CLOUD Act Will Streamline Data Sharing but Raises Privacy Questions

The Clarifying Lawful Overseas Use of Data (CLOUD) Act was enacted as part of the Omnibus Spending Bill signed by President Donald Trump on March 23.

What You Need To Know

• The CLOUD Act allows U.S. law enforcement agencies to obtain the information of American citizens from servers located outside the U.S., provided the host country has signed an agreement to share data with the U.S.
• Privacy consequences may be far reaching as U.S. citizens' data may be shared, without their knowledge, with foreign governments.
• The CLOUD Act allows the executive branch of the U.S. government to negotiate agreements with foreign nations. This will allow each nation to access the data of the other country's citizens without congressional approval.
• Foreign governments are not required to satisfy any minimum privacy or human rights law standards as a condition of entering a data sharing agreement.
• The impact on existing Canadian privacy law remains to be seen.

Impact on Canada

The current data sharing agreement between the Canada Border Services Agency and Homeland Security allows the exchange of entry and exit information of travellers crossing the Canada-U.S. border on land. Additionally, Canada's Personal Information Protection and Electronic Documents Act and Privacy Act allow private sector organizations and government to disclose personal information in order to aid lawful investigations in Canada or abroad.

The introduction of the CLOUD Act may prompt the U.S. to approach Canada to establish another framework to facilitate data sharing between law enforcement agencies. However, the European Union's General Data Protection Regulation (GDPR) illustrates the growing trend among nations seeking to provide legislative guidance on how the data of their citizens is to be treated when being transferred cross borders. Canada will be focused on maintaining its status as a country the EU deems to provide adequate privacy protections following the introduction of GDPR in May so data can continue to flow freely between the regions. Any data sharing agreement with the U.S. involving a country that has not been deemed to provide adequate privacy protections by the EU will need to be carefully drafted to ensure it is not viewed as weakening Canada's data protection regime.

Big Tech Support

While the CLOUD Act received support from technology giants such as Apple, Facebook, Google and Microsoft, its introduction was met with criticism by civil liberty activists, including the American Civil Liberties Union and Amnesty International USA, who expressed concern over potential privacy and human rights violations.

The support of large American technology companies is not surprising. Tech giants who store personal information on servers around the world have been struggling with the uncertainty in the previous regimes regarding U.S. law enforcement requests for off-shore data. Notably, Microsoft's four-year challenge to whether a domestic U.S. warrant can be used to access emails held on a server in Ireland has been dismissed now the CLOUD Act is signed. During the hearing of that case before the Supreme Court of the United States, Justices Ginsburg, Sotomayor and Breyer hinted that Congress is better suited than the courts to reconcile the conflict between modern technology and older legislation.

Alternative to MLAT

The CLOUD Act provides an alternative to the Mutual Legal Assistance Treaty (MLAT) regime. MLAT requires two or more nations to set out the terms on which information could be exchanged to assist an investigation happening in at least one of the countries party to the MLAT.

In the U.S., each request under MLAT is voted on by the Senate and requires two-thirds approval to pass. In Canada, the Minister of Justice, by way of the International Assistance Group, grants approval of MLAT requests based on whether evidence of an offence or information that may reveal the whereabouts of a suspect will be found in Canada.

The CLOUD Act grants law enforcement agencies streamlined access to data which may be relevant to crime prevention and investigation. This is a change from MLAT requests which took around 10 months to process, a delay long enough that could render the requested data obsolete.