
Recommendations for the Potential U.S.-U.K. Executive Agreement Under the Cloud Act

Peter Swire, Justin Hemmings
Thursday, September 13, 2018, 10:22 AM


Published by The Lawfare Institute in Cooperation With Brookings

Congress this fall will likely face the first executive agreement negotiated under the new Cloud Act. The U.S. and United Kingdom have been negotiating such an agreement since at least 2016. Recently, the British government introduced a new bill designed to create the legal structure for the U.K. side of the agreement. The Justice Department this summer has met with academic experts, civil-society members, and others who have been involved in issues related to the agreement. As part of the Cross-Border Data Forum’s ongoing work on these issues, this article explains key points for the Justice Department and Congress to consider if, as we expect, an agreement is presented for consideration on the Hill.

Background

Congress passed the Cloud Act as part of the March 2018 omnibus budget bill. The Cloud Act was designed to facilitate law-enforcement access to data stored in foreign countries, consistent with privacy and civil liberties protections, and to alleviate pressure on the existing mutual legal-assistance treaty (MLAT) system. The Cloud Act authorizes the U.S. to enter into “executive agreements” with foreign governments to create streamlined procedures for each country’s law-enforcement officials to access data held in the other’s jurisdiction. The attorney general and secretary of state must certify to Congress that any agreement meets a series of required legal and procedural safeguards detailed in 18 U.S.C. §2523, a provision of the Cloud Act. Congress then has an opportunity to investigate and disapprove of the agreement. If Congress fails to pass a resolution of disapproval within six months, the agreement goes into effect, and is subject to review and recertification after 5 years.

As the U.S. and U.K. appear to be moving towards executing the first Cloud Act executive agreement, the requirements and safeguards included in the Act will be tested for the first time. The Cloud Act has been subject to criticism by civil liberties groups domestically, and by the European Parliament and others abroad. Given this skepticism towards the Cloud Act, it is important that the process be open and robust to publicly demonstrate that these agreements will not be mere “rubber stamps” for existing U.S. allies and that the safeguards and protections listed in the Act will be enforced.

In anticipation of a possible executive agreement, the U.K. Parliament is currently considering a bill that would introduce a new mechanism for British law enforcement to compel the production of evidence under foreign agreements, including the Cloud Act and MLATs. This bill would create a new “overseas production order” that British law enforcement officers, pursuant to international agreements, could use to demand access to evidence held outside Britain. Given the clear indications that the bill is meant to operate under a potential U.S.-U.K. Cloud Act agreement, this piece will consider the bill’s requirements alongside existing U.K. law in identifying areas of concern that warrant additional scrutiny and consideration during the negotiation process for the executive agreement to ensure compliance with the Cloud Act’s Section 2523 requirements. These concerns might be addressed either through amendments of the Crime Bill, or by provisions in the U.S.-UK agreement. We make recommendations in the following areas:

Transparency

Transparency is essential for the safeguards and remedies of the Cloud Act to be effective. To meet the requirements in Section 2523 of the law, and to demonstrate the effectiveness of Cloud Act safeguards to U.S. and foreign stakeholders, some degree of transparency should be permitted for both individual orders and overall trends in orders issued by the U.K. pursuant to the executive agreement.

Transparency concerns arise under Section 8 of the U.K. draft bill, which provides that a British judge issuing an overseas production order may include a non-disclosure requirement. That requirement can forbid the recipient of the order from disclosing the making of the order and its contents “to any person.” The recipient may receive leave of a judge or the written permission of an appropriate British official to disclose the order and its contents, but it remains up to the discretion of those authorities. While the order must specify an expiration date for the non-disclosure requirement, the bill provides no limits on the length of time disclosure may be withheld. The requirement and the Crime Bill’s procedures raise at least four specific transparency issues to address.

First, the non-disclosure requirement could be read to forbid a recipient from seeking advice even from outside counsel or others working on behalf of the recipient of such an order. U.S. recipients of a British overseas production order should be explicitly permitted to disclose the order to agents acting on their behalf, such as outside counsel. The bill might be clarified to provide a definition of “persons” for the purpose of the non-disclosure requirement that does not include those working on behalf of the recipient, provided that all recipients are bound to confidentiality. The ability of the recipient to seek outside counsel ensures that companies have a means of testing whether any individual order is lawful and should be referred to the Justice Department for review.

