Law in the Internet Society

Cloudy With a Chance of Eyeballs: Consequences at the Seams of Cross-Border Data Sharing

-- By AnthonyMahmud - 11 Oct

The “Clarifying Lawful Overseas Use of Data Act” (“CLOUD”) radically altered the climate for data privacy in the United States and abroad. CLOUD expanded the parties to whom and circumstances in which private technology companies disclose their customers’ private messages, social media data, and other personal information.

Access to Foreign Servers Controlled Domestically

At the tip of the iceberg, CLOUD achieves this by lengthening the reach of government entities to request such data. The Stored Communications Act (SCA) already specified the situations in which corporations must, may, and may not comply with any given request. However, CLOUD codifies that SCA requests are now enforceable even upon data outside of the United States. Consequently, private user data stored within the borders of foreign jurisdictions is fair game for government grabs with neither (necessarily) a say nor a notice to the officials of that territory.

On its thinnest surface, this measure plausibly assuages a legitimate national security concern: facilitating timely access to sensitive data on which law enforcement can act. However, deeper inquiry into the statutory language contemplates ramifications not quite as sunny.

Consequences of Jurisdictional Ambiguities

CLOUD does not explicitly limit its application to tech companies incorporated in the United States. No doubt there is a high bar for having jurisdiction over a foreign corporation, but it does not seem farfetched that a major tech communication platform would systematically target and transact business with the US market, thus "submit[ting] to the judicial power of an otherwise foreign sovereign to the extent that power is exercised in connection with the defendant's activities." J. McIntyre Mach., Ltd. v. Nicastro, 564 U.S. 873, 881. This then posits a seemingly perverse circumstance where a foreign corporation with exclusively foreign data storage is at the mercy of American SCA warrants. Such a wide radius of authority threatens to undermine legislative sovereignty, corporate autonomy and the general integrity of data privacy. It also appears to harbor irreconcilable contentions with the GDPR data control rights. GDPR’s “right to be forgotten” and “right to be informed” “where personal data are transferred to a third country” appear incongruent with the record retention and notice-free data grabs that CLOUD can authorize.

Capacity of Safeguards for Consequences of Judicial Ambiguities

To some extent, CLOUD’s drafters account for this issue. Enumerated are conditions under which a data host can move to quash a disclosure request: the service provider must reasonably believe that the individual whose data is sought is not an “American Person” and does not reside in the US, AND that “the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government.” Through the most optimistic lens, the latter parameter appears to shield service providers from falling between Scylla and Charybdis. However, the judicial procedures for evaluating such motions, and the requirement of meeting both conditions, dilute its protective potency.

Bilateral Data Access Agreements

While the apathetic nationalist may not lose sleep over compromises to foreign autonomy, they would certainly object to how Americans are paying for it with their own privacy. The second wave of CLOUD Act provisions purports to give foreign governments similar reach over US-held data, and problematically relegates disclosure discretion beyond what the US itself possesses.

In essence, the CLOUD Act enables certain foreign governments to enjoy the same privileges to US-held data that Uncle Sam has to theirs. It makes sense that friendly nations would want to collaborate on symbiotic national security efforts. However, the way this is accomplished offends the conscience of constitutionality and compromises central tenets of privacy jurisprudence.

Source of Purported Necessity

Before CLOUD’s enactment, foreign governments could seek access to US-held data either through letters rogatory (a judicial instrument) or, far more commonly, Mutual Legal Assistance Treaties (MLATs). MLATs are binding, area-specific, legislatively developed agreements for information sharing, the legality of which is held in check by judicial review. Though already capable of facilitating the kinds of exchanges that CLOUD seeks to enable, MLATs draw ire from law enforcement and intelligence bodies whose urgent concerns lack the temporal pliancy to be bottlenecked by reviews that can stretch from months to years. Understandably, these actors bolster their capacity to act when their access to critical data nears instantaneous.

Erosion and Inequities of Regulatory Autonomy

CLOUD pushes the channel in that direction by delegating MLATesque authority to the executive. The bill allows the president, with consent from two of her appointed offices, to create bilateral political agreements with other heads of state, thus recognizing their government as statutorily “qualified.” The gravity of this designation is apparent in light of where CLOUD places it in the amendment to SCA. SCA 2702 imparts that communication content disclosure is prohibited, but carves out exceptions for (among other things) US law enforcement agencies in emergency situations or where the contents “appear to pertain to the commission of a crime,” and “qualified foreign governments.” Thus, while the access of domestic bodies is qualified circumstantially and subject to disclosure and annual review, foreign governments face no such explicit restrictions. They can obtain US-housed communication data with notice given to neither the individual who created the data nor the US government at all.

Implications and Constitutionality

This creation threatens even greater implication when viewed beside existing ambiguities of jurisdictional reach. The scope of access privileges that CLOUD provides foreign governments is not given any distinction. Hence, one could construe the foreign government’s (directly) unregulated access to “US” data to include the data stored in other countries by United States companies, or even entirely extraterritorial companies that avail themselves of federal law through business-derived specific jurisdiction.

Yes, companies can move to quash, or not comply, but often they have every incentive to appease the government of their customer base. Yes, executive agreements require vetting of foreign law, are subject to potential judicial challenge and face renewal burdens every five years, but those measures do not prevent foreign nations from being their own jury and not telling anyone about it once they qualify. Functionally, this potentially grants unmetered access to private communications data controlled by foreign bodies of law.

When privacy regulation sees such a seismic shifting of authority in all three branches of government, concern for Fourth Amendment violations becomes inevitable. If they are legitimate, would CLOUD not be a delegation of authority that was never conferred on Congress in the first place?



r6 - 11 Nov 2019 - 18:31:08 - AnthonyMahmud