The US Congress has just passed legislation that will make it easier for the US authorities and those with which it has an agreement in many countries to obtain private information without a warrant.
As well as allowing the US to seize information from Microsoft’s servers in Ireland, the subject of a long-running dispute, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), will also allow governments that have an agreement with the US to access private data held on American territory, circumventing privacy protections.
The legislation passed without a single debate by lawmakers since it was bundled in with the 2,200-page spending bill which was signed into law by President Trump on Friday.
The new law is designed to make it easier for investigators to access online communications and data held in the cloud. Currently, access to data held in a foreign jurisdiction, as in the Microsoft emails case, requires a court order. The new legislation will allow the authorities to demand Microsoft or any other US firm holding a US citizen’s data to hand it over.
In return, “qualifying foreign governments” with which the US has an agreement will also be able to demand data on their citizens held on US servers. Previously they required a “mutual legal assistance treaty” (MLAT) agreement – an arrangement by which agreements between two countries agree to help each other with criminal investigations – with individual cases being raised by a judge and signed of by the US Department of Justice .
The new Act was supported enthusiastically by the US technology industry – including Microsoft. It was also supported by Google, Facebook and Apple. American tech firms see it as a way around geolocation legislation such as that common in Europe that requires personal data to be stored in a certain jurisdiction. This they see as a threat to their dominance.
“Data is moving all over the world, it’s stored all over the world, and we don’t have an international consensus on how that data is treated,” said Victoria Espinel, president of the Business Software Association, according to the Financial Times.
The law was also welcomed by US law enforcement agencies, as it reduces dramatically the number of hoops they must jump through to obtain legally data held abroad. Number 10 voiced its enthusiasm for the Cloud Act in February.
“With it, law enforcement officials in the US and the UK will be empowered to investigate their citizens suspected of terrorism and serious crimes like murder, human trafficking, and the sexual abuse of children regardless of where the suspect’s email or messages happen to be stored,” a Government spokesperson said.
However, the Cloud Act has been fiercely opposed by civil liberties and free press groups, who are angered at how it was sneaked in on the back of other legislation by the Trump Administration and who fear it will weaken people’s online rights.
The danger to foreign activists and journalists working in authoritarian states such as Egypt and Turkey with which the US has good relations was rasied by the Free Press Foundation.
“Say that a journalist in a country like Egypt uses Gmail, and therefore some of their emails are stored on one of Google’s server farms in the United States,” the group said in a blog post. “Whenever the Egyptian government decides that it wants access to a journalist’s emails stored in the United States in order to prosecute that journalist, it could simply request that Google hand over the emails.”
Meanwhile, the Electronic Freedom Foundation called it “a dangerous expansion of police snooping on cross-border data”.
While the new law requires that qualifying foreign governments have certain privacy laws in place before the bilateral lowering of access barriers can occur. Moreover, privacy laws in the US have historically been significantly weaker than those in Europe. Moreover, the US president will be able to enter into executive agreements with foreign governments that would allow each government to acquire users’ data stored in the other country, without following each other’s privacy laws.
At a time when new privacy laws are being introduced in Europe, including the GDPR and ePrivacy, the new US rules are certain to create more friction between Europe and the US and call into question existing data transfer arrangements between the two entities.
Save this article