A framework would be established for law enforcers to legally access email communications stored on overseas cloud-based servers, and U.S. officials would be authorized to negotiate bilateral data-sharing agreements with foreign countries, under a Senate bill announced on Monday.
The Clarifying Lawful Overseas Use of Data (CLOUD) Act would also establish a process for providers of email and cloud computing services to challenge warrants for data stored overseas. Additionally, providers would be able to disclose to a foreign government when a warrant has been issued for information stored in that country.
U.S. Sen. Orrin Hatch (R-UT), who announced the bipartisan bill on the Senate floor on Monday, said email and cloud computing have put the nation’s data privacy laws “on a collision course with the privacy laws of other countries.”
“This state of affairs causes problems both for law enforcement and for email and cloud computing providers,” Hatch said. “It causes problems for law enforcement because warrants traditionally stop at the water’s edge and because laws in other countries may prohibit disclosure to foreign law enforcement. And it causes problems for email and cloud computing providers because they find themselves caught between orders by U.S. law enforcement to disclose data in other countries and laws in those other countries that may forbid such disclosure.”
In United States v. Microsoft, the U.S. Supreme Court is considering whether U.S. warrants should be able to require service providers storing data in other countries to divulge that data. Depending on the ruling, Hatch said, law enforcers will either lack the authority to obtain data in a timely manner or will “find themselves between conflicting domestic and foreign laws.”
The CLOUD Act aims to address the issue by authorizing U.S. officials to negotiate bilateral data-sharing agreements with certain countries to lift disclosure prohibitions in each country.
“The CLOUD Act sets forth stringent requirements for such agreements in order to ensure privacy and data security,” Hatch said. “In particular, it provides that any requests by foreign law enforcement to U.S. providers under such agreements cannot target or request information on U.S. persons.”
Also under the bill, a warrant served to a U.S. provider would pertain to information stored overseas so long as the provider has possession or control of it. The aim is to give law enforcers an avenue to access information without having to engage in diplomatic talks.
“Indeed, the US-UK bilateral agreement framework outlined in the CLOUD Act is intended as a model for future agreements between the United States and other countries that are committed to privacy, human rights and international law enforcement cooperation,” Hatch said. “Expeditiously implementing similar agreements with the European Union and other allies is critical to protecting consumers around the world and facilitating legitimate law enforcement investigations.”