On October 3, 2019, the United States and United Kingdom signed an agreement on cross-border law enforcement demands for data from service providers (“Agreement”). The Agreement is the first bilateral agreement to be entered under the Clarifying Lawful Overseas Use of Data (CLOUD) Act. It obligates each Party to remove barriers in their domestic laws so that U.S. and U.K. national security and law enforcement agencies may obtain certain electronic data directly from Communications Service Providers (“CSPs”) located in the jurisdiction of the other Party. The Agreement will go into effect 180 days after its transmission to Congress by the Attorney General, unless Congress disapproves by joint resolution.
Under the CLOUD Act, once the Agreement goes into effect, CSPs subject to jurisdiction in the United States will be excepted from a statutory prohibition that would otherwise preclude them from producing stored communications content directly to U.K. authorities. Similarly, under U.K. law, CSPs subject to jurisdiction in the United Kingdom will not be prohibited from disclosing stored content to U.S. authorities. Neither the CLOUD Act nor the Agreement establishes jurisdiction over a CSP if jurisdiction does not otherwise exist, nor do they compel a provider to produce data if the domestic law of the Party issuing the data demand does not require such production. As a general matter, the domestic law of the United States and United Kingdom largely will continue to govern demands for data issued by government agencies under the Agreement. However, in accordance with the requirements of the CLOUD Act, the Agreement imposes some important limitations on those demands, which we summarize below.
Restrictions on Law Enforcement Demands
- Targeting Restrictions. The Agreement imposes restrictions on the accounts that may be subject to demands for data under the Agreement. Specifically, the United Kingdom may not issue demands for data of U.S. citizens, nationals, or lawful permanent residents (“U.S. persons”), nor may it demand the data of persons located inside the United States. Similarly, the United States may not demand the data of any person located in the United Kingdom. (According to the U.K. Home Office’s explanatory memorandum, the distinction between these targeting limitations for the respective countries arises from EU rules prohibiting discriminatory treatment between citizens of different member states.) (Articles 1.12, 4.3).
- Targeting Procedures. Each Party must implement “targeting procedures” to guide decisions about which accounts may be targeted by data demands under the Agreement. (Article 7.1).
- Serious Crime Limitation. Any law enforcement demand for data covered by the Agreement must be “for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution” of a “Serious Crime, including terrorist activity.” While the CLOUD Act does not define “serious crime,” the Agreement specifies that serious crime is an offense punishable by a maximum term of imprisonment of at least three years. (Articles 1.5, 1.14, 4.1).
- Specific Account Limitation. Consistent with the CLOUD Act, the Agreement also provides that the order must target specific user accounts and identify a “specific person, account, address, personal device, or any other specific identifier.” In other words, the Agreement cannot be used to acquire data in bulk. (Article 4.5).
Procedures for Issuance and Enforcement of Law Enforcement Demands
- Application of the Agreement. The Agreement is not the exclusive means by which government authorities of a Party may obtain data from CSPs subject to the other Party’s jurisdiction. Each Party may still use other legal authorities and mechanisms, such as mutual legal assistance requests, to obtain data from CSPs subject to the jurisdiction of the other Party. The Agreement provides that it “shall apply” to any demands for data as to which the Party issuing the demand “invokes” the Agreement with notice to the relevant CSP. Notice to the other Party is not required. (Articles 3.2, 11.1).
- Certification by Designated Authority. The Agreement provides for a “designated authority”—a governmental entity designated, for the United Kingdom, by the Secretary of State for the Home Department, and for the United States, by the Attorney General. These designated authorities must review demands for data under the Agreement and certify in writing that the demand is lawful and complies with the Agreement before it may be transmitted to a CSP under the Agreement. (Article 5.7).
- Third-Party Country Notification. If either Party issues a demand for the data of a person reasonably believed to be located in a third-party country (i.e., not in the United States or United Kingdom), the designated authority of the Party issuing the demand must notify the appropriate authorities in that third country. The Agreement excepts from this notification requirement circumstances where notice would be “detrimental to operational or national security, impede the conduct of an investigation, or imperil human rights.” (Article 5.10).
- Appeal to Designated Authority. If a CSP has a “reasonable belief” that the Agreement may not properly be invoked with regard to the order, it can make an objection to the designated authority of the Party that issued the order. If the objections are not resolved, the CSP can also make the objection to its own designated authority. That designated authority may determine that the Agreement does not apply to the demand if it concludes the Agreement was not properly invoked. (Articles 5.11, 5.12)
Data Handling and Use Restrictions
- Minimization Procedures. The United Kingdom is obligated to implement and apply “minimization” procedures to data received pursuant to demands under the Agreement. These procedures must “minimize the acquisition, retention, and dissemination” of information concerning U.S. persons that is inadvertently acquired under the Agreement. (Article 7.2).
- Restrictions on Data Transfer to the United States. The minimization procedures must prohibit the United Kingdom from disseminating to the United States the content of a communication involving a U.S. person unless it relates to a “significant harm, or threat thereof, to the United States or U.S. person, including crimes involving national security such as terrorism, significant violent crime, child exploitation, transnational organized crime, or significant financial fraud.” (Article 7.5).
- Transfer to Third Countries. As a general matter, a Party receiving data under the Agreement may not transfer it to a third country or international organization without first obtaining consent of the Party from which the data was received. (Article 8.2).
- Death Penalty and Free Speech Limits on Data Use. The United States must obtain approval from the United Kingdom before using evidence obtained from an order in cases for which the death penalty is sought. Similarly, the United Kingdom must obtain the approval of the United States in order to use evidence obtained from an order in a case that raises free speech concerns. (Article 8.4).
Oversight and Reporting
- Compliance Review. Within a year of the Agreement’s entry into force and periodically thereafter, each Party must engage in a review of the other Party’s compliance with the Agreement, including a review of both its issuance of orders and handling of data received under the Agreement. (Article 12.1).
- Annual Reports. The designated authorities of the United States and United Kingdom must issue and exchange annual reports containing aggregate data on their use of the Agreement. (Article 12.4).