Second, the text of the Cloud Act supports permitting the recipient of a non-disclosure order to disclose the order to the Justice Department. Under Section 2523(b)(4)(K), an executive agreement under the Cloud Act must include a reservation of the U.S. government’s right “to render the agreement inapplicable as to any order for which the United States Government concludes the agreement may not properly be invoked.” The U.S. government would not be able to exercise this right without being able to review the contents of a specific order. A prohibition on disclosure to Justice would thus violate the Cloud Act’s requirements.

Third, the non-disclosure requirement might be read to prohibit even aggregate reporting of overseas production orders received from the British government. Effective oversight of the functioning of the executive agreement, however, should include accurate reporting of the number of orders issued under that agreement. Even companies subject to a non-disclosure requirement should be able to include the number of overseas production orders received from the U.K. in their regular transparency reporting in order to offer insights to customers and outside watchdogs.

Fourth, the Crime Bill as written does not require notification to the target, even though Section 7 of the Bill states that “any person affected by the order” (emphasis added) may apply to modify or revoke an overseas production order. Eventual notification to the target provides the individual an opportunity to challenge an order even if no prosecution relying on the evidence obtained by that order is eventually brought. This sort of delayed notice applies, for instance, under the Electronic Communications Privacy Act, at 18 U.S.C. § 2705.

Stay of Enforcement When Referred to the Justice Department

Under the Crime Bill, the only explicit avenue for a recipient to challenge a British overseas production order is to raise an objection in U.K. court. As just discussed, the Cloud Act provides that the Justice Department can moot a specific order issued under an executive agreement. While the Cloud Act does not explicitly require or authorize the recipients of a foreign order to share that order with the Justice Department, the department obviously cannot invalidate an order if it has no means to review it. To avoid confusion, the agreement should explicitly permit recipients of U.K. overseas production orders to refer a specific order to the Justice Department for review. The agreement should then stay the effect of the U.K. order until the Justice Department has an opportunity to respond. This referral mechanism would provide the basis for the Justice Department to work with the U.K. to resolve issues in an individual case and to further the department’s obligation to oversee the overall functioning of the agreement.

Although the bill only refers to raising objections in a U.K. court, that should not be a bar to notice to and action by the Justice Department. The bill enables the functioning of international agreements. These agreements may contain mechanisms for countries that receive requests or orders for electronic evidence (such as the U.S.) to filter out some incoming requests or orders (such as from the U.K.). For traditional mutual legal assistance requests, for instance, a request by the U.K. government for content would be subject to review by three levels of the U.S. government before being served on a recipient: the Justice Department’s Office of International Affairs, a U.S. attorney’s Office, and a federal judge. The Cloud Act and a U.S.-UK executive agreement would streamline this traditional process, allowing the British government to issue an overseas production order directly to service providers for orders that comply with the agreement. The agreement can and should then allow recourse to the Justice Department where a service provider cannot determine the legality of a U.K. order. Among other reasons, such recourse is important to enable the service provider to ensure that it is complying with U.S. law, and not subject to civil and criminal penalties under the Electronic Communications Privacy Act. Where the provider makes a good faith referral to the Justice Department, then the Crime Bill’s seven-day “shot clock” (period for required production of the evidence) should not apply.

Qualifying Crimes

The executive agreement should avoid a potential conflict between the types of investigations subject to an overseas production order under the Crime Bill and the “serious crimes” requirement of the Cloud Act. Under Article 4 of the Crime Bill, overseas production orders can be issued for any “indictable offenses” and “terrorist investigations,” with no caveat that the terrorist investigation be criminal. Under Section 2523 of the Cloud Act, however, a foreign government may only issue an order “for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of serious crime, including terrorism” (emphasis added). Therefore, the agreement should clarify that an overseas production order can be issued only pursuant to a criminal matter.

