A Possible EU-US Agreement on Law Enforcement Access to Data?
On May 22, Attorney General Jeff Sessions will meet with senior European law enforcement officials. In the wake of the Cloud Act, enacted by Congress at the end of March, the possibility of an EU-U.S. agreement on law enforcement access to digital evidence is almost certain to be on the table.
Published by The Lawfare Institute
in Cooperation With
On May 22, Attorney General Jeff Sessions will meet with senior European law enforcement officials. In the wake of the Cloud Act, enacted by Congress at the end of March, the possibility of an EU-U.S. agreement on law enforcement access to digital evidence is almost certain to be on the table. The EU is separately moving ahead with its proposed “E-Evidence” Regulation, which would streamline law enforcement access to data among its 28 member-states.
As we have discussed at length on Lawfare and elsewhere, the Cloud Act authorizes the U.S. to enter into executive agreements with foreign governments so as to better facilitate law enforcement access to data across borders, pursuant to a long list of procedural and substantive safeguards. Countries that sign executive agreements with the United States no longer need to go through the mutual legal assistance process to request communications content from U.S.-based providers; rather they can, pursuant to a long list of substantive and procedural safeguards, directly request the data from U.S.-based providers, so long as they are seeking the data of foreigners located outside the United States. Conversely, those governments must commit to ensuring that U.S. law enforcement can directly request communications content from those countries’ local providers—also enabling the United States to bypass the otherwise applicable mutual legal assistance process.
In considering a possible EU-U.S. agreement on data transfers, the first question to ask is whether the Cloud Act allows the United States to enter into an agreement with the EU as a whole, or whether instead, negotiations must proceed country-by-country for each member-state. To reach any sort of agreement, the negotiations also would need to comply with EU law, which has a number of requirements that may be unfamiliar to U.S. lawyers and could be tricky to navigate.
In this post, we describe the key legal requirements under both U.S. and EU law. We next explore one possible approach: a framework EU-U.S. agreement so as to set key standards and resolve issues of importance across the EU. Each individual country would then need to establish (and, pursuant to the terms of the Cloud Act, be certified as complying) that it meets the requisite standards before it can join the framework agreement. From what we can determine at this early stage of negotiations, this approach appears to satisfy the legal requirements of the Cloud Act and EU law, take into account the variety of member-state legal regimes, and have the advantage of setting out significant common safeguards and procedures across the EU.
U.S. Law: The Cloud Act and “Foreign Governments”
Though the Cloud Act envisions executive agreements with “foreign governments,” it does not define what constitutes a “foreign government”—thereby raising the question as to whether and in what circumstances the U.S. would be permitted to enter into an agreement with the European Union itself, consistent with the terms of the statute. For the reasons we discuss here, we think that such an agreement is possible, but if and only if there is a separate certification for each member-state (or subdivision of a member-state).
In accordance with its ordinary understanding, a read of the rest of the Cloud Act, and use elsewhere in the U.S. code and regulations, the term “foreign government” seems to refer to a government of a particular foreign country or possibly a political subdivision of that country.
Importantly, the Cloud Act requires each “foreign government” to be certified by the attorney general, with the concurrence of the secretary of state, as affording “robust substantive and procedural protections” for privacy and civil liberties in its “domestic law,” among multiple other requirements. This suggests, at a minimum, that the U.S. must undertake and produce an inquiry, analysis, and finding with respect to the domestic legal system of each member-state or subunit thereof with which the United States would enter into an agreement. We do not see a convincing read of the statute that can bypass this requirement.
Under this approach, nothing in the Cloud Act prohibits the EU and the United States from lawfully negotiating a general framework, laying out specifics of how any such agreements would be implemented. Such a framework could, for example, set out: rules and procedures as to how minimization procedures would work, so as to protect against the dissemination of non-relevant information; procedures and standards regarding compliance reviews by the United States; and additional specificity as to baseline requirements that each member-state must meet, including things like the nature of the required judicial or independent review and protections for free speech.
