US, UK CLOUD Act Agreement an E.A.R.F.U.L.L., Literally

Since Congress passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act in March of 2018, Intel has advocated for the prompt certification of CLOUD Act Executive Agreements with foreign governments that would optimize opportunities abroad for our most prominent cloud service provider (CSP) customers. Such agreements would mitigate issues like data and server localization mandates through efficient requests for legal assistance, specifically for law enforcement access to cross-border data held in other countries.

On October 3rd, 2019, the DOJ’s William Barr and the UK’s Home Secretary, Priti Patel, signed the first Executive Agreement (EA) under the act which, according to the DOJ, promotes “public safety, privacy, and the rule of law around the world.” The EA between the two countries establishes an innovative, privacy-positioned framework for cross-border data access that (i) reduces restrictions for a broad class of investigations of serious crimes, (ii) does not target residents of the other party to the agreement, and (iii) assures cloud service providers that releases of data under EAs meet data protection regulations.


E.A.R.F.U.L.L.

While criticisms of this agreement surfaced immediately, its objectives are indeed an E.A.R.F.U.L.L., aiming to:

  • Enhance cooperation between the two countries to protect public safety, combat serious crimes, and deter and prevent terrorism
  • Afford timely access to electronic data for authorized law enforcement purposes
  • Respect and preserve privacy, human rights, free speech, and due process of law
  • Form a privacy-centered and data protection framework that complies with both the UK’s and the U.S.’s respective laws regarding personal data, and create a legally binding and enforceable instrument between public authorities that provides appropriate safeguards for that purpose
  • Understand and respect each country’s “appropriate and substantial” civil liberties protections, including probable cause and judicial oversight, in accessing electronic data under this agreement
  • Limit over-breadth of orders when accessing digital communications content, and, very importantly,
  • Limit harms of data localization requirements to foster an innovative, trusted, and inclusive cloud, while striving to circumvent such requirements


Geo-Political/Historical Context

Prior to the CLOUD Act, Intel customers like Amazon, Microsoft, and Google expressed concern that the U.S. government’s demand for access in the now-infamous Microsoft Ireland data case [1] would set a precedent in the international community that local privacy laws were insufficient grounds to refuse requests for data relevant to a given country’s national security. As a result, various countries started (or considered) demanding access to data wherever it is stored. Naturally, such demands would be challenged, leading to drawn-out legal battles, which in turn would lead to missed opportunities to investigate and prosecute serious crimes or, worse, to prevent terrorist acts.

To navigate the political difficulty of accessing data abroad, countries around the world began to propose legislation requiring that CSPs store data on their citizens strictly within their own borders. Of course, such legislation would prove not only technologically challenging but also financially burdensome for most CSPs, and especially for the larger ones, as legislation such as the EU General Data Protection Regulation has well illustrated.


Is the Long Arm of the Law Really that Long?

Under the CLOUD Act, CSPs now have a legal right to move to quash warrants when digital data disclosure requests contradict local laws. For example, the UK could order a US-based social media company to share encrypted messages with UK law enforcement to assist with a criminal investigation. If the company refused and the U.S. government agreed, the order would be quashed. And even if the company complied with the order, the contents of end-to-end encrypted messages would remain out of reach, as the CLOUD Act states that agreements “shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data.” [2]

Furthermore, the EA between the U.S. and the UK includes protections that go beyond the requirements of the CLOUD Act itself. While Articles 2-10 of the agreement describe these various protections, such as targeting restrictions, targeting and minimization procedures, limitations on use and transfer, and privacy and data protection safeguards, the overarching tone of the agreement is summarized by Article 2, section 1, which states:

“[This] Agreement provides an efficient, effective, data protection-compatible and privacy-protective means for each party to obtain, subject to appropriate targeting limitations, electronic data relating to the prevention, detection, investigation, or prosecution of serious crime, in a manner consistent with its law and the law of the other Party.” 

The UK/U.S. agreement has indeed established a solid foundation for future EAs with other foreign countries aimed at making access to data abroad easier. Recently, the U.S. has entered into approved negotiations with both the EU and Australia.

Most importantly, since EAs like this are bilateral, foreign countries will simultaneously be afforded the same ease of access to data stored in the U.S., provided it is not data on a U.S. citizen. This will, consequently, eliminate the motivation for other countries to be protectionist about their citizens’ data and, in turn, remove the risk of increased data localization-related costs to CSPs.

________________________________________________

[1] In 2013, Microsoft challenged a warrant by the federal government to turn over email of a target account that was stored in Ireland, arguing that a warrant issued under Section 2703 of the Stored Communications Act could not compel American companies to produce data stored in servers outside the United States. Microsoft initially lost in the Southern District of New York, with the judge stating that the nature of a Stored Communications Act warrant, as passed in 1986, was not subject to territorial limitations. Microsoft appealed to the United States Court of Appeals for the Second Circuit, which found in favor of Microsoft in 2016 and invalidated the warrant. In response, the United States Department of Justice appealed to the Supreme Court of the United States, which decided to hear the appeal.
[2] Swire/Daskal, https://www.lawfareblog.com/uk-us-cloud-act-agreement-finally-here-containing-new-safeguards