Law in the Internet Society

View   r6  >  r5  ...
AnthonyMahmudFirstEssay 6 - 11 Nov 2019 - Main.AnthonyMahmud
Line: 1 to 1
 
META TOPICPARENT name="FirstEssay"

Cloudy With a Chance of Eyeballs: Consequences at the Seams of Cross-Border Data Sharing

Line: 14 to 14
 

Consequences of Jurisdictional Ambiguities

Changed:
<
<
CLOUD does not explicitly limit its application to tech companies incorporated in the United States. No doubt there is a high bar for having jurisdiction over a foreign corporation, but it does not seem farfetched that a major tech communication platform would have requisite systematic and persistent business contacts that would apply the regulation within specific jurisdiction. This then posits a seemingly perverse circumstance where a foreign corporation with exclusively foreign data storage is at the mercy of American SCA warrants. Such a wide radius of authority threatens to undermine legislative sovereignty, corporate autonomy and the general integrity of data privacy. It also appears to harbor irreconcilable contentions with the GDPR data control rights. GDPR’s ‘right to be forgotten’ and “right to be informed” “where personal data are transferred to a third country” appear incongruent with the record retention, and notice-free data grabs that CLOUD can authorize.
>
>
CLOUD does not explicitly limit its application to tech companies incorporated in the United States. No doubt there is a high bar for having jurisdiction over a foreign corporation, but it does not seem farfetched that a major tech communication platform would systematically target and transact business with the US market, thus "submit[ting] to the judicial power of an otherwise foreign sovereign to the extent that power is exercised in connection with the defendant's activities." J. McIntyre? Mach., Ltd. v. Nicastro, 564 U.S. 873, 881. This then posits a seemingly perverse circumstance where a foreign corporation with exclusively foreign data storage is at the mercy of American SCA warrants. Such a wide radius of authority threatens to undermine legislative sovereignty, corporate autonomy and the general integrity of data privacy. It also appears to harbor irreconcilable contentions with the GDPR data control rights. GDPR’s ‘right to be forgotten’ and “right to be informed” “where personal data are transferred to a third country” appear incongruent with the record retention, and notice-free data grabs that CLOUD can authorize.
 

Capacity of Safeguards for Consequences of Judicial Ambiguities

Changed:
<
<
To some extent, CLOUD’s drafters account for this issue. Enumerated are conditions under which a data host can motion to quash a disclosure request: the service provider must reasonably believe that the individual whose data is sought is not an “American Person” and does not reside in the US, AND that “the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government.” Through the most optimistic lens, the latter parameter appears to shield service providers from falling between Scylla and Charybdis. However, the judicial procedures for evaluating such motions, and requirement of both conditions dilutes its protective potency.
>
>
To some extent, CLOUD’s drafters account for this issue. Enumerated are conditions under which a data host can motion to quash a disclosure request: the service provider must reasonably believe that the individual whose data is sought is not an “American Person” and does not reside in the US, AND that “the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government.” Through the most optimistic lens, the latter parameter appears to shield service providers from falling between Scylla and Charybdis. However, the judicial procedures for evaluating such motions, and requirement of meeting both conditions, dilutes its protective potency.
 

Bilateral Data Access Agreements

Line: 28 to 28
 

Source of Purported Necessity

Changed:
<
<
Before CLOUD’s enactment, foreign governments could seek access to US-held data either through letters rogatory, (a judicial instrument,) or far more commonly, Mutual Legal Assistance Treaties (MLATs) MLATs are binding, area-specific, legislatively developed agreements for information sharing, the legality of which are held in check by judicial review. Though already capable of facilitating the kinds of exchanges that CLOUD seeks to enable, MLATs draw ire from law enforcement and intelligence bodies whose urgent concerns lack the temporal pliancy to be bottlenecked by reviews that can stretch from months to years. Understandably, these actors bolster their capacity to act when their access to critical data nears instantaneous.
>
>
Before CLOUD’s enactment, foreign governments could seek access to US-held data either through letters rogatory, (a judicial instrument,) or far more commonly, Mutual Legal Assistance Treaties (MLATs.) MLATs are binding, area-specific, legislatively developed agreements for information sharing, the legality of which are held in check by judicial review. Though already capable of facilitating the kinds of exchanges that CLOUD seeks to enable, MLATs draw ire from law enforcement and intelligence bodies whose urgent concerns lack the temporal pliancy to be bottlenecked by reviews that can stretch from months to years. Understandably, these actors bolster their capacity to act when their access to critical data nears instantaneous.
 

Erosion and Inequities of Regulatory Autonomy

Changed:
<
<
CLOUD pushes the channel in that direction by delegating MLATesque authority to the executive. The bill allows the president, with consent from two of her appointed offices, to create bilateral political agreements with other heads of state, thus recognizing their government as statutorily “qualified.” The gravity of this designation is apparent in light of where CLOUD places it in the amendment to SCA. 2702 imparts that communication content disclosure is prohibited, but carves out exceptions for (among other things) US law enforcement agencies in emergency situations or where the contents “appear to pertain to the commission of a crime,” and “qualified foreign governments.” Thus, while the access of domestic bodies is qualified circumstantially and subject to disclosure and annual review, foreign governments face no such explicit restrictions. They can obtain US-housed communication data with notice given to neither the individual who created the data nor the US government at all.
>
>
CLOUD pushes the channel in that direction by delegating MLATesque authority to the executive. The bill allows the president, with consent from two of her appointed offices, to create bilateral political agreements with other heads of state, thus recognizing their government as statutorily “qualified.” The gravity of this designation is apparent in light of where CLOUD places it in the amendment to SCA. SCA 2702 imparts that communication content disclosure is prohibited, but carves out exceptions for (among other things) US law enforcement agencies in emergency situations or where the contents “appear to pertain to the commission of a crime,” and “qualified foreign governments.” Thus, while the access of domestic bodies is qualified circumstantially and subject to disclosure and annual review, foreign governments face no such explicit restrictions. They can obtain US-housed communication data with notice given to neither the individual who created the data nor the US government at all.
 

Implications and Constitutionality

Changed:
<
<
This creation threatens even greater implication when viewed beside existing ambiguities of jurisdictional reach. The scope of access privileges that CLOUD provides foreign governments is not given any distinction. Hence, one could construe the foreign government’s (directly) unregulated access to “US” data to include the data stored in other countries by United States companies, or even entirely extraterrestrial companies that avail themselves to US personal jurisdiction through systematic business relations.
>
>
This creation threatens even greater implication when viewed beside existing ambiguities of jurisdictional reach. The scope of access privileges that CLOUD provides foreign governments is not given any distinction. Hence, one could construe the foreign government’s (directly) unregulated access to “US” data to include the data stored in other countries by United States companies, or even entirely extraterrestrial companies that avail themselves to federal law through business-derived specific jurisdiction.
 Yes, companies can move to quash, or not comply, but often they have every incentive to appease the government of their customer base. Yes, executive agreements require vetting of foreign law, are subject to potential judicial challenge and face renewal burdens every five years, but those measures do not prevent foreign nations from being their own jury and not telling anyone about it once they qualify. Functionally, this potentially grants unmetered access to private communications data controlled by foreign bodies of law.

Revision 6r6 - 11 Nov 2019 - 18:31:08 - AnthonyMahmud
Revision 5r5 - 31 Oct 2019 - 21:34:35 - AnthonyMahmud
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM