Bill on cross-border data access needs to change, despite laudable goal

Congress is on the verge of passing the CLOUD Act as part of the forthcoming omnibus spending bill, but attaching it to must pass legislation without necessary modifications to three of its components would be shortsighted and create some potential for abuse.

For those unfamiliar with the legislation, the CLOUD Act would amend the Stored Communications Act to enable qualifying foreign governments to bypass the Mutual Legal Assistance Treaty (MLAT) process when conducting domestic investigation, and instead make direct requests of U.S. companies to access data that those providers store. Provided proper constraints, this is a laudable goal and necessary to execute our national security, foreign policy, and economic goals effectively, but it still needs work.

{mosads}The MLAT process helps us protect privacy and other human rights, but it is also cumbersome and time-consuming. Because the MLAT process makes it difficult for foreign governments to enforce their own laws, at the 2014 United Nations International Telecommunications Union (ITU) Plenipotentiary treaty conference, India, joined by other UN member states called for the world agree to contain internet communications within the countries where the communications originate or terminate. That proposal would break the basic architecture and economies of scale of the internet, but if no remedy for the shortcomings of the MLAT process is established, those calls for data localization mandates will grow.  

The CLOUD Act could be that remedy for qualifying states. It provides a reasonable structure that, with some key amendments, could dramatically improve our ability to preserve the internet as an economic and social force for growth and good without having the platform serve as a refuge for criminals or terrorists. The pilot project for this new process would be an executive agreement for this new data access process between the U.K and U.S. that would, according to British Prime Minister Theresa May’s spokesperson, empower each country’s law enforcement “to investigate their citizens suspected of terrorism and serious crimes like murder, human trafficking, and the sexual abuse of children regardless of where the suspect’s email or messages happen to be stored.”

That is the goal of the CLOUD Act not just for England, but also for executive agreements with other nations with adequate procedures in place to protect individual rights and guard against the abuse of any such new authority. But the proposed Act requires several critical changes to ensure that this new authority is limited to the purposes PM May articulates, and to ensure that it encourages nations like India that will seek similar agreements to upgrade human rights and legal procedural protections.

First, the CLOUD Act should provide greater clarity in what kinds of crimes qualify for use of the authority and transparency in the decision the executive reaches to grant the partner country the new authority. The Act currently refers to undefined “serious crimes” or terrorism as the trigger for enabling the pursuit of evidence. While there is no international definition for a serious crime, some minimal threshold must be set. Possible thresholds could include crimes carrying a prison sentence of three years or more or some other articulable baseline.  

On transparency, the bill’s current provision requiring notification to Congress that the U.S. has chosen a partner nation and judged its practices adequate for participation does not require that the executive branch provide any justification for this determination. It should require a detailed and public explanation. If some of the rationale or justification is extremely sensitive, then that portion of the justification can be classified and made available through closed session to members of Congress.

Second, the bill should be amended to require that the partner country must have judicial review or independent approval for the request of evidence prior to law enforcement issuing the order to one of our tech companies. The current language does not require prior approval for the request and doesn’t define independent oversight. There may be exceptions where time is of the essence or for some other justification where prior approval is unwise or impossible, but they should be narrow and clearly defined.

Third, Congress should strengthen the language in the bill governing the approval and renewal of these new executive agreements, including its own involvement in this process. Remember, these new agreements will serve as an alternative to mutual legal assistance treaties, a process in which Congress has much more authority. The bill currently lists only “factors to be considered” when the executive branch assesses a country’s human rights record, and it does not require any congressional approval for bilateral agreements. The bill should make compliance with the specified human rights standards mandatory in order for a country to be able to enter a bilateral agreement with the United States.

As for Congress’ own role, the options here could include an expedited process for Congressional consideration and affirmative approval. For example, Congress could model its approval process for these certifications and bilateral agreements after the Trade Promotion Authority, which allows for expedited consideration and prohibits amendments and filibusters of executive trade agreements.

In the absence of a modified CLOUD Act, domestic pressure will grow in many countries for data localization rules and a splintering of the internet to allow each nation’s law enforcement access to any data it wishes that moves through its country. That is why moving it forward is critically necessary, but not without modification. Rushing it forward as is could have terrible repercussions for both economics and justice. The CLOUD Act’s approach is necessary and its terms are close to what is needed to serve as a force for good. Let’s get it there.

Daniel Sepulveda is a non-resident fellow with the German Marshall Fund. He is a former  U.S. ambassador, deputy assistant secretary of state, and U.S. coordinator for international communications and information policy.