US Cloud Act ends Microsoft Dublin email case with a whimper

Act gives US ‘nearly unchecked’ power over global digital privacy rights, say critics

At the end of March, President Donald Trump signed into law the Cloud Act, which removed the ambiguity over whether a US court could demand data held extraterritorially. Photograph: Jim Lo Scalzo/EPA
At the end of March, President Donald Trump signed into law the Cloud Act, which removed the ambiguity over whether a US court could demand data held extraterritorially. Photograph: Jim Lo Scalzo/EPA

The Microsoft Dublin email case has ended with a whimper rather than a bang.

The case, which concerns whether the United States government may use a domestic US warrant to access emails held outside the US was the subject of a US supreme court hearing only weeks ago, still awaiting a judgment.

The case, which began in a lower court in New York state in 2014, was widely seen as a potential landmark data privacy case with far-reaching effects on the future of cloud computing.

Microsoft had argued that judges should not have the right to use domestic warrants based on a pre-web 1986 US law, to seize data held internationally. Instead, the US government should use (and ideally, improve) the existing Mutual Legal Assistance Treaty structure, a system under which nations allow internationally law enforcement access to evidence.

READ MORE

But this week, the US department of justice (DoJ) – which had made the referral to the supreme court – submitted a motion to have the case declared "moot". At the end of March, President Donald Trump signed into law new legislation, the Cloud (Clarifying Lawful Overseas Use of Data) Act, which removed the ambiguity over whether a US court could demand data held extraterritorially by creating a new type of warrant and allowing fresh handover agreements between nations.

Law welcomed

Microsoft has stated that it does not object to the case being declared moot. Indeed, in a blog post company president Brad Smith said Microsoft welcomed the new law.

“The proposed Cloud Act creates a modern legal framework for how law enforcement agencies can access data across borders. It’s a strong statute and a good compromise that reflects recent bipartisan support,” he wrote.

The Act had been backed by a number of big tech companies, mostly those with a focus on the cloud computing space. Along with Microsoft, Apple, Google, Facebook, and Oath Inc signed a letter in February stating their support.

So all’s well that ends well? Only if you prefer a somewhat improved, still alarming something, rather than uncertainty and nothing.

The Cloud Act is a law 'passed' only in the most technical sense. The Act was never a properly considered piece of legislation before Congress. Instead, it was tacked on at the very last minute to the sprawling and, infamously, largely undebated and controversial omnibus Congressional spending Bill signed into law last week.

And it wasn't universally supported, either before or after becoming an afterthought on page 2,212 of the doorstop 2,232-page spending Bill. Kentucky Senator Rand Paul tweeted: "But guess what? Congress can't vote to reject the Cloud Act, because it just got stuck onto the Omnibus, with no prior legislative action or review."

This was in reference to another of his tweets, in which he quoted from an opinion piece from American Civil Liberties Union (ACLU) legislative counsel and former department of homeland security lawyer Neema Singh Guliani: "Congress should reject the Cloud Act because it fails to protect human rights or Americans' privacy . . . gives up their constitutional role, and gives far too much power to the attorney general, the secretary of state, the president and foreign governments."

The Cloud Act was widely opposed by privacy organisations and activists, ranging from the ACLU and Electronic Frontier Foundation to the Centre for Democracy and Technology.

Some modifications to the Act have provided compromises that are partially welcomed by the ACLU and CDT because they do offer a framework of sorts, and some needed protections and limitations on law enforcement reach where none existed before. For example, executive branch (read: presidential) agreements to exchange data with select governments require compliance reviews, and can be revoked by Congress.

‘Extensive power’

But the Act effectively allows a US president the right to access, say, emails held abroad. At the moment, that means Trump, his attorney general Jeff Sessions and his secretary of state presumptive, former CIA director Mike Pompeo, would have "extensive and nearly unchecked power over global digital privacy rights" according to Guliani.

That certainly focuses the mind.

Meanwhile the DoJ swiftly issued a new warrant under the new system and Microsoft swiftly complied, handing over the Dublin-held emails.

Microsoft’s capitulation is disappointing, but was all but inevitable given the company’s long-time support for the Cloud Act. Nonetheless, the current position sits at odds with many of the company’s own pro-privacy arguments made in the case since 2014, which the Cloud Act does not address.

While the new framework is in some limited ways, better than no framework, a structure that enables private, non-transparent data transfer agreements between the US and other nations hardly addresses privacy and human rights concerns.

But stay tuned. The Act seems likely to run up against existing European Court of Justice rulings on data protection, as well as the incoming EU General Data Protection Regulation.