The CLOUD Act

On July 8, 2020 the bilateral agreement between the United States and the United Kingdom on Access to Electronic Data for the Purpose of Countering Serious Crime entered into force. This agreement was the first one negotiated and agreed upon after the Clarifying Lawful Overseas Use of Data (CLOUD) Act was enacted in March 2018. With the first agreement already in place, and two more being negotiated, this blog post provides an overview of the CLOUD Act’s text, and its impact so far.

The CLOUD Act pursued two main objectives: 1) to amend the Stored Communications Act to require providers to comply with their obligations to preserve, back up or disclose electronic data in their possession regardless of where that information is located; and 2) to allow the U.S. government to enter into executive agreements with foreign governments for reciprocal expedited access to electronic information held by providers based abroad.

The first part, now codified in 18 U.S.C. § 2713, states that electronic communication service or remote computing service providers must comply with the obligations in the chapter regarding stored wired and electronic communications “regardless of whether such communication, record, or other information is located within or outside of the United States.” As explained here and here, for example, a direct effect of the bill was to render moot the Microsoft Ireland case regarding the use of a U.S. warrant to request electronic data controlled by a U.S.-based company but stored in another country. In this case, since the data was stored in a data center in Ireland, Microsoft argued that an American warrant was not enough, and that the request should be made through the Irish authorities.

The bilateral agreements, on the other hand, were intended to respond to complaints by foreign governments over the lengthy process to access electronic evidence from providers based in the United States. Cumbersome requests through old-fashioned Mutual Legal Assistance Treaties (MLAT) delayed investigations and prosecutions, taking about 10 months to fulfill according to a 2013 estimate. (Find a detailed diagram of the MLAT steps here.) The problem is not just the delay to overseas investigations, but also the drain on U.S. resources. In 2015 the U.S. Department of Justice requested $24.1 million in funding to respond to the fact that foreign requests for assistance “increased nearly 60 percent, and the number of requests for computer records has increased ten-fold.” In its memorandum over the need to negotiate an agreement with the United States, the EU demonstrated the scale of the problem for foreign jurisdictions: “Electronic evidence is needed in around 85% of criminal investigations, and in two thirds of these investigations there is a need to obtain evidence from online service providers based in another jurisdiction.”

Service providers have traditionally been hesitant to answer foreign government requests for data due to fears that they could be found in violation of domestic laws regarding the storage of electronic data. The bilateral agreements contemplated by the CLOUD Act intend to remove these conflicts, whilst ensuring both jurisdictions share similar privacy and civil-liberties protections. Several organizations raised concerns about the harmful effects that these agreements could have for privacy and human rights, arguing that the CLOUD Act undermined the “rights of individuals both inside and outside the U.S.,” but the worries over what the agreements would allow foreign governments to do were disputed.

Besides requiring that the domestic law of the foreign country and its implementation be assessed as respecting “substantive and procedural protections for privacy and civil liberties”, the CLOUD Act also limits who can be targeted: a U.S. person or a person located in the United States, and a non-U.S. person outside the United States when the purpose “is to obtain information concerning a United States person or a person located in the United States”, are not allowed targets, for example. The CLOUD Act also specifies that it will not create an obligation for providers to be capable of decrypting data. The orders issued must, most importantly, “be for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of serious crime, including terrorism.” They are also subject to review or oversight by a judicial authority. Alarms were raised about the possibility that foreign governments might request wiretaps in the United States; however, that provision should be understood under the protective umbrella of the previously stated limitations.

You can listen to past CSIS events discussing the CLOUD Act here and here for more information on the challenges and concerns over its implementation.  

The only currently existing bilateral agreement under the CLOUD Act is between the United States and the United Kingdom. Agreed upon in October 2019, it seeks to “facilitate the ability of the Parties to obtain electronic data” (Article 3.4 of the Agreement), resolving potential conflicts of legal obligations that communications service providers can face when requested to produce electronic data (Article 2.1). This is accomplished by ensuring that both nations’ domestic laws on “preservation, authentication, disclosure, and production of electronic data” allow service providers to comply with domestic legal instruments that require electronic data stored in a different jurisdiction (Article 3.1). A good overview of the agreement’s details can be found here.

