Data Security

Preparing for the First CLOUD Act Bilateral Data Access Agreement

Published: Jun. 09, 2020

Updated: Oct. 05, 2020

The British Are Coming . . . and They’re Bringing Their Own Legal Process

Starting on July 8, 2020, for the first time, U.S. companies will be receiving binding legal process directly from the UK government. This change comes over two years after the Clarifying Lawful Overseas Use of Data Act’s (“CLOUD Act”) enactment and more than nine months after the United States executed the first bilateral CLOUD Act agreement with the United Kingdom (“Executive Agreement”). The roll out of the Executive Agreement represents a significant shift away from existing cross border data access mechanisms, including the Mutual Legal Assistance (“MLA”) process. As July approaches, U.S. and UK providers should prepare to navigate this change.

“Unblocking” the United Kingdom

Although a U.S.-based provider generally cannot be compelled to provide communications content to third parties other than governmental entities with the appropriate U.S. legal process, the CLOUD Act created an important exception to this limitation. Specifically, it amended the Stored Communications Act (“SCA”) to permit foreign law enforcement authorities to obtain content data directly from U.S. providers if the foreign government enters into a qualifying “executive agreement” with the U.S. government. As a result, in certain covered circumstances, the Executive Agreement between the United States and the United Kingdom effectively “unblocks” UK authorities from obtaining user content data from U.S. providers without valid U.S. legal process and removes the requirement that UK authorities seek such data through time-consuming MLA channels.

Preparing for Compliance—What Providers Need to Know

With the Executive Agreement’s July 8, 2020 start date, U.S. and UK providers should understand and be prepared to comply with the preservation and non-disclosure obligations and production deadlines that will now apply to them under the other country’s laws (including the UK Crime Overseas Production Orders Act 2019 (“COPOA”) and the SCA). This change may require providers to adjust their law enforcement response procedures.Additionally, providers and individuals storing their data with U.S. and UK providers should be aware of the following:

  • Legal Standards—Although warrants issued pursuant to the SCA must be based upon probable cause (in compliance with the Fourth Amendment), under Section 4 of the COPOA, UK orders under the Executive Agreement may compel the production of content data if a UK court finds there are reasonable grounds to believe that: an indictable offense has been committed; all or part of the requested data is likely to be of “substantial value (whether or not by itself)” to the U.K. investigation or proceeding; and it is in the public interest for all or part of the requested data to be produced. This is a lower standard than probable cause.
  • Wiretaps—Although the DOJ lacks a basis to secure wiretaps on behalf of foreign authorities through MLA channels, under the CLOUD Act and the Executive Agreement, UK authorities may compel U.S. providers to produce the content of electronic communications prospectively and in real time if the interception: (i) is for a limited fixed duration; (ii) lasts no longer than is reasonably necessary to accomplish the order’s purpose; and (iii) the requested data could not be reasonably obtained by other less obtrusive means. 
  • Encryption—The Executive Agreement and orders issued under it may not require or prohibit the encryption of data by a provider.
  • Validity—Before responding to an Executive Agreement order, providers should confirm that it was served by the issuing government’s “Designated Authority” (i.e., the UK Secretary of State for the Home Department or the U.S. Attorney General, or their designees) together with (i) a certification that the order complies with the Executive Agreement’s substantive requirements, and (ii) notice that the Executive Agreement is being invoked. 
  • Impermissible Targeting—Neither the United Kingdom nor the United States may use the Executive Agreement to target the other country’s persons. Where an Executive Agreement order fails to comply with this restriction (for example, the order requires a U.S. provider to produce data about a U.S. citizen, lawful permanent resident, corporation or other entity, or a person located within the United States), the provider can challenge the order by contacting the Designated Authority that served the order. If, after consulting with the other government, the provider’s concerns remain unresolved, the provider can escalate its objections to its own government. 
  • Other Substantive Requirements—Providers can use the same challenge process described above if they reasonably believe an order (i) relates to something other than the investigation and/or prosecution of covered offenses (i.e., those punishable in the requesting state by a term of at least three years’ imprisonment); (ii) in the case of U.S. orders being served in the United Kingdom, implicates the death penalty; or (iii) in the case of UK orders being served in the United States, is being used to infringe freedom of speech or disadvantage persons based on ethnicity, race, gender, sexual orientation, or religion. However, providers likely will have limited, if any, visibility into these issues.
  • Judicial challenges of an order—Because a provider’s obligation to produce data in response to an Executive Agreement order originates solely from the laws of the country issuing the order, it is unclear what, if any, rights a provider will have to challenge Executive Agreement orders within the provider’s own domestic judicial system. That said, providers will have certain means to challenge orders in the courts of the issuing country. For example, under Section 7 of the COPOA, U.S. providers and other persons “affected by” an Executive Agreement order may ask a U.K. court to quash or modify the order. The COPOA, however, does not enumerate the reasons for which a provider can seek to vary or quash an order. Given the lack of certainty regarding the scope of their judicial challenge rights, providers should be prepared to test both when and through which channels providers can best challenge objectionable orders.
  • Volume—Although the Executive Agreement is reciprocal, given the number of major providers operating in the United States and how widely their services are used, the real volume of activity under the Executive Agreement likely will flow from UK authorities to U.S. providers. Also, because the Executive Agreement process involves fewer hurdles and imposes a less onerous standard for UK content requests, U.S. providers should be prepared to receive higher volumes of direct requests from the United Kingdom than they would through MLA channels.
  • Comity-Based Challenges of SCA Orders—The CLOUD Act created a new statutory right for a provider to file a motion to quash or modify a data demand if the provider reasonably believes: (i) the target of the demand is not a U.S. person and does not reside in the United States; and (ii) disclosure would create a material risk of violating the laws of a foreign country that has entered into a qualifying executive agreement with the United States under the CLOUD Act. As a result, U.S. providers will now have a statutory basis to challenge U.S. domestic legal process (including validly issued warrants) compelling the production of data regarding non-U.S. persons or residents where the provider reasonably believes that compliance with the legal process likely will violate U.K. law.

If you have questions about how the U.S./UK Executive Agreement, or the CLOUD Act more generally, will impact your company’s data storage or law enforcement response practices, please feel free to contact us. Whether you are a U.S. provider looking to prepare for direct service of UK orders, a UK provider looking to understand your new obligations under the SCA, or a company considering how to store data, we are happy to help you navigate the CLOUD Act’s new approach to cross-border law enforcement access to data.