The Clarifying Lawful Overseas Use of Data Act (Cloud Act) has created quite a national and international turmoil. Indeed, it significantly changes the legislation regarding providers of electronic communication services or remote computing services and more specifically their obligation to disclose the contents of stored wire and electronic communications and transactional records. Another essential novelty introduced by the Cloud Act is the possibility to share data through executive agreements (§ 2523 of the Cloud Act). What are these agreements? How can enter into one? Are there specific requirements?
Mathias Avocats analyses these new data transfer instruments and examines the relevant provisions of the Cloud Act.
Who can enter into executive agreements ?
Executive agreements appear to be bilateral agreements between the President of the United States and a “qualifying foreign government”.
It is important to keep in mind the systems of check and balances which exists in the United States. Indeed, the President will only sign an executive agreement after strict scrutiny by the Attorney General and Secretary of State and approval by Congress (§ 2523 (b) of the Cloud Act). Congress may vote a joint resolution of disapproval, within 90 days, and in which case the executive agreement will not enter into force (§ 2523 (d) (4) of the Cloud Act).
The other party to an executive agreement is the “qualifying foreign government”. The definition of the latter is set out in two parts of the Cloud Act: section 2703 and section 2523. Indeed, under §2703 of the Cloud Act, a foreign government is one:
- “with which the United States has an executive agreement that has entered into force under section 2523 and
- the laws of which provide to electronic communication service providers and remote computing service providers substantive and procedural opportunities similar” to motions to quash or modify the legal process of disclosure and to the rules stating that the disclosure by the provider or remote computing service will not be considered as a violation of a protective order.
Section 2703 gives a partial definition of what a “qualifying foreign government” is. Indeed, one must refer to the requirements of section 2523 to assess whether the conditions for being a party to an executive agreement are met.
What conditions must the executive agreement meet ?
2523 of the Cloud Act sets out a lengthy list of requirements for the content of executive agreements (ex: confidentiality of the data, requirements for the foreign government’s request, rights and obligations of each party, etc.).
It would nonetheless appear that most requirements for the content of executive agreements are also requirements for the foreign government. Indeed, section 2523 can be divided into three big categories of requirements which each hold their own conditions:
- The foreign government’s law must afford “robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement”.
The section goes on to list these protections such as “adequate substantive and procedural laws on cybercrime and electronic evidence, as demonstrated by being a party to the Convention on Cybercrime, done at Budapest November 23, 2001 (…) international human rights obligations and commitments or demonstrates respect for international universal human rights (…) sufficient mechanisms to provide accountability and appropriate transparency regarding the collection and use of electronic data by the foreign government”; - The foreign government has adopted “appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning United States persons subject to the agreement”; and
- Orders subject to the executive agreement must comply with rigorous conditions such as “not intentionally target a United States person or a person located in the United States”, be “for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of serious crime, including terrorism” and “shall be subject to review or oversight by a court, judge, magistrate, or other independent authority”.
In a few words, executive agreements enable foreign governments to directly request data of a non-U.S. person if they can comply with the numerous requirements. However, for requests concerning U.S persons, the foreign government will have to use the Mutual Legal Assistance Treaty (MLAT) process or obtain assistance in a criminal investigation or prosecution (28 U.S. Code §1782 and 18 U.S. Code §3512).
The term “U.S. person” has a broad scope and namely includes citizens or nationals of the United States (they do not necessarily have to reside in the United States) or aliens lawfully admitted for permanent residence or corporations incorporated in the United States (§ 2523 (a) (2) of the Cloud Act).
In practice, foreign governments will have to pay particular attention to the type of data requested and who the data concerns. Indeed, the procedures for obtaining data of a United States person or a non-United States person are not the same.
What happens now ?
The main issue arising from the implementation of the Cloud Act is its compatibility with the European Union’s General Data Protection Regulation or GPDR (regulation n°2016/679). One of the significant concerns are data transfers under the GDPR and the role of the Cloud Act in said transfer. Will executive agreements be sufficient in themselves to answer to the conditions set out in Articles 44 to 50 of the GDPR? For example, could executive agreements be considered as “necessary for important reasons of public interest” and thus fall under the exceptions of Article 49 of the GDPR?
More specifically Article 48 of the GDPR states that “any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter”. Will executive agreements be considered as “an international agreement”? What will happen if an executive agreement cannot be found between the United States and the European Union before a personal data transfer occurs? Must the executive agreement comply with the principles set out in Article 5 the GDPR? What about the other obligations? Practitioners have not reached a consensus on whether both pieces of legislation are compatible. It is still unclear how they will interact in practice.
These questions namely lead to wondering how will the Cloud Act and the Umbrella Agreement interplay? The latter sets out the conditions for data transfers between law enforcement agencies in the United States and the European Union. However, the Umbrella Agreement does not authorise such transfers.
Another potential problem is that the Cloud Act clearly provides for the circumvention of foreign national law under § 2523 (b) (3) (I). The latter states that, if the foreign government’s law prohibits communications-service providers from disclosing the data, the foreign government must remove those restrictions to afford the same rights of data access to the United States. How will this play out in practice? How do providers know which law to comply with? Will the GDPR be lifted? Which law will predominate?
Mathias Avocats remains at your disposal for any further questions and will keep you informed of the developments of executive agreements under the Cloud Act.