Last night, House and Senate leaders released their draft Omnibus appropriations bill. The bill not only sets spending levels for the various Federal government agencies and departments, but also includes several important updates to the laws and policies governing lawful access to data. Among them is a revised version of The CLOUD Act, which includes changes designed to strengthen privacy protections and Congressional oversight made in response to concerns raised by civil liberties and privacy groups upon review of an earlier version of the bill.
In a piece posted here last week, Chertoff Group Executive Chairman Michael Chertoff argued that the best way to address many of the civil liberties communities’ concerns was via amendments to The CLOUD Act rather than outright rejection of the legislation. To that end, Congress has amended The Cloud Act to bolster both Congressional oversight of the bi-lateral data sharing agreements authorized by the Act and the civil liberties protections therein. Changes to the legislation include:
- an extension of the Congressional review period for bi-lateral data sharing agreements from 90 to 180 days;
- an expedited procedure for Congress to reject bi-lateral agreements negotiated by the Department of Justice;
- a requirement that all revisions to bi-lateral agreements be subject to the same Congressional oversight as new agreements; and
- further reporting requirements for how a foreign country meets human rights and rule of law requirements for bilateral agreements.
Perhaps most notably, the legislation now also includes language that specifically prevents these bilateral agreements from being used by foreign countries to compel service providers to be able decrypt their users’ data.
While these changes may not address the full scope of concerns raised by the civil liberties community, they do further enhance the privacy and civil liberty protections within the Act. These enhanced protections can only add to the value of a bill that will help ensure that law enforcement is able to lawfully access data as part of a criminal investigation.
Not all of the civil liberties community’s objections could be addressed in these amendments. As Michael Chertoff pointed out last week, many of the objections of the civil liberties community are rooted in fundamental differences between U.S. law and the legal systems of other countries, including those of our close allies. Many countries do not follow the common law system used in the U.S., and few, if any, have the same legal standards. As such, it is unreasonable to expect foreign countries to adopt U.S. legal principles, effectively abandoning their own, to gain access to data belonging to their own citizens. Jennifer Daskal and Peter Swire, whose earlier Lawfare piece was cited by the Secretary, made this point in a post addressing the concerns of the civil liberties community earlier this week.
While amendments to The CLOUD Act found in the omnibus may not address all the concerns raised by the civil liberties community, they do further enhance the privacy and civil liberty protections within the Act. Overall, The CLOUD Act remains an important piece of legislation that directly addresses important and immediate problems facing both law enforcement and technology providers in the U.S and is a laudable first step toward addressing the important question of how law enforcement and service providers address cross-border law enforcement data requests.
Alan Wehler is a Director at The Chertoff Group, a global security and risk management advisory firm, where he advises clients on technology and security policy issues.
