'C.L.O.U.D.'s On the Horizon: How Law Enforcement Electronic Data Requests Are Going Global
Although they each may have their own wrinkles, new executive agreements will assuredly increase the volume of content requests from foreign governments.
October 28, 2019 at 07:00 AM
Companies storing or moving large quantities of digital information routinely encounter subpoenas, court orders and warrants from United States law enforcement for subscriber and related data and records. However, the realities of cybercrime and recent under-publicized diplomatic activities could dramatically increase the volume of incoming requests from abroad.
Cybercrime often involves a crime in one country—a hack of a school teacher's email account in the United Kingdom, for example—but the evidence of the crime often physically resides on servers in another country, such as malware and login records maintained by a social media or online company in California. However, law enforcement agencies investigating multi-country crimes are often bound by the geographic limits of their jurisdictions or must rely on slow diplomatic channels, such as mutual legal assistance treaties (MLATs), to request and obtain the evidence that they need. This slow process necessarily restricted the number of international requests received by U.S. companies.
The 2018 Clarifying Lawful Overseas Use of Data Act (CLOUD Act) authorizes the U.S. to enter into executive agreements with foreign governments to facilitate law enforcement access to cross-border data. The U.S. and the U.K. signed the first CLOUD Act Executive Agreement on October 3, 2019. Now, law enforcement agencies in either country can, according to the U.S. Department of Justice, "demand electronic evidence directly from tech companies based in the other country, without legal barriers." The Agreement cannot take effect until the legislatures of the respective countries have had six months to review the agreement (April 2020). However, more are coming: the European Union began discussions for an executive agreement and, on October 7, the U.S. and Australia announced their own executive agreement negotiations. With these agreements on the way, the privacy protections built into the Act and the U.S./U.K. Executive Agreement provide some guidance as to how those changes will affect companies.
Scope
Article 1 of the Executive Agreement specifies that any "private entity" that "provides to the public the ability to communicate, or to process or store computer data" or "processes or stores" data for those public-facing private entities is a potential recipient of U.K. law enforcement process. While necessarily focused on telecommunications and internet service providers, the expansive nature of modern data and the broad definition of "communication" mean many companies in the information and data economies can expect cross-border data requests.
The covered data includes communication content, computer data, traffic data, metadata, and "Subscriber Information." Subscriber Information, as defined, echoes the Stored Communications Act, which lists the information that can be requested by U.S. law enforcement via subpoena. As discussed below, requests for U.K. persons' communications content may be subject to a lower standard than required under U.S. law.
Issuance and Oversight
Judicial review and oversight of these cross-border data requests is not simple. Executive Agreement Article 5 specifies that the cross-border orders must be reviewed and certified as lawful by a "designated authority." For U.K. law enforcement requests to U.S. companies, the U.K. Home Secretary designates their authority and the order must then be reviewed by U.K. judges or magistrates. Thus, U.S. companies will now receive orders from U.K. judges that will carry the force of law and the inverse is true for U.K. companies. The orders must certify in writing that the order is based upon "articulable and credible facts."
Under existing U.S. law, the "articulable and credible facts" standard set forth in the agreement would likely suffice for orders requesting subscriber information and records, but not the content of communications. Indeed, even certain non-content information would require probable cause. In the context of cell site location data (which possesses no content), the Supreme Court found that a warrant was also required, and noted that the requirement for basing an order on "articulable and credible facts" falls "well short of the probable cause required for a warrant."
Companies who are issued one of these new orders can appeal to the issuing "designated authority" for clarification. However, this "clarification" will not change the potentially awkward fact that U.S. companies will be faced with U.K. orders certifying compliance with U.K. laws but not U.S. laws (or the reverse situation). If the objections are not resolved by the issuing designated authority, the company can contact its own designated authority. This is where things get even more complicated. Article 5 contemplates that the two governments will negotiate but that the provider's own designated authority decides. Therefore, a U.S. designated authority will have ultimate authority over a request to a U.S. company.
The Executive Agreement and CLOUD Act are largely silent on what a "Designated Authority" actually is. However, Articles 1 and 5 of the Executive Agreement provide that: (1) the "issuing party" will be a law enforcement agency; (2) judges or magistrates will review data requests by the issuing party; and (3) "Designated Authorities," who are distinct from either the issuing party or the judge, and selected by the U.S. Attorney General or the U.K. Home Secretary, preside over it all. Given similar existing designations in the United States Attorneys Manual, the Designated Authority may be a subpart of the Department of Justice. In certain immigration circumstances, the "designated authority" is the State Department. Whoever or whatever entity is selected, the Designated Authority is unlikely to be an independent court and cross-border data requests may have little substantive legal review.
Data Targeting and Use Limitations
According to the executive agreement, U.K. law enforcement cannot seek the communications content of U.S. persons (which, as discussed above, would require a warrant in the U.S. based on probable cause). Requests must be targeted to specific accounts, addresses or persons. Therefore, the CLOUD Act cannot be utilized for "bulk surveillance." However, most online data is pseudonymous and U.K. law enforcement may not know the location, name, or address of the target until they receive the data. Instead, they only know the cookie, online persona, or other alphanumeric identifier. While the U.S. and U.K. must implement protections for incidentally collected data via this CLOUD Act process, each company will have to consider its own appetite for these types of mistakes. Companies may have to consider prophylactic challenges in cross-border requests or risk good faith violations of people's privacy.
Article 8 of the Executive Agreement provides that the U.K. need not provide evidence for use in U.S. death penalty cases and may even veto its use post hoc, as needed. The U.S. has similar veto power obviating production in cases that raise free speech concerns. These veto powers appear to be novel, although they may become standard for the upcoming Executive Agreements.
Conclusions
This will likely be the first of many Executive Agreements that will issue in the coming years. Although they each may have their own wrinkles, these agreements will assuredly increase the volume of content requests from foreign governments. These agreements will also have tricky oversight and review frameworks. Moreover, the data use exclusions included in each agreement may provide interesting insight into which rights are most important to each country. Finally, while decryption was expressly excluded from the agreement, that issue and potential conflicts with the EU "e-evidence Rule" must be watched closely.
Chris Ott, CIPP/US, advises industry-leading organizations in sensitive cyber incidents, national security matters, white-collar investigations, government enforcement actions, and high-stakes litigation. Chris has served as an influential law enforcement official for multiple administrations, led some of the largest white-collar investigations in United States Department of Justice (DOJ) history, won more than 30 trials as a first-chair litigator, and spearheaded some of the DOJ and the SEC's first successful cyber investigations. Chris, who is a partner in the Washington, D.C. office of Davis Wright Tremaine, can be reached at [email protected].