Untapping the Full Potential of CLOUD Act Agreements

Available Downloads

In 2018, Congress passed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), a law that established a process pursuant to which U.S. tech companies are permitted to disclose user data directly to certain foreign governments in response to their requests to assist investigations into serious matters and which allows companies in other jurisdictions to do the same in response to U.S. requests.[1] The law requires that there be an executive agreement between the United States and the foreign government before doing so, and there are standards the foreign government must meet to qualify for such an agreement.

The CLOUD Act is still in its early stages of being implemented. Since the legislation was enacted into law in 2018, two agreements have been concluded: one with the United Kingdom and another with Australia. This is certainly progress, but these are relatively easy deals to strike. The really hard work lies ahead, with the European Union in the queue and others in the wings.

CLOUD Act agreements remain a vital and promising tool. Deployed with proper calibration, these government-to-government agreements have the potential to play a valuable role for many agencies worldwide in conducting legitimate investigations while protecting human rights, the rule of law, and the global free flow of information. Used effectively and implemented correctly, CLOUD Act agreements provide an important avenue for law enforcement agencies and have the potential to strengthen other international evidence-collection arrangements.

This policy brief is based in part on the authors’ previous experience working on government surveillance law and policy at Google and Meta. Working with other industry representatives, academics, and members of civil society, they engaged with the U.S. and UK governments to help shape the core elements of these CLOUD Act provisions.

The authors offer three suggestions for better realizing the potential of the CLOUD Act. First, the U.S. government should conclude more agreements with more countries. Second, it should adopt practices to better evaluate the success of the agreements. Third, it should implement mechanisms to better detect and address improper use of the agreements. None of these changes require any alteration of the CLOUD Act itself and can be done by the Department of Justice (DOJ) in partnership with other governments.

A History of Blocking Statutes and the CLOUD Act

The Growing Significance of Blocking Statutes

For decades, evidence and intelligence that a country needs to enforce its laws or protect its national security has sometimes been held by companies in other jurisdictions. Over time, as the services offered by U.S. companies became massively popular around the world, this issue became much more prevalent for foreign jurisdictions than for domestic ones. U.S. law prohibits these U.S. service providers from disclosing certain types of user information unless presented with valid legal process issued by a court in the United States, with some limited exceptions, even when the information pertains to conduct and users entirely outside the country. These are laws not to be trifled with. Violations of these “blocking statutes” can constitute criminal felonies.

A blocking statute can advance important public policy goals. A democratic government has a legitimate role in regulating the behavior of companies in its jurisdiction, and Congress would not want a U.S. provider to disclose user data that violates civil liberties. For example, imagine if the Iranian government approached Microsoft with an order to wiretap the Outlook email account of a political dissident who had been organizing a political protest. The U.S. government would certainly not want a U.S. company to assist, and the blocking statute creates a legal barrier to doing so. No doubt Microsoft would not want to disclose the information either, and it could use the blocking statute to explain credibly that it is legally prohibited from doing so.

The United States is not alone in using blocking statutes to advance its values by regulating the behavior of providers in its jurisdiction. In the European Union, Article 48 of the General Data Protection Regulation serves to restrict data disclosure to non-EU member governments unless certain criteria are satisfied. France also has a blocking statute prohibiting the disclosure of information that would harm French interests. Though with far fewer dramatic consequences (given that most of the big providers are in the United States), these blocking statutes may forbid the providers subject to them from disclosing data directly to U.S. government agencies.

Prior to the CLOUD Act, providers subject to U.S. law were presumptively prohibited from honoring valid legal process for certain types of user information from government agencies outside the United States. This was so even when issued by a rule-of-law respecting government and even when the data was that of the government’s own citizens. For example, an email provider operating under U.S. law was not permitted, absent an exception, to comply with a UK order to disclose private email of a user even when the user was in the United Kingdom, the crime to which the messages related was committed in the United Kingdom, and the victim was in the United Kingdom.

