CLOUD Act Compliance: Key Takeaways for U.S. Companies from the U.S.-UK Executive Agreement
A groundbreaking agreement between the United States and the United Kingdom will give rise to a streamlined process for UK law enforcement to request data from U.S. companies, using UK legal process. DOJ views it as an important advance in cooperation between two longstanding allies in combating terrorism and other serious crimes – but U.S. companies should be prepared for questions and confusion from customers about what the agreement means for the privacy of information and the future of cross-border law enforcement requests.
Background
Last week, the United States and United Kingdom signed the first bilateral executive agreement under the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), U.S. legislation enacted in 2018 that authorized the executive branch to enter into binding bilateral agreements aimed at removing legal barriers that may otherwise prohibit one country’s communications service providers from complying with qualifying orders issued by another country.[1]
The text of the U.S.-UK agreement became public this week. Although the CLOUD Act established a legal framework to facilitate foreign law enforcement requests, the absence of an executive agreement meant the law so far has had little practical effect on the ability of U.S. communication service providers to respond to requests for data from foreign governments. That is set to change with respect to requests from the United Kingdom once the agreement enters into force.
In a statement, Attorney General Barr praised the agreement as a step forward that “enhance[s] the ability of the United States and the United Kingdom to fight serious crime – including terrorism, transnational organized crime, and child exploitation – by allowing more efficient and effective access to data needed for quick-moving investigations.” But like the CLOUD Act itself, the agreement may draw controversy and confusion, and U.S. companies should expect questions from domestic and international customers and counterparts about the implications of the agreement for their information. In particular, communications service providers and other U.S. companies most directly affected by the law should start planning now in advance of the agreement’s effective date in April 2020.
Here are answers to key questions raised by the new agreement:
1. Does the agreement allow the UK government to request categories of data from U.S. communications service providers that it could not previously?
No. Although the agreement removes legal barriers under the Stored Communications Act that prevented U.S. communications service providers from providing the content of certain electronic communications to UK authorities – even when those providers were served with valid legal process in the UK – the agreement does not expand the authority of UK law enforcement to obtain data; it only covers data that historically could be sought by the UK government through the mutual legal assistance process. That mutual legal assistance treaty (MLAT) process (which can be notoriously time consuming and cumbersome to navigate) remains available, but the CLOUD Act creates a streamlined alternative that allows U.S. and UK law enforcement agencies to obtain legal process in their respective courts that can be served directly on communications service providers. As a practical matter, this means that it will be easier for UK authorities to obtain information from U.S. providers (and for U.S. authorities to obtain information from UK providers).
2. Which U.S. companies can receive a request under the Executive Agreement?
By its terms, the agreement applies to entities that provide to the public the ability to communicate, or to process or store computer data, by means of a computer system or a telecommunications system, and to entities that process or store data on behalf of such providers. Although broad, these categories of providers are not all-encompassing. Many U.S. organizations that are users, rather than providers to the public, of electronic communication services may have access to electronic communications that could be of interest to UK authorities but would not be covered by the agreement, so their susceptibility to UK legal process would be unchanged.
3. Does the agreement apply beyond the United Kingdom?
No. Rather than establish a one-size-fits-all process, the CLOUD Act requires DOJ to enter into bilateral agreements with foreign governments. These agreements must include a variety of privacy and civil liberties protections, including a requirement that the Attorney General certify that the laws of a foreign country (and the implementation of those laws) include certain substantive and procedural safeguards. As expected, the first such agreement was struck with the United Kingdom – and does not apply to any other non-U.S. country. But the agreement is expected to be a model for others going forward, and, indeed, DOJ announced this week that the United States and Australia have entered into formal negotiations for a bilateral agreement, and it is expected that DOJ will seek to reach similar agreements with other countries.
