The CLOUD Act passed: what’s next


Published on April 12, 2018

The rules on how governments can request data from cloud service providers are long overdue for an upgrade. Most of these laws were passed decades ago, and they don’t reflect massive changes in the way people communicate, collaborate, and store information. At Dropbox, we continually advocate for updated laws that safeguard user privacy and keep up with innovation.

Reform is needed acutely in one area in particular: cross-border data requests from governments to cloud providers. The landscape here is a mess: conflicting laws, ambiguous precedent, competing standards, clunky process, and a general failure to put user privacy rights front and center. The US Congress recently attempted to tackle part of this sprawling problem by passing the CLOUD Act. While it’s an important first step, Congress missed an opportunity to include key user privacy protections in this law. At Dropbox, protecting our users’ data is core to what we do. So we’ll advocate for strong privacy protections as this Act is implemented in the years ahead.

Before the CLOUD Act, governments outside of the US needed to use a process called the Mutual Legal Assistance Treaty (MLAT) to request data from US cloud providers. MLATs are cumbersome and time-consuming, and governments rightly complained that the inevitable delays prevented them from solving crimes in their home countries. The CLOUD Act attempts to fix this by authorizing the US Department of Justice (DOJ) to enter into bilateral agreements that allow law enforcement agencies from qualified countries to request data from US cloud providers directly. To qualify, these countries must meet criteria spelled out in the Act, including demonstrating “protections for privacy and civil liberties.”

By creating a system that allows bilateral agreements between countries that share strong privacy values, the CLOUD Act has the potential to reduce tension between countries, protect users’ privacy, and help law enforcement agencies obtain the critical evidence they need to solve crimes. But Congress attached the CLOUD Act to a 2000-page, must-pass spending bill, with no hearings or debate and with limited opportunity for input from privacy, consumer, and other stakeholders. Key privacy protections fell by the wayside as a result.

Before authorizing the executive branch to enter into agreements with other governments, Congress should have taken this opportunity to bolster privacy protections in the United States by, among other things, passing a bill with overwhelming bipartisan support: the Email Privacy Act. This bill makes it absolutely clear that the government must obtain a probable cause warrant before it may seek communications content from online services. We’re not giving up this fight, and will continue to urge Congress to pass these important privacy protections.

With the CLOUD Act now law, we’re focused on advocating that the DOJ:

  • provide public notice of its intent to negotiate an agreement with a country and engage widely and openly with stakeholders during negotiations
  • treat the requirements of the CLOUD Act as a floor—and not a ceiling—for privacy protection and ensure, for example, that a court or other independent authority reviews the order before a foreign government requests any data from US providers
  • include a provision in each agreement that specifically permits transparency reporting by internet companies on the orders they receive under these agreements
  • make the text of completed agreements public so that stakeholders can fully engage in the 180-day congressional review process that follows 
  • consider how best to engage with the EU to protect privacy while addressing the transatlantic tensions underlying the CLOUD Act’s passage

We also call upon Congress to provide rigorous oversight of each bilateral agreement, including public hearings to ensure transparency.

Dropbox remains committed to protecting the privacy of our users, and we'll continue to follow our government access principles at all times. We also remain committed to being as transparent as possible about any data requests we receive, including any CLOUD Act requests from governments outside of the US. And we’ll continue to fight for stronger laws that protect user privacy online.

Ensuring that the CLOUD Act protects privacy while helping law enforcement agencies solve crimes will require intense effort from all stakeholders—and we’re up to the task.

Bart Volkmer
General Counsel