What is the CLOUD Act?
The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is a US federal law that was enacted in 2018. It regulates how law enforcement agencies can access data across borders. The CLOUD Act compels US based cloud and technology companies like Microsoft, Google, Facebook and Apple to handover data stored on offshore servers for law enforcement purposes. When requested via a warrant or subpoena, US companies must now handover customer or subscriber data regardless of whether it is stored in the US or on foreign soil. However, the Act allows companies to challenge the request if they believe the request violates the privacy rights of the foreign country in which the data is being stored. The US government decided to introduce the CLOUD Act after the FBI had difficulties in 2013 in getting Microsoft to handover information in a drug trafficking investigation. In this case, the FBI issued warrants for emails that a US citizen had stored on Microsoft servers in Ireland. Microsoft refused to provide the FBI access to the emails because it argued that the warrants did not cover data stored outside the United States. The legal challenge went as far as the Supreme Court before it was dropped due to the introduction of the first of two bills that culminated with the enactment of the CLOUD Act.
Benefits of the CLOUD Act
The Australian government has introduced the Telecommunication Legislation Amendment (International Production Orders) Bill to make it eligible to sign a bilateral agreement with the US under the CLOUD Act. The bill establishes a framework for allowing reciprocal cross-border access to communications data for law enforcement purposes. If the bill is passed and the bilateral agreement is signed, Australian law enforcement agencies would be able to serve domestic orders for data directly on US based companies and vice versa. The agreement allows governments to circumvent the Mutual Legal Assistance (MLA) mechanism currently used by law enforcement agencies. This would provide access to electronic evidence much more rapidly than is currently possible. “Noting that the United States is the largest data controller in terms of communications technologies, services, and platforms, entering such an agreement with the United States would have significant benefits to Australian law enforcement and national security efforts,” the Home Affairs department wrote. So far, the United Kingdom is the only country that has finalised a bilateral agreement with the US under the CLOUD Act. The US – UK agreement was finalised in October 2019.
Problems with the Current MLA System
According to the Home Affairs department, it takes 10 – 12 months before an Australian agency receives electronic data for a criminal matter using the current MLA system. Apparently, some matters have taken up to 18 months during which time investigations cannot be progressed and criminals continue to offend. Furthermore, these delays have led to criminals getting away with lesser charges. “For example, if electronic evidence cannot be obtained in accordance with court timeframes, this can result in charges being withdrawn, less serious charges being laid, or a weaker case going before the court which does not show the full picture of criminality, and may ultimately lead to lower sentences being imposed, if at all,” Home Affairs explained. The Home Affairs department stated that not only has the MLA system proven to be slow and cumbersome, but it does not respond “…sufficiently to this fundamental shift in the offshore storage of Australians’ data.”
Opposition to the Australian Bill and CLOUD Act
Privacy activists have voiced opposition to the government passing the bill on the grounds that it violates human rights. The Australian Privacy Foundation (APF) has called the bill a “manifestation of a drip by drip erosion of privacy protection in the absence of a justiciable constitutionally-enshrined right to privacy in accord with international human rights frameworks.” Others have pointed out that since a US company that collects data is subject to US law, the CLOUD Act would overshadow international privacy laws, such as Europe’s GDPR. The US government, and any other governments that sign the bilateral agreement, would not be required to inform data owners that their data is being accessed and used in an investigation. The APF argues that the proposed legislation disregards human rights concerns in favour of bureaucratic convenience. The Australian parliament is due to report back on the bill by June 26.