The CLOUD Act: It’s Time for Our Laws to Catch up with Our Technology
Tomorrow, the Supreme Court will hear argument in a case that illustrates a growing problem in the Internet age: our laws lag far behind the technology they’re supposed to regulate. The case is United States v. Microsoft Corp., colloquially known as the Microsoft Ireland case. I’ll be attending the argument.
The case began back in 2013, when the US Department of Justice asked Microsoft to turn over emails stored in a data center in Ireland. Microsoft refused on the ground that US warrants traditionally have stopped at the water’s edge. Over the last few years, the legal battle has worked its way through the court system up to the Supreme Court.
The applicable law in this case, the Stored Communications Act, was passed in 1986 — three years before the World Wide Web was created. Nobody had any idea at the time that data servers all around the world would one day host a digital cloud that would replace notebooks and filing cabinets and that would store countless terabytes of our emails, photos, and business records. Certainly, few people had any idea that thirty years hence our most sensitive letters, photos, and business records would all be digital, not physical, objects.
The issues the Microsoft Ireland case raises are complex and have created significant difficulties for both law enforcement and technology companies. There are also important international implications as well.
To begin with, law enforcement officials increasingly need access to data stored in other countries for investigations, yet no clear enforcement framework exists for them to obtain overseas data. Meanwhile, technology companies, who have an obligation to keep their customers’ information private, are increasingly caught between conflicting laws that prohibit disclosure to foreign law enforcement.
Equally important, the ability of one nation to access data stored in another country implicates national sovereignty. Hundreds of individuals, organizations, and government representatives from around the world, including myself, other Members of Congress, and Members of the European Parliament, have filed amicus briefs with the Supreme Court expressing concern that the issues the case raises can be adequately resolved only by Congress and by policymakers in other countries.
These are among the reasons why I joined Senators Coons, Graham, and Whitehouse, and Representatives Collins, Jeffries, and others in introducing the Clarifying Lawful Overseas Use of Data (CLOUD) Act. Our legislation will help the United States and other countries resolve the problem of cross-border law enforcement data requests in the age of email and cloud computing.
The CLOUD Act bridges the divide that sometimes exists between law enforcement and the tech sector by giving law enforcement the tools it needs to access data throughout the world while at the same time creating a commonsense framework to encourage international cooperation to resolve conflicts of law.
To help law enforcement, the bill creates incentives for bilateral agreements — like the pending agreement between the US and the UK — to enable investigators to seek data stored in other countries. The bill sets forth strict privacy, human rights, and rule of law standards that countries that enter into such agreements must meet. It also contains provisions to ensure that consumers are protected by their nation’s own laws. Expeditiously implementing similar agreements with the European Union and other allies is critical to protecting consumers around the world and facilitating legitimate law enforcement investigations.
To help technology companies, the CLOUD Act gives companies the ability to protect their customers’ data and to resolve conflicts of law if and when they arise. In particular, the bill allows tech companies to notify foreign governments when a request for data involves one of their residents and to initiate a legal challenge when necessary.
Only a modern legislative solution like the CLOUD Act that protects privacy and gives law enforcement the tools it needs can adequately resolve the problems the Microsoft Ireland case raises. No matter what the Supreme Court decides, if Congress does nothing, our antiquated laws will continue to spur international conflicts, impede law enforcement, and fail to protect Internet privacy.
This bipartisan bill will put the US and our allies on a path to safeguarding privacy and giving law enforcement the tools it needs to investigate crime and protect us from terrorism. The bill has strong bipartisan support in both the House and the Senate. The Department of Justice supports passage of the legislation, as does the tech sector.
The CLOUD Act is the kind of reform we can all agree on, and it’s a reform that’s long overdue. We cannot wait any longer for our laws to catch up with our technology.