US, Canada to figure out rules on cops and Feds accessing people's data across borders

The US and Canada said on Wednesday that representatives are negotiating an agreement to apply the CLOUD Act to law enforcement operations that reach across their respective borders.

The US adopted the Clarifying Lawful Overseas Use of Data (CLOUD) Act in 2018 to provide signatories with expedited access to information held by foreign communications providers that's related to major crime investigations.

"Such an agreement, if finalized and approved, would pave the way for more efficient cross-border disclosures of data between the United States and Canada so that our governments can more effectively fight serious crime, including terrorism, while safeguarding the privacy and civil liberties values that we both share," said Attorney General Merrick Garland in a statement.

"By increasing the effectiveness of investigations and prosecutions of serious crime, including terrorism, in both countries, we seek to enhance the safety and security of citizens on both sides of the US-Canada border."

The CLOUD Act is intended to provide investigators with the possibility of faster access to data stored by a service provider in a foreign country than older mechanisms for cross-border cooperation. Countries can seek investigatory data through a mutual legal assistance treaty (MLAT) but that typically requires costly and time-consuming approval from a US court.

As the US Justice Department explains, "The Act permits our foreign partners that have robust protections for privacy and civil liberties to enter into executive agreements with the United States to use their own legal authorities to access electronic evidence in order to fight serious crime and terrorism."

For example, authorities in the UK seeing information about a British citizen that has been stored with a US service provider could pursue the appropriate local legal process to demand access to the relevant data and the US service provider would be allowed to comply with the demand without running afoul of US laws. The US provider in this instance could still challenge the demand under UK law.

• In huge privacy win, US Supreme Court rules warrant needed to slurp folks' location data
• CIOs across Europe add their VOICE to chorus of calls to regulate cloud gatekeepers
• Law prof: New Chinese data regulations make it 'very hard for foreign firms to comply'
• Lawmakers propose TLDR Act because no one reads Terms of Service agreements

The CLOUD Act was passed by US Congress as a result of Microsoft's refusal in 2016 to comply with a US warrant to turn over a subscriber's email messages that were stored in Ireland. Microsoft argued that the US Stored Communications Act didn't apply outside the US and a federal court sided with the company. As the US Supreme Court was considering the case, Congress passed the CLOUD Act and the government's challenge of Microsoft was dismissed as moot.

Currently the US has CLOUD Act agreements with Australia and the UK. Fast-tracked US-EU data demands have yet to be finalized. And any such agreement has become more complicated in the wake of the Court of Justice of the European Union's July 16, 2020 Schrems II judgment, which found the EU-US Privacy Shield framework for cross-border data sharing fell short of EU data laws.

What's more, a recent Supreme Court ruling that makes it harder to challenge US government surveillance could also complicate US and the EU efforts to reach an agreement on cross-border data sharing.

The CLOUD Act requires that the US Attorney General certify to Congress that partner countries have and practice laws that contain "robust substantive and procedural protections for privacy and civil liberties," as the Justice Department puts it.

This is to avoid having autocratic countries sign a Cloud Act treaty to make pretextual claims about political enemies in order to obtain access to their data.

While US laws have privacy and civil liberties protections, not everyone is convinced they're sufficiently spelled out to make the CLOUD Act work.

Stephen Smith, non-residential fellow at the Stanford Law School Center for Internet and Society and adjunct professor at Texas Southern University's Thurgood Marshall School of Law, argues that the CLOUD Act and related laws like the Stored Communications Act contain ambiguities that need to be addressed.

Longstanding concern about the ambiguity of the Computer Fraud and Abuse Act, only recently somewhat mitigated by the Supreme Court's Van Buren decision, illustrates the problems that can arise from poorly drafted laws.

In an paper published last year as part of a data protection anthology, Smith cautioned that the CLOUD Act enables real-time surveillance abroad but fails to define the types of allowable surveillance or scope of such activities.

"To the extent that the CLOUD Act authorizes US law enforcement to unilaterally engage in surveillance on foreign soil, it disregards international law," wrote Smith.

And if US courts support law enforcement agency attempts under the CLOUD Act to conduct real-time surveillance abroad through hacking and location tracking, he worries the law will harm rather than enhance foreign relations.

"In sum, the CLOUD Act should be amended to unambiguously exclude coverage of real-time surveillance techniques," he said. "Until that is accomplished, any executive agreements under the CLOUD Act should be negotiated with a clear mutual understanding of the types of surveillance orders allowed."

"Our negotiating partners should be made aware of the limits and uncertainties of US law concerning tracking and hacking, and insist upon robust substantive and procedural rules appropriate to those privacy intrusive techniques." ®