Because U.S. blocking statutes were restrictive and inflexible, the countries needing user content information from U.S. providers had to turn to other means. For instance, many countries have Mutual Legal Assistance Treaties (MLATs) or other agreements with the United States, which require U.S. government officials to secure legal process from U.S. courts for foreign investigations.

The first MLAT the United States entered into was with Switzerland in 1977. In the 1980s and 1990s, it concluded agreements with countries such as Australia, Canada, Israel, and Jamaica. The pace of MLAT negotiations accelerated in the wake of the 9/11 attacks, with the United States eager to use them to aid in terrorism investigations. They worked fairly well before the internet became so prevalent in daily life. This dramatically changed with the rise of U.S. companies providing internet communications services popular with people worldwide. In a matter of years, it was not the United States trying to get MLATs in place to investigate terrorism, but other countries seeking MLATs to secure information from these U.S. providers.

As the popularity of the internet skyrocketed, so did the number of requests made to the U.S. government under these treaties and arrangements. The DOJ’s Office of International Affairs, which handles such requests, was crushed by the volume. Responses became so delayed that occasionally foreign law enforcement officials could not get the data they needed in time to help with investigations. In 2013, a U.S. report estimated that MLAT requests took an average of about 10 months. Countries often did not even bother to invoke MLAT to obtain electronic records.

There are other diplomatic instruments to which the United States is a party that also have provisions for mutual legal assistance. These include the Council of Europe Convention on Cybercrime (i.e., the Budapest Convention and Second Amended Protocol), the Inter-American Convention on Mutual Assistance in Criminal Matters, the Organization for Economic Cooperation and Development Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, and several UN conventions covering corruption, organized crime, drug trafficking, and terrorism. A foreign government might also ask a U.S. agency to open a joint investigation and share information obtained from U.S. legal process. These diplomatic approaches, loosely speaking, suffer many of the same practical drawbacks as dedicated MLATs.

When foreign governments hit these roadblocks, they did not stop pursuing data. Some jurisdictions responded with aggressive, unilateral, punitive measures aimed at U.S. providers. They considered laws to force tech platforms to localize data within their borders, based on the erroneous view that changing the data storage model would expedite law enforcement processing. Most egregiously, they resorted to strong-arming the companies through employee harassment and arrests to pressure companies to turn over user data or by finding vulnerable spots in network infrastructure to capture communications directly.

Foreign governments pressured not only the tech companies, but also the U.S. government. The DOJ and Federal Bureau of Investigation (FBI) were hounded by countries, including close allies, for a more practical means to secure communications content from U.S. providers. The government, providers, and civil society were aligned on the existence of a problem.

Going back to the mid-2000s, many U.S. providers began discussing possible approaches to improve the situation with the U.S. government, including the DOJ and FBI, and with foreign governments. Providers’ suggestions included increasing the resources available to the U.S. government for MLAT compliance, working with foreign jurisdictions on how to use the MLAT process in a way that reduces churn arising from malformed requests, and even pushing for a more automated portal through which MLAT requests could be completed (with immediate error checking) and submitted. Some of these recommendations were implemented. In addition, some companies also made changes to their own policies and practices to improve response times, such as prioritizing requests that come through diplomatic channels.

All these steps undoubtedly helped reduce some of the pressure on the companies and the MLAT system. None, however, could change the reality that U.S. law was unnecessarily impeding legitimate investigations. For many years, there seemed to be little appetite within the U.S. government to pursue any big changes. With shrugging shoulders, most of the effort was spent trying to get more funding for the beleaguered and far-too-manual MLAT system.

Working toward a Solution

As conversations matured, a new legal dynamic arose. In a dispute between Microsoft and the U.S. government, the U.S. Court of Appeals for the Second Circuit held that search warrants issued under the Stored Communications Act were not valid to compel companies to produce data that was exclusively stored outside the United States. The Supreme Court agreed to hear the case, which was then fully briefed and argued. In the view of the U.S. government, a Supreme Court ruling upholding the Second Circuit’s would have hamstrung U.S. law enforcement agencies in pursuing data stored overseas.

