
CLOUD Act: a jurisdiction and human rights case

April 23, 2018

The Westphalian model of the nation-state, based on territorial sovereignty, has undergone changes with the expansion and use of the internet, which is based on decentralization, openness, collaboration and cross-border movement between countries. Because the two follow very different logics, relations between states and the internet have been in constant flux, leading to a number of discussions in courts around the world over which criteria determine the applicable law and how to reconcile the decentralized nature of the internet with the rigid and institutionalized nature of States.

The Internet and Jurisdiction network, which has discussed this issue in a multisectoral way, points out two challenges for national legal systems that gain relevance with the cross-border nature of the Internet and of the litigation it produces:

  1. How to preserve the global nature of the internet while respecting national legal systems?
  2. How to combat misuse and abuse on the Internet while guaranteeing the protection of human rights?

Therefore, while mechanisms for investigation, criminal accountability and law enforcement need to be respected, it is essential that these mechanisms be implemented while respecting users’ fundamental rights such as privacy, protection of personal data and human rights.
Recently the United States has been one of the main drivers of the discussion on international legal cooperation and data held abroad, mainly because of the case United States v. Microsoft, also known as “Microsoft Ireland”. The litigation began in 2013, when a judge granted a warrant authorizing investigators to obtain the emails and data of a Microsoft service user suspected of drug trafficking. The company delivered only the metadata, claiming that only the metadata was stored in US territory and that it could not provide the content of the emails because they were held in a data center in Ireland, and thus asserting that American rules and decisions could not apply in Irish territory. After several rounds of argument and appeal, the case went to the Supreme Court, raising arguments that the current mechanisms of international legal cooperation established in MLATs (mutual legal assistance treaties) are slow, bureaucratic and ineffective in the current context of cross-border Internet relations, and pointing out that many companies habitually change the location of their data, making it impossible even to know which country should receive the cooperation request. All this discussion led the Chief Executive of the United States (Donald Trump) to move forward a bill called the CLOUD Act, which seeks to change the rules of international data transfer involving foreign-based companies, making police investigations easier: companies are now legally required to provide the data of persons under investigation, even if they are not based in the United States.

CLOUD Act and its procedure


In updating the legislation on data use (the Stored Communications Act), the CLOUD Act, in short,

“is a bill recently introduced to establish new standards for when governments want to obtain information stored outside their jurisdiction”

Neema Singh Guliani, The Hill

Four factors laid the foundations of the proposed law: the anachronism of international legal cooperation mechanisms, designed in the nineteenth century; the delays of the MLATs (the expected response time for a routine request was 15 to 18 months); litigious requests for cooperation; and constant complaints from large technology companies about the contradiction between legal regimes around the globe. Together they gave rise to the Clarifying Lawful Overseas Use of Data Act (HR4943, S. 2383), or just CLOUD Act. It was introduced in February in the Senate by a bipartisan coalition and subsequently approved on March 22, 2018 by the US Congress.

The law’s legislative process was harshly criticized, including as an attempt by lawmakers working in the dark to sneak through a piece of legislation and pass a Frankenstein bill, as pointed out on Medium. Such accusations are made because the CLOUD Act was included in a $1.3 trillion spending bill just one day before the vote on that bill. On Twitter, several political figures spoke about the law, with two highlights: President Donald Trump, who first published on the social network his intention to veto (although in a second tweet he commented that he would sign the law), and Senator Rand Paul, who affirmed that the Congressional strategy of linking the CLOUD Act to the spending bill was meant to force the approval of the act.

In addition to government agents, two poles make up the legislative game table on this issue: large technology companies, and human rights and user privacy organizations. The first block is led by the well-known Apple, Google, Microsoft and Oath, which issued a joint statement in favor of the law. The activist opposition is likewise represented in a joint statement from organizations with global impact such as the Electronic Frontier Foundation (EFF), American Civil Liberties Union (ACLU), OpenMedia, Amnesty International USA etc., stating that the law allows data to be granted without complying with constitutional standards and facilitates the use of information by foreign governments to commit human rights abuses.

