US-UK Agreement under the CLOUD Act to Take Effect This Summer

19 May 2020 – originally published as a guest post at nsucyberlaw.org.

In March 2018, the US Congress passed an amendment to the Stored Communications Act (SCA)[1] and Wiretap Act[2] in an attempt to facilitate access to electronic data stored outside the US in criminal investigations. Known as the Clarifying Lawful Overseas Use of Data (CLOUD) Act,[3] this legislation endeavors to more quickly resolve the conflicting legal obligations of companies faced with a request to release customer data when such access might ordinarily be prohibited by law. The CLOUD Act was the result of the legal challenge to a 2013 warrant issued by the FBI requesting the Ireland-stored email correspondence of a Microsoft customer implicated in a drug trafficking investigation. A lawsuit ensued and made its way to the Supreme Court on appeal,[4] but before the case was resolved, the US passed the CLOUD Act to address this sort of issue.

The CLOUD Act sets forth requirements relating to US access to data stored outside the US as well as a detailed proposed path for other nations’ access to electronic communications data stored within the US.[5] Under the Act, (1) US government and law enforcement officials may direct an overseas company to produce customer communications data pertaining to a US person; and (2) non-US law enforcement officials may gain access to data stored in the US, but only in conjunction with investigations involving “serious crime, including terrorism”[6] and only when an “executive agreement”[7] is in place between the US and the relevant non-US governments prior to a release of access to the requested data.

This Act applies to providers of remote computing services and electronic communication services (ECS). Significantly, once a CLOUD Act executive agreement is in place, data requests for transfers that implicate the conditions of national laws such as the EU’s General Data Protection Regulation (GDPR)[8] and the UK’s Data Protection Act 2018 will need careful consideration.[1] It is not yet known if EU authorities will find terms of executive agreements sufficient to meet a data protection exception under Article 49 GDPR.

Currently, no executive agreements are in place under the CLOUD Act, although the US and the UK negotiated and signed such an agreement[9] that is set to go into effect this summer, absent objection by US Congress.[10] Until the US-UK executive agreement takes effect, all requests from a US authority to the EU, including the UK during the Brexit transition period, are subject to the traditional Mutual Legal Assistance Treaty (MLAT) process unless a bilateral executive agreement is pursued.[11]

The US-UK Agreement is set to enter into force beginning on July 8, so a request prior to its effective date from the US government to the UK regarding a US person – or to the US from the UK government regarding a UK person – will be managed pursuant to that executive agreement. This agreement is in compliance with the CLOUD Act framework and is anticipated to serve as a model for future agreements,[12] so it will be important for businesses to monitor its application. Of course, for all requests under CLOUD Act executive agreements, as with any cross-border data request, it will continue to be crucial to refer requests to legal counsel for a full analysis.

Although the agreement is quite comprehensive, some of the key considerations for counsel will be to determine that:

  • A warrant or subpoena that relates to a serious crime[13] is issued in compliance with the domestic law and is reasonably justified, as well as limited to a fixed, limited duration not longer than is reasonably necessary[14]
  • A provider’s representatives are prepared only to produce the requested data directly to the Issuing Party’s Designated Authority[15]
  • Processing and access to data are compatible with the nations’ respective laws addressing privacy, data protection and civil liberties[16]
  • Safeguards are in place to minimize targeting of persons who are not subject to the request, particularly nationals of the non-requesting nation[17]

ECS providers may raise specific objections when they believe an order might not conform with the executive agreement, and government authorities may confer to resolve the outstanding issues.[18] It is worth noting regarding future requests that the CLOUD Act permits providers to bring a motion to quash a request based on the risk of violating law to which they are beholden.[19] The specific terms of the objection process may be addressed within the individual agreements, as is the case with the US-UK agreement. As referenced above, it will be important to reconcile CLOUD Act orders with requirements of the GDPR and the use of objections will be a key to the protection of individual interests.

Executive agreements under the CLOUD Act are designed to address US requests for foreign-held data regarding US persons and foreign requests for US-held data regarding its own persons. Non-US requests for data regarding US persons are not covered by the CLOUD Act and will continue to require the MLAT process.[20]

Based on the complicated and agreement-specific nature of the CLOUD Act, it will continue to be crucial to refer government data requests to legal counsel to determine the validity of the request. It will be particularly important to challenge orders that appear to run afoul of data privacy requirements, at least until authorities have determined the extent of compatibility with CLOUD Act mandates. From a broader perspective, having been as-yet untested, the future of cross-border data access compliance is far from clear. Company policies addressing customer data requests from all sources need to continue to evolve to account for the dynamic nature of cross-border data requests as the laws of all nations grapple with the rapid increase in the global volume of data.


[1] Title 18 U.S.C. Chapter 121.
[2] Title 18 U.S.C. Chapter 119.
[3] H.R. 4943, amending Title 18 U.S.C Chapter 121, Section 2713, Title 18 U.S.C Chapter 121, Section 2523.
[4] United States v. Microsoft Corp. (“Microsoft Ireland”), 138 S. Ct. 1186 (2018).
[5] This access potentially would be granted notwithstanding the protections available under the US Electronic Communications Privacy Act of 1986 (ECPA), Title 18 U.S.C., Sections 2510-2523. The ECPA protects electronic communications during creation, in transit, and when stored.
[6] Title 18 U.S.C Chapter 121, Section 2523 (b)(3)(D).
[7] Title 18 U.S.C Chapter 121, Section 5.
[8] 2016/679
[9] The “Agreement Between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime” was signed by the US Attorney General and the UK Home Secretary on 3 October 2020, was certified by the Attorney General on November 27, 2019, was noticed by the Department of Justice to all relevant Congressional committees by January 10, 2020, and currently is under a 180-day review period by the US Congress. The text of the agreement is available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/836969/CS_USA_6.2019_Agreement_between_the_United_Kingdom_and_the_USA_on_Access_to_Electronic_Data_for_the_Purpose_of_Countering_Serious_Crime.pdf.

[10] Department of Justice AG Order No. 4645–2020, Clarifying Lawful Overseas Use of Data Act; Attorney General Certification and Determination 85 FR 12578 (March 3, 2020).

[11] Given that the MLAT process has been estimated to take six months to two years, a request subject to a bilateral executive agreement under the CLOUD Act is anticipated to significantly speed up the access to data. UK Home Office, “UK and US sign landmark data access agreement,” gov.uk (4 October 2019), available at: https://www.gov.uk/government/news/uk-and-us-sign-landmark-data-access-agreement

[12] Daskal, Jennifer and Swire, Peter, “The UK-US CLOUD Act Agreement Is Finally Here, Containing New Safeguards,” LAWFARE (8 October 2019), available at: https://www.lawfareblog.com/uk-us-cloud-act-agreement-finally-here-containing-new-safeguards
[13] Under the bilateral agreement, “Serious Crime means an offense that is punishable by a maximum term of imprisonment of at least three years,” Supra note 8, at Article 1, para. 14.
[14] Supra note 8, at Article 5.
[15] Id. at Article 6.
[16] Id. at Articles 9, 10.
[17] Id. at Article 4.
[18] Id. at Article 5.
[19] CLOUD Act Section 2713 (h)(2).
[20] US Department of Justice, “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act,” White Paper (April 2019), p. 8, available at: www.justice.gov/CLOUDAct.