First Insights Into the U.S.-U.K. CLOUD Act Agreement

Richard Salgado
Monday, March 10, 2025, 8:00 AM
A Justice Department report reflects early success and shortcomings of the agreement, especially around protecting U.S. cybersecurity.
World map and flat screen computer monitor illustration. (https://www.pickpik.com/cyber-security-online-computer-cyber-network-technology-8332, Public Domain)

Published by The Lawfare Institute
in Cooperation With
Brookings

The Department of Justice recently renewed its CLOUD Act agreement with the United Kingdom. It also submitted a report to Congress, the first of its kind, offering an initial glimpse into the implementation of the agreement. The report reflects some early success, unexpected shortcomings, and several significant issues that policymakers must address.

The report has far fewer details than Matt Perault and I have previously called for, but it does appear anecdotally that the U.K. has found the agreement valuable, and that the U.S. has too, though to a vanishingly small extent. At the same time, the agreement falls significantly short of meeting essential goals. The report suggests, in muted tones, that the U.K. bears responsibility for these shortcomings and can rectify them. When read in light of the recent reports that the U.K. is aggressively pursuing Apple in another attack against encryption, it also highlights the untapped potential that remains with these agreements, and how all of them must be fortified if they are to achieve the noble aims of the CLOUD Act and protect national interests.

A Primer on the CLOUD Act Agreement

Due to the popularity of the services they offer around the world, U.S. service providers hold an enormous amount of user data, data that is subject to U.S. law, including important privacy provisions. Foreign jurisdictions conducting criminal investigations increasingly found that evidence they needed was in the hands of these providers, and getting it was no easy task due to U.S. law blocking disclosures.

These investigators typically needed to rely on a slow diplomatic process, like mutual legal assistance treaties (MLATs) that required the U.S. government to get the information from the U.S. providers through the courts. This was true even in investigations in which the U.S. had no need to be involved. The U.S. MLAT process became even slower as an onslaught of requests came in from around the globe. (To a far lesser extent, criminal investigators in the U.S. faced similar problems seeking information from providers abroad.)

This issue led jurisdictions to consider or pass unilateral extraterritorial surveillance laws meant to reach across shores to U.S. companies and force them to disclose user data without regard to U.S. law or to the equities the U.S. has in how and when U.S. companies disclose user data. Some of these surveillance laws also imposed requirements that the companies maintain surveillance capabilities or localize data, or take other steps to defeat security features to the detriment of cybersecurity and privacy.

The CLOUD Act agreement provision was intended by Congress to advance the following goals:

  • Allow foreign countries to more effectively investigate legitimate cases of serious crime while protecting human rights, the rule of law, and essential interests of the U.S.
  • Reduce the burden on the Justice Department and U.S. courts by allowing U.S. providers to disclose data directly to jurisdictions with which the U.S. has an agreement, avoiding government-to-government mutual legal assistance processes. (Although not a primary one, another goal was to allow providers in the other jurisdiction to disclose data to U.S. authorities on the same terms.)
  • Reduce the incentive foreign countries have to impose surveillance-related laws on U.S. companies.

To achieve these goals, the CLOUD Act changed U.S. privacy law to allow U.S. companies to disclose user data in response to legal requests from foreign jurisdictions subject to conditions, including:

  • There must be an executive agreement in place between the U.S. and the other country, and to qualify for an agreement, the other country has to meet human rights standards and honor the rule of law, among other requirements.
  • The demands to U.S. providers must “be for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of serious crime, including terrorism.”
  • The information demanded may not be that of someone physically in the U.S. or an American citizen, national, or permanent legal resident.
  • The demands may not interfere with essential national interests, including freedom of speech.

Of course the arrangement was reciprocal, so the providers in the other jurisdiction should be able to honor similar requests from U.S. law enforcement. Given that so much of the world’s information is held by U.S. providers, it is understood that the U.S. is unlikely to use CLOUD Act agreements as much as the other parties.

The first agreement, with the U.K., went into force on Oct. 3, 2022. The only other country to enter into a CLOUD Act agreement thus far is Australia. By law, each expires after five years unless renewed.

The First CLOUD Act Report to Congress

The Department of Justice recently renewed the agreement with the U.K., as the report reflects. As part of that, it submitted a report to Congress as is required by statute. There are five key insights from the report that policymakers should consider.

1. The U.K. has availed itself of the agreement with vigor and almost entirely for intelligence gathering through wiretapping. As of October 2024, the U.K. issued 20,142 requests to U.S. service providers under the agreement. Over 99.8 percent of those (20,105) were issued under the Investigatory Powers Act, and were for the most part wiretap orders, and fewer than 0.2 percent were overseas production orders for stored communications data (37). The Justice Department characterizes this as “robust” use of the agreement. Google has begun reporting statistics on its receipt of CLOUD Act requests, and they are largely consistent with the numbers in the report.