To address the lack of extraterritorial scope under their existing framework, the UK passed the Crime (Overseas Production Orders) Act 2019 in February 2019. The government assessed that the existing MLA’s slowness contributed “to negative consequences on UK investigations and prosecutions,” and a more streamlined process would allow law enforcement officers to receive timely information.  The UK’s new law allows certain officers to apply to a judge to issue an order requiring foreign providers to produce electronic evidence when necessary for the investigation or prosecution of a serious crime.

Knowing how many overseas production orders are issued from the UK will be a good metric to measure the concrete progress in investigations and prosecutions of serious crimes thanks to the CLOUD Act and the agreements under it.

Additionally, the United States is currently negotiating agreements under the CLOUD Act with the European Union and Australia.

In June 2019, the EU Council adopted a mandate allowing the European Commission to negotiate an electronic evidence sharing agreement with the United States, and in September 2019, representatives from the U.S. Department of Justice and the European Commission agreed to begin formal negotiations.

When the CLOUD Act was first announced, there were concerns about how providers would comply with both the American bill and the European GDPR. An initial assessment of the impact of the CLOUD Act on the EU legal framework identified Article 48 of the GDPR, on transfers or disclosures not authorized by Union law, as a main conflicting point. The provision states that a foreign court order would not be sufficient to make a transfer lawful, unless “based on an international agreement.” The objectives for this agreement, set out by the European Commission, include enhancing the legal certainty between the two jurisdictions, and allowing for the direct transfer of electronic evidence on a reciprocal basis while ensuring respect for EU law.

Negotiations are ongoing, and how the privacy protections are balanced remains to be seen. With 27 governments involved, it is of the utmost importance to carefully assess how each of them satisfies the requirements to qualify for a bilateral agreement: 1) adequate substantive and procedural laws on cybercrime and electronic evidence, 2) respect for the rule of law and principles of nondiscrimination, 3) the adherence and respect of applicable international human rights obligations, 4) clear legal mandates and procedures for government agencies authorized to request data, 5) accountability and transparency mechanisms for collection and use of electronic data, and 6) commitment to the promotion and protection of the global free flow of information and an open Internet. A broad understanding with the entire bloc should not undermine the principles and protections required.

In October 2019 the U.S. Department of Justice announced that the United States and Australia entered into formal negotiations for a bilateral agreement under the CLOUD Act. In March, the Australian government introduced the Telecommunications Legislation Amendment (International Production Orders) Bill 2020, which would allow it to enter into “bilateral and multilateral agreements for cross-border access to electronic information and communications data.”

Introducing an International Production Order would ensure law enforcement agencies can more quickly access data necessary to their work that is held in a foreign country. The motivation behind this legislation remains the same as in the UK and EU situations: an overwhelming amount of data needed to investigate and prosecute serious crimes “is held by companies located overseas,” and using the traditional MLAT systems is time-consuming and directly impacts their ability to do so efficiently.

The CLOUD Act’s influence cannot be denied. The appeal of expedited data access is clear from the fact that both the UK and Australia introduced new legislation enabling these agreements. With much of the world’s data being stored in the United States, delays in receiving electronic evidence from U.S. providers have become an increasing challenge to overseas investigators. This should be considered an incentive for other countries to increase their privacy and civil liberties protections. This has arguably already happened; Daskal and Swire argue that “In 2016, the U.K. government supported the enactment of judicial review of interception orders—in large part because it wanted to ensure eligibility to benefit from the kind of executive agreements provided for in the CLOUD Act.” As long as the safeguards are properly implemented and respected, and the access to this process remains limited to serious cases, subsequent bilateral agreements can be beneficial across the globe.

Eugenia Lostri

Former Associate Fellow, Strategic Technologies Program