CLOUD Act Bill Addresses Thorny Issue of Overseas Data Subpoenas

Microsoft has been fighting with the Justice Department for years over some data Justice wants that Microsoft says is stored in Ireland.

Justice says Microsoft can bring it back to the US and then they can subpoena it.  Microsoft says doing that will break EU laws.  The argument goes on.  The current status is that Microsoft won on appeal but it is now going to the US Supreme Court.

The CLOUD (Clarifying Lawful Overseas Use of Data) Act was introduced in the Senate this week.  If it passes, it will modify the Stored Communications Act and will require US companies to turn over emails or other information in the provider’s care, control or custody, even if it is stored outside the US.  OK, that part is clear.

Here is where it gets a bit muddy.

It also allows for the vendor to ask for the subpoena to be quashed if it believes the customer is not a US citizen and  if disclosure provides a material risk that the firm would violate the laws of another country.

Given that caveat, will anything change?  Well, I guess, if US citizens are storing data overseas under the control of a US company in an effort to keep it out of the reach of the Feds, then they aren’t very bright anyway and the Feds can compel the provider to turn over the data, even if it is stored outside the US.

The bill also provides mechanisms to notify foreign governments when a legal request involves one of their citizens and provides a way to initiate a legal challenge to the request.

That may help improve things if the mechanism is better what we have today. There is a mechanism but it is not very speedy.

The bill also will help foreign governments obtain data held in the US by allowing the US government to sign bilateral data sovereignty agreements for cross border digital evidence.  Which countries would be warm to such an idea is not clear.  And, it has provisions like the other country has robust privacy standards.  Other countries might not think WE have very robust privacy standards.

IF such an agreement is reached, the other country has to remove any impediments to US government data requests.

The US is in discussions with the UK over such an agreement right now.  This is not a big surprise given the UK’s recent passing of the new Snooper’s Charter which allows for widespread surveillance and data collection, much like our Patriot Act.

Still, it is not clear what it’s chances of passage are and unless other countries sign up for this bilateral agreement, not much will change.

What is clear is that some countries – and maybe the ones we are most interested in – like China, Russia, North Korea, Ukraine, Venezuela and others – will not agree to anything with us.

Still, it is interesting and we will see what happens to this bill in the coming months,

Information for this post came from The Register.

Leave a Reply

Your email address will not be published.