2. The report provides no information on what percentage of the 20,142 requests revealed any useful information, but does present some context-free illustrations that demonstrate the usefulness of information obtained through the agreement.

Relying on representations from the U.K., the report reflects that in the first half of 2024, the agreement “contributed directly to 368 arrests, the seizure of 3.5 tons of illicit drugs, the recovery of GBP 5 million, the seizure of 94 firearms and 745 rounds of ammunition, and the identification of 41 threats to life and 100 threats of harm.”

3. The U.K.’s implementation of the agreement has failed to advance Congress’s intended goal of alleviating the burden on the Justice Department and U.S. courts.

The CLOUD Act agreement provision establishes an alternative channel for foreign law enforcement agencies to obtain information from U.S. providers, bypassing traditional and infamously slow diplomatic routes such as MLATs. Nearly all of the requests made by the U.K. through the agreement, however, could never have been made using diplomatic procedures, since MLATs cannot be used for wiretapping authority, so they displaced none of that burden. On top of that, the U.K. has continued to use the MLAT process at the same rate as before the CLOUD Act.

4. The U.S. has used the agreement very little (as expected), with mixed results.

The United States made 63 requests to U.K. providers between Oct. 3, 2022, and Oct. 15, 2024. All but one request was for stored information. The Justice Department report says that information obtained from U.K. providers helped “further investigations against computer intrusion, fraud, money laundering, threats and extortion, tax offenses, and customs violations, among other criminal activity.”

The low volume relative to requests from U.K. authorities to U.S. providers is expected for a few reasons. First, as the report acknowledges, unlike the U.S., the U.K. does not have many service providers with a user base that spans the globe. Most of the providers offer services only within the country. The agreement does not allow the U.S. to submit requests to those providers for information about U.K. persons, so most of the users are off limits. Second, most of the providers in the U.K. are phone companies, not email, social media, or cloud providers. Thus, the scope of information is limited. Third, related to the first two reasons, the U.K. providers have relatively fewer users overall.

One irony to note is that, as lightly as the U.S. is using the agreement, it’s likely that the agreement has decreased the burden on the U.K. MLAT system in processing U.S. requests more than it has on that of the U.S. MLAT system in processing U.K. requests. Here’s why: 62 of the requests made by the U.S. would have otherwise gone to the U.K. through the MLAT system (assuming the U.S. cared enough to invoke the MLAT process for the data). At most, only 37 of the U.K. requests under the agreement might have qualified for the MLAT process.

Something unexpected that the report revealed was the Justice Department’s various challenges in its engagements with U.K. providers. The report detailed the reluctance of some U.K. providers to cooperate with U.S. requests. This hesitancy, according to the Justice Department, comes from “lingering data protection concerns” about possible liability under U.K. law if they were to disclose data. The Justice Department also politely complains that the U.K. government has done little to make sure U.K. providers know that they are permitted to honor U.S. requests. According to the report, the U.K. government is looking to amend the data protection law to remove any doubt about the legality of honoring CLOUD Act requests.

The report also said that the U.K. Data Authority, the agency that oversees compliance with data protection law, has been slow to approve U.S. requests to share with other jurisdictions information the U.S. collected from U.K. providers under the agreement. The Justice Department and the Data Authority are in a tussle about what information the Justice Department needs to disclose to the Data Authority about the proposed onward transfer to warrant approval under U.K. law. Presumably, the Justice Department doesn’t want to tell the Data Authority as much as the Data Authority wants to know.

Overall, the United States’s light usage of the agreement should help assuage concerns in Europe and in other jurisdictions that agreements such as that of the CLOUD Act threaten to expand U.S. surveillance.

5. The agreement did not achieve the congressional objective of dissuading governments from passing dangerous surveillance laws (for example, those that threaten cybersecurity) and applying them to U.S. companies.

As reported in the press, the U.K. has sought to compel Apple to disable certain end-to-end encryption protection on all iPhone backups globally, which would make those backups available in plain text to U.K. authorities through the CLOUD Act agreement. Although the CLOUD Act requires that the report to Congress include a description of “problems or controversies” arising from implementation of the agreement, the Justice Department report is silent about this extraordinary demand to Apple. This is perhaps because the department didn’t know about it, or because it is respecting U.K. requests for secrecy. Regardless, there’s no doubt the Justice Department recognizes that had Apple complied, it too would benefit from this foreign law that could likely never have passed in the United States.

