US Cloud Act ends Microsoft Dublin email case with a whimper

Act gives US ‘nearly unchecked’ power over global digital privacy rights, say critics

At the end of March, President Donald Trump signed into law the Cloud Act, which removed the ambiguity over whether a US court could demand data held extraterritorially. Photograph: Jim Lo Scalzo/EPA

At the end of March, President Donald Trump signed into law the Cloud Act, which removed the ambiguity over whether a US court could demand data held extraterritorially. Photograph: Jim Lo Scalzo/EPA

 

The Microsoft Dublin email case has ended with a whimper rather than a bang.

The case, which concerns whether the United States government may use a domestic US warrant to access emails held outside the US was the subject of a US supreme court hearing only weeks ago, still awaiting a judgment.

The case, which began in a lower court in New York state in 2014, was widely seen as a potential landmark data privacy case with far-reaching effects on the future of cloud computing.

Microsoft had argued that judges should not have the right to use domestic warrants based on a pre-web 1986 US law, to seize data held internationally. Instead, the US government should use (and ideally, improve) the existing Mutual Legal Assistance Treaty structure, a system under which nations allow internationally law enforcement access to evidence.

But this week, the US department of justice (DoJ) – which had made the referral to the supreme court – submitted a motion to have the case declared “moot”. At the end of March, President Donald Trump signed into law new legislation, the Cloud (Clarifying Lawful Overseas Use of Data) Act, which removed the ambiguity over whether a US court could demand data held extraterritorially by creating a new type of warrant and allowing fresh handover agreements between nations.

Law welcomed

Microsoft has stated that it does not object to the case being declared moot. Indeed, in a blog post company president Brad Smith said Microsoft welcomed the new law.

“The proposed Cloud Act creates a modern legal framework for how law enforcement agencies can access data across borders. It’s a strong statute and a good compromise that reflects recent bipartisan support,” he wrote.

The Act had been backed by a number of big tech companies, mostly those with a focus on the cloud computing space. Along with Microsoft, Apple, Google, Facebook, and Oath Inc signed a letter in February stating their support.

So all’s well that ends well? Only if you prefer a somewhat improved, still alarming something, rather than uncertainty and nothing.

The Cloud Act is a law ‘passed’ only in the most technical sense. The Act was never a properly considered piece of legislation before Congress. Instead, it was tacked on at the very last minute to the sprawling and, infamously, largely undebated and controversial omnibus Congressional spending Bill signed into law last week.

And it wasn’t universally supported, either before or after becoming an afterthought on page 2,212 of the doorstop 2,232-page spending Bill. Kentucky Senator Rand Paul tweeted: “But guess what? Congress can’t vote to reject the Cloud Act, because it just got stuck onto the Omnibus, with no prior legislative action or review.”

This was in reference to another of his tweets, in which he quoted from an opinion piece from American Civil Liberties Union (ACLU) legislative counsel and former department of homeland security lawyer Neema Singh Guliani: “Congress should reject the Cloud Act because it fails to protect human rights or Americans’ privacy . . . gives up their constitutional role, and gives far too much power to the attorney general, the secretary of state, the president and foreign governments.”

The Cloud Act was widely opposed by privacy organisations and activists, ranging from the ACLU and Electronic Frontier Foundation to the Centre for Democracy and Technology.

Some modifications to the Act have provided compromises that are partially welcomed by the ACLU and CDT because they do offer a framework of sorts, and some needed protections and limitations on law enforcement reach where none existed before. For example, executive branch (read: presidential) agreements to exchange data with select governments require compliance reviews, and can be revoked by Congress.

‘Extensive power’

But the Act effectively allows a US president the right to access, say, emails held abroad. At the moment, that means Trump, his attorney general Jeff Sessions and his secretary of state presumptive, former CIA director Mike Pompeo, would have “extensive and nearly unchecked power over global digital privacy rights” according to Guliani.

That certainly focuses the mind.

Meanwhile the DoJ swiftly issued a new warrant under the new system and Microsoft swiftly complied, handing over the Dublin-held emails.

Microsoft’s capitulation is disappointing, but was all but inevitable given the company’s long-time support for the Cloud Act. Nonetheless, the current position sits at odds with many of the company’s own pro-privacy arguments made in the case since 2014, which the Cloud Act does not address.

While the new framework is in some limited ways, better than no framework, a structure that enables private, non-transparent data transfer agreements between the US and other nations hardly addresses privacy and human rights concerns.

But stay tuned. The Act seems likely to run up against existing European Court of Justice rulings on data protection, as well as the incoming EU General Data Protection Regulation.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
GO BACK
Error Image
The account details entered are not currently associated with an Irish Times subscription. Please subscribe to sign in to comment.
Comment Sign In

Forgot password?
The Irish Times Logo
Thank you
You should receive instructions for resetting your password. When you have reset your password, you can Sign In.
The Irish Times Logo
Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.
Screen Name Selection

Hello

Please choose a screen name. This name will appear beside any comments you post. Your screen name should follow the standards set out in our community standards.

The Irish Times Logo
Commenting on The Irish Times has changed. To comment you must now be an Irish Times subscriber.
SUBSCRIBE
Forgot Password
Please enter your email address so we can send you a link to reset your password.

Sign In

Your Comments
We reserve the right to remove any content at any time from this Community, including without limitation if it violates the Community Standards. We ask that you report content that you in good faith believe violates the above rules by clicking the Flag link next to the offending comment or by filling out this form. New comments are only accepted for 3 days from the date of publication.