Keen to avoid such a ruling, the DOJ saw an opportunity to pursue a bill that would ultimately moot the pending Supreme Court case and, more importantly for the purpose of this article, give some hope to other countries that they would have an easier path to securing information from U.S. providers. Some members of Congress also reenergized legislative proposals such as 2015’s Law Enforcement Access to Data Stored Abroad Act and the iterative International Communications Privacy Act.

Ultimately, the companies and the DOJ focused on one important observation: Often the U.S. government has no interest in preventing a U.S. provider from honoring foreign legal demands. If Japan needs to obtain emails in a Gmail account sent between two citizens of Japan suspected of committing a murder that took place in Japan, then why should U.S. law stand in the way? It is hard to identify any public policy interest of the U.S. government that would be served in preventing that investigation from progressing.

From this was borne an Obama administration proposal to Congress that would ultimately become the CLOUD Act. Put simply, the United States would lower its blocking statutes under the conditions set out in the legislation and pursuant to an executive agreement for any country that meets certain minimum standards on human rights and the rule of law. This would allow, but not require, U.S. companies to honor the foreign legal process from such countries. One condition, among many, was that the other government would do the same with regard to its own blocking statutes.

Hearings were had, blog posts written, debates held. Many civil society groups were decidedly skeptical. Ultimately, and to the surprise of many, the CLOUD Act (including the provisions allowing for the lowering of blocking statutes) found its way into a must-pass appropriations bill, and President Trump signed the CLOUD Act into law on March 23, 2018.

CLOUD Act Agreements Realized

Even before the CLOUD Act became law, the U.S. government had its eye on inking a deal with the United Kingdom. Conversations between the DOJ and Home Office officials likely informed what was included in the final bill. But even with this head start and a very eager ally on the other side of the table, it takes time to negotiate and implement a law enforcement agreement.

First, the CLOUD Act agreement is a novel type of arrangement, requiring the countries to develop bespoke terms. Previous diplomatic accords such as MLATs might have a few clauses that are transferable to CLOUD Act agreements, but they differ in significant ways and do not provide easy templates.

Second, even though the United States and the United Kingdom have relatively similar legal systems, the United States understood that this agreement would likely serve as a starting point for agreements with other jurisdictions where there are much greater differences. The agreement with the United Kingdom had to take into account potential sticking points or tensions arising in negotiations with other countries.

Third, each side had to be careful to protect what is referred to in diplomat-speak as “essential interests.” The United States wanted to make sure that information provided by U.S. providers under the agreement would not be used in a manner that raises free speech concerns. The United Kingdom considered the potential impacts of direct disclosures from UK providers in U.S. death penalty cases. Both insisted that before prosecutors can use information collected from its providers as evidence in a case that implicates the respective essential interest, the prosecutors must secure permission from the other’s government.

In spite of the inherent headwinds, the U.S. government concluded the negotiations with the United Kingdom in October 2019 and those with Australia in December 2021. At least two other agreements are currently being negotiated: one with Canada and one with the European Union.[2]

Because they have CLOUD Act agreements in place, Australia and the United Kingdom now have more options for pursuing data they need to assist with important investigations. Providers now have fewer restrictions for responding to these requests and greater clarity on how the data will be treated following a disclosure. The U.S. government presumably has fewer diplomatic requests from these countries than it would have otherwise. And because of this reduction in requests from countries with agreements in place, other jurisdictions may be experiencing a relatively faster response to their requests for assistance from the U.S. government using traditional diplomatic means. This is a good start, but there is plenty of room for more.

Releasing the Potential of CLOUD Act Agreements

This brief offers three suggestions that can help the CLOUD Act reach its full potential. First, the U.S. government should work to conclude more agreements with more countries, avoiding the perception that the CLOUD Act is designed to create a “club” of countries with preferred data access. It can expand participation by using a series of “knobs and levers” to tailor agreements to specific jurisdictions. Second, it should adopt practices to better evaluate the agreements, including increasing transparency. Third, it should implement mechanisms to better detect and address improper use of the agreements.

