March 15, 2018
Sen. Orrin Hatch March 15 continued his push for a bill that would give cloud computing companies, email service providers, and the U.S. government clarification on how law enforcement can access data stored abroad related to criminal probes of foreigners.
The CLOUD Act, ( H.R. 4943, S. 2383), introduced by Hatch (R-Utah) and Rep. Doug Collins (R-Ga.), also would allow the U.S. to enter into bilateral law enforcement data sharing agreements with foreign nations and clarify that requests for such data apply abroad.
Data can be stored in databases all over the world, Hatch told reporters at a Software & Information Industry Association briefing, and the “rise of email and cloud computing providers has put data privacy laws on a collision course” with law enforcement efforts and international protections granted to foreign citizens.
Law enforcement access to data stored abroad has been a point of contention among government agencies, such as the Department of Justice and the FBI, and cloud computing companies, including Microsoft Corp. and Alphabet Inc.'s Google, that receive requests. All have struggled with how and what kinds of stored-abroad data the government can access.
“The current approach isn’t sustainable” because companies and the government struggle with the reach of the law, Megan Stifel, founder of cybersecurity policy group Silicon Harbor Consultants and former Justice Department attorney, told Bloomberg Law.
“The most important reason for the CLOUD Act is that it provides certainty” for all parties involved, Stifel, who also served as director for international cyber policy in the National Security Council at the White House, said. Cloud computing executives don’t want to have uncertainty when making business decisions in the expanding cloud market, she said.
Courts have come down on both sides of the issue. Many lower federal courts have allowed government access to data stored abroad related to criminal investigations. But the U.S. Court of Appeals for the Second Circuit has refused access because the request would be an extraterritorial application of the Stored Communications Act (SCA), which took effect in 1986.
The CLOUD Act could help solve the discrepancy among lower courts by clarifying to companies and law enforcement agencies how far the SCA reaches.
“Even if the Supreme Court is able to solve the issues related to Microsoft, Congress would still need to make new law to provide clarity to other cloud computing and communication providers,” Morgan Reed, executive director of technology policy advocacy group ACT | The App Association, told Bloomberg Law. The CLOUD Act is “a deal that Congress is likely to get done” because top lawmakers, law enforcement, and industry are all supportive of the measure, he said.
Cloud computing companies had concerns that the CLOUD Act wouldn’t benefit user privacy unless there’s a way to challenge law enforcement data requests. The inability to challenge could cause a business to decide between complying with U.S. law and the law of a foreign country.
To ease the concerns of the cloud industry, the bill provides mechanisms for companies served with orders under the SCA to contest the requests based on international conflict of law issues.
“This provision was subject to a lot of discussion, but Google is comfortable” with the final version, David Lieber, senior policy counsel for Google, said at the press briefing. The bill “ended up in a good place,” he said.
To contact the reporter on this story: Daniel R. Stoller in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Barbara Yuill at email@example.com
Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.