Two Department of Justice officials defended the CLOUD Act, legislation buried in last week’s $1.3 trillion spending bill that could upend both the tech industry and a U.S. Supreme Court case.
Speaking Wednesday afternoon at the International Association of Privacy Professionals Conference in Washington, D.C., Justice Department representatives said the CLOUD Act will make it easier to collect evidence stored electronically in other countries.
The Cloud Act allows U.S. law enforcement at all levels — from local police to federal agents — to force tech companies to turn over user data even if it is stored on servers located outside the United States.
It also gives the executive branch the ability to negotiate one-on-one agreements with foreign governments permitting those nations to access user data stored in the United States. Under a reciprocity agreement, the U.S. could then get the data stored in that country as well.
The agreements do not require congressional approval. A country could directly subpoena Google, Facebook or any other company to request its data stored in the U.S. by negotiating an agreement directly with the president, U.S. Department of State or the U.S. Attorney General.
Prior to the CLOUD Act’s passing, the U.S. could only access data stored overseas through mutual legal-assistance treaties, or MLAT. Those treaties spelled out exactly how two countries would help each other with legal investigations. But each MLAT required two-thirds approval from the U.S. Senate to pass. Some countries were also slow to act once a treaty was passed. Ireland, for example, took as long as 14 months to respond to a legal request under its MLAT, said Richard Downing, acting Deputy Assistant Attorney for the Justice Department’s Criminal Division.
“MLATS are a very useful tool, but slow and difficult to use especially in an age where so much crime moves rapidly,” Mr. Downing said.
Critics of the CLOUD ACT, which include tech companies and some lawmakers, have charged the legislation effectively gives foreign governments permission to invade the privacy of U.S. citizens.
Sen. Rand Paul, Kentucky Republican, is one of the CLOUD Act’s most vocal critics.
“Congress should reject the CLOUD Act because it fails to protect human rights or Americans’ privacy…gives up their constitutional role, and gives far too much power to the attorney general, the secretary of state, the president and foreign governments,” Mr. Paul tweeted earlier this month.
Associate Deputy Attorney General Sujit Raman said the CLOUD Act has numerous privacy protections, including requiring foreign governments to meet a number of standards to be eligible for an agreement. Those criteria include a strong human records, assure fair trial rights and has prohibitions on arbitrary arrests and unlawful detention.
“It is very significant to understand that we won’t be allowing providers to turn over user data to totalitarian governments,” he said. “To even qualify you have to meet very high standards.”
The CLOUD Act could have implications for a case currently pending before the U.S. Supreme Court. Last month, attorneys for Microsoft argued that it did not have to turn over a customer’s email data to U.S. officials because it was digitally stored in Ireland. U.S. law enforcement requested the data in 2013 saying it was necessary for a narcotics investigation.
Microsoft attorneys argued that the U.S. would have to work with Irish authorities to obtain it. They also argued that Congress, not the courts, should have the power to determine how overseas data disputes are resolved.
It is not known when the Justices could render an opinion or how the CLOUD Act would factor into their decision. Currently, the U.S. has only one data-storing agreement under the CLOUD Act and that is with the United Kingdom.
• Jeff Mordock can be reached at firstname.lastname@example.org.
Copyright © 2022 The Washington Times, LLC.