Congress passes intrusive data sharing law under cover of spending bill
On March 21, House Republicans released a 2,232-page omnibus spending bill. It passed both houses and was signed into law in two days. Attached to the spending provisions that made it urgent "must-pass" legislation was the completely unrelated Clarifying Lawful Overseas Use of Data Act of 2018, also known as the CLOUD Act.
"The CLOUD Act enables the U.S. government to acquire data across international borders regardless of other nations' data privacy laws and without the need for warrants," Project Censored summarized.
It also significantly weakens protections against foreign government actions.
"It was never reviewed or marked up by any committee in either the House or the Senate," the Electronic Frontier Foundation's David Ruiz wrote. "It never received a hearing. ... It was robbed of a stand-alone floor vote because congressional leadership decided, behind closed doors, to attach this unvetted, unrelated data bill to the $1.3 trillion government spending bill." Congressional leadership failed to listen to citizen concerns, Ruiz wrote, with devastating consequences:
"Because of this failure, U.S. and foreign police will have new mechanisms to seize data across the globe. Because of this failure, your private emails, your online chats, your Facebook, Google, Flickr photos, your Snapchat videos, your private lives online, your moments shared digitally between only those you trust, will be open to foreign law enforcement without a warrant and with few restrictions on using and sharing your information, privacy, and human rights," concluded Greene Robyn Greene, who reported for Just Security.
"The little corporate news coverage that the CLOUD Act received tended to put a positive spin on it," Project Censored noted. "[A glowing Washington Post op-ed] made no mention of potential risks to the privacy of citizens' personal data, [and a CNET report that] highlighted the liberties that the CLOUD Act would provide corporations by simplifying legal issues concerning overseas servers."
Because of this failure, U.S. laws will be bypassed on U.S. soil. Greene noted that the CLOUD Act negates protections of two interrelated existing laws. It creates an exception to the Stored Communications Act that allows certified foreign governments to request personal data directly from U.S. companies.
"This exception enables those countries to bypass the Mutual Legal Assistance Treaty process, which protects human rights by requiring foreign governments to work with the Department of Justice to obtain warrants from U.S. judges before they can access that data for their criminal investigations," Greene explained. "The version of the bill that was included in the omnibus does include some improvements over the earlier version to help to mitigate the risks of bypassing the MLAT process ... two changes [that] are important improvements ... many of the other changes to the bill are only partial or ineffective fixes to problems privacy advocates, human rights advocates, and even a former high-ranking official at the U.S. State Department have raised. ... Several other concerns have been left entirely unaddressed."
"While the bill sponsors did try to address some of the concerns that have been raised, the improvements are not enough to shift the balance so that the CLOUD Act will be a boon, rather than a threat, to privacy and human rights," Greene concluded.