Congress quietly slips cloud-spying powers into page 2,201 of emergency spending bill
When Edward Snowden blew the whistle on the National Security Agency's PRISM program in 2013 and revealed what many had suspected – namely that US intelligence agencies were collecting vast amounts of data not only from US citizens, but from all around the world – public opinion received a badly needed wake-up call about the dangers of mass surveillance.
"Despite having a major impact on how tech companies can be obliged to share user data with US and foreign governments, the CLOUD Act was passed by Congress without any public debate on 21 March 2018 and entered into force two days later."In 2013, the DoJ demanded that Microsoft grant it access to emails related to a narcotics case from a Hotmail account hosted in Ireland. Microsoft refused, arguing that a warrant issued under Section 2703 of the Stored Communications Act could not compel US companies to produce data stored in servers outside the US and that compliance with the requested transfer would result in the company breaking EU data protection law.
The initial ruling was in favour of the DoJ, with the presiding judge concluding that American companies “must turn over private information when served with a valid search warrant from US law enforcement agencies". Microsoft appealed to the US Second Circuit Court of Appeals which ruled in its favour in 2016 and invalidated the warrant. In response, the DoJ appealed to the US Supreme Court.
In March 2018, while the case was pending before the US Supreme Court, the US Congress passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act which amended and extended the ECPA (Electronic Communications Privacy Act) and the SCA (Stored Communications Act).
"This highly controversial measure was buried on page 2,201 of a voluminous 2,232-page spending bill - the Consolidated Appropriations Act of 2018 - which was tabled and adopted as an emergency measure to prevent an impending government shutdown."Following agreement from both the DoJ and Microsoft, the US Supreme Court determined that the case had been rendered moot by the passage of the CLOUD Act and the issuing of a new warrant under the terms of the new legislation.
Despite having a major impact on how tech companies can be obliged to share user data with US and foreign governments, the CLOUD Act was passed by Congress without any public debate on 21 March 2018 and entered into force two days later.
This highly controversial measure was buried on page 2,201 of a voluminous 2,232-page spending bill - the Consolidated Appropriations Act of 2018 - which was tabled and adopted as an emergency measure to prevent an impending government shutdown.
Senators Rand Paul from Kentucky and Ron Wyden from Oregon raised procedural objections to the manner in which the CLOUD Act had been sneaked in as an appendage to the spending bill but ultimately they failed to block or stall the bill's adoption.
Ron Wyden complained about the CLOUD Act but failed to block its adoption
"Privacy advocates at groups like the American Civil Liberties Union, the Center for Democracy and Technology and the Electronic Frontier Foundation criticized the legislation as “a new backdoor around the Fourth Amendment" which permitted the circumvention of constitutional protections against unreasonable searches by law enforcement agencies."On the other hand, US tech giants such as Microsoft, Google, Facebook, Apple, and Oath, applauded the legislation and sent a joint letter to the US Senate proclaiming that the CLOUD Act represented “notable progress to protect consumers’ rights".
The main effect of the CLOUD Act was to strengthen the powers of US law enforcement and intelligence agencies to access data held by US companies on foreign soil.
In a nutshell, the CLOUD Act amounted to a consolidation and expansion of the arrangements established by the earlier 2001 PATRIOT Act which had significantly extended the government's powers of access to data held by US-based global providers, irrespective of the storage location of that data.
This might help to explain why those pushing for the adoption of the measure preferred to avoid public debate by sneaking it in as a hidden appendage to an emergency spending bill.
On the other side of the Atlantic, the passage of the CLOUD Act gave a new impulse to the ongoing political debate about "digital sovereignty".
A year after the passage of the Act, an article in the French paper Les Echos reported that "[m]any observers feel that American justice could be deploying [the Cloud Act] for purposes of economic espionage.”
"In a nutshell, the CLOUD Act amounted to a consolidation and expansion of the arrangements established by the earlier 2001 PATRIOT Act which had significantly extended the government's powers of access to data held by US-based global providers, irrespective of the storage location of that data."The French politician Ms Laure de la Raudiere who co-chairs a parliamentary cyber-security and sovereignty committee described the CLOUD Act as "a wakeup call for Europe to accelerate its own sovereign capabilities in the data sector".
In response to the concerns articulated by various political and business leaders, the French government called upon French companies to rely on "CLOUD-Act-safe" data providers.
In the meantime, on 25 May 2018, a few months after the adoption of the CLOUD Act by the US Congress, the General Data Protection Regulation (GDPR) entered into effect. In the next part of this series we will look at the GDPR and its implications for transatlantic data traffic between the EU and the US. ⬆