> Daskal and Swire argue that without the CLOUD Act, foreign governments with poor privacy standards will turn to data localization, which would pose greater human rights risks. But if the bill’s criteria are as strong as needed to protect privacy and human rights, those same foreign governments will not qualify for an international agreement—and so they may still push for data localization. The bill also does nothing to prevent a foreign government with an international agreement from data localization. If a technology company refused a government’s requests, the government could threaten to retaliate with localization and pressure the company to comply.

This is the critical part. The entire reason this is an issue is because foreign governments are sick of the US being a choke point for their internal law enforcement efforts. Because of this, they're pursuing things like data localization in order to short-circuit the path of data. It is in this environment that most folks are hoping that the US can exert *some* continuing influence to reduce harmful data from going to authoritarian governments. But this is a hell of a tricky dance. They have to be open enough and make the process easy enough to get a substantial number of governments to go along with the plan - once the ball really gets going on localization, it's a done deal, and the US will almost certainly lose its ability to control the situation.

This article does acknowledge several of the criteria for how the CLOUD Act would try to accomplish this balance. The authors don't think they are sufficient. Only a couple spots annoy me (where they pretend that they don't know how the practice of law works), but it's pretty reasonable to argue about where these lines should be. (...it's less reasonable to be all, "THIS VIOLATES THE FOURTH AMENDMENT!!!"...)