While you were reeling from the Facebook and Cambridge Analytica scandal, the U.S. government quietly passed a piece of legislation that has far bigger implications for your data.
The law is called the Clarifying Overseas Use of Data (CLOUD) Act. It's basically an update to the Electronic Communications Privacy Act (ECPA), a series of laws that regulate how U.S. law enforcement officials can access data stored overseas. Congress passed those laws in 1986, and both the U.S. government and major tech companies believe they are ill-equipped to handle today's electronic communications.
Up until last week, the U.S. could only access data stored overseas through mutual legal-assistance treaties (MLATs). With a MLAT, two or more nations put in writing exactly how they are willing to help each other with legal investigations. The Senate votes on each MLAT, and it must receive a two-thirds approval to pass.
The CLOUD Act gives the U.S. an alternative to MLATs.
Through the CLOUD Act, U.S. law enforcement officials at any level, from local police to federal agents, can force tech companies to turn over user data regardless of where the company stores the data.
The CLOUD Act also gives the executive branch the ability to enter into "executive agreements" with foreign nations, which could allow each nation to get its hands on user data stored in the other country, no matter the hosting nation's privacy laws. These agreements don't require congressional approval.
Politicians introduced the CLOUD Act to the Senate and House of Representatives on February 6. Instead of voting on it as its own legislation, however, they folded it into a $1.3 trillion catch-all bill necessary to keep the government open. Because the larger bill passed, so too do all the measures within it.
But guess what? Congress can’t vote to reject the CLOUD Act, because it just got stuck onto the Omnibus, with no prior legislative action or review. https://t.co/8b6W08goXm
— Senator Rand Paul (@RandPaul) March 22, 2018
In short, this should matter to you because the executive branch now has a lot more control over who can access your data.
Let’s say law enforcement officials in Canada want to get at your data. The Canadians can enter into an agreement with the U.S. President, the State Department, or the Attorney General granting Canada permission to directly contact Google, Facebook, or any other tech company to request access to data stored in the U.S. By skipping the step in which Canada sends every request through the U.S. government, both governments would the save time and money it would need to respond to MLAT requests.
The CLOUD Act could also keep American citizens safer. According to a 2013 report by the President's Review Group, MLAT requests take an average of 10 months to fill, and by then, the data they are requesting could prove obsolete. Through the CLOUD Act, law enforcement officials can now gain far quicker access to data stored overseas. That could help them prosecute criminals or even prevent crimes before they happen.
Of course, though, there's a trade off: your digital privacy protections. For now at least, legislators have determined that citizens' safety is more important than claims to digital privacy.
Then again, we've seen what can happen when security supplants privacy. And it doesn't ultimately leave citizens feeling safer.