Surveillance & Privacy

Applying the CLOUD Act to the U.S.-U.K. Bilateral Data Access Agreement

Nathan Swire
Monday, October 28, 2019, 2:31 PM

On Oct. 3, the United States and the United Kingdom signed the first-ever executive agreement under the CLOUD Act, a 2018 law that authorizes the U.S. to enter into information-sharing agreements with other countries for the purpose of aiding criminal investigations.

Flags Flying, Plymouth Harbour, Devon (Source: Christine Matthews)

Published by The Lawfare Institute
in Cooperation With
Brookings

On Oct. 3, the United States and the United Kingdom signed the first-ever executive agreement under the CLOUD Act, a 2018 law that authorizes the U.S. to enter into information-sharing agreements with other countries for the purpose of aiding criminal investigations. The text of the executive agreement, titled the U.S.-U.K. Bilateral Data Access Agreement, is located here. Congress will now have 90 days to consider the agreement, which will come into effect at the end of that period unless Congress enacts a resolution of disapproval.

As the CLOUD Act demands that a partner nation meet certain minimum requirements before an executive agreement can go into force, the language of this first completed agreement can provide context on the standards the United States expects other partner nations to adhere to in negotiating future executive agreements. It can also provide guidance to Congress on how the CLOUD Act will be implemented in practice.

The CLOUD Act, which was signed into law on March 23, 2018, has two primary goals. The first portion of the act, codified at 18 U.S.C. § 2713, alters the Stored Communications Act to require that providers of electronic storage and communications, such as Facebook, Google and Microsoft, comply with U.S. warrants for data physically housed in other countries. This portion of the act was written in response to the ruling of Microsoft Corp. v. United States, known as the “Microsoft Ireland,” case in which the U.S. Court of Appeals for the Second Circuit found that warrants under the Stored Communications Act did not have extraterritorial reach.

The second portion of the CLOUD Act, codified at 18 U.S.C. § 2523, authorizes executive agreements, such as the U.S.-U.K. agreement, to allow a provider to share communications content with a qualifying foreign government. The U.S. generally permits such information sharing with foreign governments only pursuant to a mutual legal assistance treaty (MLAT), a system of agreements that allow law enforcement agencies to formally request data from other countries. In the United States, all MLAT requests are reviewed by the Criminal Division of the Justice Department and the U.S. attorney in the district where the witness is located; the U.S. attorney then must request a warrant or court order from a federal judge. This is a complex and time-consuming process due to the number of levels of review, and as a result, as of 2013, the average time required to fulfill a properly executed MLAT request was 10 months. American requests for data from foreign governments can take even longer or might never prompt a response at all.

The CLOUD Act authorizes a new system of data sharing that allows law enforcement agencies in partner countries to bypass the MLAT process for serious criminal investigations. The passage of this law was necessary for the U.S. to negotiate such agreements under the Electronic Communications Privacy Act of 1986 (ECPA), which bars providers from sharing records with foreign governments absent a warrant, statutory authorization or user consent. The CLOUD Act removes these statutory barriers in U.S. law, allowing partner countries that have signed an executive agreement to issue orders directly to American service providers. It also requires these partner countries to remove legal barriers that would prevent the U.S. government from issuing orders to service providers within their borders. Thus, an American judge could issue a warrant for information housed on a British server—provided that information was in the “possession, custody, or control” of a party the court has jurisdiction over—and the British service providers would honor it without requiring prior approval from their own government.

The intent of such orders is to reduce the time needed to obtain evidence (and the difficulty of doing so) through the existing MLAT process. But the CLOUD Act also grants foreign governments, for the first time, the ability to request both stored communications and real-time communications—wiretaps—directly from private American corporations. This ability of foreign governments to potentially access user data, records and real-time communications with reduced process has brought significant criticism from privacy and civil liberty advocates.

Part of the purpose of these executive agreements is to enable partner nations to conduct investigations within U.S. borders, and to remove barriers to American law enforcement abroad. Such harmonization of efforts is also taking place in Europe: The European Commission announced in February that it was beginning the process of negotiating an EU-wide system of cross-border access to electronic evidence, which it termed the “E-Evidence” framework. The United States announced the beginning of a similar negotiation process with the European Union in September and with Australia in October. With cross-border data-sharing on the agenda in both the United States and the EU, the U.S.-U.K. agreement can therefore serve as an early model for such agreements and a template of the areas that the United State prioritizes in its negotiations.

