The CLOUD Act, passed in March 2018, creates the foundation for a new generation of international agreements and preserves the rights of cloud service providers such as Microsoft to protect privacy rights until such agreements are in place.
But Brad Smith, president and CLO at Microsoft, believes further action is needed to ensure that data remains protected.
“Like any foundation, the CLOUD Act will be of lasting importance only if we build strong structures on top of it,” said Smith in a recent blog post. “That is why the act is an important stepping stone and not the end of the journey. Like all the issues of the past four years, this will require important and even urgent action by many in both the public and private sectors.”
Before cloud computing, individuals stored their digital information on a computer at home and companies stored their information on server computers in their offices. This meant that if the government obtained a warrant to search someone’s information on a computer, officials had to enter the premises to access a device. Now information has moved to the cloud, governments can search digital information by serving warrants to a cloud service provider rather than to the individual who owns the information.
“The protection of common law comity rights is of even greater importance given the effective date next month of Europe’s General Data Protection Regulation (GDPR),” Smith added. “This indirectly but effectively puts the European Union (EU) in a position to help control its own destiny when it comes to the reach of US search warrants. The EU institutions can interpret the GDPR’s relevant provisions and thereby determine whether there is a conflict of laws in specific circumstances that would mandate a comity analysis. Especially as the EU does so, cloud service providers such as Microsoft can then use our common law rights to go to court to raise comity issues and protect European customers.”
Furthermore, the CLOUD Act has resulted in a number of changes to data privacy laws, including creating the authority for the US to establish international agreements that will enable law enforcement agencies to access data in other countries. It also protects privacy and other human rights by establishing that these international agreements can only be created with countries that protect privacy and other human rights.
The act allows strong norms to be created to govern surveillance requests. These incentivise governments to update their digital privacy laws to ensure that law enforcement requests are narrow, incorporate specific rule of law protections, and are subject to judicial review or oversight.
“Most importantly, the passage of the CLOUD Act is an important milestone in the journey to modernise the law, enable enforcement officials to do their jobs and protect people’s privacy rights across borders,” explained Smith. “It has strong and broad support. But it’s not the end of the road. There remains important and urgent work ahead of us.”