President signs overseas data access bill into law

The bill was backed by a bunch of tech titans, including Apple and Google.

The House of Representatives has approved a piece of legislation (PDF) that makes it easier for law enforcement to get access to info even if it's stored in other countries. Officially known as Clarifying Lawful Overseas Use of Data Act, the set of regulations was part of the 2,000-page Omnibus Spending Bill the president has just signed. CLOUD was created to replace the current rules for cross-border access to data, which require requests for info to be ratified by the Senate and vetted by the DOJ. The new rules give the DOJ the power to obtain data US-based tech companies stored overseas, such as the Outlook emails Microsoft stores in Ireland. It also allows the agency to forge agreements with foreign governments seeking data from US tech corporations even without approval from Congress or the courts.

Apple, Google, Microsoft, Facebook and Oath (Engadget's parent company) believe CLOUD Act is better than its predecessor, though, and have sent a letter (PDF) to the Senate in support of the bill. They said that it "would create a concrete path for the US government to enter into modern bilateral agreements with other nations that better protect customers."

More importantly, "the legislation would require baseline privacy, human rights and rule of law standards in order for a country to enter into an agreement." They said CLOUD's rules would ensure that data holders are protected by their own laws and would enable authorities to investigate cross-border crime and terrorism without igniting international legal conflicts.

Privacy advocates are unsurprisingly unhappy with the changes the CLOUD Act brings. The Electronic Frontier Foundation has listed the reasons why it thinks the new set of regulations is "a dangerous expansion of police snooping on cross-border data." It said the bill is nearly identical to the US-UK Agreement for stored data and that lawmakers failed to address privacy advocates' issues with it.

According to the EFF, the new set of rules includes a weak standard for review, grants real-time access to foreign law enforcement and doesn't place adequate limits on the severity of the crime it can apply to. Further, the privacy rules protecting data belonging to US citizens and lawful permanent residents don't apply to temporary visa holders and residents without documentation.

US tech companies can refuse to hand over data under the new regulations and can ask foreign countries seeking access to information to adhere to the older set of rules. They can do that, say, if they believe those nations want to use the info they have to crack down on journalists and opposing politicians. As ACLU legislative counsel Neema Singh Guliani said, though, that means the "public is going to be largely reliant on those companies."