Bipartisan Support for the Clarifying Lawful Overseas Use of Data (CLOUD) Act
Dear Speaker Ryan, Majority Leader McCarthy, Minority Leader Pelosi, Majority Leader McConnell, and Minority Leader Schumer:
We write to you to express our strong support for S. 2383, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, introduced by Senators Orrin Hatch (R-Utah), Chris Coons (D-Del.), Lindsey Graham (R.-S.C.), and Sheldon Whitehouse (D-R.I.), and H.B. 4943, the House companion legislation, introduced by Representatives Doug Collins (R-Ga.), Hakeem Jeffries (D-N.Y.), Darrell Issa (R-Calif.), Suzan DelBene (D-Wash.), Tom Marino (R-Pa.), John Rutherford (R-Fla.), and Val Demings (D-Fla.). These bipartisan bills build upon S. 1671, the International Communications Privacy Act and the House version of the bill, H.R. 3718, which received broad support from leading technology companies, policy organizations, and experts.
We urge you to consider and pass this important legislation, which sets needed guidelines for cross-border data access by U.S. and foreign law enforcement seeking to reach personal data stored extraterritorially as part of their efforts to prevent and solve international crime and terrorism. These bills would modernize laws from last century by establishing the scope of extraterritorial reach of court-ordered data searches.
In the age of cloud computing, customers rely on service providers to store their data, and often that data is physically stored on a remote server located in another country. The last time Congress addressed the federal government’s ability to access private data was more than three decades ago in the 1986 Electronic Communications Privacy Act (ECPA). ECPA does not address cross-border data access.
Under current law, when responding to cross-border data requests by U.S. law enforcement, tech companies are left with no good options — they can either choose not to comply with the request and risk being held in contempt by the courts, or they can comply and risk subjecting themselves to criminal probes or enforcement actions abroad for disclosing customer information in violation of foreign law. Essentially, providers are caught between a rock and a hard place because the current law’s scope stops at the water’s edge.
By providing clear guidelines, the CLOUD Act takes several steps to avoid international conflicts of law and protect the privacy of citizens across the globe while prioritizing the fight against international crime and terrorism. Because it facilitates U.S. entry into bilateral agreements with other governments, the proposed legislation would encourage government-to-government cooperation.
The CLOUD Act updates the law to make it clear that U.S. warrants and similar legal processes issued for data held by service providers will likely reach data stored overseas. At the same time, the legislation would also give these providers rights to raise international comity concerns that would require a judge to determine if competing government interests weigh in favor of compelling the provider to turn over the requested data.
Disclosure is also a key component of the CLOUD Act, as the bills would permit providers to notify foreign governments when U.S. law enforcement searches data belonging to their citizens or residents or stored within their borders. These governments would then have an opportunity to engage in direct diplomatic discussions with the U.S. if they believe the request is objectionable.
In the face of an outdated legal framework and multiple failed attempts to update privacy laws, statutory silence has led to legal and marketplace uncertainty. In providing clarity and encouraging comity, the CLOUD Act is an important and overdue step forward in creating a comprehensive legislative framework for determining the extraterritorial reach of court-ordered data searches. Without such a framework, the reach will instead be determined by courts lacking the policy expertise, international perspective, and democratic mandate of Congress.
Only Congress can create the nuanced policy required to address the legal and diplomatic challenges of the digital age. We urge both the House and Senate to pass the CLOUD Act at the first possible opportunity. Members of the House and Senate should be encouraged to update American law to reflect today’s global cloud computing environment.
Committee for Justice
ACT | The App Association
Lisa B. Nelson
American Legislative Exchange Council Action
American Consumer Institute
Information Technology and Innovation Foundation
Director of Technology Policy
National Taxpayers Union
President and CEO
Small Business & Entrepreneurship Council
Taxpayers Protection Alliance
Cc: Chairman Grassley, Ranking Member Feinstein, Chairman Goodlatte, and Ranking Member Nadler