'C.L.O.U.D.'s On the Horizon: How Law Enforcement Electronic Data Requests Are Going Global
Although they each may have their own wrinkles, new executive agreements will assuredly increase the volume of content requests from foreign governments.
October 28, 2019 at 07:00 AM
7 minute read
Companies storing or moving large quantities of digital information routinely encounter subpoenas, court orders and warrants from United States law enforcement for subscriber and related data and records. However, the realities of cybercrime and recent under-publicized diplomatic activities could dramatically increase the volume of incoming requests from abroad.
Cybercrime often involves a crime in one country—a hack of a school teacher's email account in the United Kingdom, for example—but the evidence of the crime often physically resides on servers in another country, such as malware and login records maintained by a social media or online company in California. However, law enforcement agencies investigating multi-country crimes are often bound by the geographic limits of their jurisdictions or must rely on slow diplomatic channels, such as mutual legal assistance treaties (MLATs), to request and obtain the evidence that they need. This slow process necessarily restricted the number of international requests received by U.S. companies.
The 2018 Clarifying Lawful Overseas Use of Data Act (CLOUD Act) authorizes the U.S. to enter into executive agreements with foreign governments to facilitate law enforcement access to cross-border data. The U.S. and the U.K. signed the first CLOUD Act Executive Agreement on October 3, 2019. Now, law enforcement agencies in either country can, according to the U.S. Department of Justice, "demand electronic evidence directly from tech companies based in the other country, without legal barriers." The Agreement cannot take effect until the legislatures of the respective countries have had six months to review the agreement (April 2020). However, more are coming: the European Union began discussions for an executive agreement and, on October 7, the U.S. and Australia announced that their own executive agreement negotiations. With these agreements on the way, the privacy protections built into the Act and the U.S./U.K. Executive Agreement provide some guidance as how those changes will affect companies.
|Scope
Article 1 of the Executive Agreement specifies that any "private entity" that "provides to the public the ability to communicate, or to process or store computer data" or "processes or stores" data for those public-facing private entities, are potential recipients of UK law enforcement process. While necessarily focused on telecommunications and internet service providers, the expansive nature of modern data and the broad definition of "communication" means many companies in the information and data economies can expect cross-border data requests.
The covered data includes communication content, computer data, traffic data, metadata, and "Subscriber Information." Subscriber Information, as defined, echoes the Stored Communications Act, which lists the information that can be requested by U.S. law enforcement via subpoena. As discussed below, requests for the U.K. persons' communications content may be subject to a lower standard than required under U.S. law.
|Issuance and Oversight
Judicial review and oversight of these cross-border data requests is not simple. Executive Agreement Article 5 specifies that the cross-border orders must be reviewed and certified as lawful by a "designated authority." For U.K. law enforcement requests to U.S. companies, the U.K. Home Secretary designates their authority and the order must then be reviewed by U.K. judges or magistrates. Thus, U.S. companies will now receive orders from U.K. judges that will carry the force of law and the inverse is true for U.K. companies. The orders must certify in writing that the order is based upon "articulable and credible facts."
Under existing U.S. law, the "articulable and credible facts" standard set forth in the agreement would likely suffice for orders requesting subscriber information and records, but not the content of communications. Indeed, even certain con-content information would require probable cause. In the context of cell site location data (which possesses no content), the Supreme Court found that a warrant was also required, and noted that the requirements for basing an order on "articulable and credible facts" falls "well short of the probable cause required for a warrant."
Companies who are issued one of these new orders can appeal to the issuing "designated authority" for clarification. However, this "clarification" will not change the potentially awkward fact that U.S. companies will be faced with U.K. orders certifying compliance with U.K. laws but not U.S. laws (or the reverse situation). If the objections are not resolved by the issuing designated authority, the company can contact its own designated authority. This is where things get even more complicated. Article 5 contemplates that the two governments will negotiate but that the provider's own designated authority decides. Therefore, a U.S. designated authority will have ultimate authority over a request to a U.S. company.
The Executive Agreement and CLOUD Act are largely silent on what a "Designated Authority" actually is. However, the Articles 1 and 5 of the Executive Agreement provide that: (1) the "issuing party" will be a law enforcement agency; (2) judges or magistrates will review data requests by the issuing party; and (3) "Designated Authorities," who are distinct from either the issuing party or the judge, and selected by the U.S. Attorney General or the U.K. Home Secretary, preside over it all. Given similar existing designations in the United States Attorneys Manual, the Designated Authority may be a subpart of the Department of Justice. In certain immigration circumstances, the "designated authority" is the State Department. Whomever or whatever entity is selected, the Designated Authority is unlikely to be an independent court and cross-border data requests may have little substantive legal review.
|Data Targeting and Use Limitations
According to the executive agreement, U.K. law enforcement cannot seek the communications content of U.S. persons (which, as discussed above, would require a warrant in the U.S. based on probable cause). Requests must be targeted to specific accounts, addresses or persons. Therefore, the CLOUD Act cannot be utilized for "bulk surveillance." However, most online data is pseudonymous and U.K. law enforcement may not know the location, name, or address of the target until they receive the data. Instead, they only know the cookie, online persona, or other alphanumeric identifier. While the U.S. and U.K. must implement protections for incidentally collected data via this CLOUD Act process, each company will have to consider its own appetite for these types of mistakes. Companies may have to consider prophylactic challenges in cross-border requests or risk good faith violations of peoples' privacy.
Article 8 of the Executive Agreement provides that the U.K. need not provide evidence for use in a U.S. death penalty cases and may even veto its use post hoc, as needed. The U.S. has similar veto power obviating production in cases that raise free speech concerns. These veto powers appear to be novel, although they may become standard for the upcoming Executive Agreements.
|Conclusions
This will likely be the first of many Executive Agreements that will issue in the coming years. Although they each may have their own wrinkles, these agreements will assuredly increase the volume of content requests from foreign governments. These agreements will also have tricky oversight and review frameworks. Moreover, the data use exclusions included in each agreement may provide interesting insight into which rights are most important to each country. Finally, while decryption was expressly excluded from the agreement, that issue and potential conflicts with the EU "e-evidence Rule" must be watched closely.
Chris Ott, CIPP/US, advises industry-leading organizations in sensitive cyber incidents, national security matters, white-collar investigations, government enforcement actions, and high-stakes litigation. Chris has served as an influential law enforcement official for multiple administrations, led some of the largest white-collar investigations in United States Department of Justice (DOJ) history, won more than 30 trials as a first-chair litigator, and spearheaded some of the DOJ and the SEC's first successful cyber investigations. Chris, who is a partner in the Washington, D.C. office of Davis Wright Tremaine, can be reached at [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1NY Appellate Panel Cites Student's Disciplinary History While Sending Negligence Claim Against School District to Trial
- 2A Meta DIG and Its Nvidia Implications
- 3Deception or Coercion? California Supreme Court Grants Review in Jailhouse Confession Case
- 4State Bar of Georgia Presents Access to Justice Pro Bono Awards
- 5Tips For Creating Holiday Plans That Everyone Can Be Grateful For
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250