One positive outcome from the misuse of Facebook user data, which came to light during the recent Cambridge Analytica scandal, is that scores of consumers have been belatedly educated on the extent of personal data being collected with their total consent. However, a new law with wider-reaching consequences regarding consumer data was waved through in Congress late last week – without grabbing anywhere near as much media attention.
The Cloud Act (Clarifying Lawful Overseas Use of Data Act) has now been etched into law, the ramifications of which will be profound and global, granting government agencies outside the US access to unprecedented volumes of user data. Used correctly, the sharing of data is intended to improve communications between countries and create a safer internet – but, understandably, there is very little faith among industry bodies that consumer data will be protected from falling into the wrong hands.
According to the ACLU (American Civil Liberties Union), the Cloud Act will, among other things, “Eliminate protections that help to prevent US technology companies from providing information to foreign governments that facilitate serious human rights abuses.”
The Cloud Act has been passed on the premise of enhancing law enforcement, allowing the US government to monitor its own citizens more stringently, while granting foreign governments permission to access data from US technology firms. This suggests the Cloud Act may be beneficial to the video industry, if the government agencies involved intend to use the data for applications such as cracking down on content piracy.
Addressing piracy has not been mentioned as an aspect of the bill, but we see no reason why, for example, the Indian government couldn’t make use of the Cloud Act by tapping into data from a US company such as Microsoft, to identify and reprimand a content pirate operating an illegal service in India from within the US.
Microsoft is in fact one of the bill’s supporters, along with Apple, Google, Facebook and Verizon’s Oath, who wrote in a joint letter to four senators: “The Cloud Act encourages diplomatic dialog, but also gives the technology sector two distinct statutory rights to protect consumers and resolve conflicts of law if they do arise. The legislation provides mechanisms to notify foreign governments when a legal request implicates their residents, and to initiate a direct legal challenge when necessary. Our companies have long advocated for international agreements and global solutions to protect our customers and internet users around the world. We have always stressed that dialog and legislation – not litigation – is the best approach.”
Microsoft’s support for the Cloud Act is controversial, considering the tech giant is still tied up in a Supreme Court data privacy case with the Department of Justice (DoJ), regarding a warrant ordering Microsoft to hand over emails of a customer suspected of drug trafficking. The issue here is that the customer in question is based in Ireland, not the US, and Microsoft’s refusal to cooperate with the DoJ was supported by the Irish government. The Cloud Act will change this entirely.
Legal experts are in uproar because the Cloud Act was slipped through as a minor attachment to the back of a 2,300-page document, the $1.3 trillion government spending bill, which was never realistically going to be voted down. As a result, a bill of such importance to the future of technology and media was subject to no official review or debate.
Non-profit organization the Electronic Frontier Foundation, a strong opponent of the Cloud Act, provided the following useful example of how the Cloud Act could work: “London investigators want the private Slack messages of a Londoner they suspect of bank fraud. The London police could go directly to Slack, a US company, to request and collect those messages. The London police would not necessarily need prior judicial review for this request. The London police would not be required to notify US law enforcement about this request. The London police would not need a probable cause warrant for this collection. Predictably, in this request, the London police might also collect Slack messages written by US persons communicating with the Londoner suspected of bank fraud. Those messages could be read, stored, and potentially shared, all without the US person knowing about it. Those messages, if shared with US law enforcement, could be used to criminally charge the US person in a US court, even though a warrant was never issued.”