On October 3, 2019, the United States and the United Kingdom signed the first ever Clarifying Overseas Use of Data (CLOUD) Act executive agreement, which allows cross-border sharing of electronic data with law enforcement agencies regarding serious crimes. The goal of the agreement was prompted by the countries’ interest in combating crime – including terrorism, transnational organized crime, and child exploitation – as well as increasing the speed with which access to electronic data is made available.
Congress first passed the CLOUD Act in March 2018, which amended the Stored Communications Act to clarify that providers subject to the SCA must “preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.” (codified at 18 U.S.C. § 2713).
The CLOUD Act also authorized the United States to enter into bilateral executive agreements with foreign governments that meet a list of privacy and human rights requirements. It further required that these foreign governments may not target US persons.
Under this provision, the US and the UK issued this agreement on terms that lift restrictions for a broad class of serious criminal investigations. The agreement also promised to assure providers that disclosures of data under the agreement are compatible with data protection laws. The definition of “serious crime” is now defined broadly under Article 1 to include crimes with a maximum punishment of three or more years’ incarceration, which excludes misdemeanors but incorporates a wide range of felonies to which data transfer could apply.
Both countries hope that this agreement will speed up investigations drastically by removing legal barriers to the collection of electronic evidence. It allows law enforcement agencies to receive electronic data from tech companies directly (with the appropriate court authorization of their home country) rather than going through a multiple-year long government process. Specifically, the US DOJ claims that it will accelerate dozens of investigations of suspected terrorists and pedophiles, who may have been convicted of crimes in the UK.
The new agreement contains several privacy safeguards that go further than the text of the CLOUD Act. For instance, Article 5 of the US-UK executive agreement specifies that the cross-border transfers are still subject to oversight by a designed authority (in the US, the governmental entity is designated by the Attorney General). Data providers who are issued an order have the opportunity to object and resolve the issue with their country’s designated authority, which has the ultimate veto power to block implementation of the order. This provision creates an important form of quality control for both providers and consumers.
Under Article 12, which imposes key transparency requirements, each country is also required to issue an annual report with data concerning the use of the agreement. Privacy is further safeguarded under Article 7, which mandates, consistent with the requirements of the CLOUD Act, that any changes to the targeting and minimization procedures for data collection must be approved by the other party before implementation.
There are concerns that the CLOUD Act would allow the US or the UK to require a covered provider to wiretap a user located in a third country, without the approval of that nation. While there is still some debate around the interaction of the CLOUD Act and the Wiretap Act under ECPA, Article 5 does at least explicitly require that when an order is issued for data related to an individual who is located outside the territory of the issuing party, the designed authority must notify the appropriate authorities in that third country where the data subject is located.
However, there is still a risk that notice doesn’t actually fix the problem and instead only lets the third country know, before collection, that electronic surveillance is happening within its borders. Furthermore, it is not yet clear how and when any objections to surveillance could be lodged. Providers should also be cautious if notice to a third country is withheld by US or UK court authorization, remedies for a third country against a provider are not covered by immunity provisions under the CLOUD Act and could subject the provider to criminal liability for electronic surveillance.
October 30, 2019