A Big Tent, Not a Private Club

Carefully crafted CLOUD Act agreements can play a positive role for many countries beyond those in the Five Eyes (consisting of Australia, Canada, New Zealand, the United Kingdom, and the United States) and the European Union. At times, the DOJ has made it harder to realize a “big tent” vision for the CLOUD Act by describing it in terms that suggest a “club” mentality. When the DOJ says that CLOUD Act agreements are only available to “trusted foreign partners,” it is telling all the others, even those that can meet the standards, that they have to find their own way.

There will be a concrete negative effect if there is a perception that the CLOUD Act creates a fast lane only for countries that have gained admission into a privileged club. If countries such as India and Brazil feel like outsiders, they are more likely to respond with measures the CLOUD Act aims to avoid, including data localization, fines, arrests, and other retributive policies.

To conclude more agreements with more countries, the U.S. government should (1) explore a broader range of agreement terms; (2) avoid suggesting that CLOUD Act agreements are only for a “club” of favored nations; and (3) devote more dedicated resources to negotiating CLOUD Act agreements.

The first step in concluding more agreements is broadening what an agreement might look like. The CLOUD Act agreements with the United Kingdom and Australia are very similar, with both nearly as expansive as the statute allows. They both apply to the broadest array of crimes permitted by the statute, can be used by a wide range of agencies in each country, apply to collecting data in a stored state as well as real-time surveillance of communications, allow targeting to the maximum extent permitted by the statute, and are subject to congressional review only within the shortest permissible time frame.

Based on these two agreements, one might mistakenly assume that all CLOUD Act agreements must look this way. The CLOUD Act itself, however, does not require that every agreement extend as far as the law permits. In fact, as expansive as the agreements with the United Kingdom and Australia are, both amend the baseline requirements of the CLOUD Act to impose restrictions on using data disclosed to U.S. authorities as evidence that could lead to the imposition of the death penalty. Just as the United Kingdom and Australia could insist on terms that make the agreements stop short of the full extent allowed by the statute, the United States can do the same in future agreements.

There are many levers and knobs that can be adjusted to accommodate for differences in legal systems and particular needs and sensitivities:

  • Covered Crimes: Agreements could apply only to specified serious crimes, with shared definitions across borders, such as investigations into acts of terrorism or cybercrimes.
  • Participant Agencies: Agreements could apply only to particular investigative agencies. For example, the blocking statutes in the United States might be lowered under an agreement only for requests from an agency that has a track record for high quality investigations and is subject to meaningful oversight.
  • Surveillance Type: Agreements could limit the nature of data acquisition. For example, an agreement could allow for collection of stored content but leave intact the U.S. blocking provisions for real-time surveillance.
  • Surveillance Duration Limits: Similarly, agreements could restrict the surveillance period. For example, stored communications could be limited to a 6-month period and real-time surveillance to 60 days.
  • Targets: Agreements could limit which users may be targeted in the requests. Although the CLOUD Act prohibits the non-U.S. country from intentionally targeting a U.S. person, an agreement could impose additional restrictions. For instance, it could limit the targeted users to only those who are reasonably believed to be located in or citizens of the requesting country, as well as in jurisdictions that have not agreed to certain international standards (such as the Second Additional Protocol to the Budapest Convention).[3]
  • Government Insight on Disputes: Agreements could expressly allow a provider to object to a request by notifying its home jurisdiction of the issue at the same time as it submits its objection to the requesting government. The authors describe this type of dispute management below.
  • Government Insights on Overall Use: For even more timely visibility into the requests made to providers, agreements could include a requirement that when an agency submits a CLOUD Act demand to a U.S. company, it must also send a copy of the demand to the DOJ.
  • Compressed Review Periods: Agreements could require shorter terms, triggering more frequent reviews of the country’s qualified status for renewal. The authors describe additional oversight options in more detail below.

