A measure signed into law Friday by President Donald Trump changes the rules for cross-border law enforcement requests to internet firms and could render moot a long-running court battle between the US government and Microsoft.
The CLOUD Act, inserted in a massive spending bill signed by the president, was designed to streamline the process for law enforcement seeking digital evidence, but it has been roundly criticized by civil liberties and digital rights activists.
US lawmakers drafted the bill in response to the court battle in which Microsoft refused to turn over the contents of an email account used by a suspected drug trafficker whose data is stored in a cloud computing center in Ireland.
The case was argued earlier this year in the Supreme Court, as government attorneys argued that a win for Microsoft could set up a scenario in which police might never be able to access digital evidence because of how it is scatted across the internet "cloud."
The legislation—Clarifying Lawful Overseas Use of Data—was backed by Microsoft and other major tech companies, which reasoned that it provides a clear legal framework for handing over data both to US authorities and to foreign governments.
Microsoft president Brad Smith said in a blog post this week the measure offers "a modern legal framework for how law enforcement agencies can access data across borders," while offering privacy protections.
By speeding up the law enforcement process with safeguards, tech firms hoped to stem a trend toward "data localization" in which some countries insist any digital information on their citizens be kept on local soil.
The new law enables the US Justice Department to establish agreements with other countries to speed up data requests, bypassing the existing lengthy diplomatic process, by certifying those countries enforce privacy and civil liberties.
Open to abuse?
But some activists said the new law could open the door to increased surveillance and erode protections for human rights activists, journalists and others.
With the new law in place, "US and foreign police will have new mechanisms to seize data across the globe," said David Ruiz of the Electronic Frontier Foundation.
"Your private emails, your online chats, your Facebook, Google, Flickr photos, your Snapchat videos, your private lives online, your moments shared digitally between only those you trust, will be open to foreign law enforcement without a warrant and with few restrictions on using and sharing your information."
Critics said the law lacks adequate safeguards against foreign governments' abuse of human rights standards.
It "fails to impose limits on foreign governments' real-time collection of communications that mirror those that would be required of the US government," said Robyn Greene of the New America Foundation.
"It also does not define what constitutes 'serious crimes' under the bill, and leaves interpretation of that inherently vague concept to the discretion of the foreign government."
Some analysts say the new law will enable the Supreme Court to sidestep a difficult choice—whether to give the US government broad authority to obtain data stored anywhere, or allowing cloud firms to keep data out of reach for law enforcement.
But law professor Jennifer Daskal of American University argues the CLOUD Act is positive for privacy and civil liberties.
"For the first time, the bill sets up a mechanism for the US government to review what foreign governments do with data once it is turned over," Daskal said in a blog post with Peter Swire of the Georgia Institute of Technology. "This is a privacy win."
The post said that "the status quo is not sustainable" because foreign governments have become frustrated by what they see "as an imperialist attempt to insist that foreign governments obtain a warrant issued by a US judge even for data needed in the investigation of local crimes."
Explore further: Reach of search warrant for emails at issue in appeals case (Update)