US bill would allow cross-border data access demands

US Democrat and Republican senators have proposed legislation that would formalise lawful US government access to data stored overseas for criminal investigations.

The bill, dubbed the Clarifying Lawful Overseas Use of Data (CLOUD) Act, would authorise the US government to issue warrants compelling US-based providers such as Microsoft and Google to disclose user content stored outside the US.

It would also allow the US Justice department to authorise foreign governments to serve US providers directly with requests for user data.

However, the foreign government would have to meet certain human rights and legal obligations to be able to access the content; for example the production of the data cannot conflict with US law.

The CLOUD Act could provide a way to resolve a long-running legal tussle between Microsoft and the US government; the IT giant has fought to prevent access to emails stored on its servers in Ireland from a warrant based on domestic US law.

The demands that the US government should access data stored on servers in other jurisdictions is viewed as problematic by Ireland and other countries such as New Zealand.

Privacy commissioners in both Ireland and New Zealand have come out against US government access to offshore data without going through a multilateral treaty, as they say this would violate country sovereignty and potentially local laws.

Washington-based privacy and digital rights lobby group the Centre for Democracy and Technology argued the proposed law doesn't go far enough to protect internet users.

"The [US] Electronic Communications Privacy Act balances the interests of consumers, providers, and the government. The CLOUD Act throws that balance off-kilter by accommodating providers and the government but leaving consumers behind," CDT vice president for policy Chris Calabrese said in a statement.

CDT said the proposed law would erode trust in cloud storage privacy and should include a requirement for warrants for content, as is included in the US Email Privacy Act.