{"id":6455,"date":"2019-10-30T13:17:10","date_gmt":"2019-10-30T17:17:10","guid":{"rendered":"http:\/\/ncjolt.org\/?p=6455"},"modified":"2020-06-04T20:52:24","modified_gmt":"2020-06-04T20:52:24","slug":"the-cloud-act-us-and-uk-sign-agreement-to-allow-law-enforcement-agencies-to-share-data-regarding-serious-crimes","status":"publish","type":"post","link":"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/the-cloud-act-us-and-uk-sign-agreement-to-allow-law-enforcement-agencies-to-share-data-regarding-serious-crimes\/","title":{"rendered":"The CLOUD Act: US and UK Sign Agreement to Allow Law Enforcement Agencies to Share Data Regarding Serious Crimes"},"content":{"rendered":"\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0On October 3, 2019, the United States and the United Kingdom signed<\/a> the first ever Clarifying Overseas Use of Data (CLOUD) Act executive agreement, which allows cross-border sharing of electronic data with law enforcement agencies regarding serious crimes. The goal of the agreement was prompted by the countries\u2019 interest in combating crime \u2013 including terrorism, transnational organized crime, and child exploitation \u2013 as well as increasing the speed with which access to electronic data is made available.<\/p>\n\n\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Congress first passed the CLOUD Act in March 2018, which amended the Stored Communications Act to clarify that providers subject to the SCA must \u201cpreserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider\u2019s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.\u201d (codified at 18 U.S.C. \u00a7 2713). <\/p>\n\n\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0The CLOUD Act also authorized the United States to enter into bilateral executive agreements with foreign governments that meet a list of privacy and human rights requirements. It further required that these foreign governments may not target US persons. <\/p>\n\n\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Under this provision, the US and the UK issued this agreement on terms that lift restrictions for a broad class of serious criminal investigations. The agreement also promised to assure providers that disclosures of data under the agreement are compatible with data protection laws. The definition of \u201cserious crime\u201d is now defined broadly under Article 1 to include crimes with a maximum punishment of three or more years\u2019 incarceration, which excludes misdemeanors but incorporates a wide range of felonies to which data transfer could apply.<\/p>\n\n\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Both countries hope that this agreement will speed up investigations drastically by removing legal barriers to the collection of electronic evidence. It allows law enforcement agencies to receive electronic data from tech companies directly (with the appropriate court authorization of their home country) rather than going through a multiple-year long government process. Specifically, the US DOJ claims that it will accelerate dozens of investigations of suspected terrorists and pedophiles, who may have been convicted of crimes in the UK.<\/p>\n\n\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0The new agreement contains several privacy safeguards<\/a> that go further than the text of the CLOUD Act. For instance, Article 5 of the US-UK executive agreement<\/a> specifies that the cross-border transfers are still subject to oversight by a designed authority (in the US, the governmental entity is designated by the Attorney General). Data providers who are issued an order have the opportunity to object and resolve the issue with their country\u2019s designated authority, which has the ultimate veto power to block implementation of the order. This provision creates an important form of quality control for both providers and consumers.<\/p>\n\n\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Under Article 12, which imposes key transparency requirements, each country is also required to issue an annual report with data concerning the use of the agreement. Privacy is further safeguarded under Article 7, which mandates, consistent with the requirements of the CLOUD Act, that any changes to the targeting and minimization procedures for data collection must be approved by the other party before implementation.<\/p>\n\n\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0There are concerns<\/a> that the CLOUD Act would allow the US or the UK to require a covered provider to wiretap a user located in a third country, without the approval of that nation. While there is still some debate around the interaction of the CLOUD Act and the Wiretap Act under ECPA, Article 5 does at least explicitly require that when an order is issued for data related to an individual who is located outside the territory of the issuing party, the designed authority must notify the appropriate authorities in that third country where the data subject is located. <\/p>\n\n\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0However, there is still a risk that notice doesn\u2019t actually fix the problem and instead only lets the third country know, before collection, that electronic surveillance is happening within its borders. Furthermore, it is not yet clear how and when any objections to surveillance could be lodged. Providers should also be cautious if notice to a third country is withheld by US or UK court authorization, remedies for a third country against a provider are not covered by immunity provisions under the CLOUD Act and could subject the provider to criminal liability for electronic surveillance.<\/p>\n\n\n

Meredith Richards <\/p>\n\n\n

October 30, 2019<\/p>\n","protected":false},"excerpt":{"rendered":"

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0On October 3, 2019, the United States and the United Kingdom signed the first ever Clarifying Overseas Use of Data (CLOUD) Act executive agreement, which allows cross-border sharing of electronic data with law enforcement agencies regarding serious crimes. The goal of the agreement was prompted by the countries\u2019 interest in combating crime \u2013 including terrorism, …<\/a><\/p>\n","protected":false},"author":1,"featured_media":5316,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[51],"tags":[],"_links":{"self":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/6455"}],"collection":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/comments?post=6455"}],"version-history":[{"count":1,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/6455\/revisions"}],"predecessor-version":[{"id":6793,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/6455\/revisions\/6793"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media\/5316"}],"wp:attachment":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media?parent=6455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/categories?post=6455"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/tags?post=6455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}