Earlier this week, two dozen civil liberties-focused organizations, including the American Civil Liberties Union (ACLU), Center for Democracy and Technology (CDT), and Amnesty International USA, wrote to members of Congress to express their opposition to The CLOUD Act.
These organizations are concerned that, if enacted, the bill would erode civil liberty protections in the United States, allowing foreign governments to circumvent U.S. legal protections while “empowering” them to engage in human rights violations. While I understand their concerns, I believe that these groups are mistaken about the impact that the act will have on civil liberty protections in both the U.S. and around the globe.
For those who have not been following The CLOUD Act, the bill aims to clarify the laws governing how law enforcement in the U.S. and other countries obtain access to data stored in the Cloud, meet the legitimate investigatory needs of law enforcement while helping to resolve the conflicts of law currently facing service providers. The act has drawn bipartisan support in Congress, as well as support from the technology community, the White House, and our allies in the United Kingdom. I’ve also expressed my support for the bill last month in the Wall Street Journal.
Jennifer Daskal and Peter Swire have done a laudable job addressing the concerns expressed in the civil liberties groups’ letter in their Lawfare piece , but I wanted to at least briefly address why the Act is necessary and the ultimately positive impact the bill is likely to have on civil liberties both here and abroad. As Jennifer and Peter observed in their piece, the primary criticism of The CLOUD Act stems from the provisions that allow for the U.S. to enter into bilateral data-access agreements with like-minded countries. Such an agreement would allow foreign law enforcement to pursue data stored in the U.S. through their own legal processes and vice-versa, provided that the country meets the necessary legal and civil liberty requirements outlined in the legislation.
These are exactly the sorts of agreements that are needed to allow law enforcement, both in the U.S. and in allied countries, to do their jobs in an era where digital evidence can be stored anywhere in the world. The system that law enforcement currently relies on, the Mutual Legal Assistance process, has proven too slow and cumbersome to accommodate the growing volume of cross-border data requests and digital investigations. Without these agreements the problem is likely to get worse. Some countries, including some of our own allies, have pursued data localization policies that would force providers to keep their citizens’ data within the borders of their own country effectively balkanizing the internet. Such a move would ultimately leave U.S. law enforcement with diminished access to investigatory data and leave the U.S. without a say in any of the applicable civil liberties protections or requisite legal standards that apply to said data.
Ultimately the civil liberties community’s objections are rooted in differences between the U.S. legal system and those of other countries. Like it or not, few countries have legal systems that closely mirror our own. Most countries rely upon civil law systems, such as the Napoleonic Code or German Law, unlike the common law tradition followed in the United States. Applicable legal standards also differ – no other country in the world has a “probable cause” standard, but most have standards that are at least somewhat similar. It is unreasonable to expect other countries to abandon their own legal systems when pursuing data belonging to their own citizens.
That said, The CLOUD Act still includes strong civil liberty protections and ensures that U.S. law applies when appropriate. It makes it clear that that U.S. law and civil liberties protections apply to data belonging to U.S. citizens. It includes a lengthy list of civil liberty, human rights, and legal requirements that any country seeking to enter into a bi-lateral data sharing agreement with the U.S. must meet. The Attorney General must certify a country’s compliance with these requirements and all agreements are subject to Congressional review. The bill does not allow for any changes in how foreign law enforcement obtains access to data stored in the U.S. outside of the system outlined in the bill.
I agree that the approval process could be strengthened and that data sharing agreements should be made public. I also agree that there is need for Congress to pass provisions of the E-Mail Privacy Act that will codify the requirement for a probable cause warrant for U.S. law enforcement to gain access to all communication data, but these are all issues that can be addressed by amendment, not issues that necessitate opposing the entire bill.
Ultimately, delaying or doing nothing are not realistic options for Congress at this point. The frustrations that law enforcement agencies are currently experiencing in trying to gain lawful access to data stored abroad are real. Other countries are already pursuing data localization requirements and are likely to accelerate their efforts should the Supreme Court rule in the government’s favor in United States vs. Microsoft. Perhaps most importantly, a ruling in the government’s favor in the case would significantly reduce the Justice Department’s incentive to negotiate, making it even more difficult to ensure strong privacy protections in a final agreement. To echo Lawfare authors Jennifer and Peter, let us not allow the perfect to be the enemy of the good.
