New CLOUD Act, supported by major tech, trusts Sessions and Pompeo to defend our human rights
Neema Singh Guliani
What would happen if the Turkish government asked the U.S. government for the Facebook messages of Turkish human rights activists that were stored on a server in the United States?
Current U.S. law would help to protect against disclosure of information that is likely to be used to commit human rights abuses, like detention or torture. This is key given Turkey’s troubling human rights record. That’s because there is a robust process in place to ensure that the U.S. government only shares such information in cases where these requests have been closely vetted by the Department of Justice and a U.S. judge, who ensures that individuals’ rights are being protected.
But legislation is being introduced now that would allow countries’ to bypass these safeguards and give Attorney General Jeff Sessions and presumptive Secretary of State Mike Pompeo extensive and nearly unchecked power over global digital privacy rights.
The Clarifying Lawful Overseas Use of Data Act, or CLOUD Act ,is a bill recently introduced to establish new standards for when governments want to obtain information stored outside their jurisdiction. The Department of Justice and major tech companies are actively supporting the bill, erroneously suggesting it will advance consumer rights. Meanwhile, privacy and human rights organizations that have opposed the bill are rightfully pointing out that it jettisons current human rights protections in favor of vague standards that could gut individual rights.
The bill would strip power away from Congress and the judicial branch, giving Sessions and Pompeo (and future executive branch officials) virtually unchecked authority to negotiate data exchange agreements with foreign nations, regardless of whether they respect human rights or not. That’s a major shift from current law, and one that Congress should reject.
When foreign governments request content information from U.S.-based technology companies to assist with criminal and intelligence related matters, responding to these requests is not necessarily straightforward. Some requests are legitimate and come from countries with strong legal protections. Others, however, come from countries with a record of human rights abuses or weak privacy laws. For example, certain governments could seek the information of activists who use U.S. platforms, like Facebook or Twitter, to improperly arrest or detain people, or suppress their speech. In such cases, it is not in the interest of the U.S. government to facilitate the requests.
Fortunately, U.S. law today offers protections for when such requests are received. Generally, only countries that have entered into a Mutual Legal Assistance Treaty (MLAT) with the U.S. can get communications content. MLATs are generally negotiated by the executive branch, but must be ratified by the Senate. This ratification process ensures that Congress has a say in what countries we enter into agreements with, the substance of those agreements, and the role such agreements may play to our overall diplomatic approach to a particular country. Indeed, such ratification reflects Congress’ constitutional role in providing advice and consent on treaties.
But, if the CLOUD Act passes, the executive branch will be able to sidestep Congress when it comes to data sharing agreements. The bill would give the attorney general and the secretary of State the authority to enter into data exchange agreements with foreign governments without congressional approval. The country they enter into agreements with need not meet strict human rights standards – the bill only stipulates that the executive branch consider as a factor whether a government “demonstrates respect” for human rights and is similarly vague as to what practices would exclude a particular country from consideration. In addition, the bill requires that countries adopt procedures to protect Americans’ information, but provides little specificity as to what these standards must include. Moreover, it would allow countries to wiretap on U.S. soil for the first time, including conversations that foreign targets may have with people in the U.S., without complying with Wiretap Act requirements.
If those officials enter into an agreement with a country that fails to respect rights or is not in the foreign policy interest of the U.S., Congress will have little ability to stop it from going into effect. The bill requires that the Senate and House enact a joint resolution disapproving of agreement. And, even if both the Senate and House were able to do so, they would either need to convince the president not to veto such a resolution (very unlikely) or have enough votes to overcome such a veto. This doesn’t just sideline Congress – it almost kicks it out of the game completely.
The CLOUD Act also sidelines the judicial branch when it comes to responding to individual requests. Under MLAT, foreign government requests are vetted by the Department of Justice. And, a federal judge must issue an order, and can decline it if he or she believes it would lead to egregious human rights violations, like torture, which violate the Constitution. Notwithstanding complaints that lack of resourcing results in this process often being lengthy, it ensures that requests are appropriately vetted and helps to protect users.
Under the CLOUD Act, however, once an agreement is in place, U.S.-based companies would be allowed to turn over emails, chat logs, and other private communications pursuant to foreign legal demands that no U.S. authority vets on a case-by-case basis.
Make no mistake, these information requests could impact the rights of Americans and people from other nations, who may expect different protections based on their domestic laws. Moreover, if a tech company hands over information that leads to detention, torture, suppression of speech or other human rights violations, relying on an order from a country the U.S. has entered into an agreement with, the company is likely to assert they have liability protection under the bill.
Congress should reject the CLOUD Act because it fails to protect human rights or Americans’ privacy. But, even more, they should reject the CLOUD Act because it gives up their constitutional role, and gives far too much power to the attorney general, the secretary of state, the president and foreign governments.
Neema Singh Guliani is ACLU legislative counsel.