Ahead of US v. Microsoft, CLOUD Act offers glimpse at proposed legal changes for data storage

Dive Brief:

In early February, Sen. Orrin Hatch, R-UT, introduced the Clarifying Lawful Overseas Use of Data (CLOUD) Act with the support of co-sponsors Sens. Christopher Coons, D-DE, Lindsey Graham, R-SC, and Sheldon Whitehouse, D-RI. The bill seeks to "help solve the problems that have arisen in recent years with cross-border law enforcement requests" relating to data stored in the cloud, according to Hatch.
The bill seeks bilateral data-sharing agreements with other countries for data disclosure to law enforcement, the extension of warrants served to ISPs to overseas data and the ability for ISPs to challenge such warrants if they violate laws of the country the data is hosted in. The legislation would also call for disclosure of warrants for data stored overseas to countries that have entered into bilateral agreements, according to Hatch's statement on the Senate floor.
On Thursday, Google's Senior VP of Technical Infrastructure Urs Hölzle offered support for the CLOUD Act because of the clarification it will offer to pending legal cases on data disclosure. Citing how distributed networks are a necessity for modern information sharing, Hölzle called for legislative solutions that do "not use data location as a way of determining whether a particular country can exercise jurisdiction over a service provider."

Dive Insight:

Technology professionals and data experts are not solely focusing on GDPR this year. On Tuesday, the Supreme Court will hear arguments for United States v. Microsoft Corp., a case that has steadily worked its way up the judicial totem pole for the last four years.

The case centers around whether Microsoft has to turn over electronic communications under a probable-cause-based warrant. The email in question was stored on a server in Ireland, prompting the company to dig in its heels turning it over. Had it been stored domestically, few dispute that Microsoft would have turned the email over.

The controversy has, for the most part, arisen from severely outdated statutory provisions on electronic records. The Stored Communications Act handles the free, willing or compelled disclosure of electronic communications by third parties, such as an ISP like Microsoft. But the law was enacted in 1986 — during a time when computers still took up an entire desk and "the cloud" was just a mass of condensation in the sky.

The narrative of outdated laws in need of congressional action may strike a familiar chord with the net neutrality versus internet freedom debate, in which both sides at least agreed the U.S. should have broadband legislation more modern than the Telecommunications Act of 1996.

In a case of camaraderie normally reserved for immigration topics or net neutrality regulations, tech companies — including the counsels for Google, Reddit, Amazon, Apple, Dropbox, eBay, Cisco, Facebook, HP Inc., Mozilla, Salesforce and SAP, among others — filed an amicus brief on Jan. 18 in support of Microsoft, calling for congressional action to resolve the fuzzy legal areas.

Regardless of outdated laws, the Microsoft case and CLOUD Act center around an increasingly prominent problem: Few businesses, let alone individuals, can operate in the modern world without digital platforms like the cloud.

But as U.S. enforcement seeks access to data stored abroad, and foreign enforcement seeks access to data held domestically, mounting pressure may just bring about a tipping point. The intersection of this necessity with Fourth Amendment protections may change following a Supreme Court decision or, in the long-term, with the examination of the CLOUD Act or similar legislation.