Omnibus Bill riders target SEC, implements cross-border data seizure law

Last week, with little fanfare or scrutiny, Congress passed, by a vote of 256-167, a $1.3 trillion federal spending package, known as “the Omnibus Spending Bill.” The 2,200-page bill, signed with little enthusiasm by President Trump, was needed to prevent a government shutdown.

As is almost always the case with massive spending bills, the devil is in the riders.

The Securities and Exchange Commission, for example, received $1.6 billion for fiscal 2018, perpetuating the trend of multi-year level funding. The cash, however, came with a catch.

The Commission was expressly prohibited from implementing any rulemaking requiring that public companies disclose political contributions and expenditures to lobbyists or trade associations. Past budget bills have included similar prohibitions intended to block the controversial rulemaking petition.

The Commodity Futures Trading Commission, less fortunately, had its budget reduced from a $281 million request to $248 million in the spending bill.

Also included in the legislative package was legislation previously advanced by the House Financial Services Committee.

H.R. 4267, the Small Business Credit Availability Act, authored by Rep. Steve Stivers (R-Ohio), will amend SEC regulation of business development companies (BDCs) for the first time since the 1980s to streamline the offering, filing, and registration processes to eliminate significant regulatory burdens and increase a BDCs’ ability to deploy capital to small- and middle-market companies.

The committee has marked up this bill for the last three congresses. Success finally came after it was reported by the committee this congress with significant bipartisan support, and a 58-2 vote.

The Small Business Access to Capital After a Natural Disaster Act, H.R. 4792, authored by Rep. Nydia Velazquez (D-N.Y.), is a bipartisan bill that amends the Securities Exchange Act of 1934 to have the SEC’s Advocate for Small Business Capital Formation identify “any unique challenges to small businesses in areas affected by hurricanes or other natural disasters when identifying problems that small businesses have with securing access to capital.”

The bill passed the committee with unanimous support, 57-0, and the House by voice.

 “Both of these bills are important, pro-growth, bipartisan pieces of legislation that will help our small businesses access the capital they need to expand and create jobs,” said House Financial Services Committee Chairman Jeb Hensarling.

The spending bill also advance a controversial bill intended to facilitate cross-border data investigations.

Titled the CLOUD Act (Clarifying Lawful Overseas Use of Data), the legislation is an effort to update the woefully outdated Stored Communications Act of 1986, a law that predated widespread use of e-mail and website browsing but nonetheless was cited in efforts to regulate both. The Cloud Act may also influence a Supreme Court decision in U.S. v. Microsoft is the justices prefer a Congressional remedy. The case, fundamentally, asks whether a domestic technology company can refuse a court-ordered U.S. search warrant when the sought-after data is stored on servers outside the U.S. The Supreme Court case centers on Microsoft’s refusal to turn over data stored in a data center in Ireland.

Rep. Doug Collins (R-Ga.), who introduced the CLOUD Act in the House in February, praised its inclusion in the new funding bill. He introduced the bill with a bipartisan group of lawmakers including lead cosponsor Rep. Hakeem Jeffries (D-N.Y.) and cosponsors Reps. Suzan DelBene (D-Wash.), Darrell Issa (R-Calif.), Tom Marino (R-Pa.) and John Rutherford (R-Fla.). Sens. Orrin Hatch (R-Utah) and Chris Coons (D-Del.) led the introduction of the CLOUD Act in the Senate.

The legislation, he says, “would better balance the interests of cloud users while incentivizing bilateral agreements for law enforcement to fight crime.”

The CLOUD Act enables the U.S. to enter into formal agreements with other nations to set clear standards for cross-border investigative requests for digital evidence. It further identifies a series of statutory requirements that these agreements must satisfy, including privacy and security protections.

The CLOUD Act also amends U.S. law to make clear that U.S. warrants and other legal process issued for data held by communications providers reach data stored anywhere in the world. The reach of U.S. warrants and legal process, however, would be limited by international comity. The CLOUD Act would give providers, for the first time, a statutory right to challenge legal process based on international comity concerns.

When a communications provider receives a request from U.S. law enforcement related to a national or resident of a country that has entered into a bilateral agreement with the U.S, the provider will be permitted to notify that government of the existence of the request. This will allow the foreign government to assess compliance with the terms of the bilateral agreement and enable it to intervene diplomatically if it believes the request is inappropriate.

