Legal Insights

No country is an island, especially in cyberspace: the US CLOUD Act and its international reach - part 3

• 20 June 2018 • 5 min read
  • Share

In this third and final post in the series we take a look at reactions to the US CLOUD Act and offer some concluding thoughts

Welcome to this third and final part of our series on the CLOUD Act.

Parts 1 and 2 can be found here and here.

In the first post of the series, Part one, “Introduction and context”, we looked at some of the catalysts for the changes introduced by the CLOUD Act.

In our last post, Part two, “Key features of the Act”, we looked at the Act’s extraterritorial application and the new “executive agreements” mechanism under the Act.

In this third and final post of the series we take a look at reactions to the Act and offer some concluding thoughts.

Reactions to the Act

The tech sector

Generally speaking, the tech sector has welcomed the Act, mainly due to the certainty it has the potential to provide for corporates on the receiving end of a request (or warrant) from a government agency for access to data held offshore.

In a coordinated push in the lead-up to the Act being signed into law by President Trump, various industry players wrote to Senators and representatives involved in sponsoring or considering the then Bill, advocating its enactment.

On 6 February 2018 tech heavyweights including Apple, Google, Microsoft and Facebook, co-authored a supportive letter to the Bill’s political sponsors. That letter stated that the Act would provide “a logical solution for governing cross-border access to data” and would be “an important step toward enhancing and protecting individual privacy rights, reducing international conflicts of law and keeping us all safer”. Furthermore, it would “allow law enforcement to investigate cross-border crime and terrorism in a way that avoids international legal conflicts”.

Also on 6 February 2018, various internet and cyber related trade associations banded together to write a letter commending the Bill by stating it “would establish a clear statutory right for providers to challenge an order that would [otherwise] create a conflict of law”.

Following President Trump’s signing of the Cloud Act into law, Microsoft’s Brad Smith wrote in one of his “Microsoft in the Issues” blog posts that the Act is “an important milestone in the journey to modernize the law, enable enforcement officials to do their jobs and protect people’s privacy right across borders.”

In that blog post Mr Smith focused on the comity of international laws as an important safeguard – we’ll come back to that later in this post.

Mr Smith’s post also helpfully provides a link to a document setting out numerous statements of support for the Act, including the letters referred to above and other statements or comments from the UK and Australian governments, members of Congress, academics and various other tech industry lobby groups and associations.

Human rights and privacy groups

Groups with an interest in the fields of human rights and privacy have not necessarily been so supportive.

The Electronic Frontier Foundation (EFF), for example, has been critical of a number of aspects of the Bill.

EFF and others are opposed to a new mechanism that circumvents the Mutual Legal Assistance Treaty (MLAT) process on the basis that MLAT contained more robust safeguards against the abuse of state power and the infringement of civil liberties.

As noted in part two of this series of TechKnowChat blogs, it is likely that the UK will be one of the first countries to execute an executive agreement with the US. The EFF considers that such an arrangement would be “a backwards step for privacy, because UK law makes it easier than US law for police to seize data form service providers”.

A similar range of concerns was flagged by the EFF together with a coalition of 20 other privacy advocates in a letter to the US Congress dated 20 September, 2017.

Controversy over the Bill’s entry into law

Somewhat controversially in the eyes of some, the CLOUD Bill was included in an omnibus Bill rather than being submitted as a stand-alone piece of legislation. This led some to argue that the CLOUD Bill did not face the same level of scrutiny it would otherwise have attracted.

Microsoft’s Brad Smith noted that, “[a]lthough the CLOUD Act resulted from successive drafts over several years, its passage surprised many. And the speed with which it happened was a bit of a shock.”

Given the bipartisan support behind the Bill, it is difficult to say whether the level of debate would have been significantly greater had the Bill ben submitted alone.

Concluding comments

Now that the Act is law, it will be interesting to see how the executive agreement power is exercised. Bilateral executive agreements are likely to be limited to America’s trusted friends and allies – one only needs to consider the criteria for entry into such agreements set out in the Act (see the discussion of executive agreements in part two of this series).

In our own domestic arena, the Australian government is certainly interested in concluding an executive agreement under the Act. When that eventuates we speculate there will be increased interest in the impact of the Act and how it sits with safeguards for privacy and civil liberties under Australian domestic law.

Need advice on the CLOUD Act?

Contact the Cyber & Date Resilience team.

  • Share

Recent articles

Online Access