The United States and the United Kingdom recently entered the first ever CLOUD Act Agreement, which aims to streamline the process by which either government can collect electronic evidence located in the other country. Under the agreement, designated authorities from the U.S. and UK will be able to issue orders for the collection of electronic data directly to covered providers in the other country.
In his comments announcing the agreement, Attorney General William Barr said, “Only by addressing the problem of timely access to electronic evidence of crime committed in one country that is stored in another, can we hope to keep pace with twenty-first century threats.” While law enforcement officials will likely appreciate the streamlined process, companies that process and store electronic data will need to understand how this new process affects them.
The agreement comes pursuant to the Clarifying Overseas Use of Data (“CLOUD”) Act, which was enacted in March 2018 and, among other things, authorizes the Attorney General to enter into bilateral executive agreements with rights-respecting partners to remove legal barriers to access electronic data for serious criminal investigations. To obtain such data outside of a CLOUD Act agreement, law enforcement officials must proceed through Mutual Legal Assistance Treaties (“MLATs”), which require requests to be approved by foreign governments and can sometimes take years. Unlike the current MLAT process, orders pursuant to a CLOUD Act agreement do not need to be pre-approved by the other country’s government. Instead, the order must contain a written certification by the issuing country’s designated authority that the order is lawful and complies with the agreement.
Who will the agreement affect?
Designated authorities from the U.S. and UK will be able to issue orders directly to any private entity in the other country that provides the public with the ability to communicate, process, or store computer data via a computer or telecommunications system. Authorities will also be able to issue orders to any private entity that processes or stores data on behalf of such entities.
What types of data can be collected?
Under the agreement, law enforcement authorities can require the disclosure or production of the contents of an electronic communication, computer data stored or processed for a user, traffic data or metadata pertaining to electronic communications or the storage or processing of computer data for a user, as well as subscriber information. Subscriber information includes, among other things, a customer’s name, address, telephone connection records, and means of payment.
What happens when a company receives an order under the agreement?
Any order pursuant to the agreement should also include a point of contact at the issuing authority who can provide information on legal or practical issues relating to the order. If a company has objections relating to an order, the agreement contemplates that they should first be raised to the issuing country’s designated authority. If the objections are not resolved, the company may raise them to its own country’s designated authority, which has the ultimate say on whether an order complies with the agreement.
How are privacy and other rights protected?
Although the agreement will make it easier for law enforcement to collect electronic data abroad, there are several protections within the CLOUD Act and the agreement itself which are designed to protect privacy and due process interests. For one, the CLOUD Act only allows agreements with “Qualifying Foreign Governments” (“QFGs”) that have strong data privacy and civil liberties protections. Any orders issued pursuant to a CLOUD Act agreement must comply with the internal laws of the issuing country, must identify reasonable justification for the order, and must be subject to review by an independent authority such as a judge. The Act also requires that collected data is securely stored and only accessed by authorized personnel. These safeguards are similar to protections and standards in the EU General Data Protection Regulation (“GDPR”).
The agreement itself also contemplates that orders for electronic data can only be made for the purpose of investigating “serious crimes,” which are defined as offenses which are punishable by a maximum of at least three years in prison. The agreement also specifies that permission must be obtained from the other government before collected evidence can be used in prosecutions relating to either country’s essential interests (i.e., U.S. death penalty prosecutions or UK cases implicating freedom of speech).
What this means for you.
The agreement between the U.S. and UK is the first of its kind under the CLOUD Act. The Department of Justice, however, has already announced that it is formally negotiating similar agreements with the European Union and Australia. It is likely that those agreements will be similar to the agreement with the UK. Therefore, it will be important to monitor how the UK agreement plays out in practice.
The agreement has been submitted to Congress and will go into effect 180 days after submission, absent a joint resolution of disapproval from Congress. Once the agreement goes into effect, companies that facilitate or store electronic communications will likely see an increased number of requests for electronic data directly from UK law enforcement authorities. While those companies may be used to dealing with U.S. authorities, they will now be receiving requests directly from the UK and will need to know how to best navigate such interactions. Companies that receive orders under the agreement should consult with counsel in order to determine how best to comply.