The CLOUD Act and Google: How it affects your data

Google Campus Logo
Google Campus Logo (Image credit: Android Central)

The CLOUD Act.pdf) — Clarifying Lawful Overseas Use of Data — is a set of regulations handling how data stored in one country can be accessed by an entity in a different country. It was signed into law on March 23, 2018 as part of the Omnibus Spending Bill.

It's been praised by technology companies and a joint letter from Apple, Facebook, Google, Microsoft, and Oath (Yahoo!) lending support to the bill was published on February 6, 2018. it states, in part:

The new Clarifying Lawful Overseas Use of Data (CLOUD) Act reflects a growing consensus in favor of protecting Internet users around the world and provides a logical solution for governing cross-border access to data. Introduction of this bipartisan legislation is an important step toward enhancing and protecting individual privacy rights, reducing international conflicts of law and keeping us all safer.

But privacy and civil rights organizations have a different opinion of the legislation. The ACLU had this to say:

The CLOUD Act represents a major change in the law — and a major threat to our freedoms. Congress should not try to sneak it by the American people by hiding it inside of a giant spending bill. There has not been even one minute devoted to considering amendments to this proposal. Congress should robustly debate this bill and take steps to fix its many flaws, instead of trying to pull a fast one on the American people.

The Electronic Frontier Foundation has a list of objections as well:

  • Includes a weak standard for review that does not rise to the protections of the warrant requirement under the 4th Amendment.
  • Fails to require foreign law enforcement to seek individualized and prior judicial review.
  • Grants real-time access and interception to foreign law enforcement without requiring the heightened warrant standards that U.S. police have to adhere to under the Wiretap Act.
  • Fails to place adequate limits on the category and severity of crimes for this type of agreement.
  • Fails to require notice on any level – to the person targeted, to the country where the person resides, and to the country where the data is stored. (Under a separate provision regarding U.S. law enforcement extraterritorial orders, the bill allows companies to give notice to the foreign countries where data is stored, but there is no parallel provision for company-to-country notice when foreign police seek data stored in the United States.)
  • The CLOUD Act also creates an unfair two-tier system. Foreign nations operating under executive agreements are subject to minimization and sharing rules when handling data belonging to U.S. citizens, lawful permanent residents, and corporations. But these privacy rules do not extend to someone born in another country and living in the United States on a temporary visa or without documentation.

The two sides seem to take the language in the CLOUD Act very differently. That's to be expected with almost any legal document, and most bills introduced to Congress are written in the same type of language. It purposefully leaves things open to the interpretation of the reader, and in the case of laws, the enforcing body. We all will have our own opinion on the bill, and that's a healthy discussion to have. But it's important to know what this means for your data stored on Google's servers.

Why would Google support this?

It's important to remember that organizations like the ACLU and EFF exist to examine the worst-case scenario surrounding any rules or laws that govern our personal data. They help create a balance so that courts and legislators can make informed rulings and seeing their objection to the CLOUD Act isn't a surprise because it makes some major changes to the existing laws. It's very difficult for a foreign government to gain access to data saved on a U.S. server and for the U.S. government to obtain data stored on a foreign server because the laws vary from country to country.

An example of this in action is currently happening, as the U.S. Supreme Court is deciding if Microsoft needs to turn over data stored on an Irish server that the Department of Justice wants as evidence in a case that dates back to 2013.

Companies like Google would rather see a single set of rules adopted by the U.S. and many other countries that they do business in that might prevent this sort of costly hearings and procedures. They feel the language in the CLOUD Act serves to provide access to our data when a genuine need arises but also protects our privacy against requests that don't show a legitimate need.

A set of universal laws that protect our privacy is a great idea as long as the laws are sound and enforced.

Civil rights organizations would also like to see a single set of rules adopted around the world, but do not think the CLOUD Act sufficiently protects our information from foreign governments. They take issue with how it changes the judicial review process and the ways it may circumvent the 4th Amendment to the U.S. Constitution, as well as how the bill was introduced and packaged into a larger spending bill which won't have the scrutiny and publicity a change like this deserves before it's written as law.

Taken at face value, both sides here seem to be correct. That's because both sides are fulfilling their intended purposes. Google's legal team and privacy experts want a simple set of rules that apply in every country it operates in and thinks that circumventing a court hearing or obtaining multiple individual warrants can be done in a way that still protects it's users personal data under the CLOUD act. The ACLU and EFF are against anything that circumvents a judicial process for each individual request and they feel that the current system provides better privacy standards. It's important for lawmakers to hear both arguments.

What does this mean for me and my data?

There is no language in the CLOUD act that changes the way Google stores your data or the data it can collect. Nothing there strips away the protections of encryption nor does it prevent you from deleting your data from Google's servers at any time. The only thing the CLOUD act affects is how your data stored on a server in your country, can be shared with another nation's government. But that is something we all should be concerned about, too, so let's look at some specifics.

Are my civil liberties being protected?

The CLOUD act requires the Secretary of State and the Attorney General of the United States to certify that any country entering into the CLOUD ACT "affords robust substantive and procedural protections for privacy and civil liberties." Some specifics are mentioned in the bill to protect our rights as Americans. They include:

  • Protection from arbitrary and unlawful interference with privacy
  • Fair trial rights
  • Freedom of expression, association, and peaceful assembly
  • Prohibitions on arbitrary arrest and detention
  • Prohibitions against torture and cruel, inhuman, or degrading treatment or punishment.

This means any country that participates in the CLOUD act can't trample the basic civil rights afforded to us as citizens of the U.S. — and that rights of citizens in other countries can't be trampled by the U.S. government. Protections against a foreign government requiring Google to place a backdoor into Android or Chrome are also in place under the CLOUD act and that Google can't be asked by any government to perform surveillance on us while we use their products.

