The Cloud Requires Clear Legislation

FreedomWorks Vice President for Research Wayne Brough has noted that the “major law governing privacy and the government’s ability to access personal data online -- the Electronic Communications Privacy Act [ECPA] -- was written in 1986.” Yet, as a pending Supreme Court case involving Microsoft indicates, such a decades-old, pre-internet law is grossly inadequate for 21st-century internet commerce and demands forthcoming legislation introduced by Senator Orrin Hatch.

The Supreme Court has taken for review a case involving a federal search warrant served against personal data stored on a Microsoft cloud server in Ireland. Microsoft’s Supreme Court brief notes the principle that “statutes apply only domestically unless Congress clearly indicates otherwise” guides American jurisprudence. Accordingly, lower appellate courts have ruled in Microsoft’s favor against Department of Justice (DoJ) arguments asserting that American law enforcement search and seizure powers extraterritorially supersede Irish law.

Microsoft’s Irish warrant case illustrates the June 2017 congressional hearing testimony of University of Kentucky law professor Andrew Keane Woods. He observed that ECPA internationally “is the greatest source of conflicts of laws in the technology sector today.” Meanwhile Mutual Legal Assistance Treaties (MLATs) designed to overcome such conflicts present a “notoriously slow procedure.” Fellow witness Richard Salgado, Google’s Director for Law Enforcement and Information Security, noted government studies under President Barack Obama that determined MLAT requests “average approximately 10 months to fulfill.”

Accordingly, Salgado observed that some countries “are considering more aggressive and potentially dangerous unilateral approaches” to cloud information legal regimes. His fellow witness, Center for Democracy & Technology Vice President for Policy Chris Calabrese, confirmed this threat. Unilateral legal initiatives worldwide would place cloud “providers in an impossible position between conflicting legal regimes.”

Brough has elaborated upon this “data localization.” Globally “policymakers are considering a host of different policies that would tether data to the country of its origin, drastically reducing the efficient exchange of information across the world.” Woods has observed that “Brazil and India, for example, might simply pass a law requiring any company operating on their soil to store local records locally -- where they can more easily be searched and seized.” Additionally, foreign governments are demanding that cloud providers allow for easier government monitoring by foregoing encrypted services.

Meanwhile Woods has noted that “overwhelming agreement” exists over ECPA’s inadequacies. Brad Smith, Microsoft’s president and chief legal officer, has observed that “current laws were written for the era of the floppy disk, not the world of the cloud.” ECPA stipulations, for example, currently allow for warrant-free legal searches of emails older than six months under the astonishing theory that they are “abandoned.” He has testified before Congress that a Microsoft Supreme Court loss would “literally take us back to a law that was passed when Mark Zuckerberg was two years old.”

Microsoft’s brief direly warns “U.S. companies are the world leaders in cloud storage. That lead is built on trust.” This “will evaporate entirely the moment this Court directs that U.S. companies must disclose emails stored in foreign nations when doing so would violate the data-privacy laws of those nations.” Meanwhile such extraterritoriality “would instigate a global free-for-all, inviting foreign governments to reciprocate by unilaterally seizing U.S. citizens’ private correspondence from computers in the United States.”

Smith has noted a consensus among all involved with information technology over “real problems that need real solutions. But they need to be crafted with a scalpel, not a meat cleaver.” Yet political “[i]naction means that important policy decisions about electronic privacy and government access fall by default to the courts,” Salgado has stated. As Microsoft’s brief indicates and Smith has observed, this is a “blunt instrument. The courts are not able to write a new law.”

Microsoft’s brief elaborates:

only Congress has the authority and tools to rewrite the statute to strike a new, 21st-century balance between law-enforcement interests, our relations with foreign nations, the privacy of our citizens, and the competitiveness of our technology industry.

Overwhelming support for Microsoft’s position has come in 23 amicus briefs. Their 289 signatories represent millions across 37 countries. These include American and European lawmakers, leading technology companies, media organizations, legal scholars, computer scientists, trade associations, and advocacy groups.

Fortunately, Orrin Hatch’s Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018 uniquely addresses the challenges highlighted by Microsoft’s case. The law establishes a formal American legal framework for bilateral agreements that avoid international conflict of laws problems and gives American companies various statutory rights. According to various sources, President Donald Trump supports CLOUD and its passage is expected to prompt the DOJ to withdraw from Microsoft’s case. America’s global edge in rapidly developing information technologies cannot wait any longer.