| |
| META TOPICPARENT | name="SecondEssay" |
|---|
| |
<
< | The Application of the CLOUD Act and its Relatio to Corporate Infrastructure | >
> | The Application of the CLOUD Act and the International Politics Over Data Localization | | | | |
<
< |
Proofread much?
| | | -- By AmyTang - 14 Dec 2021
Introduction | |
<
< | There is no debate that the United States government has spent significant money, time and effort in the pursuit of “greater good”, interpreted as democracy, fighting crime and terrorism, both abroad and domestically. U.S. Congress had passed many laws that are alleged to violate privacy, civil liberties and human rights under the pretence of advancing this goal. One of the more recent technological-oriented statutes that was adopted, the Clarifying Lawful Overseas Use of Data (CLOUD) Act enacted in March 2018, purports to help “investigations of serious crime, ranging from terrorism and violent crime to sexual exploitation of children and cybercrime”. | >
> | There is no debate that the United States government has spent significant money, time and effort in the pursuit of “greater good”, interpreted as democracy, fighting crime and terrorism, both abroad and domestically. In pursuit of, and fixated by this goal, U.S. Congress had passed numerous laws that are claimed to violate privacy, civil liberties and human rights under the pretence of “democracy”. One of the more recent technological-oriented statutes that were adopted, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted in March 2018, purports to help “investigations of serious crime, ranging from terrorism and violent crime to sexual exploitation of children and cybercrime” according to the Department of Justice. | | | | |
<
< | This paper highlights the disadvantages and weaknesses of the Cloud Act and suggests that there are ways to benefit from particular corporate organizational structures to protect foreign privacy. | >
> | This paper highlights the disadvantages and weaknesses of the Cloud Act and discusses the consequences of the Act on international politics over data localization. | | | The Cloud Act | |
<
< | The Cloud Act allows U.S. law enforcement to access and obtain electronic communications, documents stored in the cloud, and to certain types of transmission and account information from servers located outside the U.S. by forcing U.S. companies to give up such data, even if they store it abroad, once a warrant is issued by a U.S. judge:
A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.
The measure was introduced by Congress consequently to Microsoft Corp. v. United States, where the Second Circuit held that law enforcement was not authorized to access data stored abroad, under the then-existing Stored Communications Act (“SCA”). The Cloud Act therefore implemented new procedures for U.S. law enforcement to request such data, facilitating and legalizing the process. It does so by amending the SCA, an act aimed initially to protect “the privacy of stored Internet communications”.
The Cloud Act also provides for reciprocity measures, amending the existing provisions of the Electronic Communications Privacy Act (ECPA) to structure an exchange of domestically-stored data by U.S. service providers to certain foreign countries, under lawful foreign orders.
The Cloud Act would allegedly “preserve law and order, advance the United States’ leadership in cybersecurity, ease restrictions on American businesses and enhance privacy standards globally.” While the Cloud Act claims to attain such noble goals in principle, one can only ponder on the of potential violations of privacy caused by such an invasive and overreaching practice, by both U.S. and foreign partner law enforcement agencies. Currently, the dominating electronic communication provider are arguably Google, Amazon, Facebook, Apple, and Microsoft (“GAFAM”), with user bases in the billions and a combined market value of over four trillion U.S. dollars. Coincidentally, the GAFAM are all headquartered in the U.S., therefore under the purview of the Cloud Act.
The weaknesses of the Cloud Act are numerous, but can be summarized as follows:
1- It is overreaching and can violate the rule of sovereignty : there are limited mechanism for providers to challenge warrants allowing for the disclosure of electronic data located outside the U.S., violating sovereignty in jurisdictions where applying the Cloud Act to such data might create conflicting obligations when foreign law prohibits providers from such disclosure. Prior to the Cloud Act, law enforcement must proceed under the mechanism of Mutual Legal Assistance Treaty to obtain evidence abroad.
2- There are no checks and balances: the Cloud Act gives too much latitude to the executive branch to form executive agreements between the U.S. and another jurisdiction under the CLOUD Act. The certified foreign jurisdiction can then go directly to U.S. providers to request access to contents of their users’ communications. There are few infrastructures in place to prevent abuse, such as Congress oversight.