Moving away from a one-size-fits-all approach will expand the range of countries that could negotiate and secure a CLOUD Act agreement. Many agreements might be narrower than the ones in place with the United Kingdom and Australia, which might mean that the pool of potential CLOUD Act agreement countries would not be limited to those with legal systems similar to that of the United States. This will give a wider range of governments optimism that they can conclude such agreements and in turn incentivize them to develop options for improving their laws.

Moving away from a one-size-fits-all approach will expand the range of countries that could negotiate and secure a CLOUD Act agreement.

Obvious candidates for fine-tuned CLOUD Act agreements include India and Brazil. Both have historically issued a large number of demands on U.S. providers. The frustration their respective law enforcement and intelligence services have experienced with existing disclosure mechanisms has led to a slew of proposals that could be detrimental to security and privacy. Another candidate for an agreement is South Korea, which has had a dramatic increase in requests for user information from U.S. providers in the last few years,[4] and which the DOJ has referred to in its hypothetical CLOUD Act scenarios.

Scholars such as Peter Swire, Deven Desai, and DeBrae Kennedy-Mayo have shown that India presents an important candidate for improved data disclosure. India, like many jurisdictions, has laws and practices that may require significant changes to meet the minimum requirements of the CLOUD Act. As Swire and Kennedy-Mayo postulate, these might include India joining the Budapest Convention, forswearing the use of legal process that does not involve a judicial authority, and using a “qualified entity” to act as a moderator on behalf of requesting agencies to enforce policy requirements regarding requests to providers. On the other hand, excluding India entirely could invite more aggressive and counterproductive unilateral action, which is likely to have a negative impact on the privacy and security of people in India and beyond. Figuring out a path for a more limited agreement would reduce the likelihood that the government takes such steps and could create an incentive for it to institute domestic reforms in hopes of securing a more expansive agreement in the future.

This presents the DOJ with a very challenging objective: to aim for a “big tent” approach while also protecting U.S. interests in situations that justify interference through blocking statutes. Regulating the behavior of a U.S. company makes sense when the requesting country is corrupt and contemptuous of the rule of law or commits human rights abuses. And of course, the United States has an interest in protecting U.S. individuals who may be the subject of a request from a foreign government to a U.S. provider.

For these reasons, U.S. government officials should be clear that foreign governments must meet certain standards to participate. Of course, it is also possible that countries such as India and Brazil may balk at the prospect of entering into agreements that are more limited than others have been in the past. Hopefully, the immediate value of even a narrow arrangement and the potential for future expansion will overcome the tendency toward such a reaction.

Finally, to accelerate the pace of negotiations and conclude more agreements, the DOJ needs resources. Congress should allocate increased funding for this program, including adding personnel dedicated to negotiating CLOUD Act agreements with a greater set of countries. Devoting resources to the CLOUD Act process so it can respond to more requests would also free up resources for and complement other data access mechanisms such as MLAT and letters rogatory.

In addition, an agreement with the European Union, currently under negotiation, presents a good example of how the CLOUD Act can fill gaps left by other mechanisms. Even after EU member states have adopted the new E-Evidence Directive and Regulation so they can obtain data from the EU subsidiaries of U.S. providers established in Europe (often in Ireland), these countries’ law enforcement agencies will still need to use diplomatic mechanisms to obtain evidence about users served by the providers’ U.S. entities. For agencies in EU member states, an arrangement that takes advantage of lowered U.S. blocking statutes through the CLOUD Act could be valuable to their legitimate investigations into threats involving non-U.S. users of the U.S. providers.

CLOUD Act agreements also complement the Budapest Convention. Being a party to this convention is specifically called out in the CLOUD Act as a factor to qualify for an agreement. As a result, the desire for such agreements may incentivize more countries to sign on to it, including the Second Additional Protocol. This would be a valuable end in itself, and even more so by incentivizing countries away from other international instruments lacking in basic protections, such as the draft cybercrime treaty before the United Nations.

