“CLOUD”s On the Horizon – How Law Enforcement Electronic Data Requests Are Going Global

Companies storing or moving large quantities of digital information routinely receive subpoenas, court orders and warrants from United States law enforcement seeking subscriber information and related data and records. International law enforcement data requests often came in the form of Mutual Legal Assistance Treaty (MLAT) requests, which are significantly less common than requests from domestic law enforcement. That is now likely to change.

The Clarifying Lawful Overseas Use of Data Act, or the CLOUD Act, which passed as part of the federal government’s spending bill in March 2018, authorizes the U.S. to enter into executive agreements with foreign governments to facilitate law enforcement access to cross-border data. Those executive agreements would essentially remove MLATs from the equation so that signatory countries could directly request data and records from U.S.-based providers.

The United States and the United Kingdom signed the first CLOUD Act Executive Agreement on October 3, 2019, also referred to as the U.S.-U.K. Bilateral Data Access Agreement. Now, law enforcement agencies in either country can, according to the United States Department of Justice, “demand electronic evidence directly from tech companies based in the other country, without legal barriers.” The U.S.-U.K. agreement will not take effect until April 2020, allowing for legislative review in both countries. The EU and, separately, Australia announced that negotiations have begun for their own CLOUD Act executive agreements.

Scope

Article 1 of the Executive Agreement specifies that any “private entity” that “provides to the public the ability to communicate, or to process or store computer data, by means of a Computer System or a telecommunications system” or “processes or stores” data for those public-facing private entities, are covered and thus potential recipients of U.K. law enforcement process.

This language parallels the scope of the Electronic Communications Privacy Act (ECPA) in the U.S., and, indeed, one key point of the law is to allow subpoenas and court orders originating in the U.S. under ECPA to be enforceable against U.S. entities’ U.K. operations.

As under ECPA, though, the Agreement reaches a wide range of companies that may not think of themselves as providers of communications or information storage or processing services.

The Executive Agreement authorizes requests for “content of an electronic or wire communication; computer data stored or processed for a user; traffic data or metadata pertaining to an electronic or wire communication or the storage or processing of computer data for a user; and Subscriber Information.”

  • Subscriber Information includes “information that identifies a subscriber or customer, including name, address, length and type of service, subscriber number or identity (including assigned network address and device identifiers), telephone connection records, records of session times and durations, and means of payment.”

While U.S. law requires warrants based on “probable cause” for domestic law enforcement access to content of communications, orders under the U.S.-U.K. Agreement appear to be subject to a possibly lower standard of “articulable and credible facts.” Companies may seek clarification from the U.K. authorities and absent resolution can ask the U.S. designated authority to resolve any dispute or conflict with U.S. law. Given a recent U.S. Supreme Court interpretation of the Fourth Amendment to require warrants for certain non-content subscriber information, we might see some limits on the scope of U.K. Law enforcement requests.

Issuance and Oversight

Article 5 of the Executive Agreement specifies that the orders envisioned must be reviewed and certified as lawful by a “designated authority.” Here, the U.K. Home Secretary and the U.S. Attorney general will designate their own authorities. In addition, each order must be reviewed by U.K. judges or magistrates.

Thus, U.S. companies will now receive orders from U.K. judges that will carry the force of law. The inverse is true for U.K. companies, which will receive orders from U.S. judges and certification by “designated authorities.” Any challenges to these orders will be considered first by the “designated authority,” of the country issuing the order.

If the provider receiving the order is not satisfied, it can raise the issue with its own “designated authority,” at which point the two “designated authorities” shall confer.

  • If they agree the order is valid, that ends the matter for the provider.
  • But if they do not agree, then the Executive Agreement “shall not apply to” the order, making it unenforceable without invoking the more cumbersome MLAT procedure.

As discussed in the full article, this process may be problematic for U.S. companies worried about potential privacy issues.

Data Targeting and Use Limitations

Also, on the same day that the U.S./U.K. Executive Agreement was announced, there was a joint request to halt all end-to-end messaging encryption, reviving the battle over encryption. It is important to note that the CLOUD Act provides that the terms of any Executive Agreement may not create an obligation to decrypt or limit decryption.

This will likely be the first of many Executive Agreements that will issue in the coming years that will provide a roadmap to future agreements and most assuredly increase the volume of content requests from foreign governments. Click through to the full analysis to learn more.