3- There may be violations of civil liberties: prior to “the cloud” and online hosting of data, if U.S. law enforcement wanted evidence, it would not be allowed to access a party’s residence overseas. This rule should not differ for data hosted overseas. Further, the provider has no obligation to challenge any warrant or requests for customer data even if they are overbroad or otherwise inappropriate.
4- Lack of transparency for users: nothing in the Cloud Act would force the provider to reveal to the user that their data is disclosed.
How structuring corporate structure can shield a provider of electronic communication service from the Cloud Act | >
> | The Cloud Act allows U.S. law enforcement to access and obtain electronic communications, documents stored in the cloud, along with certain types of transmission and account information from servers located outside the U.S. by forcing U.S. companies to give up such data, even if they store it abroad, once a warrant is issued by a U.S. judge. The Act was introduced by Congress consequently to Microsoft Corp. v. United States, where the Second Circuit held that law enforcement was not authorized to access data stored abroad, under the then-existing Stored Communications Act (“SCA”). The Cloud Act, therefore, implemented new procedures for U.S. law enforcement to request such data, facilitating and legalizing the process. It does so by amending the SCA, an act aimed initially to protect “the privacy of stored Internet communications”. The Cloud Act also provides for reciprocity measures, amending the existing provisions of the Electronic Communications Privacy Act (ECPA) to structure an exchange of domestically-stored data by U.S. service providers to certain foreign countries, under lawful foreign orders. | | | | |
<
< | Under the Cloud Act and the SCA, it is clear that only providers subject to U.S. jurisdiction must comply with the obligation of disclosing of data when requested. While for GAFAM, a significant number of data centers are located in the U.S., and jurisdiction can therefore be presumed, there are ways to structure corporate entities to escape the overreaching claws of the Cloud Act. | >
> | The Cloud Act applies to “provider of electronic communication service” and “remote computing service”. These providers may be obliged to “preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber”. The scope of providers under the reach of the Cloud Act is broad and may apply to a variety of messaging, social media and cloud storage and processing platforms. | | | | |
<
< | The key word in the Cloud Act is that a provider must disclose the data within its “possession, custody or control”. If the provider’s corporate subsidiaries remain independent, U.S. law enforcement cannot therefore force disclosure using the Cloud Act, even if the U.S. subsidiary shares are 100% held by the foreign corporation, or vice-versa. | >
> | The Cloud Act would allegedly “preserve law and order, advance the United States’ leadership in cybersecurity, ease restrictions on American businesses and enhance privacy standards globally.” While the Cloud Act claims to attain such noble goals in principle, one can only ponder on the potential violations of privacy caused by such an invasive and overreaching practice, by both U.S. and foreign partner law enforcement agencies. Currently, the dominating electronic communication provider are arguably Google, Amazon, Facebook, Apple, and Microsoft (“GAFAM”), with user bases in the billions and a combined market value of over four trillion U.S. dollars. Coincidentally, the GAFAM are all headquartered in the U.S., therefore under the purview of the Cloud Act. | | | | |
<
< | Pragmatic means to ensure said lack of “possession, custody or control” by foreign corporations include refraining from conducting any business in the U.S.; ensuring that their U.S. entity is a separate legal person; using different and disconnected computer networks from their U.S. entity; building operations, corporate strategy, management and marketing team independently from those of the U.S. entity; and maintaining a computer structure that would not allow U.S. entity’s employees from accessing any data belonging to foreign subsidiaries stored abroad. | | | | |
<
< | Not only will this be deemed preferable by many users concerned with their privacy and freedom of choice, this will also better shield companies from the numerous disadvantages of the Cloud Act, including the potential irreconcilable obligations under two different countries' laws. | >
> | The Consequences of the Act on the International Politics Over Data Localization
The weaknesses of the Cloud Act are numerous. Its overreaching nature allows for the violation of the rule of sovereignty in situations where the laws of the foreign jurisdiction where the electronic data is located conflict with the obligations imposed by the Cloud Act. Further, there is a lack of transparency for users: nothing in the Cloud Act would force the provider to reveal to the user that their data is disclosed. | | | | |
<
< |
This draft seems to me to present an accurate, if rhetorically a little overheated, summary of the arguments offered against the legislation. That summary is combined with the observation that if multinational companies wanted to reorganize themselves solely with regard to their liability to CLOUD Act orders, they could shield data from US process overseas. This overlooks the fact that the companies by no means want to insulate themselves from the CLOUD Act, which—you might want to remember—Microsoft supported. | >
