Even as a years-long fight over government access to foreign data heads to the Supreme Court, Congress still needs to solve the problem of cross-border information requests.
On Tuesday, the Supreme Court will hear arguments in U.S. v. Microsoft, a case about the tech company’s challenge to a U.S. warrant for data that was stored on a server in Ireland. A federal court ruled in 2016 that a U.S. warrant can’t compel a company to turn over users’ data that is stored on servers located abroad.
U.S. tech companies have complained for years that they’re caught between a rock and a hard place when it comes to data stored abroad. Complying with a U.S. government request for user data stored in another country might violate that country’s laws, and complying with a foreign government request for data would violate U.S. law.
Earlier this month, lawmakers introduced the Clarifying Lawful Overseas Use of Data, or CLOUD, Act, which attempts to solve this problem by allowing the U.S. government to enter into bilateral agreements with other governments setting standards for cross-border data requests. These bilateral agreements are open to countries that meet certain privacy, security, and other standards. It was introduced by Sen. Orrin Hatch (R-Utah) and Sen. Chris Coons (D-Del.) in the Senate and by Rep. Doug Collins (R-Ga.) and Rep. Hakeem Jeffries (D-N.Y.) in the House.
Engine supports this legislation because it would remove the current obstacles that cloud computing companies, including startups, face when they want to comply with foreign government requests for data and empower companies to determine whether other governments’ requests are reasonable. It would also simplify the way companies deal with U.S. requests for user data, allowing companies to challenge U.S. requests that pertain to non-U.S. persons and would force the company to violate another country’s laws.
Several privacy and civil liberties groups have raised concerns that while compliance with government requests is at a company’s discretion, the legislation could open the door for countries without adequate civil liberties and human rights protections to issue unreasonable requests for data or new real-time wiretaps. These concerns are valid, and the bill would be improved by boosting privacy protections, including assurances that countries have standards for data requests that are on par with requirements for U.S. warrants.
Of course, a debate about government access to communications wouldn’t be complete without talking about the Electronic Communications Privacy Act, or ECPA. That’s the 1986 law that allows law enforcement to get stored emails without a warrant. Congress has been debating reforming this law for years so that law enforcement would need a warrant to access emails, the same way they need a warrant to get the papers stored in a desk.
After a 2010 court decision, law enforcement officers usually obtain—and companies usually require—a warrant to access electronic communications, but many lawmakers have pushed to have that standard written into law. In recent years, the House has twice unanimously passed an ECPA reform bill to require a warrant, called the Email Privacy Act. Unfortunately, a companion bill stalled in the Senate after some lawmakers tried to attach controversial, privacy-decreasing language to it.
If Congress is going to take up the issue of law enforcement access to data, it needs to also address this long-overdue, widely supported update to a decades-old law.