Tellingly, in the report, the Justice Department expresses surprisingly little concern about other recent troubling changes to U.K. surveillance law purportedly applicable to U.S. companies, saying that these changes “do not directly implicate” CLOUD Act criteria. When addressing concerns raised by providers, the report does acknowledge that providers warned the Justice Department about recent changes to U.K. law that, in combination with existing U.K. powers, could be used by U.K. authorities to “impede changes to privacy and security features that U.S. providers offer globally.” This appears to be what the U.K. has done with Apple. It likewise cites the concern of an unnamed provider that the nondisclosure provisions in U.K. law restrict its ability to inform the Justice Department about U.K. practices. This is an issue that Jim Baker and I have raised before. In its report, the Justice Department takes a minimalist view of the significance of these sorts of issues when considering agreement renewal. It looks exclusively at commitments made in the agreement or orders, and in renewal criteria in the statute. Characterizing the provider concerns as irrelevant “to the [enumerated] statutory considerations in the CLOUD Act,” the Justice Department casts them aside.

Recommendations

The report makes it clear that changes are needed if CLOUD Act agreements are to achieve the important objectives intended by Congress. A robust discussion of how to do this is essential. Below is a summary of priority recommendations for policymakers to consider.

Relieve the Burden of Mutual Legal Assistance

Before submitting an MLAT request, a CLOUD Act party should have at least attempted to invoke the CLOUD Act agreement to make requests. Since CLOUD Act requests aren’t compulsory in themselves, some providers may decline to honor them. That means the MLAT process remains necessary, but it should be secondary. This could be implemented through a change to the CLOUD Act and in each agreement to specify that the agreement serves as the primary mechanism for obtaining information covered by it, and that mutual legal assistance will be pursued only if the agreement process has failed or would clearly be futile.

Inhibit Extraterritorial Surveillance-Related Laws

Parties to CLOUD Act agreements should agree not to enact or enforce surveillance laws to regulate the providers in the other’s jurisdiction or their subsidiaries. These surveillance laws include compulsory orders to disclose data. But the agreements should also prohibit adoption or enforcement of often-overlooked technical capability obligations, mandates to defeat or withhold security features, minimum data retention rules, and data localization requirements. In addition, the Justice Department should notify Congress of significant surveillance-related events that are relevant to the purposes of the CLOUD Act when it becomes aware of them, and not wait for the renewal date. Both of these can be implemented by specifying in the CLOUD Act that such laws are disqualifying and require notification to Congress, and in the agreement that enactment of such laws can result in immediate suspension or termination of the arrangement, or its nonrenewal.

Protect Cybersecurity

The U.S. should assert cybersecurity as a “national interest” in the CLOUD Act and in the agreements. In the event a party to an existing agreement takes action against a provider that would “significantly affect U.S. interests in ensuring U.S. companies follow responsible cybersecurity practices,” as Sen. Alex Padilla (D-Calif.) and Rep. Zoe Lofgren (D-Calif.) wrote in their letter to the attorney general on this issue, the provider should be allowed to notify U.S. officials. The attorney general should then notify relevant committees (including the Senate and House Judiciary committees and the Senate Foreign Relations and House Foreign Affairs committees) and consider immediate action, in consultation with those committees. This too can be included in the CLOUD Act and the agreements.

Evaluate Efficacy

The reports to Congress are important, as even this rather cursory report demonstrated. These reports need to provide more information about the use of the agreement. Without more detail, it is impossible to know, for example, how many of the more than 20,000 wiretaps were of any real value, what categories of crime they covered, or how many Americans were swept up in the surveillance.

*** 

There’s no doubt that, given the aggressive action by the U.K. authorities against Apple, there will be calls to abandon CLOUD Act agreements. That would be a mistake. The Justice Department report shows the potential of these agreements as a vehicle through which the U.S. can advance its national interests (like cybersecurity, reducing unnecessary burden on the MLAT system, and advancing the rule of law and human rights). Congress and the Justice Department need to make changes to achieve this potential, but it is in reach.


Richard Salgado teaches at Stanford and Harvard Law Schools. He also serves as an Advisory Board Member of American University Washington College of Law’s Tech Law and Security Program, a Visiting Fellow on Security and Surveillance with the Cross-Border Data Forum, and a Senior Associate (Non-resident) with the Center for Strategic and International Studies. Richard founded a consultancy to provide guidance to organizations navigating cybersecurity and surveillance challenges. Richard has over 35 years of experience across the private sector, government and academia, including as Google’s Director of Law Enforcement & Information Security for 13 years, and as a prosecutor with the Computer Crime and Intellectual Property Section of the Justice Department.