The Department of Justice announced yesterday that the United States and the United Kingdom have entered into the first of the international executive agreements authorized under the Clarifying Lawful Overseas Use of Data (CLOUD) Act, permitting faster and more direct sharing of stored electronic communications in many kinds of criminal and national security investigations.1 Within seven days of certifying an executive agreement, the Attorney General must submit the agreement to the Senate and House Judiciary Committees, the Senate Committee on Foreign Relations, and the House Committee on Foreign Affairs. The agreement will become effective 180 days later, unless Congress enacts a joint resolution of disapproval pursuant to procedures established in the CLOUD Act. Once it takes effect, the agreement will permit providers of electronic communication services to the public and providers of remote computing services in the United States to receive and respond to disclosure orders issued by the United Kingdom without having to go through the often cumbersome mutual legal assistance treaty (MLAT) process. The United States will ultimately have reciprocal rights to seek stored electronic communications from providers in the United Kingdom.
The Justice Department did not release the text of the agreement, but described it as “broadly lift[ing] restrictions for a broad class of investigations, not targeting residents of the other country, and assur[ing] providers that disclosures through the Agreement are compatible with data protection laws.” The Department’s statement asserts that the two countries “committed to obtain permission from the other before using data gained through the agreement in prosecutions relating to a Party’s essential interest—specifically, death penalty prosecutions by the United States and UK cases implicating freedom of speech.”
Once the agreement takes effect, a provider of electronic communication service to the public or remote computing service may move to quash or modify a warrant issued under the Stored Communications Act (SCA) if the provider reasonably believes: (1) that the customer or subscriber is not “a United States person” and does not reside in the United States; and (2) that the disclosure would “create a material risk that the provider would violate the laws of” the United Kingdom. CLOUD Act § 103(b) (codified at 18 U.S.C. § 2703(h)).
Background and Related Developments
Enacted in March 2018, the CLOUD Act amended the SCA to clarify that providers subject to legal process under the SCA must “preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.” CLOUD Act § 103(a) (codified at 18 U.S.C. § 2713). The CLOUD Act also authorized the Attorney General, with the concurrence of the Secretary of State, to enter into bilateral executive agreements providing for direct receipt by providers in each country of orders for data. In order to enter into such an agreement, the Attorney General must make a number of certifications, including that (i) the “qualifying foreign government” has privacy and civil liberties laws that are robust; (ii) it has “adopted appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning United States persons”; (iii) the terms of the agreement do “not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data”; and (iv) that the foreign government may not target U.S. persons, that orders issued by the foreign government must be related to a serious crime and must be in compliance with that country’s domestic law, and that the foreign government must take steps to preserve and secure the material collected.
The signing of the US-UK CLOUD Act agreement was made possible by the adoption earlier this year by the UK Parliament of the Crime (Overseas Production Orders) Act, which creates a framework in UK domestic law similar to that established in the United States by the SCA. Parts of that Act have taken effect, and other provisions will take effect once the UK Secretary of State issues implementing regulations.
The United States is also actively seeking to enter into a CLOUD Act Agreement with the European Union (EU), which authorized such negotiations earlier this year. The EU’s lawmaking bodies are at work on a Regulation that would facilitate cross-border sharing of electronic evidence within the EU pursuant to a system broadly similar to the SCA and CLOUD Act.
Once the US-UK CLOUD Act agreement takes effect:
- It should speed access to electronic evidence held in each country by law enforcement from the other.
- U.S. service providers will likely receive more requests from UK law enforcement authorities for stored electronic (and wire) communications, and those requests will now come straight from UK authorities. Providers may see some drop in requests from US authorities, which will now have a more efficient route to obtain records from UK providers, but any drop will be small compared to the likely increase in requests coming from the United Kingdom.
- US service providers will have a new basis on which to challenge requests from UK authorities, but the effectiveness of such challenges remains to be seen.
- The US-UK agreement will likely provide a model for other CLOUD Act agreements and will likely help speed the entering of additional agreements, perhaps next with the EU.