[Congressional Record Volume 164, Number 22 (Monday, February 5, 2018)]
[Senate]
[Pages S595-S596]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                              DATA PRIVACY

  Mr. HATCH. Mr. President, I would also like to take a couple of 
minutes to

[[Page S596]]

discuss a bill that I will be introducing with Senators Coons, Graham, 
and Whitehouse called the Clarify Lawful Overseas Use of Data Act, or 
the CLOUD Act. It is a tremendously important bill that will help to 
solve the problems that have arisen in recent years with cross-border 
law enforcement requests.
  The rise of email and cloud computing has put our data privacy laws 
on a collision course with the privacy laws of other countries. 
Information in emails or in the cloud can be stored on servers 
virtually anywhere in the world. This means that when law enforcement 
seeks access to such information, the information may be located in 
another country.
  This state of affairs causes problems both for law enforcement and 
for email and cloud computing providers. It causes problems for law 
enforcement because warrants traditionally stop at the water's edge and 
because laws in other countries may prohibit disclosure to foreign law 
enforcement, and it causes problems for email and cloud computing 
providers because they find themselves caught between orders by U.S. 
law enforcement to disclose data in other countries and laws in those 
other countries that may forbid such disclosure.
  The question of whether warrants issued to U.S.-based providers may 
require providers to disclose data stored in other countries is 
currently before the U.S. Supreme Court in the United States v. 
Microsoft case. Oral argument in the case will be heard later this 
month.
  No matter how the Court rules, however, problems will remain. Either 
law enforcement will lack the ability to obtain in a timely manner 
email and documents in the cloud that are stored overseas or providers 
will find themselves caught between conflicting domestic and foreign 
laws.
  The CLOUD Act creates a clear, workable framework to resolve these 
problems. The bill has four key components.
  First, it authorizes the United States to enter into bilateral data-
sharing agreements with qualifying countries under which the United 
States agrees to lift its bar on disclosure to law enforcement in a 
qualifying country if that country similarly agrees to lift any bar it 
has on disclosure to U.S. law enforcement. The CLOUD Act sets forth 
stringent requirements for such agreements in order to ensure privacy 
and data security. In particular, it provides that any requests by 
foreign law enforcement to U.S. providers under such an agreement 
cannot target or request information on U.S. persons.
  Second, the CLOUD Act clarifies that a warrant served on a U.S. 
provider may reach data stored overseas provided the data is within the 
provider's possession, custody, or control. This will enable U.S. law 
enforcement investigating crimes to obtain information stored overseas 
without having to resort to cumbersome diplomatic channels.
  Third, the CLOUD Act gives email and cloud computing providers the 
ability to challenge a warrant issued for data stored overseas if 
complying with the warrant would cause the provider to violate the laws 
of a foreign country. The court hearing such a challenge determines 
whether, in the interests of international comity, the warrant should 
be modified or quashed.
  Finally, the CLOUD Act authorizes providers to disclose to a foreign 
government the fact that the provider has received a warrant for 
information stored in that country, provided the foreign government has 
entered into a bilateral data-sharing agreement, as previously 
described. This will enable the foreign government to assess compliance 
with the terms of the agreement and intervene diplomatically if it 
believes the request is inappropriate.
  The CLOUD Act has broad support in both the tech community and among 
law enforcement. It bridges the divide that sometimes we see between 
these two groups.
  The bill is an outgrowth of my International Communications Privacy 
Act, or ICPA, coupled with the United States-United Kingdom bilateral 
agreement framework that many of my colleagues are familiar with. 
Indeed, the United States-United Kingdom bilateral agreement framework 
outlined in the CLOUD Act is intended as a model for future agreements 
between the United States and other countries that are committed to 
privacy, human rights, and international law enforcement cooperation.
  Expeditiously implementing similar agreements with the European Union 
and other allies is critical to protecting consumers around the world 
and facilitating legitimate law enforcement investigations.
  I am pleased to be introducing this very important landmark 
legislation with my friends from Delaware, South Carolina, and Rhode 
Island, and intend to push hard to see it enacted in the very near 
future.
  I yield the floor.

                          ____________________