On October 3, 2019, the governments of the United Kingdom and United States signed the first-ever executive agreement governing cross-border data requests (the “Agreement”) pursuant to the US Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”). As contemplated by the CLOUD Act, the Agreement provides a mechanism for the governments to access and share data stored abroad by electronic communications services providers (“CSP”) in their respective countries in a timely manner. The Agreement will enter into effect following a 180-day Congressional review period required by the CLOUD Act and a similar review by the UK Parliament.
The CLOUD Act was enacted in May 2018 to clarify that under a provision of the 1986 Stored Communications Act (“SCA”) the United States government may use a warrant or subpoena to access not only communications stored in the United States but also those stored abroad by CSPs otherwise subject to jurisdiction in the United States. Included in the Act was a provision that allows the U.S. Attorney General to enter into executive agreements with foreign governments, when those foreign governments meet certain privacy and human rights requirements. As the Department of Justice (“DOJ”) explained in its 2019 white paper, this new authority to enter into executive agreements with foreign governments is intended to lift legal barriers to gathering electronic evidence from global CSPs based in the United States and abroad, and will allow U.S. law enforcement agencies to require U.S. and foreign-based CSPs to disclose electronic data held abroad without making requests through judicial assistance procedures laid out in current mutual legal assistance treaties (“MLAT”), which can be a laborious process taking months to complete.
The CLOUD Act established certain minimum requirements that any order issued pursuant to future CLOUD Act agreements would need to incorporate, including, among others: (i) that requests “be for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of serious crime”; (ii) identify specific accounts, addresses or persons; (iii) be based on “articulable and credible facts” related to the conduct under investigation; and (iv) be subject to review or oversight by a judge, magistrate or other independent authority. Additionally, CLOUD Act agreements must contain measures to protect the data of U.S. persons that is collected incidentally to an order issued by a foreign government under such an agreement and the targeting of citizens and lawful residents of the United States by the foreign government.
The CLOUD Act Agreement Between the U.S. and the U.K.
As explained in Article 2 of the Agreement, the Agreement provides an efficient means for each of the countries “to obtain electronic data relating to the prevention, detection, investigation, or prosecution of Serious Crime,” in a manner consistent with data privacy concerns and protective of the respective countries’ citizens and lawful residents. “Serious Crime” is defined broadly as an “offense that is punishable by a maximum term of imprisonment of at least three years.” While this definition excludes misdemeanors and minor felonies, it covers an otherwise wide range of crimes.
Under the Agreement, the country in which the data being sought is stored will have the right to object to and block an order issued pursuant to the Agreement seeking disclosure of that data. Absent any such objection, the CSP served with a request will be required to produce the data directly to the issuing authority. This differs from the way MLATs operate: they typically require the CSP only to produce the data to the central authority of the country in which the data is stored. Thus, the Agreement will allow the parties to access data through efficient and rapid means, regardless of where the data is stored. Notably, however, the Agreement does not affect other existing legal methods. Consequently, U.S. law enforcement agencies will still be able to compel CSPs subject to U.S. jurisdiction to disclose data stored abroad by issuing appropriate process to the CSP and enforcing it in federal district court, a mechanism that will often be the most expeditious method when seeking the disclosure of data from such CSPs.
Perhaps the most immediate practical impact of the Agreement is that U.S. law enforcement may now obtain communications from U.K. CSPs not subject to U.S. jurisdiction, and U.K. authorities may do the same with respect to U.S. CSPs. In addition, in the face of a CSP’s challenge to a warrant, U.S. courts conducting a comity analysis of a warrant issued by a U.S. law enforcement agency under the CLOUD Act’s “totality of the circumstances” test are instructed to consider “the interests of the qualifying foreign government in preventing any prohibited disclosure.” Once the Agreement enters into effect, courts may find that the United Kingdom has no interest in preventing disclosure of the data being sought if it does not formally object to the warrant.
In addition to incorporating the requirements laid out above, the Agreement includes several other provisions of note that go beyond what is generically required by the CLOUD Act:
- Prior to the issuance of an order to a CSP, the order must be certified in writing by the issuing party’s designated authority as lawful and in compliance with the Agreement. The designated authority is a governmental entity designated by the U.K. Secretary of State for the Home Department and the U.S. Attorney General.
- To the extent a CSP that receives an order pursuant to the Agreement has objections, the CSP may raise those objections to the issuing party’s designated authority. In the event the objections are not resolved by the issuing party, the CSP may raise the objections to its own government’s designated authority. If, after conferring with the issuing party’s designated authority, the CSP’s government determines that the order is not proper under the Agreement, the order will not be implemented.
- In the event an order issued subject to the Agreement seeks data of an individual who is located in a third country, the issuing party’s designated authority must notify the country where the person is located, except insofar as the issuing party determines that such notification to the third country would be detrimental to its investigation or operational or national security, or threatens human rights.
- In addition to prohibiting the targeting of data with respect to citizens and lawful residents of the United States, as mandated by the CLOUD Act, the Agreement contains a reciprocal provision prohibiting the targeting of citizens and lawful residents of the United Kingdom by U.S. law enforcement agencies. However, law enforcement agencies in the United States may still seek to compel CSPs to disclose data with respect to citizens and lawful residents of the United Kingdom through the MLAT process.
As the first CLOUD Act agreement entered into by the United States with a foreign government, the Agreement will likely serve as a model for future agreements with other foreign governments. Accordingly, U.S.-based and foreign CSPs should familiarize themselves with the obligations and rights they will have when responding to an order issued under the Agreement even if they do not store data within the United Kingdom. While the Agreement does not impose any new freestanding obligations on CSPs, it is important for CSPs to understand the new process contemplated by the Agreement for requiring disclosure of data stored abroad, particularly in light of the expedited timeline over which this process will now take place. Importantly, the Agreement also has significant ramifications for non-CSPs. Companies that use email or cloud providers in the U.S. or U.K. should assume that, once the Agreement enters into effect, U.S. and U.K. law enforcement agencies will be able to reach communications held by such providers through the processes contemplated by the SCA and the Agreement.
 For further analysis of the CLOUD Act, see CLOUD Act Establishes Framework To Access Overseas Stored Electronic Communications, Cleary Gottlieb Alert Memorandum (Apr. 4, 2018), https://www.clearygottlieb.com/-/media/files/alert-memos-2018/cloud-act-establishes-framework-to-access-overseas-stored-electronic-communications.pdf.
 For further analysis of the DOJ White Paper, see DOJ Releases White Paper Addressing Scope & Implications of CLOUD Act, Cleary Cybersecurity and Privacy Watch post (Apr. 18, 2019), https://www.clearycyberwatch.com/2019/04/doj-releases-white-paper-addressing-scope-implications-of-CLOUD-act/.