Implementation plans for new cross-border data law remain cloudy

In March, Congress passed the CLOUD Act, a law governing cross-border data sharing procedures, as part of the omnibus spending package. Despite having a substantial impact on how tech companies can legally store and share user communications data with the U.S. and foreign governments, the law was passed without debate.

Privacy advocates Sens. Rand Paul (R-Ky.) and Ron Wyden (D-Ore.) raised objections but ultimately didn't  attempt to block or stall the spending bill.

A new Congressional Research Services report reveals that critical questions have yet to be answered around which countries will be allowed to enter into agreements with the United States and under what conditions tech companies may rebuff a foreign government's request for data.

The CLOUD Act sped to passage in part because of an ongoing Supreme Court case that threatened to make new law on U.S. government access to data stored by U.S. companies on servers based in foreign jurisdictions. Law enforcement had long complained that existing frameworks for sharing data across borders – in particular Mutual Legal Assistance Treaties – are painfully slow and impractical..

A 2013 review of the MLAT process by the Obama administration pegged the average wait time for a single data request at 10 months, and even critics of the CLOUD Act acknowledge the process is badly in need of reform.

Christopher Painter, former coordinator for cyber issues at the State Department, said that questions remain about potential holes in the CLOUD Act, but he argued in remarks at While speaking at an April 25 Washington D.C. event that the MLAT process was pushing countries like Brazil and India to pass data localization laws requiring companies to store all their data within state borders.

"One of the things that we found, especially when I was at the State Department, is almost every country was frustrated…in getting information from providers in the U.S., where just naturally a lot of the information is," said Painter. "[MLATs], being a recovering lawyer, are never quick. You can speed them up in emergencies, but still in the normal cases, it’s hard."

Another unanswered question around the CLOUD Act is the conditions under which U.S. companies would be able to reject a foreign government's request. Under the law, a foreign country’s request for data is treated as neither a legally binding order nor a courtesy that they may reject at any time. Instead, companies must go to a court and ask for a comity analysis, a legal process that reconciles conflicting laws between the two nations and balances the competing interests at play.

The CRS report acknowledges that it is unclear exactly how this principle would apply to requests under the CLOUD Act.

"Ultimately, the comity analysis under either the CLOUD Act or common law principles is likely to be a highly fact-specific evaluation that depends on the specific circumstances of a demand for data stored overseas," the authors write.

Asaf Lubin, a resident fellow at Yale’s Information Society Project who focuses on the effects of technology on global espionage and digital privacy, told FCW this vagueness of this legal principle is inherent in the language of the CLOUD Act. Furthermore, he said, similar proposals

are gaining steam in Europe, raising the possibility that the law and its uncertainties could become an international model for cross-border data sharing policy.

"What specific factors should go into comity in the specific context of data transfers was never really discussed or addressed, and so we’re stuck with the list that the senators put together with very limited guiding rationales being provided," said Lubin.

Finally, the CRS report admits that despite a last-minute tightening of language in the law that stressed the intent to only enter into agreements with countries who have strong democratic and human rights backgrounds, there remains substantial confusion about whether those factors are legally binding and which countries would be considered out of bounds.

This was a big part of Wyden's objection to the measure. "The CLOUD Act will give Trump - or any president- far too much power to approve surveillance agreements with human rights abusing foreign governments without real oversight by Congress," he tweeted on March 12, as the House was considering folding in the measure into the omnibus.

In theory, Congress has the ability to reject agreements with countries that have problematic histories. In practice, Greg Nojeim, senior counsel and director of the Freedom, Security, and Technology Project at the Center for Democracy & Technology, told FCW, if the executive branch decided to enter into an agreement, there aren’t many mechanisms outside of public outrage to stop it.

"The CLOUD Act gives the Department of Justice a lot of discretion to decide the countries with which the U.S. will enter into bilateral agreements giving those countries the ability to compel U.S. providers to disclose their users' communications," said Nojeim. "The chances that Congress would reverse a poor exercise of that discretion are remote."