In addition, an executive agreement should clarify what indictable offenses do not qualify as “serious crimes” under the Cloud Act. Possible ways to define what qualifies as a “serious crime” include a minimum-sentencing requirement similar to the one used in the EU’s proposed “E-evidence” framework. Article 5 of the draft E-evidence Regulation states that a new “European production order” to produce transactional or content data may only be issued for either (a) “criminal offenses punishable in the issuing State by a custodial sentence of a maximum of at least 3 years,” or (b) a specified list of crimes such as child pornography and exploitation, terrorism, and drug trafficking, “if they are wholly or partly committed by means of an information system.”

Minimization Procedures

The Crime Bill or an executive agreement should define what minimization procedures should apply to any data concerning U.S. persons. Section 2523 of the Cloud Act requires a foreign government seeking an agreement to have minimization procedures to segregate, seal, or delete data received that is not relevant to a serious crime or necessary to prevent a threat of death or serious bodily harm to an individual. Section 2523 specifies that these procedures must “to the maximum extent possible, meet the definition of minimization procedures in section 101 of the [FISA Act].” The Crime Bill does not include any provision concerning such minimization. In order to conform to the Cloud Act, therefore, the agreement must provide for minimization procedures for personal information held in the United Kingdom. Among the several U.S. agencies that have published minimization procedures, the best model may be the minimization procedures for Title I FISA investigations. Title I investigations are similar to requests or orders under a Cloud Act agreement because they require minimization of U.S. person information. They are also appropriate because they involve the rules for the individual investigations under Title I, as contrasted for instance with larger-scale authorizations under programs such as Section 702 of FISA.

Time Limits for Accessing or Retaining Data

The Crime Bill currently lacks clear rules for time limits for accessing and retaining personal data pursuant to an overseas production order. Section 10 of the Crime Bill permits retention of such data “for so long as is necessary in all the circumstances.” This standard is much vaguer than the time limits required under European Union law. Even in the intelligence context, U.S. law provides a default retention period of five years, and in many settings that limit is shorter. A default retention period of no more than five years would match U.S. practice, and would also allow the U.S. government to review what data is set to expire during the Cloud Act’s required five-year reauthorization review. Exceptions may be carefully drawn, such as with a finding by a senior U.K. official that extension is necessary, and notice to the Justice Department of such extensions. One overall goal of the retention regime is to ensure that the U.S. can perform the compliance review required for an extension of the initial five-year period of the executive agreement.

A related concern is the potentially open-ended nature of overseas production orders for access under the Crime Bill. The Crime Bill states that an overseas production order can require the recipient to provide access to “the electronic data specified or described in the order.” This statutory language might be read expansively, to enable an overseas production order to continue for a long period, potentially even for years. To avoid such open-ended access demands, the U.K. might amend the Crime Bill to place limits on their duration. Such time limits are familiar under U.S. law, where wiretap and FISA orders remain open only for limited times, subject to renewal by a judge upon a proper showing. An executive agreement should ensure that there are time limits, rather than having such open-ended orders.

Freedom of Expression

The Cloud Act requires the country signing an executive agreement to adhere to international human-rights obligations, and specifically protects “freedom of expression, association, and peaceful assembly.” Under the traditional mutual legal assistance procedures, the Office of International Affairs has carefully reviewed legal assistance requests and filtered out content that might infringe on First Amendment rights. The U.K., however, criminalizes some activities that would be protected in the U.S. under the First Amendment. An Appendix to this post lists some British speech-related criminal laws. For speech-related crimes, the traditional mutual legal assistance process remains open for the U.K. in seeking evidence.

One good practice to address free-speech concerns would be for the Crime Bill or the executive agreement to require that the overseas production order state on its face what crimes are being investigated. If the crimes are based on expression that is protected under the First Amendment, then the service providers will be put on notice of the freedom-of-expression concern. The service providers could then consult with the Justice Department about how to proceed. This good practice would greatly assist in providing notice of speech-related investigations, even though it would not reveal all speech-related prosecutions. For example, an overseas production order might state that there is a conspiracy to commit fraud, while the investigation in fact concerns speech-related crimes. Such evasion of the free-speech protections in the Cloud Act would be an important topic to address under the Justice Department’s obligations to oversee the executive agreements and decide whether to recommend renewal after five years.

