On October 3, 2019, the United States’ Department of Justice announced “the world’s first ever Cloud Act Agreement” signed and entered into with the United Kingdom. The Agreement will enter into force six months after a review period by the US Congress and the UK Parliament.
Later, on October 7, 2019, the Department of Justice published a joint statement announcing that the US and Australia have entered into formal negotiations for an agreement under the Cloud Act.
The US-UK agreement and the ongoing negotiations with Australia mark the first steps in the implementation of the Clarifying Lawful Overseas Use of Data Act (Cloud Act). The Cloud Act significantly changes the legislation regarding providers of electronic communication services or remote computing services, and more specifically their obligation to disclose the contents of stored wire and electronic communications and transactional records.
Moreover, Google recently announced the publication of the number of government requests received for Google Cloud Platform and G Suite enterprise customer data. According to the company, “The publication of this information is an important milestone in [Google’s] efforts to improve transparency and help address broader uncertainty about how often governments are coming to Google to request access to enterprise customer data”.
What is a Cloud Act Agreement?
These agreements allow each party’s law enforcement agencies to demand electronic data regarding serious crime held by providers of electronic communication services or remote computing services. However, the scope of each agreement is subject to negotiations.
Regarding the US-UK agreement, both parties agreed to broadly lift restrictions for investigations and to assure providers that disclosures through the agreement are compatible with data protection laws. The US Department of Justice stated that each party “committed to obtain permission from the other before using data gained through the agreement in prosecutions relating to a party’s essential interest – specifically, death penalty prosecutions by the United States and UK cases implicating freedom of speech”.
Who can enter into executive agreements?
It is important to keep in mind the system of checks and balances which exists in the United States. Indeed, the President will only sign an executive agreement after strict scrutiny by the Attorney General and Secretary of State and approval by Congress (§ 2523 (b) of the Cloud Act). Congress may vote a joint resolution of disapproval within 90 days, in which case the executive agreement will not enter into force (§ 2523 (d) (4) of the Cloud Act).
The other party to an executive agreement is the “qualifying foreign government”. The definition of the latter is set out in two parts of the Cloud Act: section 2703 and section 2523. Indeed, under §2703 of the Cloud Act, a foreign government is one:
- “with which the United States has an executive agreement that has entered into force under section 2523 and
- the laws of which provide to electronic communication service providers and remote computing service providers substantive and procedural opportunities similar” to motions to quash or modify the legal process of disclosure and to the rules stating that the disclosure by the provider or remote computing service will not be considered as a violation of a protective order.
Section 2703 gives a partial definition of what a “qualifying foreign government” is. Indeed, one must refer to the requirements of section 2523 to assess whether the conditions for being a party to an executive agreement are met.
What conditions must the executive agreement meet?
Section 2523 of the Cloud Act sets out a lengthy list of requirements for the content of executive agreements (e.g., confidentiality of the data, requirements for the foreign government’s request, rights and obligations of each party, etc.).
It would nonetheless appear that most requirements for the content of executive agreements are also requirements for the foreign government. Indeed, section 2523 can be divided into three broad categories of requirements, each with its own conditions:
- The foreign government’s law must afford “robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement”. The section goes on to list these protections such as “adequate substantive and procedural laws on cybercrime and electronic evidence, as demonstrated by being a party to the Convention on Cybercrime, done at Budapest November 23, 2001 (…) international human rights obligations and commitments or demonstrates respect for international universal human rights (…) sufficient mechanisms to provide accountability and appropriate transparency regarding the collection and use of electronic data by the foreign government”;
- The foreign government has adopted “appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning United States persons subject to the agreement”; and
- Orders subject to the executive agreement must comply with rigorous conditions such as “not intentionally target a United States person or a person located in the United States”, be “for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of serious crime, including terrorism” and “shall be subject to review or oversight by a court, judge, magistrate, or other independent authority”.
In short, executive agreements enable foreign governments to directly request data of a non-U.S. person if they can comply with the numerous requirements. However, for requests concerning U.S. persons, the foreign government will have to use the Mutual Legal Assistance Treaty (MLAT) process or obtain assistance in a criminal investigation or prosecution (28 U.S. Code §1782 and 18 U.S. Code §3512).
The term “U.S. person” has a broad scope and notably includes citizens or nationals of the United States (who do not necessarily have to reside in the United States), aliens lawfully admitted for permanent residence, and corporations incorporated in the United States (§ 2523 (a) (2) of the Cloud Act).
In practice, foreign governments will have to pay particular attention to the type of data requested and who the data concerns. Indeed, the procedures for obtaining data of a United States person or a non-United States person are not the same.
Will there be a Cloud Act Agreement between the US and the European Union?
Currently, the US and the European Union have not entered into any executive agreement under the Cloud Act.
The main issue arising from the implementation of the Cloud Act is its compatibility with the European Union’s General Data Protection Regulation or GDPR (Regulation No. 2016/679). On July 10, 2019, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published a joint legal assessment on the Cloud Act and the EU legal framework for data protection. The EDPB and EDPS stated that the Cloud Act does not contain a sufficient legal basis under GDPR to justify personal data transfers to the US.
As a result, the EDPB and EDPS recommend that an international agreement could be concluded between the US and the EU, “containing strong procedural and substantive fundamental rights safeguards”. Alternatively, the EDPB and the EDPS suggest that the US and the EU could update their existing MLAT agreements to recognize and incorporate the Cloud Act.
Mathias Avocats remains at your disposal for any further questions and will keep you informed of the developments of executive agreements under the Cloud Act.