Evaluating Efficacy

It is important to be able to identify whether a CLOUD Act agreement is effective in removing unnecessary barriers to legitimate investigations and improving, or at least forestalling backslide, on human rights. Understanding impact will help the United States develop options to improve agreements or perhaps will suggest that investment should be made in other mechanisms. It will also enable nongovernmental organizations (NGOs) and academic researchers to evaluate the CLOUD Act process. Finally, since Congress receives reports on the operation of each agreement, understanding impact will be critical for that review process.

The DOJ posts information about related negotiations, agreements, and public communications on its CLOUD Act Resources webpage, but there is no data about the volume or type of data requests. While the UK government has provided some information, it has not yet provided much detail.

During CLOUD Act negotiations, the United States and companies discussed options for ensuring that there would be transparency about how the agreements worked in practice and accountability for violations. But in practice, transparency and accountability are difficult. Not only does it take time to collect and report data, but the agreements are still in their early stages. The first agreement, with the United Kingdom, came into force on October 3, 2022, and data requests did not immediately ensue. In addition, collecting information about how an agreement is used is challenging because of how the current CLOUD Act agreements work. If the United Kingdom uses the CLOUD Act to request data from a U.S. provider, the DOJ might never see that the request was made unless the provider raises a dispute with the United Kingdom that is not resolved, so the U.S. government gets pulled in. Removing the provider’s host government from this process, in cases where the host government does not have an interest in the request, is precisely the point.

As understandable as the challenges of transparency might be, the lack of it makes it difficult to understand the efficacy of CLOUD Act agreements. This means the DOJ and Congress would face challenges in making this assessment, as would third-party organizations and experts such as NGOs and academic researchers.

To improve transparency, CLOUD Act agreement participants should make available qualitative and quantitative information about how the agreements function in practice. The agreements in place with the United Kingdom and Australia each allow agencies in those countries to submit requests directly to U.S. companies with no notice to the DOJ. Yet there is nothing in the legislation prohibiting agreements from including a requirement that when an agency submits a CLOUD Act demand to a U.S. company, it must also send a copy to the DOJ. More detailed and timely information could help the department catch issues sooner and provide better analysis to Congress when an agreement comes up for review. This requirement should be reciprocal, necessitating that the United States also copy the central authority of the other government when it issues a request under the agreement. Of course, it is important that the DOJ not use this notification as a preapproval process for every request submitted by the host country; that would reintroduce the very pitfalls of the MLAT system.

Currently, the agreements require each government to submit annual reports providing “aggregate data” on its use of the agreement. The first such reports from the United States and the United Kingdom should have already been generated and exchanged, but so far they have not been made public. Perhaps, given that the first anniversary of the agreement with the UK going into effect was recent, the reports are still being reviewed. Regardless, the DOJ should make these reports public, including its own. The CLOUD Act does not require that the reports be kept confidential, nor do the agreements now in place. If there are good reasons not to publish them in full, the DOJ should consider releasing summaries with qualitative and quantitative data on how the agreements are working in practice. In any event, these full reports should be made available to Congress. Similarly, the CLOUD Act requires that when an agreement is up for renewal, the DOJ submits a report to congressional committees setting out how the agreement has been implemented and describing any problems or controversies encountered. As with the annual reports, the DOJ should make these publicly available to the extent it can.

In addition, companies should publish data in their transparency reports on the number of CLOUD Act requests they receive and by which country, as Meta and Google have already done, for example. (The agreements currently in place require that demands indicate they are issued pursuant to the agreement, making it relatively easy for providers to track.) But company reporting is likely to create a spotty and incomplete picture of the total impact of the CLOUD Act. The key information is the total number and type of requests from foreign governments, not the requests that each provider received.

