When I wrote about the CLOUD Act last week, I expected this to happen; I just didn’t expect it to happen so soon.
The CLOUD Act (see post) is an attempt by Congress to make it easier for U.S. law enforcement to force companies to respond to subpoenas for data when the data is not located in the U.S. The CLOUD act is a long way from being passed; in fact it was just introduced. The concept that underlies it is extraterritoriality, a legal concept that means that Country “A” wants its laws to apply to Country “B”. In general, this is only enforceable in one of two ways – wage war and defeat the other country (which is kind of dicey) or negotiate a treaty with the other country. The treaty way is generally preferred and the CLOUD Act creates a path to allow for that kind of treaty to be negotiated.
To get even with the U.S. (maybe?), the E.U. is about to introduce a similar bill – one that would force the U.S. to turn over data stored in the U.S. to EU. member nations.
For bills to become law in the E.U. takes even longer than in the U.S. – possibly two years, so neither of these bills is a done deal yet.
But, given that both sides seem interested in solving this problem, it is possible that, within our lifetimes, it will happen.
The E.U. bill has the same extraterritoriality problem as the U.S. bill, so after both sides pass a law, but not before, treaties will have to be signed and ratified.
The E.U. actually said that their plan in passing this bill was to have more leverage with the U.S. when the treaty negotiation dance starts.
I expect that the E.U. would expect any country that they sign a treaty with to agree to the basic tenants of the General Data Protection Regulation, which goes into effect in the E.U. in May. The GDPR is at complete odds with the data privacy laws of the U.S., so if that is a cornerstone of the requirement, that would be a difficult pill for President Trump to have to swallow during the negotiations, but I expect that this is the exact intent of the bill.
The current mechanism for getting data from a foreign country is to use the Mutual Legal Assistance Treaty process which is pretty cumbersome and was created long before today’s world of trans-border data flow.
My expectation is that this likely will happen, but as is usually the case, the devil is in the details and, in this case, those details will be one hell of a devil.
Get some popcorn and stay tuned.
Information for this post came from Reuters.