The CLOUD Act was previously floating around Congress earlier this year. While facially innocuous, it has some very worrisome implications.
The law allows any country with which the US has an executive agreement to request that data held on US soil about non-residents be turned over to that government. No judicial process needed. First, this of course poses a danger to dissidents abroad who may be using U.S.-based services (Google?) for communications.
But more directly for Americans, there's another ugly tidbit. The law acknowledges that data belonging to Americans may inadvertently (with varying degrees of scare quotes) be pulled with whatever data is actually targeted. The foreign government is then free to turn that data over to the U.S. if it "relates to significant harm, or the threat thereof, to the United States or United States persons."
At least there's a standard, right? But the problem is that there's no one to enforce it, as the bill specifically precludes court review. As the EFF explains:
That's just for content; for metadata, they don't even have to show harm.
This was originally proposed as a separate thing, but it has now been added onto the omnibus spending bill that's under consideration this week. See page 2,201 of the PDF.
If I didn't already have a reason to ditch GMail, I sure do now.