The U.S.-U.K. Agreement

Negotiations over a U.S.-U.K. agreement have been ongoing since at least 2016 and were enabled by passage of the CLOUD Act in the United States and the Crime (Overseas Production Orders) (COPO) Act of 2019 in the United Kingdom. Like the CLOUD Act, the COPO Act creates a framework in U.K. law allowing the government to request information from service providers located abroad. Internal investigations of electronic information are governed in the U.K. by the Investigatory Powers Act of 2016.

The agreement goes beyond the minimum requirements of the CLOUD Act at multiple points, though many details of its implementation have yet to be seen. Where it does not go beyond the minimum requirements, it tends to port over the language of the CLOUD Act directly to establish a standard.

CLOUD Act Requirements

The requirements for a valid executive agreement are codified at 18 U.S.C. § 2353 and must be certified by the attorney general and secretary of state in order for such an agreement to come into effect. Compliance with these requirements can be fulfilled either by the domestic law of the partner country or by the language of the executive agreement, as any request for information (“order”) under the act draws its authority from the domestic laws of the country issuing it.

The CLOUD Act requires the attorney general and the secretary of state to certify that any executive agreement complies with the following four requirements:

  1. A partner nation must have a domestic legal system that “affords robust substantive and procedural protections for privacy and civil liberties in light of [that government’s] data collection and activities.” The determination of whether a partner nation meets this standard is based on a multifactor analysis, with no single mandatory factor.
  2. A partner nation must have adopted “appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning United States persons subject to the agreement.”
  3. An agreement may not create an obligation for providers to decrypt data, or limit providers from decrypting data. This requirement renders any CLOUD Act agreement “encryption neutral,” so that any accord between countries regarding encryption must be concluded separately.
  4. An agreement must include a number of additional mandatory procedural and substantive requirements regarding targeting restrictions, the handling of data and the methods of issuing orders.

This certification is not subject to administrative or judicial review, but within 90 days Congress may pass a joint resolution of disapproval—subject to presidential veto—to block it from going into effect. Congress may also pass such a resolution upon recertification, which takes place every five years.

Certification Requirement 1: Adequate Protections for Privacy and Civil Liberties

The CLOUD Act requires the partner government to have “robust substantive and procedural protections for privacy and civil liberties.” The factors considered in this decision include adherence to the Budapest Convention on Cybercrime or similar domestic law, adherence to international human rights obligations, clear legality in surveillance procedures, and sufficient mechanisms for accountability and transparency.

For this requirement, the agreement recognizes in its preamble that both parties’ “respective legal frameworks for accessing electronic data incorporate appropriate and substantial safeguards for protecting privacy and civil liberties[.]” The agreement further holds in Article 3 ¶ 3 that the domestic law of each party sufficiently protects privacy and civil liberties, and further requires each party to advise the other of any changes in domestic law that affect this determination. It also notes in Article 9 ¶ 1–2 that the processing of data under orders subject to the agreement are fully compatible with each party’s respective laws on privacy and data protection, as well as the international treaties they are party to.

What the agreement does not do is discuss the overall human rights record of either party—one area that drew significant criticism from advocacy groups during the implementation of the CLOUD Act. For example, in a 2018 letter to the Department of Justice, a coalition of advocacy groups called attention to what they saw as insufficient privacy and civil liberties safeguards in U.K. law. The letter cited to a 2018 ruling at the European Court of Human Rights, Big Brother Watch and Others v. United Kingdom, which found that the U.K.’s bulk data-collection programs violated human rights laws because they did not incorporate sufficient privacy safeguards. The letter also called attention to deficiencies in the draft version of the U.K.’s COPO bill, which included a low standard for issuing warrants, lack of limits on the duration of data production orders and the ability of the U.K. government to retain data “so long as is necessary.” Other criticisms of U.S. and U.K. privacy standards, written before the signing of the agreement, are available here and here.

The U.K. government has contested the finding that its bulk surveillance programs violate human rights—through cases in both domestic courts and the European Court of Human Rights—but the U.S.-U.K. executive agreement notably does not take sides on these questions. Instead, it contains a blanket certification that the U.K. satisfies the CLOUD Act’s human rights and privacy requirements. The agreement therefore does not, by itself, provide much clear guidance for other potential partner nations about what the U.S. considers sufficient in terms of human rights, or how it weighs these factors—aside from indicating that the U.K. meets these standards even with its continuing use of mass surveillance.

The one area where the agreement explicitly addresses human rights is in allowing the U.S. and U.K. to limit certain orders on certain classes of cases that violate their respective norms. Article 8 ¶ 4 allows the U.K. to require prior permission before granting orders that could be used in cases involving the death penalty and similarly allows the U.S. to require permission on cases that would violate American conceptions of freedom of speech. These provisions are, however, dictated by other directives of the CLOUD Act and the COPO Act, rather than the CLOUD Act’s requirement of general respect for human rights.