4. Are there any limitations on the scope of information UK authorities can request in an order under the agreement?
Yes. Although the types of data that can be requested under the agreement are broad – including the content of electronic communications, metadata, and related subscriber information – the agreement imposes various restrictions on the UK and U.S. governments’ use of orders under the agreement. CLOUD Act orders can only be used to obtain information relating to the prevention, detection, investigation, or prosecution of a serious crime, defined as any offense that is punishable by a maximum term of imprisonment of at least three years under the law of the country issuing the order. Another important restriction is that a UK order under the agreement cannot target a U.S. person (or a person within the United States), and vice versa. Thus, the United Kingdom can request the content of a communication between two UK persons, even if that communication is held by a communication service provider in the United States. In addition, the agreement makes clear that UK authorities can only use the agreement to obtain information about a “serious crime” under UK law, which is defined as an offense for which the maximum penalty is three years or more of incarceration.
5. Can a U.S. communications service provider challenge a UK order under the agreement?
Yes, but generally not in a U.S. court. The agreement envisions that any disputes about an order under the agreement will be addressed by the respective governments, specifically the Home Secretary in the United Kingdom and the Attorney General in the United States. A U.S. company may, within a “reasonable time” after receiving an order, raise specific objections to the Home Secretary if it has a reasonable belief that a UK order is improper under the agreement. Unresolved objections can be taken to the Attorney General, who may then confer with the Home Secretary. Under the agreement, the Attorney General is the final arbiter of the validity of any order received by a U.S. entity. If the Attorney General concludes that the agreement does not cover a particular order, the agreement does not apply. An entity that receives an order from the UK also retains the right to challenge the order in UK courts to the extent provided by UK law, and the same is true of UK entities that receive orders from the United States.
6. Does a U.S. communications service provider have to comply with a UK order under the agreement?
The answer depends on whether the provider is subject to jurisdiction in the United Kingdom. In the past, some commentators have expressed concern that executive agreements could impose a new obligation on such providers insofar as they could require a U.S.-based global communications service provider to comply with a foreign government order to provide electronic data. But in public statements earlier this year, DOJ sought to address that concern, arguing that the CLOUD Act does not impose any new obligation to comply with a foreign government order or establish, by itself, that a foreign government has jurisdiction over a communications service provider. Rather, DOJ explained, the import of any executive agreement would be to eliminate any potential conflict with U.S. law for qualifying government orders in the situation where a foreign country has jurisdiction over a communication service provider under its domestic law.
7. Does a U.S. communications service provider risk running afoul of GDPR if it complies with a CLOUD Act order?
No. A UK order under the agreement is no different than an order the UK government would use to obtain the content of electronic communications held by a UK service provider – the agreement simply makes such an order effective when directed against a U.S. communications service provider. To the extent that a UK order issued under UK domestic law to a UK service provider is consistent with GDPR, such an order directed to a U.S. communications service provider similarly would not present concerns under GDPR. The agreement also makes clear that the UK government does not perceive a conflict with GDPR or other applicable laws: “The processing and transfer of data in the execution of Orders subject to this Agreement are compatible with the Parties’ respective applicable laws regarding privacy and data protection.”
8. When could a U.S. or UK communications service provider first receive an order under the U.S.-UK agreement?
U.S. communications service providers have another six months before they might receive an order from the United Kingdom under the law. The agreement will not enter into force until 180 days after Attorney General Barr submits the agreement to Congress. During that time period, there is a window of opportunity for Congress to enact a joint resolution of disapproval that would preclude the agreement from taking effect.
9. Does the U.S.-UK agreement require companies to decrypt encrypted communications?
No. The CLOUD Act specifically provides that agreements entered into under the Act cannot create any obligation to decrypt data, and this agreement does not impose such an obligation.
[1] As we have discussed previously (in March 2018 and April 2019), the CLOUD Act has two distinct components. In addition to the provisions discussed here, relating to bilateral agreements that will permit companies subject to U.S. jurisdiction to respond to other countries’ requests for data, the Act amends the Stored Communications Act to clarify that companies subject to U.S. jurisdiction served with court orders must turn over data they control regardless of where it is stored.