Facing the threat of another government shutdown, legislators are racing to pass an omnibus bill that would fund the federal government for the rest of the fiscal year and tackle several of the important issues on Congress's plate, including immigration and gun safety. Among those issues is one borne of our increasing reliance on the cloud, in which our personal data – email, photos, and the like – is stored on servers around the world. Specifically, Congress is grappling with the law governing how law enforcement officials obtain our data when it is stored on a server in another country.
The best approach to this important privacy issue should be determined by the government officials we elect. But until now, Congress has failed to update the governing statute, the 1986 Stored Communications Act (SCA), which was enacted long before the cloud existed.
Now the Supreme Court has stepped into that void and is on the verge of doing Congress's job for it. The justices are set to decide U.S. v. Microsoft – Microsoft's legal challenge to a federal search warrant compelling it to turn over the contents of emails stored on its server in Ireland – no later than June.
If the justices are forced to take on the nuanced task of modernizing the SCA in the face of Congressional inaction, it will be unfortunate because courts lack the policy expertise, global perspective, and democratic mandate of Congress. Not to mention that the Constitution explicitly grants all legislative power to Congress.
With a High Court decision nonetheless looming, a bipartisan group of Senate and House members introduced the CLOUD (Clarifying Lawful Overseas Use of Data) Act last month with the aim of modernizing the SCA before the Court rules. Negotiators' decision this week to include the CLOUD Act in the omnibus bill now presents Congress with a golden opportunity to update America's antiquated privacy laws to reflect the new world of global cloud computing. If they succeed, the Microsoft case will be become moot or result in a narrow decision that has little impact.
Like all omnibus bills, this one has provoked the inevitable squawking about what was and wasn't included. While no one can deny that such catchall bills often contain add-ons that are neither important nor urgent and deserve further debate rather than expedited enactment, the CLOUD Act is precisely the opposite.
Our growing reliance on the cloud makes this Act undeniably important. Likewise, a badly outdated statute causing legal and industry uncertainty plus an imminent Supreme Court decision that could make the problem worse makes passage urgent. Finally, many years of discussion about how to update the statute and more than four years of litigation in U.S. v. Microsoft mean that further debate would add little.
Moreover, the current state of the law is unsustainable. Microsoft went to court because it and other technology companies often lack any viable options when responding to cross-border data requests by U.S. law enforcement. If a company complies, it may be subject to criminal or civil sanctions under the law of the country where the server is located. If it refuses to comply, it can be held in contempt by an American court.
The CLOUD Act would remove this catch-22 by creating a modern, comprehensive legal and political framework governing how law enforcement agencies in the U.S. and abroad can access data across borders as part of their efforts to prevent and solve crime and terrorism in the age of cloud computing. By facilitating bilateral agreements with other governments and creating mechanisms for resolving disagreements among nations, the Act would encourage the government-to-government cooperation and comity necessary to fight international crime.
Consumers would benefit as well. As the App Association notes, through "bilateral agreements with other countries, this legislation enables consumers to benefit from their home countries’ due process protections, wherever their data may be stored." In fact, "the CLOUD Act legislation includes an impressively long list of privacy protections [here and abroad]," according to Georgia Tech Professor Peter Swire, the former Chief Counselor for Privacy in the U.S. Office of Management and Budget, and American University Law Professor Jennifer Daskal.
No wonder the CLOUD Act is supported by both sides in the Microsoft case, as well as by the National Association of Attorneys General and a broad array of tech companies.
Passage of the CLOUD Act would make the Supreme Court happy as well. At oral argument in U.S. v. Microsoft last month, it was unclear how the Court will rule if Congress fails to act. However, most of the justices made it clear that the question before them was better left to Congress. Justice Sonia Sotomayor observed that they were being asked "to imagine what Congress would have done or intended in a totally different situation today."
Justice Ruth Bader Ginsburg noted that Congress "can write a statute that takes account of various interests," whereas "there's nothing nuanced about" what a court can do.
As Microsoft said in its brief to the Justices, only Congress possesses the "tools to rewrite the statute to strike a new, 21st-century balance between law-enforcement interests, our relations with foreign nations, the privacy of our citizens, and the competitiveness of our technology industry." With the inclusion of the CLOUD Act in the omnibus bill, Congress is on the verge of striking that very balance.