*This post was co-authored by Charles Duan, Associate Director of Technology and Innovation Policy at R Street.
On Wednesday, Sens. Orrin Hatch, R-Utah; Christopher Coons, D-Del.; Lindsey Graham, R-S.C.; and Sheldon Whitehouse, D-R.I., introduced the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which deals with law enforcement’s access to communications information stored in the cloud. We think the CLOUD Act is an important first step to dealing with the difficult problem of cloud data stored overseas and encourage policymakers to use the bill as a key component in reforming the legal procedures for law-enforcement access to online communications.
This bill arises in the context of United States v. Microsoft, currently pending at the Supreme Court. That case will consider whether U.S. law enforcement can legally obtain emails stored on Microsoft’s cloud email service when those emails are physically stored on servers in a foreign country. The underlying issues are complex yet important to every American who uses cloud services. R Street filed an amicus brief with the Supreme Court to emphasize these complexities.
The depth and difficulty of the issue also highlight the need for a legislative solution. Indeed, as global demands for cross-border data increase, frustrations with the status quo will continue to worsen. If left unaddressed, these frustrations will push nations toward undesirable policy alternatives, including data-localization and stricter controls on the internet. Allowing the Supreme Court to be the final arbiter on cloud data access would force a choice between two extremes, neither of which is desirable. It is incumbent on Congress to think prospectively and craft a path forward that accounts for the myriad technological and international legal ramifications of cloud data storage.
If enacted, the CLOUD Act would establish a framework for U.S. law enforcement to obtain emails stored on foreign cloud servers, as in the Microsoft case. The government is expected to withdraw the case if the bill is enacted. The framework largely mirrors the International Communications Privacy Act (ICPA), which R Street previously supported.
At the same time, the larger framework for law enforcement’s access to electronic communications is decades old and widely considered outdated. The CLOUD Act currently is limited to the extraterritoriality issues discussed above, and it neglects to address whether warrants or other showings of cause ought to be required as part of the procedure for accessing cloud-stored data.
R Street has been supportive of reforming the Electronic Communications Privacy Act (ECPA) – the law governing this larger communications framework – to extend the warrant requirement to all content data, not just those less than 180 days old. There is widespread support for such reform, with the Email Privacy Act having passed the House last year by voice vote. The right way forward, in our view, is to use the CLOUD Act not as a complete solution, but rather as a component of these broader efforts to bring electronic communications law into the 21st century.