US passes overseas data access law

March 26, 2018 | Expert Insights

The United States has passed legislation aimed at making it easier for many countries to access email and other personal information stored beyond their own borders.

Background

Data protection laws forbid the disclosure or misuse of information about private individuals. Approximately 80 countries, across Europe, Latin America and the Caribbean, Asia, and Africa, have now adopted comprehensive data protection laws. The United States, however, is known for not having enforced a comprehensive information privacy law, having instead adopted limited sectoral laws in some areas.

These laws are based on Fair Information Practices, which were first developed in the United States in the 1970s by the Department for Health, Education and Welfare (HEW). In the United States, private data in third-party credit reports may be checked when a person seeks employment or medical care, or makes automobile, housing, or other purchases on credit terms. Although there are partial regulations, there is no law regulating the acquisition, storage, or use of personal data.

Of late, lawmakers in several US states have proposed legislation to alter how online businesses handle user information. The Do Not Track legislation and the Right to Know Act (California Bill AB 1291) are two such bills. The California Right to Know Act, if passed, would require businesses that keep user information to provide a user with a copy of the stored information on request. The bill faced heavy opposition from companies such as Google, Microsoft, and Facebook, and failed to pass.

Analysis

The House of Representatives has passed controversial legislation that makes it easier for law enforcement to get access to information even if it is stored overseas. The legislation is officially known as the Clarifying Lawful Overseas Use of Data (CLOUD) Act. The set of regulations was part of the Omnibus Spending Bill, which was signed by President Donald Trump.

Initially, CLOUD was set up to replace the existing rules for cross-border access to data, which require requests for information to be approved by the Senate and accepted by the Department of Justice (DOJ). The new rules give the DOJ the power to access data that US-based technology companies have stored overseas, such as the Outlook emails stored by Microsoft in Ireland. They also allow the DOJ to enter into agreements with foreign governments seeking data from US corporations, even without authorization from Congress or the courts.

Corporations such as Microsoft, Apple, Google, Facebook, and Oath consider the CLOUD Act to be better than the one previously introduced. The companies have also sent a letter to the Senate in support of the bill. They said that it "would create a concrete path for the US government to enter into modern bilateral agreements with other nations that better protect customers."

More significantly, "the legislation would require baseline privacy, human rights and rule of law standards in order for a country to enter into an agreement." They added that CLOUD's rules would ensure that data holders are protected by their own laws and would allow authorities to examine cross-border crime and terrorism without causing legal conflicts internationally.

The provisions of this bill received strong backing from US law enforcement agencies and the tech industry. It is designed to assist investigators in dealing with online communications and cloud computing. Electronic communications are often stored on servers overseas, which puts them out of reach of domestic investigations and leads to bureaucratic procedures to force disclosure. In the recent past, this issue led to a conflict between the US and Microsoft, after the software company challenged a New York court’s demand that it hand over information from one of its servers in Ireland to aid a US investigation.

At a Supreme Court hearing on the case last month, Microsoft’s lawyers and the US government backed the legal change. Microsoft received support from Google, Facebook, and Apple. The tech industry argues that if investigators can reach information stored abroad, countries will be less likely to require data about their citizens to be held on servers within their own borders, threatening the free flow of information that cloud computing companies depend on.

The law could leave US investigators in an even stronger position, especially considering the dominance of American internet companies worldwide. They would be able to extract information about foreign nationals, not just Americans, provided the data was held on an overseas server controlled by a US company.

Assessment

Our assessment is that the new rules, while allowing real-time access to foreign law enforcement, continue to have weak standards for review and do not provide adequate limits on the severity of the crime they can apply to. We believe that the new US law would be included in the international legal framework. To make it operational, US law enforcement agencies would require other countries to enact similar legislation and meet certain privacy and procedural standards. This would imply that any country that meets the requirements could demand information held overseas about one of its own nationals by simply getting approval from a domestic court.