> | A glaring shortcoming of the Act is that there are no checks and balances. Therefore, it gives too much latitude to the executive branch to form executive agreements between the U.S. and another jurisdiction under the Cloud Act. The law enforcement agencies can then go directly to providers abroad to request access to contents of their users’ communications with few infrastructures in place to prevent abuse, such as congressional oversight. For instance, between January and June 2021, Microsoft received 101 warrants from US law enforcement seeking to obtain data stored outside the U.S. that allegedly lacked legal justification. Further, a number of obligations imposed by the Act conflict with the European Union's General Data Protection Regulation. | | | | |
<
< | The legislation is no longer being debated; it is law. The way to make the draft stronger is to move away from arguing over whether it is good or bad to discovering what it does. You discuss the crucial issue of intergovernmental relations as though MLATs had not previously existed. This obscures one actual effect of the legislation, which is the disempowerment of diplomats to the benefit of spooks and cops. Hence the complexities of bureaucratic side-taking about the Act and its administration, on which you don't presently comment. Assessment of the role of the US act in the international politics over data localization, which for the platform companies is a much larger question for their business than responding to US law enforcement requests, would also be useful. This is where, for the largest private and public players, the action really is.
| >
> | Given the above, the choice of data localization for companies becomes subject to international politics given that the Act and its administration open the door for complexities of bureaucratic side-taking due to the reciprocity measures and to the GDPR. The application of the Cloud act created new opportunities for European-based managed service providers. | | | | |
<
< | Sources | >
> | Under the Cloud Act, it is clear that only providers subject to U.S. jurisdiction must comply with the obligation of disclosing data when requested. While for GAFAM, a significant number of data centres are located in the U.S. and jurisdiction can therefore be presumed, there are ways for a company to structure corporate entities to escape the overreaching claws of the Cloud Act, that is if the company wishes to do so. Some companies choose to shield themselves from the Act as a means of competitive advantage in countries outside of the U.S. These corporate manipulations demonstrate political choices over data localization centres for providers of “electronic communication service” and “remote computing service”. | | | | |
<
< |
Why aren't these links in the text? You're writing for the web. Use links. Read the TWiki documentation if you need to learn how, or just use the link button at the top of the editing window, and learn from the markdown it inserts in the text.
| >
> | The keyword in the Cloud Act is that a provider must disclose the data within its “possession, custody or control”. If the provider’s corporate subsidiaries remain independent and store data outside of the U.S., U.S. law enforcement cannot, therefore, force disclosure using the Cloud Act, even if the U.S. subsidiary’s shares are 100% held by the foreign corporation, or vice-versa. Pragmatic means to ensure said lack of “possession, custody or control” by foreign corporations include refraining from conducting any business in the U.S., by ensuring that their U.S. entity is a separate legal person, by using different and disconnected computer networks and structures from their U.S. entity and by building operations, corporate strategy, management and marketing team independently from those of the U.S. entity. | | | | |
>
> | Data localization then becomes a political choice for providers who may also choose to segregate their corporate structures in countries that have signed bilateral agreements with the U.S. under the Cloud Act, such as Australia and the United Kingdom. | | | | |
<
< | https://www.aclu.org/other/surveillance-under-usapatriot-act
https://www.justice.gov/dag/cloudact
18 U.S.C. § 2703.
18 U.S.C. § 2713.
United States v. Microsoft Corp., 138 S. Ct. 356 (2017)
Congress Enacts the Clarifying Lawful Overseas Use of Data (Cloud) Act, Reshaping U.S. Law Governing Cross-Border Access to Data, 112 Am. J. Int'l L. 487 (2018)
Idem.
https://www.nytimes.com/2018/02/14/opinion/data-overseas-legislation.html
https://www.statista.com/topics/4213/google-apple-facebook-amazon-and-microsoft-gafam/#dossierKeyfigures
https://www.justsecurity.org/54242/improved-cloud-act-poses-threat-privacy-human-rights/ | >
> | Avoiding the application of the Cloud Act will better shield companies from its numerous disadvantages and providers who do so may be deemed preferable by users concerned with their privacy. | | |
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable.
To restrict access to your paper simply delete the "#" character on the next two lines:
Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.
\ No newline at end of file |
|