US and Australia enter into crime data sharing agreement under the CLOUD Act
On December 15, 2021, the United States and Australia signed an agreement facilitating access to electronic data under the Clarifying Lawful Overseas Use of Data (CLOUD) Act. The CLOUD Act was passed in the US Congress in 2018. It allows federal law enforcement to compel U.S.-based technology companies to provide requested data regardless of whether the data is stored domestically or internationally. It amends the Stored Communications Act (SCA) of 1986, which had been put in place to preserve privacy rights.
The SCA limited the ability of the government to compel an internet service provider (ISP) to turn over information. It also limited the ability of commercial ISPs to reveal content information to nongovernment entities.
In a time of growing privacy rights, the CLOUD Act seems to go against the grain: it amends the pro-privacy SCA to instead allow federal law enforcement to compel private entities to provide data. Surely, there must be an explanation.
First, let’s see what the justifications are for the CLOUD Act, then we’ll look at what steps it takes to mitigate this potential reduction in privacy. Congress made several findings that motivated the passage of the CLOUD Act.
They are:
- Timely access to electronic data held by communications-service providers is essential to efforts to protect public safety against crime and terrorism.
- When data is stored outside the United States, the government struggles to get the data, even if the provider is subject to the jurisdiction of the United States.
- Foreign governments also seek electronic data to combat crime.
- The communications-service providers themselves are subject to conflicting legal obligations when ordered to produce electronic data by a foreign government but prohibited from doing so by US law.
- Foreign law puts communications-service providers in the same bind when the United States government asks them to provide data.
- International agreements can provide a solution so that the governments get the data they need and the companies can comply without negative legal consequences.
So, the CLOUD Act is a more efficient way for governments to combat terrorism and crime and gain compliance from communications-service providers. But what about the people who were benefiting from laws such as the SCA, which restrict communications-service providers from sharing data with government and non-governmental actors?
The CLOUD Act does have some safeguards in place. The CLOUD Act allows for executive agreements between governments, but it has certain requirements that must be met before the US government can make an executive agreement under the CLOUD Act. First, the Attorney General, with the concurrence of the Secretary of State, must submit a written certification and explanation of how the agreement will satisfy each of four criteria.
The first criterion that needs to be satisfied is that the domestic law of the foreign government affords robust substantive protections for privacy and civil liberties in light of the data collection and activities of the foreign government. Secondly, the foreign government has adopted appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning United States persons. Thirdly, the agreement doesn’t create an obligation on providers to decrypt data or prevent them from decrypting data. Finally, the agreement limits how foreign governments can use the agreement, notably, not permitting them to intentionally target United States persons directly or indirectly.
So, there are safeguards in the process of screening foreign governments with which the United States government can enter into an agreement.
Individuals, too, can take important safeguards through the use of data subject rights. They can exercise the right of erasure/deletion. The CLOUD Act doesn’t prevent individuals from having their data deleted.
At Clarip, we help facilitate this kind of privacy protection. Our tools help companies to fulfill data subject requests, such as deletion, access, correction, portability, opt-out, restriction of processing, and limitation of disclosure and use. Our data subject request fulfillment is fully automated, end-to-end. We also provide automated data mapping, website scanning, and vendor and consent management. Visit us at www.clarip.com or call us at 1-888-252-5653 for more information.