Does the CLOUD act give the executive branch complete control over our data rights?

No. While it does allow the State Department and Attorney General's office to make agreements with foreign nations there is some Congressional oversight built in. Congress will have the power to:

  • Review new bilateral agreements for up to 180 days.
  • Review changes to existing agreements for up to 90 days.
  • Require written certification and explanation for how countries pass certification.
  • Fast-track disapproval of bilateral agreements.

It also states that a surveillance order issued by any member country be individually based and "subject to review or oversight by a court, judge, magistrate, or other independent authority," and that this review must be "prior to, or in proceedings regarding, enforcement of the order."

It would be better to have these protections in place as part of the way agreements between participating countries are made, but they are there, and in language that's surely enforceable should a country be found to be overstepping its bounds.

Does the CLOUD act make it easier for foreign nations to access my U.S.-based data?

Yes. The CLOUD act removes many of the obstacles currently in place when another country wants your data stored on a Google server inside the United States. This is where civil rights organizations and Google disagree on the merits of the law.

Because of how any data requests must go through the court system, then be subject to appeal or approval from a higher court, countries are forming their own laws that try and force companies like Google to hand over data without any court involvement if the company wants to do business there out of frustration with the process. The U.S. also tries to claim that U.S. law requires a U.S. company to hand over data even when it's hosted outside the country like we're seeing in the Microsoft case presented to the Supreme Court.

Some countries provide civil liberties that are equal or better than what the Constitution offers, but others do not.

The CLOUD act is designed to stop these laws from being enacted and enforced by building a process all countries can agree on and adhere to when it comes to requests for our private data. This is where Apple, Google, Microsoft and other tech companies see the benefit of it. They will know what the laws are and how to follow them in all the countries that participate instead of being subject to individual laws or fighting them in courts.

Civil rights organizations take issue that the CLOUD act can force data hosted inside the U.S. to be handed to another nation without being subject to our existing privacy laws. Some countries provide civil liberties that are equal or better than what the Constitution offers, but others do not. They feel that your data hosted in the U.S. should be protected by your rights as a U.S. citizen and not subject to laws and rights another country observes no matter what the review or admittance process entails.

Does the CLOUD act give foreign countries more power to surveil U.S. citizens and target their data for collection?

No, and yes. Broader power is granted for intelligence gathering but there are restrictions and rules in place that cover any wiretapping or surveillance.

  • Foreign governments are "explicitly forbidden from surveilling a U.S. person directly or indirectly".
  • Surveillance orders must be of a fixed and of limited duration.
  • Surveillance can only happen when it has been shown to be "reasonably necessary" and there is no other way to get the information.

When collecting data for approved cases, there are rules in place that aim to protect our individual rights:

  • Direct targeting of a U.S. citizen's data by non-U.S. governments is prohibited.
  • Asking a CLOUD Act certified country to target a U.S. persons' data is prohibited.
  • The targeting a non-U.S. persons' data for the purpose of collecting a U.S. persons' data is prohibited. (A country can't target me to see the conversations you and I have in Facebook Messenger, for example.)
  • The "dissemination of a U.S. persons' data" is prohibited unless there is evidence of a serious crime presented.

There is a lot of room for legal maneuvering in these regulations, which leads us to the biggest question — how will this be enforced? Who will be there to make sure France (for example) follows the laws and regulations about collecting my data inside the U.S.? That's worrisome. Even more so when you replace France with Afghanistan, or if you live in Europe and replace France with the United States. Current laws are in place to protect our data and we've grown accustomed to having them. the CLOUD act would replace many of those protections.

Do I need to worry, and should I delete all of my data and go dark?

I'm not a legal expert so I can't form an opinion on the legality of the CLOUD act. That's what we elect officials to do. But I can express a few thoughts on it all. I'm of the opinion that my data stored in the U.S. is protected under the laws of the U.S. and secured with my rights as a U.S. citizen regardless of what France (or Afghanistan) thinks of those protections.

Guaranteed liberties like the 4th amendment (the protection against unreasonable search and seizure defined as an individual right of every U.S. citizen) or its equivalent in other countries should always apply and supersede any type of unilateral act between governments. Every instance where my privacy is to be breached is deserving of its own review in the U.S. courts, especially if I'm not proven guilty of any serious crimes.

My data is deserving of a review process every time a person or nation requests access. So is yours.

But I also see the value that Google sees in the CLOUD act. A legitimate set of rules that apply across the board for all member nations could be a great thing; not only to save money and time in courts but so that I know in advance how my data is protected both inside and outside of the U.S.

We should be able to trust our elected officials to make the right choices, and if you do then there isn't much to be concerned about here. It seems that Google trusts the "right" way to guarantee our privacy will be put in place, as does Apple and Microsoft. These three companies may have a very different set of offerings to present to us, but one thing they all have in common is the willingness to fight to protect our data. That's a good reason to assume the sky isn't falling.

The ACLU and EFF, as well as other privacy and civil rights groups, have also done a great job of making sure we know when our rights may be subject to abuse. We should pay attention to their warnings even if we think they are reaching the worst conclusion. This is a good reason to be against the CLOUD act in any form.

Right now, all we can do is watch the process in action and hope everyone involved is thinking about our individual rights when they make their decision. Once that decision is reached, we can decide how to react. What's most important is that we know and understand when the laws surrounding our personal data are going to be changed, and what the consequences may be.

Have you listened to this week's Android Central Podcast?

Android Central

Every week, the Android Central Podcast brings you the latest tech news, analysis and hot takes, with familiar co-hosts and special guests.

  • Subscribe in Pocket Casts: Audio
  • Subscribe in Spotify: Audio
  • Subscribe in iTunes: Audio
Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.