The CLOUD Act, inserted at the very end of the 2,232-page omnibus spending bill, will make substantial amendments to the Electronic Communications Privacy Act (ECPA). It grants U.S. law enforcement entities new powers to compel U.S. companies to disclose communications and data on U.S. and foreign users that are stored overseas. It also empowers foreign governments to demand the stored and real-time data and communications of users outside the U.S. The CLOUD Act omits the Email Privacy Act, legislation unanimously passed twice by the U.S. House of Representatives, which would amend ECPA by requiring the government to obtain a warrant before accessing email content. The Center for Democracy & Technology (CDT) has long advocated for this protection to become law.
“While the passage of the CLOUD Act will help the U.S. Department of Justice and foreign governments access evidence and communications content held outside of the U.S., it’s a shame that the bill does nothing to extend long-overdue privacy rights for the digital age to ordinary Americans. This is a lost opportunity for what could have been a win-win-win, especially at a time when Congress should be looking for clear ways to protect the privacy of Americans’ data,” said CDT Vice President for Policy Chris Calabrese. “While it’s too late to include in this spending bill, the Senate should take up the Email Privacy Act to complement this legislation.”
To guide DOJ determinations as to which countries will benefit from bilateral agreements authorizing direct surveillance demands on U.S. providers, the bill as introduced established several broadly phrased human rights “factors.” Last-minute improvements to the bill make meeting each of those factors mandatory. The changes also require DOJ to explain to Congress why it believes the factors were met, but it is not clear that these explanations will become public.
Furthermore, the bill omits key human rights protections that foreign governments should be required to extend in order to make direct surveillance demands. It does not require that surveillance be authorized by a judge, nor that surveillance targets be notified, even after the fact, that their communications were disclosed.
“While we appreciate the late improvements to the legislation, it is now in the hands of the Department of Justice to determine whether countries that have weak surveillance standards and procedures will be empowered to serve direct surveillance demands on U.S. providers,” said Greg Nojeim, Director of CDT’s Freedom, Security & Technology Project. “DOJ could use this legislation to diminish privacy rights worldwide, or to persuade other governments to raise their surveillance standards in order to qualify for an agreement. We fear the U.S. Congress hasn’t done enough to require DOJ to make the right decisions,” he added.
CDT has also expressed concern that the orders foreign governments would be authorized to serve on U.S. providers could contain mandates for provider assistance that would undermine encryption. The bill includes a partial fix: the agreements themselves cannot contain decryption mandates, but it is not clear that a foreign government’s orders under the agreements cannot contain such mandates.
More information about CDT’s effort to reform ECPA is available here.