First Data Sharing Agreement Under CLOUD Act Reassures Some, Leaves Others Concerned

By: Austin Gillett

January 31, 2020

In October of 2019, the first executive agreement was reached under the CLOUD Act, the new statutory authority governing electronic data transfers between law enforcement in the United States and foreign governments. Signed into law in March of 2018, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) invites foreign governments to enter into bilateral agreements with the United States in order to establish mechanisms by which government entities may lawfully assist one another in the transfer of data relevant to law enforcement efforts.

These agreements are an alternative to the frustrating process that foreign governments have endured when conducting law enforcement investigations where data is held by a U.S.-based company, even if the crime in question was conducted abroad and the subject of the data request was a citizen of the foreign government. Because pre-CLOUD authority prohibited U.S.-based service providers from disclosing information to parties, including foreign governments, the only course of action was to request the information through a mutual legal assistance treaty (MLAT), which normally requires approval by the Senate and the issuance of a warrant for probable cause. Additionally, governments continually confronted obstacles caused by data access requirements governed by statutes that permitted or denied access based, in part, on the physical location of the information sought—something increasingly difficult in an era of electronic information and worldwide data storage. 

To qualify for an executive agreement under the CLOUD Act, a country must satisfy a list of human rights commitments, including “robust substantive and procedural protections for privacy and civil liberties.” The foreign government must adopt “appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning United States persons subject to the agreement.” The U.S. Attorney General, with the concurrence of the Secretary of State, must certify in writing to Congress that the foreign government qualifies under the requirements listed in the law—a determination which is not subject to judicial or administrative review. The Act requires that the data subject be a narrowly targeted person, account, or address, and not a U.S. person—which includes citizens and lawful permanent residents. 

The first bilateral agreement under the new statutory authority is the result of months of negotiations between the United States and the United Kingdom and Northern Ireland. In addition to meeting the requirements of the CLOUD Act, the agreement also adopted certain privacy protections not required by the CLOUD Act, including:

  • An opportunity for an internet service provider to reject a data access request and ultimately appeal to a domestic authority, which is given the right to reject the data request. For example, if the U.K. requests data from Facebook, and Facebook objects, the company may ask that the U.S. review the request and ultimately reject it. 
  • A stipulation that any data obtained must be safeguarded and its use minimized. This provision prevents the U.K. from requesting information on a U.S. person from a U.S.-based service provider and later sharing that information with a U.S. government entity. 
  • A notable example of adjusting privacy safeguards to respect the laws of the respective signatories. In this agreement, the U.K. is given the right to prohibit the U.S. from using information obtained from the U.K. in a case in which the death penalty would be sought. This compromise reflects the interest of the U.K. in not being complicit in a procedure inconsistent with British law. The U.S. has similar protections guaranteed over freedom of speech concerns.

The agreement between the United States and the United Kingdom is important, not just because of the changes to substantive law domestically and abroad, but because of its precedential effect. Privacy advocates and scholars have been divided over the impact that the CLOUD Act will have worldwide, and this first agreement provides a novel insight into how the United States will move forward with global data sharing. As two dominant world powers in data storage, the U.K. and the U.S. will influence how future countries handle data requests for electronic information that is increasingly stored worldwide, without regard for physical or geographic boundaries.

Some privacy experts applaud the CLOUD Act and this recent executive agreement as important steps forward. After a dozen privacy and civil liberties entities opposed the passage of the CLOUD Act, Jennifer Daskal and Peter Swire wrote that “the CLOUD Act includes an impressively long list of privacy protections,” citing the “critically important baseline substantive and procedural protections…[that are] achievable and understandable to other rights-respecting nations.” Daskal and Swire urged privacy scholars to “[l]et not the perfect be the enemy of the good.”

Other civil society organizations are more inclined to support a modernization of the MLAT process or consider alternative legislation to facilitate the cross-border transfer of data in a way that ensures greater privacy protections for data subjects. The Electronic Privacy Information Center, or EPIC, wrote that the recent agreement “permits cross-border access to personal data without judicial approval, allows for law enforcement investigations under lower standards than in the U.S., and lacks notice to data subjects who are subject to surveillance.” EPIC remains concerned that a lack of judicial oversight will undermine the privacy of both U.S. and non-U.S. persons, domestically and abroad. 

The CLOUD Act is new and the effect that the legislation and subsequent agreements will have on global data transfers is unclear. While the precise influence of the CLOUD Act remains to be seen, it is certain that these agreements will shape the contours of the privacy protections afforded to subjects of data requests, both in the United States and abroad. For better and perhaps for worse, the CLOUD Act has begun to take effect, and will continue setting privacy standards globally, one executive agreement at a time.

Austin Gillett, J.D. Class of 2020, N.Y.U. School of Law.

Suggested Citation: Austin Gillett, First Data Sharing Agreement Under CLOUD Act Reassures Some, Leaves Others Concerned, N.Y.U. J. Legis. & Pub. Pol’y Quorum (2020).