On 19 March 2018, European Digital Rights (EDRi) co-signed a letter with three other civil society organisations, asking the US Congress to ensure that the “Clarifying Lawful Overseas Use of Data Act” (the US “CLOUD Act”) is not attached to the omnibus bill.
If the CLOUD Act is attached to the omnibus bill, it would mean it would be passed without discussion or modification of very problematic provisions that will impact individuals’ rights worldwide. The US legislator would give up its power to the executive branch of government. The CLOUD Act would authorise the US Government to unilaterally issue executive agreements with a “qualifying foreign government”, such as the European Union and/or its Member States, without “following each other’s privacy laws” and without review by Congress. This decision would have global implications that we urge the US Congress to consider:
First, executive decisions of this kind would facilitate law enforcement access to individuals’ data directly from companies. They, however, would seriously weaken and erode privacy and other rights of citizens around the world, including Europeans. For instance, under the CLOUD Act, a US police department could request access to “the contents of a wire or electronic communication and any record or other information” about a European citizen without necessarily following EU privacy laws. If the EU enters into an agreement with the US, European citizens would have to rely on the company subject to the data access request to challenge the order before a US court within 14 days following a complicated “comity” procedure whereby a US court would decide to modify or quash the legal process.
Second, as currently drafted, the US CLOUD Act has no review mechanism in the event of democratic backsliding in a third country. This means that, once a government has entered into an agreement with the US Government, it would be almost impossible for the US to revoke this status. In the letter, we point out US Congress about the procedures that the European Commission initiated against Hungary and Poland and ongoing legal proceedings due to rule of law and human rights violations, including threats to judicial independence and civil society organisations. It would be problematic for the US legislator to allow such agreements to be entered into, particularly without robust mechanisms for withdrawing from them.
Giant tech companies such as Microsoft have been lobbying for the CLOUD Act. However, the bill does not adequately protect individuals’ rights – including those of US persons. In addition, the bill ignores the current, long-established system for dealing with cross-border access to data requests, Mutual Legal Assistance Treaties (MLATs). MLATs are often misrepresented as never being suitable for dealing with electronic evidence. The reality is that significant improvements to MLAT procedures are possible and, indeed some have already been made – as evidenced by the recent major improvements in the efficiency of the US Department of Justice (DoJ). Thanks to the “MLAT Reform” programme, the US DoJ recently reduced the amount of pending cases by a third.
On 19-21 March 2018, the European Commissioner Věra Jourová will be in Washington to discuss the CLOUD Act and cross-border access to data in general. We hope she will raise concerns about the global implications of the CLOUD Act for people around the world.
You can read the letter here.