The Clarifying Lawful Overseas Use of Data Act, commonly referred to as the “CLOUD Act,” a last-minute addition to the $1.3 trillion federal spending bill, has been signed into law by President Donald Trump. The Act allots the United States government more access to Americans’ overseas data for law enforcement purposes and helps foreign governments access domestic data from their own citizens.
The Act was added to the 2,232-page omnibus spending bill one day ahead of its vote. The bill passed 256-167 in the House, and 65-23 in the Senate.
The law is essentially an update to the Electronic Communications Privacy Act, a series of laws that regulate how U.S. law enforcement officials can access data stored overseas. Congress passed the ECPA in 1986 which, due to obvious advances in technology over the past 30 years, is ill-equipped to handle today’s variety of electronic communications and related data.
Prior to the CLOUD Act, the United States could only access data stored overseas through mutual legal-assistance treaties (“MLATs”). With a MLAT, two or more nations are required to put in writing how they are willing to accommodate each other with legal investigations. Each proposed MLAT must receive a two-thirds approval from the Senate to pass.
Through the Act, law enforcement officials at any level, including local police, can require companies to turn over user data regardless of where the data is stored.
The Act also gives the executive branch the ability to enter into “executive agreements” with foreign nations. These agreements, which do not require congressional approval, could allow each nation to acquire stored personal data from other nations, regardless of the hosting nation’s privacy laws.
Through the CLOUD Act, electronic data stored overseas is now far more accessible to law enforcement officials. According to a 2013 report by the President’s Review Group, the average MLAT request took an average of ten months to fill. Under the new regime, this turnaround time undoubtedly will be shorter.