hinders law enforcement but would  permit foreign countries to access US nationals’ data directly from the ISP (and vice versa) causing friction between differing standards of privacy throughout the world.  One international privacy law that the new Cloud Act may collide is the European Union’s newly minted General Data Protection Regulation (GDPR) that takes effect on 25 May 2018.

Tech companies are keenly aware of the severe sanctions that GDPR violations could involve-the greater of $20 million (USD) or 4% of the data processor’s worldwide revenue-that make compliance with potentially conflicting laws an immediate concern. Article 48 of GDPR addresses investigative orders issued by foreign (including U.S.) authorities with respect to EU citizens.  The potential conflict Article 48 could create with U.S. law enforcement requests arises because a EU member’s data protection authorities can enforce Article 48 and may interpret it in different ways.  Thus, it appears necessary for the U.S. to secure separate agreements with the many different EU members. 

While no single legislation can solve all cross jurisdictional issues that could arise, we agree completely with Microsoft’s Brad Smith that the inclusion of the Cloud Act in the new budget is “an important day for privacy rights” because it “…creates a modern legal framework for how law enforcement agencies can access data across borders. It’s a strong statute and a good compromise[4]” At the same time, the present U.S. climate of favoring robust law enforcement authority and the trending of increased privacy in Europe should prove to be an interesting year for tech companies and their corporate counsel.  Stay tuned.

 

[1] The Cloud Act is an acronym for “Clarifying Lawful Overseas Use of Data,” introduced by Senators Hatch, Graham, Coons, and Whitehouse in February 2018.

[2] Read A360’s blog “The Empire Strikes Back” http://blog.archive360.com/the-empire-strikes-back about  Microsoft v. United States where SCOTUS is reviewing the Second Circuit’s decision that the SCA does not authorize courts to issue and enforce against US-based service providers warrants for the seizure of customer email content that is stored exclusively on foreign servers. 

[3] See Teri Robinson and Camille Fischer’s separate articles in SC Media and EFF, https://www.scmagazine.com/rights-groups-oppose-cloud-act-citing-privacy-human-rights-compromises/article/751754/ and https://www.eff.org/deeplinks/2018/02/cloud-act-dangerous-expansion-police-snooping-cross-border-data.

 

[4] See Brad Smith’s statement; https://blogs.microsoft.com/on-the-issues/2018/03/21/microsoft-statement-on-the-inclusion-of-the-cloud-act-in-the-omnibus-funding-bill/