This framework approach has the advantage of allowing the U.S. to negotiate one general agreement, pursuant to which each EU member-state could individually accede. This kind of framework agreement also opens up the possibility for some other EU-wide entity such as Europol to play a role in oversight and compliance, so as to help ensure the requirements of the Cloud Act are met. In addition, consistent with the understanding of the term “foreign government” as referring either to the government of a foreign country or a political subdivision, it opens up the possibility that particular subunits within EU member-states could be certified as meeting the relevant requirements, even if the country as a whole could not. Under this approach, for example, requests from a particular government would have to be channeled through certain certified units or subdivisions, which would in turn be required to meet the requirements of the EU-U.S. agreement; this would facilitate the possibility of quality control.
Such a framework agreement could and should address the issue of how the Cloud Act’s reciprocity provision would work. The Cloud Act requires that foreign governments continue to employ the mutual legal-assistance treaty (MLAT) system if they are seeking data of U.S. persons (defined as citizens and legal permanent residents) and others located in the United States—a provision that ensures U.S. rules regarding a warrant based on probable cause continue to govern the accessing of U.S. person’s data. The act also requires “reciprocal rights of access” from the non-U.S. government. Foreign governments could read this to require that the United States go through the MLAT system if and when the United States were seeking data of that foreign government’s citizens and residents.
Potentially complex issues then arise for how an EU-U.S. agreement would operate. For instance, under a bilateral German-U.S. agreement, this approach would mean that the United States would need to employ traditional MLAT procedures if seeking the data of German citizens and residents. Under EU law, however, there is non-discrimination jurisprudence that suggests that protections offered to citizens of one nation (Germans) should apply to all EU citizens. If applicable, this would mean that the U.S. would have to go through the MLAT system any time it sought to directly access a EU citizen’s data directly from an EU-based provider.
We believe careful legal work will be needed to interpret the scope of the reciprocity provision in the Cloud Act and the related non-discrimination principles of EU law. Resolving these issues should proceed at the EU level, because these questions have ramifications for all member-states and for the ultimate stability of any such agreements, particularly if subject to legal challenge.
EU Law: “Competence” and Other Issues
EU law contains its own complexities about whether and to what extent the EU can be a counter-party for negotiations of executive agreements under the Cloud Act. These EU legal issues include: “competence” of the EU; the relationship between a possible EU-U.S. agreement and development of the proposed E-Evidence Regulation; and the obligations to protect fundamental rights while enabling new forms of law enforcement cooperation.
The issue of competence involves the allocation of power between the EU and its member-states. There are some areas where the EU has exclusive competence; some where it has shared competence with member-states; and some where it has none. To the extent that the issue of cross-border data arrangements is deemed an exclusive EU competence, it will be difficult for the U.S. to insist that negotiations take place only with the member-states. The allocation of competence between the EU and member-states, however, is the subject of ongoing debate and discussion.
As background, EU legal instruments apply generally to a wide range of commercial and government action where the EU has either exclusive or shared competence. Notably, EU law regularly applies to law enforcement activities, such as in the Law Enforcement Data Protection Directive that is going into effect this month together with the better-known General Data Protection Regulation. The Law Enforcement Directive sets EU legal rules for “competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties,” and also applies for “safeguarding against and the prevention of the threats to public security.”
By contrast, national security is outside of the competence of EU law; consequently, Recital 14 of the Law Enforcement Directive says it does not apply to “activities concerning national security” or “activities of agencies or units dealing with national security.”
The scope of EU competence also arises under the new E-Evidence regulation proposed by the Commission in April. This regulation provides support for the view that the EU has at least shared competence or a combination of exclusive competence and mixed competence, in at least some instances. Once finalized, the regulation would create a European Production Order, so law enforcement from any one of the member-states could, if lawfully requested, compel production of sought-after data from a service provider in any other member-state. For instance, a French law enforcement order could be issued directly to a company headquartered in Ireland, the home base in Europe for many service providers.