The legislation would also require participating countries to remove legal restrictions that prevent compliance with data requests from U.S. law enforcement.

To qualify for the statutory benefits of the legislation (removal of the U.S. blocking statute, a right for providers to object based on international comity and a right for providers to notify the government of the existence of requests), a foreign government must provide reciprocal rights and benefits to U.S. law enforcement and communications providers.

“The CLOUD Act paves the way for the U.S. to forge bilateral agreements establishing frameworks for fighting crime and terrorism and for guarding information stored electronically. It’s encouraging to see both bodies of Congress and both sides of the aisle join the Justice Department and tech community in supporting a wise, balanced approach to information storage in the 21st century,” Collins said in a statement. "In a globalized world, we need clear rules governing access to data stored abroad."

“The CLOUD Act is landmark legislation that addresses an increasingly pressing problem,” Sen. Hatch said in a statement. “In today’s world of email and cloud computing, where data is stored across the globe, law enforcement and tech companies find themselves encumbered by conflicting data disclosure and privacy laws. We need a commonsense framework to help law enforcement obtain critical information to solve crimes while at the same time enabling email and cloud computing providers to comply with countries’ differing privacy regimes. The CLOUD Act creates such a framework and will also help set a precedent for our allies as they deal with this problem too.”

Some of the nation’s tech companies, despite various legal battles, are also applauding the Cloud Act’s inclusion in the Omnibus Spending Bill. A supportive letter to legislators was signed by Apple, Facebook, Google, Microsoft, and Oath

“The new CLOUD Act reflects a growing consensus in favor of protecting Internet users around the world and provides a logical solution for governing cross-border access to data,” the companies wrote. “Introduction of this bipartisan legislation is an important step toward enhancing and protecting individual privacy rights, reducing international conflicts of law and keeping us all safer.”

 If enacted, the CLOUD Act “would create a concrete path for the U.S. government to enter into modern bilateral agreements with other nations that better protect customers,” they added. “Importantly, the legislation would require baseline privacy, human rights and rule of law standards in order for a country to enter into an agreement. That will ensure customers and data holders are protected by their own laws and that those laws are meaningful. The legislation would further allow law enforcement to investigate cross-border crime and terrorism in a way that avoids international legal conflicts. 

 The CLOUD Act, they concluded, “encourages diplomatic dialogue, but also gives the technology sector two distinct statutory rights to protect consumers and resolve conflicts of law if they do arise.”  The legislation provides mechanisms to notify foreign governments when a legal request implicates their residents, and to initiate a direct legal challenge when necessary.

Opposing views? There are many of them.

“While the passage of the CLOUD Act will help the U.S. Department of Justice and foreign governments access evidence and communications content held outside of the U.S., it’s a shame that the bill does nothing to extend long-overdue privacy rights for the digital age to ordinary Americans,” says Center for Democracy & Technology Vice President for Policy Chris Calabrese. “This is a lost opportunity for what could have been a win-win-win, especially at a time when Congress should be looking for clear ways to protect the privacy of Americans’ data.”

CDT has also expressed concern that the orders foreign governments would be authorized to serve on U.S. providers could contain mandates for provider assistance that would undermine encryption. “The bill includes a partial fix: the agreements themselves cannot contain decryption mandates,” it says, “but it is not clear that a foreign government’s orders under the agreements cannot contain such mandates.”

The Electronic Freedom Foundation describes the legislation as “a new backdoor around the Fourth Amendment.”

“This backdoor is an insidious method for accessing our emails, our chat logs, our online videos and photos, and our private moments shared online between one another,” it wrote. “This backdoor would deny us meaningful judicial review and the privacy protections embedded in our Constitution…. U.S. police could obtain Americans’ data, and use it against them, without complying with the Fourth Amendment.”

With similar flourish, the American Civil Liberties Union describes the CLOUD Act as “a sinister piece of legislation.”

“The under-the-radar bill threatens the civil liberties and human rights of global activists and US citizens alike,” wrote Neema Singh Guliani, ACLU legislative counsel. “Despite its fluffy sounding name, the CLOUD Act is far from harmless. It threatens activists abroad, individuals here in the U.S., and would empower Attorney General Sessions in new disturbing ways.”