The first specific factor defining adequate protection of civil rights, adherence to the Budapest Conventions, is fulfilled by the U.K.’s adherence to the convention. This is one of several factors or requirements of the CLOUD Act that are not addressed explicitly in the agreement, because they are fulfilled by the U.K.’s domestic law.

The next specific factor is “clear legal mandate and procedures” governing the partner nation’s seeking of data under the agreement, as well as sufficient mechanisms of accountability. The U.K. met this standard in 2019 with the passage of the COPO Act, which, like the CLOUD Act, authorizes U.K. authorities to request electronic data pursuant to a cooperation agreement, such as the U.S.-U.K. agreement. The COPO Act addresses oversight of these orders by requiring that they be issued by a judge. In contrast, domestic surveillance under the Investigatory Powers Act of 2016 uses a “double-lock” system whereby any surveillance order must be approved by both a judge and a minister of the executive branch. Together, these two laws ensure that any order emanating from the U.K. would require preapproval by a member of the judicial branch, though the agreement itself requires that orders be subject to “review or oversight” rather than necessarily by preapproval.

The agreement also imposes several additional oversight mechanisms. First, any order must pass through a “designated party”—the attorney general in the U.S., and the Home Secretary in the U.K.—who will review each order for compliance with the agreement and must sign a written certification that the order is lawful. Second, the agreement requires each country’s government to have a designated point of contact that can provide legal and practical advice to service providers who are responding to orders. Upon receiving an order, these providers have the right to file a formal objection first to the issuing party and then to their home government. If the provider’s home government so chooses, it can block an order at its discretion; if not, the provider could further challenge the order only in accordance with other mechanisms of domestic law, as the agreement does not itself create or extinguish legal rights under each country’s domestic law. Additionally, the CLOUD Act itself contains comity provisions, allowing a provider to file a motion to quash legal process if it believes an order would violate the law of a foreign government.

The agreement addresses the transparency requirement in two ways. First, for any order involving the data of an individual in a third-party country, the agreement requires notification to the government of that country to allow them to respond, except in cases where doing so would be detrimental to security, impede the investigation or imperil human rights. Second, the agreement requires periodic review of each party’s compliance, which can include a review of the issuance of orders as well as the handling of data. Each party is also required to submit to the other an annual report containing aggregate data on actions under the agreement, and providers may themselves publish statistical information on the orders they have received.

The agreement acknowledges the final factor—commitment to a free and open internet—only by stating that one of its purposes is “to protect privacy, civil liberties, and an open Internet[.]” Like the human rights analysis, this determination appears to be based on a background understanding of U.K. and U.S. law, rather than any specific clause of the agreement.

Certification Requirement 2: Minimization Procedures

The second requirement, contained at 2353(b)(2), is that a partner nation must adopt appropriate minimization procedures for the acquisition, retention and dissemination of information concerning U.S. persons.

The agreement addresses these procedures in two ways. First, it includes language preventing the targeting of U.S. persons, as is required by both 2353(b)(2) and 2353(b)(3). The CLOUD Act requires that no U.S. person or person located in the U.S. may be intentionally targeted by an order; that an order may not be used to target a non-U.S. person for the purpose of conducting an investigation on a U.S. person; and that no order may be issued by a partner nation at the request of the U.S. or another country. The agreement contains these requirements in Article 4, though skeptics of the CLOUD Act have pointed out that neither the act nor the agreement contains mechanisms to prevent U.S. (or U.K.) citizens from being incidentally surveilled in investigations targeted at a third-party national. Additionally, the protections for U.S. persons are stronger than for U.K. persons, who may be targeted by American surveillance orders when they are physically located outside the U.K.

Second, the agreement applies minimization procedures to all information produced under orders, which would encompass orders that could produce information on U.S. persons. These procedures are located in Article 7 of the agreement and include the requirement that the two parties to the agreement consult and approve each other’s minimization procedures, that any information be stored on a secure server and that any subsequent changes require approval of the other party. This article further requires the U.K. to segregate, seal, delete and not disseminate any material that either is not relevant to an offense covered by the act or is necessary to protect against serious physical harm. The specific language of these sections of the agreement is drawn directly from the CLOUD Act.

These minimization requirements are designed, at least in theory, to prevent either government from being able to use orders under the agreement as a backdoor to conduct surveillance on each other’s citizens. However, Article 7 ¶ 5 does allow both parties to share information found under the agreement if they may do so without violating these minimization procedures, and if the information relates to significant harm or a serious crime. This paragraph also draws directly from language in the CLOUD Act. Additionally, nothing in the agreement stops either party from conducting surveillance on each other’s citizens or from issuing court orders for their data, through other mechanisms of domestic law.

