The U.S. CLOUD Act allows the U.S. President to enter into “executive agreements” with qualifying foreign governments in order to directly access data held by U.S. technology companies at a lower standard than required by the Constitution of the United States. To qualify, foreign governments would need to be certified by the U.S. Attorney General, and meet certain human rights standards set in the act. Those qualifying governments will have the ability to bypass the legal safeguards of the Mutual Legal Assistance Treaty (MLAT) regime.
In addition, U.S law enforcement agencies (from local police to federal agents) can now compel U.S and foreign technology companies to disclose communications data of U.S. and foreign users that is stored overseas, regardless of the data’s physical location, potentially bypassing the countries’ privacy and data protection laws. Permitting the U.S. access to data which can be located anywhere sets a dangerous precedent for other countries, who are likely to demand similar access to data held in the United States. Such expansion of U.S law enforcement power breaks the principle of territoriality, the core component of international law, and will produce a domino effect of information requests that overstep responding countries’ privacy safeguards.
The regulation would grant EU member states the power to circumvent the responding countries’ privacy laws in fulfilling information requests. If passed, countries could demand data access of technology companies within 10 days or, in the case of an “imminent threat to life or physical integrity of a person or to a critical infrastructure,” technology companies could be compelled to comply within just six hours. Such demands would apply to internet companies such as Google, social networks like Facebook, Instagram, and Twitter, as well as cloud technology providers, domain name registries, registrars and “digital marketplaces” that allow consumers and/or traders to conclude peer-to-peer transactions.
In a statement on how the European Union can “improve” cross border access to data, Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality said:
“Our current investigation tools are not fit for the way the digital world works … These tools still work within the limits of the principle of territoriality, which is at odds with the cross-border nature of e-services and data flows. As a result investigators’ work is slowed down when dealing with cybercrime, terrorism and other forms of criminal activities, even where such crimes are not cross-border in nature. This is why we launched an expert consultation in 2016.”
Similarly, EU law must currently respect U.S. privacy safeguards when seeking to access content stored by companies in the United States. Both initiatives are willing to jettison the principle of territoriality and the foreign privacy safeguards that accompany it: the U.S. CLOUD Act allows U.S. law enforcement to ignore EU privacy protections, while the EU proposals, if passed, ignore U.S. privacy protections regarding access to content stored in the United States. However, neither would be pleased with the reciprocal impact of a world without territorial privacy.