The discussion in the European Union


The discussions on changes to international legal cooperation mechanisms following the intense insertion of the Internet into relations between States are not new. Europe has for some time been discussing, through a multisectoral commission, ways to facilitate access to electronic evidence for investigating authorities. The European Commission’s plan is to propose new rules on the sharing of evidence and the possibility for authorities to request digital evidence directly from technology companies. This discussion began in 2016, with the Commission seeking to create concrete measures based on a common European Union approach to make cooperation with service providers more effective, to improve mutual assistance and to propose solutions to the problems of jurisdiction on the internet.

This discussion did not gain much space at the time and the Commission did not present its final proposal; after the approval of the CLOUD Act, however, the discussion is in the spotlight once again. The Euractiv website published “leaked” material indicating that on April 17 the European Union would present a document on the international transfer of data, facilitating the transfer of data between businesses and States and changing the current mechanisms of legal cooperation (MLATs). According to the Euractiv website, the regulation will create legal systems for authorities in EU member states to require companies to share data within 10 days, or six hours if there is “an imminent threat to the life or physical integrity of a person or to a critical infrastructure”. Civil society associations that campaign for privacy criticized the Commission’s plan to force companies to provide data quickly, claiming that there is a risk of arbitrary decisions harming privacy and human rights.

EU Commission member Věra Jourová had signaled in 2017 that Europe and the US were discussing ways to improve international data transmission between the country and the bloc, but following the CLOUD Act’s approval these plans are uncertain. However, according to experts, under the new EU data protection law (the General Data Protection Regulation), due to enter into force in May, companies cannot be forced to provide data to the US authorities unless EU member countries enter into bilateral agreements with the US, i.e. each country would have to conclude a data transmission agreement with the US. This makes it impossible for the bloc to have a general agreement, since the GDPR would prevent such generalized forced transmission of data. It remains to be seen what form the European measure will take and how the relationship between the CLOUD Act and the GDPR will work in practice.

Changes

“The Cloud Act provides two critical fixes: First, it enables U.S. law enforcement agencies to access data held by U.S. companies that is stored overseas.  Second, it would allow our government to enter into agreements — subject to review by Congress — to permit U.S. companies to respond to the same type of legal orders from countries that share our values and have legal systems that provide equivalent protection for civil rights and liberties.”

Washington Post

One of the main changes of the CLOUD Act is the increase in the geographical scope of the SCA (Stored Communications Act). Thus, while it does not change who is subject to SCA requests or what type of data is subject to requests, it expands the obligation of US providers of electronic communications services or remote computing services to comply with a US court order and hand over data even if it is stored abroad.

As explained above, before the provision in question was approved, MLATs were the mechanism of international cooperation used. Such treaties were negotiated by the executive but approved by the Senate, ensuring that Congress would play its constitutional role of providing advice and consent to treaties.

The Hill criticizes this point, as it withdraws power from Congress and the Judiciary and transfers “virtually uncontrolled authority” to enter into agreements to Sessions and the Secretary of State (a post presently occupied by Mike Pompeo). Another criticism concerns the lack of specificity with which the requirements for a country’s cooperation agreement with the United States are dealt with.

Conclusion


Considering that the adoption of the CLOUD Act is recent, only the practice of international legal cooperation will show whether the law in fact fills the gaps raised by the Internet and Jurisdiction network, preserving the global nature of the internet and promoting respect for national legal systems. There is no denying the room that the normative text leaves for misuse in obtaining digital data, and human rights and privacy violations are the main concern. However, since the law has already been approved, even without any public consultation, it remains for the opposition organizations to observe and supervise the procedures and contents delivered to governments via the CLOUD Act.

The study on Internet and Jurisdiction is a pillar of IRIS research. If you are interested in this subject, check out some materials we produce.

The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the Institute for Research on Internet and Society.
