The US CLOUD Act and EU Law


 by Alexandre Veronese, Professor at University of Brasília

In March 2018, the President of the United States of America signed into Law a Bill approved by the Congress, which amended two parts of the US Code, the consolidation of the federal statutory norms of the country. The Clarifying Lawful Overseas Use of Data Act – CLOUD Act – was the third version of two preceding bills. Those prior bills tried to solve a grave contemporary issue: the difficulty to access electronic data that could be necessary to criminal investigations and prosecution. The new CLOUD Act changes mainly two passages of the US Code. It creates the possibility that the United States and foreign countries could sign executive agreements to grant mutual assistance in order to authorize the gathering of overseas data. In addition, the CLOUD Act creates standards to those agreements.

The United States of America have a long standing right to due process of law entrenched in the Fourth Amendment of its Constitution. The debate about the limits to access information captured by the means of new ways of communication is rather old in the US. The Federal Wiretap Act came to the US Code amidst the Omnibus Crime Control and Safe Streets Act of 1968. It was a huge alteration of the Title 18 of US Code, which is the Crimes and Criminal Procedures federal statutory law. Therefore, the federal statutory law received provisions that could regulate the lawful wiretapping in criminal investigations and the use of them between agencies and jurisdictions. Notwithstanding, the passing of time and the evolution of technologies showed the aging of those legal norms. A lot of the information that matters to seize, in order to archive effective evidence to use in investigations, came to be electronic. It was necessary to modify the Wiretap Act and, in 1986, it came the Electronic Communications Privacy Act. The new Act modernized the Law and it regulated the criminal features related to stored electronic information – the Stored Communications Act. The Patriot Act (2001 and 2006) brought to light some provisions regarding to overseas information that were made more detailed with the amendments signed into law in 2008.

It was clear after such evolution that the US government needs overseas information even to conduct proper criminal investigations over US citizens and residents. The American Internet enterprises became international giants. Actually, a huge amount of their data is shelfed in other jurisdictions.

The Fourth Amendment of the US Constitution guarantees the requirement of a previous judicial warrant in order to authorize the lawful gathering and intercepting of data. In addition, the usage of data is limited to the legal statutory norms. The US uses a lot of MLAT – Mutual Legal Assistance Treaties – with different countries to fulfil its demand of overseas data in the search of criminal evidence. The real problem was a mix of the necessity to access data hastily – since the MLAT procedures are usually slow – with a manner to solve the harsh political problem that emerged after the PRISM revelations, especially with the European Union.

The case that stated up the CLOUD Act happened when the Department of Justice asked for a warrant against Microsoft in order to access data stored by the company in Ireland. The company opposed the petition and tried to quash the demand. A lot of companies, social organizations and activists sided with Microsoft. They pledged that the Department of Justice demand was trying to force into law an overseas warrant and that the Fourth Amendment impeded such kind of measure. The local appellate court denied the petition and the Department of Justice appealed to the Supreme Court. The higher court granted the writ of certiorari and the case – Department of Justice v. Microsoft Ireland – came into motion. Meanwhile, the US Congress was debating the approval of new statutory law to solve the issue. Between 2015 and 2017, a senator made two bills: the Law Enforcement Access to Data Stored Abroad Act and the International Communications Privacy Act. Both proposals failed to pass into Law. Those bills relied upon MLAT measures. That is the crucial difference between them and the CLOUD Act. The CLOUD Act creates an executive agreement that the US government may sign with a foreign government to collect and use data stored overseas. Of course, there are some requirements to do so. The Department of Justice needs to assess the legal framework of the foreign country in order to evaluate its adherence to the comity rights and privacy standards, for example. Nonetheless, the Act grants the accountability of the executive agreements to the US Congress. The companies were happy to oblige since they now see less risks upon their American or US based consumers. They also stated that the safeguards were hard enough to protect their business. The Electronic Frontier Foundation (EFF) and some civil rights organizations, like the American Civil Liberties Union (ACLU), see a menace to the citizens. The EFF also states that the race to faster procedures is bad for both sides of the Atlantic[i]

However, what changes may occur in the European Union?

For the beginning, the European Commission reacted with cautious. Actually, the CLOUD Act is a local affair that undermined the current conversations between Brussels and the US government to solve the worldwide issue: how can the countries cooperate safely in the exchange of fast and reliable data to enable criminal evidence on ongoing investigations? The CLOUD Act provides a new local solution that tries to be international: the usage of executive agreements. The worldly solution upon to this date relies on MLAT and on judicial review and supervision.

The European Union has a well-established system of judicial cooperation[ii]. It was a necessity that came along the process of the construction of the economic and social integration. The national judicial systems have to cooperate to exchange criminal records and information in order to prevent and fight crime. The financial and corporate crimes also demand fast and reliable prosecution procedures among the many member states. The system provides accountability and even the United Kingdom desires to maintain its use after a probable Brexit.

The ongoing situation of the United Kingdom and the Brexit will provide an interesting case to observe. The negotiations to establish the terms of the UK withdrawal from EU have to deal with many issues. One of the actual defies is to maintain a clear and fast criminal cooperation system between them after the exit of the UK. The debate on the European Commission shows that the greatest problem is the necessity of the British authorities to submit to the jurisdiction of the Court of Justice of the European Union at some degree. We can imagine a legal disagreement between British courts and the EU system in a scenario where the UK has a complete usage of the system. The system will function with a legal framework that relies upon the European Law, including the Charter of Fundamental Rights, and some international treaties. If the disagreement falls under the interpretation of European Law, only the CJEU will have competence to settle the dispute. Having no recognition by the UK of the CJEU competence will grant a complicated legal situation in which the UK judicial and police authorities will have the full extent of benefits and a lesser degree of accountability. Maybe the solution could be the signature of a special treaty between the EU and the UK, with an accountability designated supervision board. However, the issue is on the negotiation table.

Right now, the CLOUD Act affair is still in debate among the European Commission[iii]. There are some formal requests of information that are still without response, but some individual opinions of representatives came into the press. This debate piles up with another still not finished policy regarding the adoption of transatlantic privacy standards. The European Union and the United States have the imperative to find a common ground to the General Protection Data Regulation standards. In addition, the member states are also involved into the transposition of the Directive 2016/680[iv]. For all that, at least for the moment, the CLOUD Act “clouded” the future of the international legal standards that may solve the grave necessity of having an effective legal framework to a contemporary and reliable cooperative system in criminal investigations.






Picture credits: Cloud computing by Jane Boyko.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s