Central Authority

Under the Crime Bill, while any U.K. judge may issue an overseas production order, Article 9 designates two central authorities that hold the sole power to serve such an order. For an overseas production order made in England, Wales, or Northern Ireland, only the British secretary of state may serve the order. For an overseas production order made in Scotland, only the lord advocate may serve such an order. In addition, those officials may only serve an order if they consider “that to do so would be in accordance with a designated international co-operation arrangement.” Per the Crime Bill, any order that is not served within three months of being made must be treated as if it was immediately quashed at the end of that period.

An executive agreement between the U.S. and U.K. could more clearly delineate the roles of the secretary of state and the lord advocate. For example, as one of the authors (Swire) has discussed previously, compliance with an agreement can often be done most effectively with a clearly defined qualifying point of contact. On the same reasoning, the agreement could specify that the secretary of state and lord advocate be the point of implementation for minimization procedures.

Conclusion

The U.S./U.K. executive agreement appears to be heading toward public announcement and submission to Congress within a short time. This agreement will be the prototype for future agreements under the Cloud Act, and thus deserves careful attention. As part of our ongoing attention to implementation of the Cloud Act and related issues of cross-border government access to data, we have sought here to provide concrete and workable measures to ensure that any U.S./U.K. agreement conforms to the statutory text of the Cloud Act, as well as good public policy.

Appendix A: U.K. Speech-Related Criminal Statutes

Section 2523 of the Cloud Act requires an executive agreement to adhere to international human rights obligations, and specifically protects “freedom of expression, association, and peaceful assembly.” Under the MLAT regime, the U.S. screens electronic evidence requests to minimize the risk of any data being used to infringe on the right to freedom of speech and expression under the First Amendment. Under U.K. law, some actions that would be protected under the U.S. First Amendment are criminalized. This appendix includes a non-exhaustive list of crimes that can apply to free expression:

1. Malicious Communications Act

Under the Malicious Communications Act, it is a crime in the UK to send messages that are “indecent or grossly offensive,” or cause “annoyance, inconvenience, or needless anxiety to another” through electronic messages known to be false.

2. Communications Act 2003

Under Section 127 of the Communications Act 2003, it is a crime in the UK to send messages over a public communications network that are “grossly offensive or of an indecent, obscene or menacing character,” or to send knowingly false messages over a public electronic communications network in order to cause “annoyance, inconvenience or needless anxiety to another.”

3. Terrorism Act 2006

Under the Terrorism Act 2006, it is a crime in the UK to “glorify” past or future acts of terrorism, or to publish a statement likely to be understood by some members of the public as an indirect encouragement or inducement of an act of terrorism, regardless of whether the statement is effective in encouraging a terrorist act.

4. Public Order Act (Race and Religious Hatred)

Under the Public Order Act, it is a crime in the UK to utter or publish threatening, abusive, or insulting words or behavior intended to “stir up racial hatred” based on the relevant circumstances. A showing that the speaker or publisher did not intend to threaten, abuse, or insult is an affirmative defense to this crime.

5. Official Secrets Act of 1989

Under the Official Secrets Act, it is a crime in the UK to report on unauthorized disclosures of government information if the disclosing individual has reasonable cause to believe the information is protected against disclosure, even if the individual making the report does not have a UK security clearance and has not sworn to keep the information secret.

Note: The authors thank Jennifer Daskal, Sharon Bradford Franklin, Robert S. Litt and Greg Nojeim for providing comments on an earlier draft of this article. Any mistakes in this article, and the views expressed here, are solely those of the authors.


Peter Swire is the J.Z. Liang Chair in the Georgia Tech School of Cybersecurity and Privacy, and Professor of Law and Ethics in the Georgia Tech Scheller College of Business. He is Senior Counsel to Alston & Bird LLP, and Research Director of the Cross-Border Data Forum. He served as one of five members of President Obama’s Review Group on Intelligence and Communications Technology.
Justin D. Hemmings is a Research Faculty Member at the Georgia Institute of Technology Scheller College of Business and a Project Attorney at Alston & Bird, where he engages in legal and policy issues and practice concerning privacy and cybersecurity. He and Peter Swire co-authored the 2017 NYU Annual Survey of American Law article “Mutual Legal Assistance in an Era of Globalized Communications: The Analogy to the Visa Waiver Program,” which proposed an approach that was later codified in Section 5 of the Clarifying Lawful Overseas Use of Data Act.
