eWhite House Watch - Full Article

The CLOUD Act: Privacy v. Security

By: Frank X. Wukovits



On March 23, 2018, the Clarifying Lawful Overseas Use of Data [CLOUD] Act was signed into law as a part of the Omnibus Spending Bill. In short, the legislation sets forth a myriad of provisions involving procedures and methods of storage, access, and retrieval of data between the United States and foreign governmental entities. As a result, the CLOUD Act’s provisions create a potential (and perhaps inevitable) conflict between privacy and efficient governance.


The legislation is focused on the electronic data held by communication-service providers. The legislation addresses the necessity for such providers to cooperate with both domestic and foreign government entities to foster international cooperation in protecting the public and combatting serious crimes, including terrorism. The legislation acknowledges that service-providers face conflicting legal obligations when foreign governments request the production of electronic data in which the United States has previously prohibited providers from disclosing abroad. Likewise, the legislation also knowledges conflicts that arise when the Stored Communications Act [SCA] requires the disclosure of data in which foreign law prohibits communications-service providers from disclosing to the United States government.


However, the CLOUD Act declares that such conflicts and obligations are resolved by “executive agreements” between the United States and foreign governments seeking to balancing privacy and public safety. Specifically, the CLOUD Act requires, “A provider of electronic communication service or remote computer service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication… pertaining to a customer… regardless of whether such communication… or other information is located within or outside of the United States.”


In this regard, the CLOUD Act elaborates, “It shall not be constitute a violation… for a provider of electronic communication service to the public or remote computing service to disclose to the entity within a qualifying foreign government, designated in an executive agreement… seeking the contents of a customer or subscriber who is a national or resident of the qualifying foreign government.” The CLOUD Act defines a “qualifying foreign government” as “a foreign government with which the United States has an executive agreement…”


In effect, this means that it would not be unlawful for a provider to disclose data and communications to a foreign government in which the United States has an agreement. While the CLOUD Act outlines procedures and instances in which the court may modify or quash such a request by a foreign government, the court is only permitted to do so in narrow circumstances. Likewise, the CLOUD Act prevents a cause of action against a provider, including its officers, employees, or agents, for providing information or assistance to a foreign government pursuant to an executive agreement with the United States government. While the CLOUD Act seems to grant foreign governments a wide latitude of access to providers’ data and communications of its customers and subscribers, the CLOUD Act details the requirements that foreign government must abide when seeking such data, including “reasonable justification[s] based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation.”


Despite these “requirements” and “justifications”, the CLOUD Act uses language that some may consider concerning. For example, the CLOUD Act permits, “In the case of an order for the interception of wire or electronic communications, and any extensions thereof, shall require that the interception order… be issued only if the same information could not be obtained another less intrusive method…”. When contemplating this language, it seems that this could be easily argued and ruled in the foreign government’s favor if it were to be challenged in court, especially when implicating that such interception is crucial and integral to national security. When considering the CLOUD Act as a whole, a lack of customer notice, routine warrants, and initial judicial review may undermine Americans’ rights, including the right to privacy.


When compared to regulations such as the European Union’s General Data Protection Regulation [GDPR], which goes into effect May 25th, the CLOUD Act will likely find itself the center of both domestic and international debates related to data privacy, cybersecurity, and national security. In other words, while the CLOUD Act is aimed at international cooperation and efficiency in thwarting terrorism, it inadvertently threatens privacy. Nonetheless, the CLOUD Act exemplifies the current White House Administration’s goals of national security and global governance.



Leave a Reply