Certification Requirement 3: Encryption Neutrality

As required by the CLOUD Act, the agreement does not contain any language that affects either country’s decryption policies.

Immediately prior to the signing of the agreement, the Sunday Times, a British newspaper, reported that the agreement would require service providers such as WhatsApp and Facebook to decrypt messages pursuant to a government order. This story turned out to be erroneous—but on the same date that the U.S. and U.K. signed the agreement, they also released a joint letter with Australia requesting that Facebook refrain from going forward with a plan to enact strong end-to-end encryption in its messaging systems. This is consistent with the CLOUD Act’s language requiring any change in decryption policy to stem from separate agreements or changes in domestic law.

Certification Requirement 4: Mandatory Procedural and Substantive Requirements

The final set of requirements in the CLOUD Act deals with a variety of mandatory substantive and procedural requirements, including the ban on targeting U.S. persons and the ban on using orders for cases that violate American norms of free speech.

Many of these requirements deal with the exact process for issuing an order. The CLOUD Act requires such an order to be related to the “prevention, detection, investigation, or prosecution of a serious crime, including terrorism,” but the agreement narrows this scope to allow orders to apply only to “Serious Crimes,” which it defines as offenses that carry a maximum prison term of at least three years. Thus an order could only be used to investigate terrorist activity that also qualifies as a “Serious Crime,” rather than the much more open-ended standard under the COPO Act that allows an order “for the purposes of terrorist investigation.”

The CLOUD Act further requires that any order identify the specific location of the data, and be based on “reasonable justifications based on articulable and credible facts, particularity, legality, and severity.” The agreement adopts this requirement verbatim. This creates a higher standard than is required under British law. the COPO Act allows an order to be issued if a judge has “reasonable grounds” to believe that the order would aid a terrorist investigation or investigation into a crime; that the person investigated has possession or control of the data; that the data would be of substantial value to an investigation; that the data are relevant; and that such an order is in the public interest. By including this requirement verbatim, the agreement addresses some of the concerns of critics over the British ability to issue “general warrants” under its “reasonable grounds” standard. But this is still a lower standard than the probable cause requirement, which is required for a U.S. judge to issue a warrant.

The next requirements governing orders apply to wiretaps or other electronic intercepts. Such orders must be of fixed duration and must last for no longer than is reasonably necessary, and there must be no less-intrusive methods available. This is a similar framework to that used in the U.S. statute that governs wiretaps, Title III of the Omnibus Crime Control and Safe Streets Act of 1968. The agreement also adopts the CLOUD Act’s language essentially verbatim.

This section of the agreement has been criticized by civil liberties advocates. Under Title III, the United States requires a higher standard than probable cause—often called a “super-warrant”—in order to conduct real-time surveillance. But the agreement would allow Britain to request such real-time data from American service providers using the U.K.’s lower evidentiary standards. Critics have also noted that the agreement does not clarify what the limits on duration or necessity mean in practice and that it does not require notice to the owner of the data, as is true under U.S. law.

The final substantive requirements of the CLOUD Act concern reciprocal rights of data access and the removal of restrictions on service providers that would otherwise prevent them from responding to orders from either party. This principle of reciprocity is discussed in Article 2 of the agreement, but it is also reflected throughout by imposing the same obligations and rights of data access on both parties. In practice, though, as more service providers are located in the U.S. than the U.K., the agreement will have more of an effect on the ability of U.K. law enforcement to access the content of communications held by U.S. service providers.

Conclusion

Going forward, the burden will now be on both nations to show that such an agreement does in fact protect privacy and civil liberties. Many details of how the agreement will work in practice remain to be seen, including what the evidentiary standards will be for the U.K. to request orders, the limitations on wiretaps and whether there are sufficient safeguards to prevent breaches of privacy against each country’s citizens. Still, the U.S.-U.K. Bilateral Data Access Agreement can serve as a useful model for both the United States and other nations as they consider how best to implement cross-border data sharing. It demonstrates how nations can use a combination of their domestic laws and the language of the CLOUD Act to craft agreements that meet their minimum standards, at least on paper.


Nathan Swire is a recent graduate of Harvard Law School. Prior to law school he served for four years as an Infantry Officer in the U.S. Army, primarily with the Second Cavalry Regiment based out of Vilseck, Germany. He holds a bachelor's degree in Government from Dartmouth College.

Subscribe to Lawfare