As the House advances a 2,232-page spending bill meant to avert a government shutdown, privacy advocates and big tech companies aren’t seeing eye to eye about a small piece of legislation tucked away on page 2,212.
The Clarifying Lawful Overseas Use of Data Act, a.k.a. the CLOUD Act (H.R.4943, S.2383) aims to simplify the way that international law enforcement groups obtain personal data stored by U.S.-based tech platforms — but the changes to that process are controversial.
As it stands, if a foreign government wants to obtain that data in the course of an investigation, a series of steps are necessary. First, that government must have a Mutual Legal Assistant Treaty (MLAT) with the U.S. government in place, and those treaties are ratified by the Senate. Then it can send a request to the U.S. Department of Justice, but first the DOJ needs to seek approval from a judge. After those requirements are met, the request can move along to the tech company hosting the data that the foreign government is seeking.
The debate around the CLOUD Act also taps into tech company concerns that foreign nations may move to pass laws in favor of data localization, or the process of storing users’ personal data within the borders of the country of which they are a citizen. That trend would prove both costly for cloud data giants and difficult, upending the established model of cloud data storage that optimizes for efficiency rather than carefully sorting out what data is stored within the borders of which country.
In a February 6 letter, Microsoft, Apple, Google, Facebook and Oath (TechCrunch’s parent company) co-authored a letter calling the CLOUD Act “notable progress to protect consumers’ rights.”
In a late February blog post, Microsoft Chief Legal Officer Brad Smith addressed the issue. “The CLOUD Act creates both the incentive and the framework for governments to sit down and negotiate modern bi-lateral agreements that will define how law enforcement agencies can access data across borders to investigate crimes,” Smith wrote. “It ensures these agreements have appropriate protections for privacy and human rights and gives the technology companies that host customer data new statutory rights to stand up for the privacy rights of their customers around the world.”