Suggestions for Implementing the Cloud Act

Jennifer Daskal, Peter Swire
Monday, April 30, 2018, 9:00 AM

Published by The Lawfare Institute

At the end of March, President Trump signed the omnibus budget bill into law. Tacked on at the end was the Cloud Act—legislation designed to facilitate law enforcement access to data across borders and the subject of extensive commentary on this blog and elsewhere. Both of us supported passage on two grounds: The act conditions law enforcement access to communications content on a relatively robust set of privacy protections, and we believed that it would facilitate both security and privacy, especially in comparison with the status quo.

That said, we have also long recognized that the principles underlying the Cloud Act will not be realized automatically. They depend on thoughtful and careful execution. Even the most innovative features of the legislation, such as the required compliance reviews, will only be as effective as they are robust. More fundamentally, the agreements need to be public and transparent in order to ensure effective input and accountability. And there is a need for careful thought—and work—to ensure that an increasing number of countries can meet the legislation’s baseline rule of law and privacy requirements and thereby benefit from the facilitated access promised by the legislation.

In this blog post, we set forth nine key issues the Justice Department faces as it considers, negotiates and enters into executive agreements under Section 5 of the Cloud Act. Consideration of each issue can help achieve four overarching goals that we think the legislation and agreements are meant to protect and promote:

(i) Fulfill legitimate law enforcement requests for data relevant to the investigation of serious crimes;

(ii) Protect and promote privacy and civil liberties in the United States and globally;

(iii) Provide a workable regime for the companies holding data of interest to law enforcement; and

(iv) Safeguard the Internet by resisting calls to localize data and splinter the Internet.

With these goals in mind, we offer the following more specific recommendations:

1. Expert and stakeholder input to the Justice Department

The act calls for consideration of “credible information and expert input” in deciding which countries meet the requisite standards to make them eligible for entering into a bilateral agreement. The Justice Department should establish a process to consider input from privacy and civil liberties groups, companies, and other practitioners and academics. These non-government experts can offer insight regarding the operation of the laws and law enforcement practices in other countries, and suggest agreement provisions that meet the multiple overarching goals.

2. Transparency of terms of the executive agreement

The Justice Department should make the text of executive agreements available to the public. If necessary for compelling security-related reasons, particular operational details can be contained in non-public annexes, but the general provisions and particular legal standards and structures of review should be made public.

3. Effective compliance reviews

One of the most innovative pieces of the Cloud Act is the requirement that the foreign government agree to “periodic review of compliance.” Agreements should (a) specify the details of those compliance reviews, including how often the reviews happen (ideally at least once annually if not more), (b) lay out the kind of access and information to be provided, and (c) include the opportunity for random reviews.

4. Minimization of data about U.S. persons

The legislation specifies that the foreign government is required to adopt “appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning U.S. persons.” The executive agreement and compliance reviews should provide detailed guidance on what constitutes “appropriate procedures” and acceptable results.

5. Mechanism for challenge, with Justice Department review

Agreements should specify that a company receiving a compulsory disclosure order pursuant to the terms of the executive agreement shall be permitted to seek Justice Department review if it is unsure whether or not the request complies with the terms of the agreement. During that period of review, the foreign government shall be prohibited from engaging in any enforcement action against the company.

6. Transparency reporting

Agreements should specifically permit transparency reporting by internet service providers on the orders they receive under these agreements.

7. Possibility of executive agreements providing access for specific sub-unit of a foreign government

In some countries, there may be specific offices or sub-units that can meet the Cloud Act requirements, even if the procedures of other parts of that nation’s law enforcement do not meet all of the requirements. To facilitate compliance with the specific requirements of the act—and to enable a broader range of countries to be eligible to enter into these agreements—the Justice Department should consider executive agreements that would cover only requests from a designated office or sub-unit of that country.

8. Define at least some elements of the Justice Department “bottom line”

One goal of the Cloud Act is to ensure effective protection of privacy and civil liberties in the practices of countries that enter into an executive agreement with the U.S. As the Justice Department negotiates executive agreements with each country, it will be in a stronger negotiating position if it announces publicly specific elements that are required for each executive agreement. While much of this is already in the text of the legislation, there is still room—and need—for further clarity on things like what constitutes minimally “appropriate” minimization procedures; adequate “review or oversight” by a court, judge, magistrate or other independent authority; and the standard to be employed in determining when and in what circumstances a request will be deemed to infringe “freedom of speech.”

9. Point of contact at the Justice Department for public comment

The Justice Department should create a portal to accept comments on Cloud Act issues generally and any individual executive agreement more specifically. At a minimum, there should be a responsible official named at the Justice Department to whom any comments relevant to the law can be submitted.

Jennifer Daskal is a Professor and Faculty Director of the Tech, Law, Security Program at American University Washington College of Law (WCL). From 2009-2011, Daskal was counsel to the Assistant Attorney General for National Security at the Department of Justice. She has published numerous journal articles and op-eds in, among other outlets, the New York Times, Washington Post, and The Atlantic. Daskal is currently a Scholar-in-Residence at New America.
Peter Swire is the J.Z. Liang Chair in the Georgia Tech School of Cybersecurity and Privacy, and Professor of Law and Ethics in the Georgia Tech Scheller College of Business. He is Senior Counsel to Alston & Bird LLP, and Research Director of the Cross-Border Data Forum. He served as one of five members of President Obama’s Review Group on Intelligence and Communications Technology.