On October 3, 2019, the United States and the United Kingdom entered into the world’s first ever agreement (the Agreement) under the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), the text of which has now become public. The Agreement will make it easier for American and British law enforcement agencies to obtain certain electronic data from technology companies based in each country by removing traditional legal barriers to access. And there may soon be more to come—the US Department of Justice recently announced that it is in formal negotiations with Australia to enter into a similar CLOUD Act agreement.
The CLOUD Act was passed by Congress in March 2018. It clarified that companies subject to US jurisdiction served with court orders must turn over data they control, regardless of where the data is stored. It also authorized the United States to enter into executive agreements with foreign governments regarding cross-border data requests. The Agreement between the US and the UK is the first such executive agreement since the CLOUD Act’s enactment. The Agreement will undergo a six-month Congressional review period mandated by the CLOUD Act, as well as review by the UK’s Parliament.
The Agreement allows law enforcement agencies, when armed with an appropriate court order from their home country, to request electronic data by going directly to “covered providers” based in the other country, rather than requesting the data through the other country’s government process. Covered provider, under the Agreement, means any private entity that provides to the public the ability to communicate, or to process or store computer data, by means of a computer system or a telecommunications system, or any private entity that processes or stores data on behalf of such an entity. If approved, the Agreement is expected to largely supplant the Mutual Legal Assistance Treaty (MLAT) process that the US and UK currently use to request electronic data from technology companies based in the other country, which can take years. The new process under the Agreement is estimated to take a matter of weeks, or even days.
The CLOUD Act has been controversial, due in part to concerns over data privacy rights. Some of the same types of data privacy concerns have been raised about the Agreement. Nevertheless, covered providers that may be subject to data requests under the Agreement can take at least some comfort from the safeguards that it provides. For instance, the Agreement contains a mechanism by which a covered provider can object to a data request order, and through which unresolved objections are ultimately decided by the covered provider’s home country. The Agreement requires the UK to adopt and implement appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning US persons that is acquired pursuant to an order. The Agreement, moreover, can only be used to obtain information about “serious crimes,” punishable by a maximum penalty of three years or more of incarceration, and contains certain use limitations, including giving the United States the power to veto the use of evidence obtained through the Agreement in cases that raise free speech concerns.
Questions remain about how the Agreement will work in practice, and whether the Agreement risks sacrificing data privacy rights for the sake of expediency. But the Agreement does have safeguards, and becoming familiar with those safeguards will be important for covered providers that fall within its reach.