The U.K.-U.S. CLOUD Act Agreement Is Finally Here, Containing New Safeguards
Editor's note: This piece is cross-posted at Just Security.
Published by The Lawfare Institute
in Cooperation With
Editor's note: This piece is cross-posted at Just Security.
On Oct. 7, the United Kingdom and the United States released the text of the long-awaited data-sharing agreement—the first of the executive agreements envisioned by the CLOUD Act, enacted in May 2018 in order to better facilitate cross-border access to data in the investigation of serious crime. At the time of enactment, there was a heated debate about whether these executive agreements would result in the lowering or raising of privacy and other civil liberties protections—with the two of us taking the position that they held out the promise to induce privacy-enhancing reforms.
That argument depended, in part, on nations entering into these agreements and updating—in our view, improving—their laws and practices to meet the CLOUD Act requirements, and the agreements themselves incorporating additional provisions that would ensure key protections are met. This first agreement is critically important, providing not just a window into the U.S. and U.K.’s approach but also presumably setting out a basic blueprint for other agreements that may follow—the European Union has begun discussions over a potential CLOUD Act executive agreement, and this week the United States and Australia formally announced negotiations as well. Notably, the agreement includes a set of additional safeguards not included in the CLOUD Act itself. Congress will now have 180 days to examine the agreement. Absent objection, it will go into effect after that time period.
Here we assess what’s new about the agreement; what’s surprising; and why—despite the critics—we continue to view these agreements as positive developments that protect privacy and civil liberties, accommodate divergent norms across borders, and respond to the reality that digital evidence critical even to wholly local crimes is often located across international borders.
As we have discussed in detailed FAQs on the CLOUD Act, the agreement provides a lawful mechanism for law enforcement in either the U.S. or the U.K. to request data from a service provider in the other country without having to go through the laborious mutual legal assistance process to do so. It thus incorporates—as it is required to do under U.S. law—the numerous preconditions already mandated by the CLOUD Act, including, among others: (a) that requests be targeted to specific accounts, addresses or persons; (b) that they be subject to review or oversight by a judge, magistrate or other independent authority; (c) that they be based on “articulable and credible facts”; (d) that the communications content of U.S. persons (including citizens and lawful permanent residents) or others physically present in the U.S. is protected from foreign government targeting (for that data, the U.K. still needs to employ the mutual legal assistance process); and (e) that the U.K. implement a range of protections for U.S. persons data collected incidentally. We have written previously about these and other CLOUD Act requirements as the baseline, and we focus here on significant new items, which go beyond what the act itself requires:
- Quality Control/Designated Authorities (Art. 5). The agreement specifies that the kind of cross-border orders envisioned must be reviewed and certified as lawful by a designated authority. For the U.S., this is a governmental entity designated by the attorney general. For the U.K., the designation must be done by the secretary of state for the Home Department. The certification must be in writing, based on a finding that the order complies with all of the requirements of the agreement and any other applicable law. This is a critically important form of quality control, akin to the specialized points of contact that Swire has advocated here.
- Opportunity to Object/Review Procedures (Art. 5). Providers who are issued such orders can go back to the designated authority that issued the order if and when they have specific concerns. If the objections are not resolved, the provider can then raise the same concerns with its own designated authority and the two governments are required to work it out. Importantly, the provider’s own designated authority has ultimate veto power. Thus, if the U.K. issues an order, say, to Google, and Google objects and the U.S. agrees with the objection, the U.S. has the clear power under the agreement to block implementation of the order.
- Use Limitations (Art. 8). The agreement provides the U.K. explicit veto power to the use of evidence obtained by any such order for a case in which the death penalty is sought. The U.S. has similar veto power to the U.K. use of evidence in a case that raises free speech concerns. This is a notable provision that enables negotiating countries to raise—and protect via this kind of veto power—core, essential interests that diverge across borders.
- Third Country Notification (Art. 5). If the U.K. is seeking data of someone who is reasonably believed to be outside of the U.K., or if the U.S. is seeking data of someone outside the U.S., the requesting government must—absent a finding that doing so would be detrimental to the investigation, operational or national security, or human rights—notify the third country government where the person is located. The requirement helps ensure that the interests of third countries are taken into account and that they have the information needed to weigh in and object if and when it is appropriate to do so.
- Minimization Provisions (Art. 7). Consistent with the requirements of the CLOUD Act, the agreement lays out steps that the U.K. government must take with respect to the protection of U.S. persons data. Notably, any changes to the targeting and minimization procedures—dealing with acquisition, dissemination and retention of data—must be approved by the other party before implementation.
- Reciprocity (With Limits) (Arts. 1 and 7). How the reciprocity requirement in the CLOUD Act was going to be implemented was a major question prior to release of this agreement. As is required by the CLOUD Act, the U.K. may not target the data of U.S. persons and others within the U.S. The agreement now establishes a similar limitation as to what the U.S. can do. Reciprocal to limits imposed on U.K. access, the U.S. may not target the data of persons within the U.K. The U.S. is not subject to the same limitations with respect to U.K. citizens and lawful permanent residents once such individuals leave the U.K.
- Transparency (Art. 12). The agreement contains a number of transparency provisions, in addition to the provider’s ability to notify its home government about an objectionable request. Each country shall issue an annual report reflecting aggregate data concerning the use of the agreement. Also, the agreement “does not in any way restrict or eliminate” a provider’s ability to issue transparency reports, something we both advocated as key.
- Definition of Serious Crime (Art. 1). The CLOUD Act leaves open the definition of “serious crime.” The agreement provides specificity, requiring a maximum punishment of three or more years of incarceration. This excludes misdemeanors and minor felonies but incorporates a wide range of crimes.
- Subscriber/Preservation Requirements (Art. 10). Interestingly, the agreement also specifies the possibility of issuing preservation orders for both content and noncontent data and orders for subscriber information. U.S.-based providers already respond to large number of requests for subscriber information, including from the U.K. This provision is presumably added to address concerns about U.S. officials being able to access subscriber information from U.K. providers, although perhaps there are other reasons as well.
We want to clarify one key point, about encryption. Despite erroneous reporting to the contrary, this agreement is independent from the separate and ongoing encryption debate. In fact, the CLOUD Act explicitly states that the agreements “shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data.” In other words, these agreements are agnostic as to the requirements with respect to encryption and decryption—including whether, in what situations, and according to what procedures either government demands that companies take steps to make otherwise encrypted data accessible. There is, nonetheless, a possibility that the U.K. government could use its separate statutory authority to demand decryption, in the same investigation that the U.K. seeks an order under the agreement. The major service providers have strongly objected to the U.K. decryption authority. If such a decryption order were to occur, the provider presumably would object to the order and would have the objection process in the agreement as a new mechanism for doing so.
In conclusion, this new agreement contains quite a few privacy and civil liberties safeguards that go beyond the text of the CLOUD Act, a number of which are similar to safeguards we proposed here and here. Once the agreement is transmitted to Congress, presumably this week, Congress will have 180 days to consider the text. We hope those with a wide range of perspectives carefully examine the agreement, both for its effect on U.K. investigations but also as a model for future CLOUD Act executive agreements.