Tag Archives: CLOUD Act

EU Introduces Competing Bill to US Cloud Act

When I wrote about the CLOUD Act last week, I expected this to happen;  I just didn’t expect it to happen so soon.

The CLOUD Act (see post) is an attempt by Congress to make it easier for U.S. law enforcement to force companies to respond to subpoenas for data when the data is not located in the U.S.  The CLOUD Act is a long way from being passed; in fact it was just introduced.  The concept that underlies it is extraterritoriality, a legal concept that means that Country “A” wants its laws to apply to Country “B”.  In general, this is only enforceable in one of two ways – wage war and defeat the other country (which is kind of dicey) or negotiate a treaty with the other country.  The treaty way is generally preferred and the CLOUD Act creates a path to allow for that kind of treaty to be negotiated.

To get even with the U.S. (maybe?), the E.U. is about to introduce a similar bill – one that would force the U.S. to turn over data stored in the U.S. to E.U. member nations.

Bills take even longer to become law in the E.U. than in the U.S. – possibly two years – so neither of these bills is a done deal yet.

But, given that both sides seem interested in solving this problem, it is possible that, within our lifetimes, it will happen.

The E.U. bill has the same extraterritoriality problem as the U.S. bill, so after both sides pass a law, but not before, treaties will have to be signed and ratified.

The E.U. actually said that their plan in passing this bill was to have more leverage with the U.S. when the treaty negotiation dance starts.

I expect that the E.U. would expect any country that they sign a treaty with to agree to the basic tenets of the General Data Protection Regulation, which goes into effect in the E.U. in May.  The GDPR is at complete odds with the data privacy laws of the U.S., so if that is a cornerstone of the requirement, that would be a difficult pill for President Trump to have to swallow during the negotiations, but I expect that this is the exact intent of the bill.

The current mechanism for getting data from a foreign country is to use the Mutual Legal Assistance Treaty process, which is pretty cumbersome and was created long before today’s world of trans-border data flow.

My expectation is that this likely will happen, but as is usually the case, the devil is in the details and, in this case, those details will be one hell of a devil.

Get some popcorn and stay tuned.

Information for this post came from Reuters.

CLOUD Act Bill Addresses Thorny Issue of Overseas Data Subpoenas

Microsoft has been fighting with the Justice Department for years over some data Justice wants that Microsoft says is stored in Ireland.

Justice says Microsoft can bring it back to the US and then they can subpoena it.  Microsoft says doing that will break EU laws.  The argument goes on.  The current status is that Microsoft won on appeal but it is now going to the US Supreme Court.

The CLOUD (Clarifying Lawful Overseas Use of Data) Act was introduced in the Senate this week.  If it passes, it will modify the Stored Communications Act and will require US companies to turn over emails or other information in the provider’s care, control or custody, even if it is stored outside the US.  OK, that part is clear.

Here is where it gets a bit muddy.

It also allows for the vendor to ask for the subpoena to be quashed if it believes the customer is not a US citizen and if disclosure provides a material risk that the firm would violate the laws of another country.

Given that caveat, will anything change?  Well, I guess, if US citizens are storing data overseas under the control of a US company in an effort to keep it out of the reach of the Feds, then they aren’t very bright anyway and the Feds can compel the provider to turn over the data, even if it is stored outside the US.

The bill also provides mechanisms to notify foreign governments when a legal request involves one of their citizens and provides a way to initiate a legal challenge to the request.

That may help improve things if the mechanism is better than what we have today. There is a mechanism but it is not very speedy.

The bill also will help foreign governments obtain data held in the US by allowing the US government to sign bilateral data sovereignty agreements for cross border digital evidence.  Which countries would be warm to such an idea is not clear.  And it has provisions, such as a requirement that the other country has robust privacy standards.  Other countries might not think WE have very robust privacy standards.

IF such an agreement is reached, the other country has to remove any impediments to US government data requests.

The US is in discussions with the UK over such an agreement right now.  This is not a big surprise given the UK’s recent passing of the new Snooper’s Charter which allows for widespread surveillance and data collection, much like our Patriot Act.

Still, it is not clear what its chances of passage are and unless other countries sign up for this bilateral agreement, not much will change.

What is clear is that some countries – and maybe the ones we are most interested in – like China, Russia, North Korea, Ukraine, Venezuela and others – will not agree to anything with us.

Still, it is interesting and we will see what happens to this bill in the coming months.

Information for this post came from The Register.