Supreme Court Punts on Data Privacy Case, Thanks to the Terrible CLOUD Act
Lawmakers passed a bill requiring American firms to comply with warrants for data stored overseas, ending a legal fight.
Thanks to a broad new law granting the feds access to American data stored in foreign countries, the Supreme Court just punted a case that was supposed to address the question.
In United States v. Microsoft, federal drug-trafficking investigators were trying to force Microsoft to comply with a warrant demanding access to a customer's emails and other private data. But the data they wanted were stored on a server in Ireland. Microsoft fought the warrant, arguing that the government's demands couldn't reach that far under the Stored Communications Act.
The Supreme Court agreed to take on the case last fall and heard arguments in February. But in March, legislation buried deep in the federal omnibus spending bill granted the feds access to data and communications from Americans being held on servers in foreign countries. So today the Supreme Court ruled that the case was moot and kicked it back down to the lower courts for dismissal.
That bill, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, did not get much attention outside of privacy and civil liberties quarters. (We covered it here at Reason.) The CLOUD Act not only gives the feds access to Americans' data being held overseas, but also allows other countries to demand access to their citizens' private data when it's stored here in America. The American Civil Liberties Union warned that poor and limited oversight of the cooperation system could have significant human rights consequences in countries with despotic leaders:
The bill would give the attorney general and the secretary of State the authority to enter into data exchange agreements with foreign governments without congressional approval. The country they enter into agreements with need not meet strict human rights standards—the bill only stipulates that the executive branch consider as a factor whether a government "demonstrates respect" for human rights and is similarly vague as to what practices would exclude a particular country from consideration. In addition, the bill requires that countries adopt procedures to protect Americans' information, but provides little specificity as to what these standards must include. Moreover, it would allow countries to wiretap on U.S. soil for the first time, including conversations that foreign targets may have with people in the U.S., without complying with Wiretap Act requirements.
But none of that was connected to the case the Supreme Court was considering. They were just examining the limits of what the feds could request. The CLOUD Act was passed specifically for the purpose of making it clear that the feds could demand American tech companies pass along data no matter where it was stored. So the case is indeed moot, even if the underlying concerns and fears are still very relevant.