6 stories
today

New bipartisan CLOUD Act could provide a final answer to Microsoft’s Ireland data case

Positions regarding the US political climate is contentious, to say the least. The past two years of partisan rhetoric has created a visible rift among citizens and continued tribalistic devotion looks to widen that divide for some.

However, there seems to be one area were men and women can venture across the political aisle and come to a common consensus that they want to finally build out a set of agreements to adequately address cross-border data investigation.

For Microsoft, this is a good thing.

Earlier this week, US senators Hatch, Coons, Graham, and Whitehouse introduced a bipartisan legislature called the Clarifying Lawful Overseas Use of Data (CLOUD) Act which looks facilitate cross-border access to data as it pertains to the investigation of serious crimes.

Specifically, the on-the-nose titled act attempts to clarify whether or not companies such as Microsoft could be compelled to turn over internationally stored data being a US-based enterprise with caveats but ultimately validating the Stored Communications Act (SCA). The CLOUD Act would also amend blocking provisions in the SCA that currently prohibit US-based data providers from disclosing data to international law enforcement. Instead, CLOUD would enable the United States executive branch to enter into agreements authorizing international governments to make a direct request for data from US-based companies, after meeting a set of stringent requirements based on human rights laws and procedural protections in maintaining confidential data.

How does all of this help Microsoft?

On the face of it, it would seem Microsoft’s accumulated court victories would be wiped out as the US would uphold the SCA which would compel Microsoft to hand over any overseas held data during warranted investigations. However, CLOUD builds in two very important structural astricts that should help prevent abuse of SCA.

According to JustSecurity.org,

Together, the explicit statutory provision establishing a motion to quash based on comity grounds, plus the explicit recognition of other possible motions to quash based on common law comity, ensure that the legitimate interests of foreign governments are taken into account if and when the application of the US’s warrant authority generates a conflict of laws. It thus sets the kind of precedent the United States would want other nations to follow if seeking access to US citizens and residents – helping to ensure that US citizen and resident data is adequately protected as well.

Secondly, the blocking provisions are more clearly examined and laid out for international governments seeking data for investigation of domestic or local crimes.

The foreign government must make a diplomatic request to the United States for this data, via the mutual legal assistance process, even if the only US tie to the case is that relevant data happens to be US-held. This is a time-consuming process which ultimately requires a US attorney’s office to issue a warrant on behalf of the foreign government.

These data requests are also subject to numerous limitations designed to protect the interests of US citizens and residents and to ensure the application of baseline substantive and procedural protections.

In the end, this is a good thing that could help get Microsoft out of court regarding its high profile Ireland case and make the entire proceedings a non-starter going forward for many companies such as Google, Apple, IBM, Samsung and more. The CLOUD Act is a substantive first step at legitimately establishing norms for both domestic and international request for data companies with globally residing customers. CLOUD helps establish a set of procedures for accessing data of citizens using services domestic and abroad while also enabling increasing transparency in how government obtains data.

Hopefully, we’ll continue to see a growing understanding of how data, communications, and investigations are evolving and an effort by US law to accommodate international business.

Further reading: , , ,

Do you think this suffeciently covers international data requests?