The proposed E-Evidence regulation thus provides support for direct EU-U.S. negotiations under the Cloud Act in two ways. First, the legal rationale for the proposed E-Evidence Regulation supports the finding of EU competence in this area. Second, any negotiations under the Cloud Act (for U.S. to EU evidence requests) would need to be closely integrated with the E-Evidence Regulation (for evidence requests between EU member-states) so as to ensure harmonization of approaches across borders.
Separate and apart from the competency issues, legal developments in the EU have trended toward stricter protection of fundamental rights, including privacy rights. Take, for example, the 2015 Schrems case striking down the EU-U.S. Safe Harbor; the pending referral of the Schrems II case to the European Court of Justice, which involves a challenge to use of standard contract clauses for transfer of personal data from the EU to the U.S.; and the ECJ ruling striking down the EU-Canada agreement on the transfer and processing of passenger name record data for air travelers given concerns about how the data was used once transferred to Canada. Any new mechanisms for cross-border law enforcement cooperation must comply with the fundamental rights protections demanded by EU law. These too will be applicable on an EU-wide basis, further strengthening the case for negotiation with the European Commission as an institution with responsibility and expertise across the EU.
Compared with negotiating with each member-state, there could be significant advantages for the U.S. in negotiating with the EU institutions. Any agreement on law enforcement transfers of data will only succeed if it passes muster under EU law, and the EU-level institutions have the greatest expertise in the subtleties of what will likely survive judicial review. They also have previous experience negotiating in this area, as with the EU-U.S. umbrella agreement on data protection for law enforcement and the EU-U.S. Agreement on Mutual Legal Assistance.
In summary on EU law, there may well be a range of issues where the EU, rather than each member-state, is the appropriate and presumably best negotiator under EU law. That conclusion is bolstered by the issuance of the proposed E-Evidence Regulation. Negotiations also would benefit from EU-level expertise about how to comply with fundamental rights review by European courts.
The Policy Issues: Why an EU-U.S. Agreement Is a Good Idea
To succeed, any agreement on law enforcement transfers, must comply both with U.S. and EU law. There is therefore a need to reconcile Cloud Act’s requirement that executive agreements be with “foreign governments” and the EU requirements for negotiating at the EU level with respect to those areas for which the EU has exclusive competence. One promising path would be to conduct negotiations on a framework agreement at the EU level, while implementing agreements with each nation consistent with that framework and the certification requirements of the Cloud Act.
In addition to the points already discussed, we highlight three additional reasons that favor such an approach. First, the EU supports having negotiations at the EU level, as shown for instance by this statement by EU Justice Minister Jourová: “I want to see the EU and the U.S. have compatible rules for obtaining evidence stored on servers located in another country, in order to solve serious crimes.” During consideration of the Cloud Act, Sen. Orrin Hatch similarly spoke in favor of implementing an agreement with the EU.
Second, the proposed E-Evidence Regulation includes a requirement that providers offering services in the EU have a point of contact for purposes of receiving legal process under that Regulation. The U.S. could perhaps use the negotiations over an EU-U.S. agreement to secure reciprocal obligations on EU providers that serve the U.S..
Third, the U.S. can use these agreements to address, and ideally resolve, another key issue presented by the Cloud Act—namely the reach of U.S. warrants over data held in the EU. As those familiar with the Cloud Act know, the act contains two key parts. One provides for the kind of executive agreements that we have focused on here. The other part clarifies that a U.S. warrant issued to a U.S.-based provider compels disclosure of data in that provider’s custody or control, regardless of where that data is located. This, however, creates a potential conflict with EU law, given EU legal provisions that limit when data can be transferred outside of the EU. The scope of any such conflicts is still uncertain, as it depends on the yet-unknown interpretation of the soon-to-be implemented General Data Protection Regulation—an issue that one of us (Daskal) has discussed in more depth. An EU-wide agreement can address, minimize, and ideally eliminate, such conflicts.
It is likely an EU-U.S. agreement on cross-border access to data will become a topic of conversation during the upcoming ministerial meeting. We think this is something that should be pursued, although there are complex issues of both U.S. and EU law and policy to consider. Considerable analysis and discussion will undoubtedly be needed before any eventual agreement is possible.
This article is cross-posted at Just Security.