I'm still pretty convinced the CLOUD act is a disaster but the Lawfare article makes some persuasive points:
* There already is foreign access to US data about non-citizens under the MLA process, which is slow but has very few safeguards or privacy controls, unlike this new proposed process.
* In the absence of sustainable process, there's good evidence that foreign governments are simply going to require data localization, which completely eliminates any safeguards and also potentially puts some US citizen data at risk.
* If DOJ wins at SCOTUS in the Microsoft Ireland case, the US government will get access to foreign-server data without any of the safeguards in the CLOUD act. If CLOUD passes, it moots the SCOTUS case.
But the idea that this DOJ, in this administration, could ink a deal with any country in the world --- on its own recognizance --- to give them access to data on US servers? If you can't imagine providing that access for this administration, you shouldn't imagine doing so for any future administration either.
MLAT is slower, but in combination with ECPA, requires a U.S. judge to sign off on an order to obtain data within the U.S., and other countries get the chance to run U.S. requests through their domestic judicial process too.
The CLOUD Act would bypass that to allow the entire request process to run through the executive of each country, removing judicial review.
What the CLOUD Act has is a set of promises, and no oversight. What we have right now is oversight, which is slow because it's insufficiently funded. You can speed up the MLAT process, an internationally agreed standard that protects local processes. You can't see inside the CLOUD Act to see whether its processes are working.
(To give an example of this: we still don't know the other half of the CLOUD Act, which is the UK/US draft agreement on data-sharing. A lot of the promises of privacy and security rely on what this says. Why can't Congress, Parliament, and the British and American public see this before making a decision to switch? Maybe we can see that proposal, and then wait to see what the SCOTUS actually decides in the Microsoft Ireland case, before throwing out the entire current system?
On the executive branch overreach portion it appears congress has some review authority. I am fine with the president being able to preform some actions, but I am always a fan of having their be public or at least congressional visibility and accountability.
And what of the Judicial branch? The bill is trying to ban it from reviewing executive branch actions. The actions of both the legislative and executive branches are subject to the highest law in the land. This bill represents a fundamental attempt to bypass the highest law in the land: The Constitution of the United States of America. The judicial branch enforces a check and balance against illegal acts by the other branches.
So why is this line in here:
“(c) Limitation on judicial review.—A determination or certification made by the Attorney General under subsection (b) shall not be subject to judicial or administrative review.
So why are they attempting to claim their assertions of compliance with the highest law in the land is not subject to judicial review?
That's not how the Constitution works. There's a history of statutes that restrict judicial review over rulemaking. Statutes can say that to clarify the intent of Congress in delegating authority to the executive. To the extent that it's reasonable for them to delegate without review --- where "reasonable" means "the courts agree --- SCOTUS has upheld them.
A law that actually foreclosed on a Constitutional power of an Article III court would simply be held unconstitutional.
This "controversy" strikes me as similar to the routine controversies of Presidential executive orders "making new laws", which, of course, they cannot in general do, but people think they can because it sounds like they can.
* There already is foreign access to US data about non-citizens under the MLA process, which is slow but has very few safeguards or privacy controls, unlike this new proposed process.
* In the absence of sustainable process, there's good evidence that foreign governments are simply going to require data localization, which completely eliminates any safeguards and also potentially puts some US citizen data at risk.
* If DOJ wins at SCOTUS in the Microsoft Ireland case, the US government will get access to foreign-server data without any of the safeguards in the CLOUD act. If CLOUD passes, it moots the SCOTUS case.
But the idea that this DOJ, in this administration, could ink a deal with any country in the world --- on its own recognizance --- to give them access to data on US servers? If you can't imagine providing that access for this administration, you shouldn't imagine doing so for any future administration either.