Update: April 2018
On March 23, 2018, after a multi-year advocacy effort, the Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”) was signed into law as part of omnibus legislation.
Passage of the CLOUD Act represents a milestone for digital privacy. U.S. privacy law now better reflects today’s cloud computing technology—not the era of the floppy disc.
While the CLOUD Act advances digital privacy and provides important legal clarity, it also represents just one step in building a global data privacy framework. The U.S. must now enter into bilateral agreements with partner nations to protect privacy and strengthen law enforcement.
For additional insight into the CLOUD Act, please read “The CLOUD Act is an important step forward, but now more steps need to follow” by Microsoft President and Chief Legal Officer Brad Smith.
Voices for Innovation will continue to keep our members up to date about the progress of digital privacy policies.
Background: Microsoft Warrant Case
In a July 2016 U.S. Court of Appeals ruling in a case in which Microsoft challenged the U.S.’s request for private data held in Ireland, the three-judge appellate panel ruled that existing laws did not give U.S. law enforcement the authority to issue warrants extraterritorially. The court’s decision underscored the “need for congressional action to revise a badly outdated [digital privacy] statute.”
In January 2017, the Court of Appeals denied the government’s request for an en banc rehearing, leaving the decision in place—and allowing the government to petition the U.S. Supreme Court. The U.S. Department of Justice then filed to have the case heard by the Supreme Court. In October, the Supreme Court granted the DOJ’s request to review the case.
In January 2018, nearly 300 groups and individuals from 37 countries signed on to 23 amicus legal briefs that were filed with the U.S. Supreme Court to support Microsoft’s position. Oral arguments were heard by the Supreme Court on February 27. Notably, Justices raised the need for Congress to update the law. Justice Ruth Bader Ginsburg observed, “All agree that in 1986 no one heard of the cloud…. Wouldn’t it be wiser to let Congress regulate in this brave new world?”
On April 17, 2018, in light of passage of the CLOUD Act and motions from the DOJ and Microsoft, the Supreme Court dismissed the case, which was rendered moot by the CLOUD Act.
The CLOUD Act
The CLOUD Act represents an important step in addressing the digital privacy concerns of businesses and consumers while also enabling law enforcement to engage in actions that protect public safety. The CLOUD Act:
- Provides clear rules for U.S. government access to data stored abroad.
- Provides legal clarity that strengthens personal and business privacy protections for the cloud computing era.
- Strengthens trust in cloud computing in the U.S. and overseas.
- Encourages government-to-government cooperation to protect privacy while enabling law enforcement to pursue investigations.
- “The CLOUD Act is an Important Step Forward” by Brad Smith on Microsoft on the Issues
- “A Problem Congress Should Solve,” by Brad Smith on Microsoft on the Issues
- Video: Remarks of Brad Smith after Supreme Court oral arguments in Microsoft’s warrant case
- Joint Business and Tech Organization Letter of Support for the CLOUD Act
- “The CLOUD Act: It’s Time for Our Laws to Catch up with Our Technology,” by Senator Orrin Hatch (R-UT)
- Lawfare: “The CLOUD Act: A Welcome Legislative Fix for Cross-Border Data Problems”
- VFI blog post: “Senate Hearing Highlights Need to Update Data Privacy and Access Laws”
- “Something extraordinary happened in Washington, D.C., yesterday,” by Brad Smith on Microsoft on the Issues
- Microsoft Data Law Site
- A Twenty-First Century Framework for Digital Privacy, a Microsoft-supported project of the National Constitution Center
- “Our search warrant case: An important decision for people everywhere,” by Brad Smith
- “In The Cloud We Trust: It’s Time to Rebuild the World’s Faith in the Technology That Empowers Us All, by Brad Smith
- FITS News: Steve Sherman: Lindsey Graham Should Stand For Privacy Rights
- Bloomberg BNA: Cloud Companies Hit Hard by Languishing Email Privacy Update
- Law360: Senate Hears Microsoft’s Take On Overseas Data Warrants
- Lawfare: Senate Judiciary Committee Hearing on Law Enforcement Access to Data Stored Across Borders
- International Association of Privacy Professionals: Reverse Microsoft v. US? Judiciary subcommittee wrestles with cross-border data sharing
- The Hill: DOJ pitches agreements to solve international data warrant woes
- Lawfare: Why Cross-Border Government Requests for Data Will Keep Becoming More Important
What Experts, Analysts, and Lawmakers are Saying
“Customers want their rights protected by their own country’s laws. Americans want that, citizens everywhere want that. So the fundamental challenge that we’ve been dealing with is concerns by other people that their rights are not being protected by laws when you have these extraterritorial warrants.”
– Brad Smith, president, Microsoft
“If Congress does nothing, our antiquated laws will continue to spur international conflicts, impede law enforcement, and fail to protect Internet privacy.”
– Senator Orrin Hatch (R-UT)
“Implemented in 1986, years before the cloud was even invented, the Electronic Communications Privacy Act (ECPA) is outdated and ambiguous and proving harmful to the success of our business, the trust of our customers, and the ability of law enforcement to do their jobs effectively. Because of the ambiguities codified within this statute, companies providing cloud services are caught precariously between international legal jurisdictions.”
– Jeff Hadfield, founder, 1564b
“Just how far around the world does a U.S. warrant reach? Obviously, it can’t reach across borders without another country agreeing to respect the warrant. If warrants are issued to other countries, will that impact the way South Carolinians feel about the safety from federal government eyes on their emails, pictures and data stored in the “cloud?” When the government has a legitimate interest in seizing data for national security purposes, do they have a way to get that data today or do they need new tools? Are there ways to seize data that they have no right to see? All of these issues should be explored at the hearing.”
– Steve Sherman, conservative commentator
“In order to accomplish this urgent requirement, it will require Congress taking the necessary legislative steps to allow it to happen… While we are starting with our closest ally, the framework may allow future expansion to other like-minded countries.”
– Homeland Security Advisor Tom Bossert
“It is essential to ensure that legal safeguards are maintained when reforming an existing model of cooperation such as the Mutual Legal Assistance Treaties. Otherwise, reform has the potential to weaken civil rights by seeking the lowest common denominator among systems.”
– Susan Vergnolle, assistant professor, Pantheon-Sorbonne University