Governments should not be the only entities reviewing the efficacy of the agreements. With funding from foundations and governments, civil society organizations should also study their impact, including their long-run influence on human rights norms. For instance, Freedom House, a nonprofit organization, releases an annual report on internet freedom. With dedicated support, it could expand this report to include detailed analysis of the CLOUD Act’s annual impact. Freedom House or other think tanks might serve as a repository for company reporting, providing a more holistic overview of requests made pursuant to the agreements.

Enforcing against Violators

The robust process required by the statute to qualify for an agreement under the CLOUD Act is essential to its purpose. As the United States looks at other jurisdictions with which to enter more bespoke arrangements, it may need to adopt additional protections against misapplication of the agreement. It is also possible that a country might change its legal authorities after entering into an agreement, and those changes might warrant revisiting its “qualified status.” This means the United States will need a mechanism to detect whether the agreement is being misused or the law has changed and to take action in response.

One obvious way to gain such insight is by setting up a process for a U.S. company to immediately report objectionable CLOUD Act agreement requests to the DOJ. The agreements with the United Kingdom and Australia each allow a provider to raise initial objections with the issuing authority. If the objection is not resolved, the provider may bring in its host government so that the two governments can hash it out. Significantly, the agreements currently in place do not prohibit a provider from notifying its host government at the same time as it submits the objection to the requesting government. There is no process for doing so, however. To gain more visibility into the nature and volume of requests that are out of the agreements’ scope or otherwise problematic, future agreements could make this explicitly permissible and set up an intake process with the DOJ.

Once it has more timely insights into the disputes arising with U.S. providers, the DOJ could take action if it believes the foreign government is violating the terms of the agreement or decide to refrain from interfering and let the objection process in the foreign jurisdiction play out. If the DOJ does see systemic issues, it could apply pressure on the other country, noting that its qualifying status may be in peril. In addition, regardless of whether it takes action in individual cases, it could inform Congress of these objections during the review period. The DOJ could strengthen its hand in these circumstances by including a provision in each agreement that allows it to immediately suspend it on the grounds of misuse.[5]

Another accountability mechanism would be to build in more frequent opportunities to revisit the terms. The CLOUD Act provides that any agreement will expire after five years but may be renewed if the U.S. attorney general and secretary of state provide a report to Congress concluding that the other country is still “qualified.” Individual agreements could have shorter terms and require more frequent reviews. In addition, an agreement could expressly provide that it is subject to an immediate pause, suspending further submission of requests, if there is a need to address sudden material changes in circumstances. Armed with more information from periodic public reports, more frequent reviews might also incentivize faster improvements in the partner country since they could lead to a more expansive arrangement in a shorter time.

The United States will need a mechanism to detect whether the agreement is being misused or the law has changed and to take action in response.


CLOUD Act agreements have tremendous potential, alongside other diplomatic mechanisms, to facilitate legitimate investigations that require cross-border electronic evidence collection without sacrificing human rights and liberties. To get closer to that potential, a series of knobs and levers should help guide future negotiations, since a one-size-fits-all approach would unnecessarily constrain the CLOUD Act’s reach. The United States should also build in more mechanisms for transparency and accountability to help identify areas of improvement, ferret out otherwise hidden problems, and build trust.

Matt Perault is the director of the Center on Technology Policy at UNC-Chapel Hill, a professor of the practice at UNC’s School of Information and Library Science, and a consultant on technology policy issues at Open Water Strategies. Richard Salgado is a senior associate with the Center for Strategic and International Studies’ Strategic Technologies Program, teaches at Stanford Law School and Harvard Law School, and provides consultancy services through Salgado Strategies LLC.

This report is made possible by general support to CSIS. No direct sponsorship contributed to this report.

Please consult the PDF for references.

Matt Perault

Director, Center on Technology Policy, UNC-Chapel Hill and Professor of the Practice, School of Information and Library Science, UNC
Richard Salgado
Senior Associate (Non-resident), Strategic Technologies Program