Industry Applauds Omnibus Cloud Act Inclusion; Privacy Groups Fear Abuse; Some on Hill Split
Privacy groups warned against a surge in human rights abuses after inclusion of the Clarifying Lawful Overseas Use of Data Act (Cloud) (S-2383/HR-4943) in the omnibus spending bill (see 1803210068 and 1803220048). Some within industry praised it as a vital step in freeing tech companies stuck between conflicting, outdated international laws. A congressional opponent told us he won't back down, while a supporter said it would have been better to have regular debate on the bill.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
American Civil Liberties Union Legislative Counsel Neema Singh Guliani told us it’s “pretty astounding” that a bill of “this magnitude” wasn't debated in regular order. She described the Cloud Act as a “sea change” in how tech companies respond to government orders and international standards for law enforcement access to data. ACLU joined two dozen groups, including the Center for Democracy & Technology and Electronic Frontier Foundation, last week in writing a letter to Congress opposing the bill.
BSA, the Software & Information Industry Association and TechNet were among those applauding. BSA Vice President-Legislative Strategy Craig Albright said there have been multiple iterations of similar legislation, from the Law Enforcement Access to Data Stored Abroad Act (HR-1429) to the International Communications Privacy Act (S-1671), and the Cloud Act is an improvement. Tech companies can't fully exercise the benefits of cloud computing, and law enforcement is hindered by the current mutual legal assistance treaty (MLAT) framework governing access to data abroad, SIIA said. “For too long we have operated under these outdated laws, it is critical for this legislation to be enacted quickly,” SIIA Senior Vice President-Public Policy Mark MacCarthy said in a statement. BSA said the bill includes strong privacy protections and clear human rights protections and “maintains a robust role for Congress and the judicial system in overseeing agreements to obtain data.” TechNet CEO Linda Moore called it “a golden opportunity for Congress” to bring the legal framework up to speed.
Sens. Ron Wyden, D-Ore., and Rand Paul, R-Ky., are among lawmakers opposed to the legislation, which was crafted by Sens. Orrin Hatch, R-Utah, and Chris Coons, D-Del., and Reps. Doug Collins, R-Ga., and Hakeem Jeffries, D-N.Y. Wyden and Paul wrote an opposition letter to Sens. Thad Cochran, R-Miss., and Patrick Leahy, D-Vt., earlier this month. The pair asked appropriators not to include the Cloud Act in the spending bill, raising concerns about foreign governments circumventing the MLAT process, which requires a warrant from a federal judge to obtain access to emails and other user data. Wyden told us he will do everything he can to prevent the government from mandating weaknesses to encryption and privacy technology, which keep Americans safe from hackers and criminals. “This isn’t about security versus privacy,” he said. “It’s about whether Americans will have more security or less security. Attacks on strong encryption and calls for government backdoors by officials like [FBI] Director Chris Wray and [Deputy Attorney General Rod] Rosenstein fundamentally misunderstand how the technology works.”
Coons told us he agrees it’s a bad trend that legislation is increasingly being considered through spending bills and respects concerns from privacy groups about the bill not going through regular order. The urgency with the Cloud Act is a pending Supreme Court decision (see 1802270052) and “deep concerns” about U.S.-U.K. data-sharing and counterterrorism partnerships, he said. Regular order is “the better path for any legislation, but in this particular instance, I think there are compelling reasons to move ahead now rather than wait until the Senate returns to regular order, for which we’ve been waiting for eight years.”
Guliani said the MLAT process doesn't allow foreign governments to wiretap on U.S. soil in real time, though law enforcement can lawfully access stored data by meeting MLAT standards. She said that could change under the Cloud Act and raised concerns the human rights language isn't strong enough and could allow the executive branch to sign agreements with foreign partners that have dubious human rights records.
Coons said potential partners will need to meet U.S. standards for civil liberties and criminal justice protections: “This is not meant to turn into a vehicle for data-sharing agreements with countries of a very wide range of levels of privacy protection.”
CDT Senior Counsel Greg Nojeim said what’s missing are provisions like those in the Email Privacy Act (HR-387) that would require government agencies to obtain a warrant to access online communications. That bill passed the House but hasn't been considered in the Senate. The Cloud Act creates risks that countries with poor human rights records can get access to U.S. data with lower standards, he said.
Following House passage of the omnibus spending bill, House Judiciary Committee Chairman Bob Goodlatte, R-Va., said the act will “allow law enforcement to share data with our friends and partners in other nations and thereby combat serious crime and terrorism.” A compromise in the House protects Congress’ constitutional oversight powers in the process, he said.