On 23 March 2018, tucked away at the back of a 2,200-page budget bill, the United States of America’s Congress passed the next step in the ongoing fight to assist law enforcement agencies in tackling the international reach of the Internet: the CLOUD Act.
What is it?
With the full name of the ‘Clarifying Lawful Overseas Use of Data Act’, it does what it says on the tin: it establishes a framework for permitting non-US law enforcement agencies to access communications data held by US operators, and removes statutory prohibitions which might otherwise have prevented US operators from releasing the data.
Reciprocal access
On the basis that there is no such thing as a free lunch, the CLOUD Act is not a one-way street.
Only governments which enter into an ‘executive agreement’ with the USA will be afforded these rights of access and, among other things, one of the conditions of the executive agreement is that the foreign government must ‘afford reciprocal rights of data access, to include, where applicable, removing restrictions on communications service providers … and thereby allow them to respond to valid legal processes sought by a [US] governmental entity’.
If a foreign government wants easier access to data held by the major US Internet providers — think Microsoft, Google, Twitter, Facebook and others — they need to ensure that their country’s providers’ data are equally accessible to US authorities.
Executive agreement
Much of the remainder of the Act sets out other requirements before the US Attorney General can regard an executive agreement as valid.
These requirements include that:
(1) The foreign government must have ‘adequate substantive and procedural laws on cybercrime and electronic evidence’, demonstrate ‘respect for the rule of law and principles of non-discrimination’, and must ‘adhere to applicable international human rights obligations and commitments or demonstrate respect for international universal human rights’.
(2) The agreement must not ‘create any obligation that providers be capable of decrypting data’ — one of the ongoing uncertainties of the Investigatory Powers Act 2016 — nor must it create ‘any limitation that prevents providers from decrypting data’.
(3) An order issued by the foreign government, to be served on a US operator, must be for the purpose of ‘obtaining information relating to the preventing, detection, investigation, or prosecution of serious crime’, although it does not define that term.
By way of a brief diversion, what constitutes ‘serious crime’ is a live issue in the context of investigatory powers in the UK, since the CJEU’s ruling in Joined Cases C-203/15 and C-698/15. The court held that ‘only the objective of fighting serious crime is capable of justifying [national legislation which … provides for the retention of traffic and location data]’, calling into question the Investigatory Powers Act 2016’s provisions for permitting retention and acquisition also for non-serious crime.
In response to this ruling, in its November 2017 consultation, the Home Office proposed a revised definition of ‘serious crime’ for the purposes of retention or acquisition of ‘events data’, broadening the definition currently in the Investigatory Powers Act.
Whereas the current IPA definition covers only an offence where an offender with no previous convictions could reasonably be expected to be sentenced to imprisonment for a term of three years or more, or an offence which involves the use of violence, results in substantial financial gain, or is conduct by a large number of persons in pursuit of a common purpose, the proposed extension for communications data retention and acquisition would cover all offences where an offender is capable of being sentenced to imprisonment for a term of six months or more, where the offender is not an individual (eg offences by bodies corporate), and any offence which involves the sending of a communication or a breach of a person’s privacy.
If ‘serious crime’ is indeed a malleable concept, whether the threshold test for the acceptability of an executive order amounts to much must remain to be seen.
(4) The order must ‘identify a specific person, account, address, or personal device or any other specific identifier as the object of the order’. On the surface, this seems to suggest that the Investigatory Powers Act’s targeted interception (and possibly equipment interference) warrant, or targeted communications data authorisation, would be in scope.
(5) The order must be in compliance with domestic law, based on requirements for a reasonable justification, and must be subject to review or oversight by a court or other independent authority. This oversight is required ‘prior to, or in proceedings regarding, enforcement of the order’, with the use of ‘or’ suggesting that a framework which permitted oversight in only one of those situations might still be suitable.
(6) The order must not ‘be used to infringe freedom of speech’. It is not clear whose standards of ‘freedom of speech’ apply here, and whether the US expects the foreign government to interpret this consistently with the US’s approach to the First Amendment.
But the Investigatory Powers Act already has overseas effect?
The definition of ‘telecommunications operator’ in the Investigatory Powers Act includes entities which are not based in the UK, if they offer or provide a telecommunications service to persons in the UK, or control or provide a telecommunications system in the UK or which is controlled from the UK. It also enables the imposition of relevant warrants, notices etc on overseas telecommunications operators, and provides frameworks for attempting to enforce them.
In some cases, this may be sufficient to persuade an overseas operator to assist, particularly if they are willing to do so but require a mandate to satisfy local legal requirements.
In other cases, the threat of being held to be non-compliant with an overseas government’s legal framework may not prove sufficient and, where US providers are less willing to assist, an executive agreement under the CLOUD Act, recognised by US law, may strengthen the UK’s, and other foreign governments’, ability to obtain assistance from those US providers.
Impact on UK operators
Cross-border access to data for the purpose of investigations is not new, and states have attempted to address the challenges through bilateral frameworks, in the form of mutual legal assistance treaties (MLAT) and, within Europe, the European Investigation Order (2014/41/EU).
The CLOUD Act, and an executive order under it, might be seen as an enhanced form of MLAT, albeit with one key difference: the US law enforcement agency can approach the UK operator directly, rather than making the request through a domestic law enforcement agency.
The main impact of this, once a relevant executive agreement is in place, is the possibility of receiving requests directly from US law enforcement agencies, in addition to their own agencies.
First, these requests will require scrutiny, potentially involving legislation with which the service provider is unlikely to be familiar. The changes to the UK’s own investigatory powers framework have already required UK operators to get up to speed with an amended framework, and this is likely to be a further burden.
Second, UK operators will need to ensure that their reactions are consistent with domestic law, including data protection and privacy law. To the extent that orders served on them are binding, disclosure of personal data may have a lawful basis, but, since the destination of such orders is likely to be the USA, providers may need to consider issues of adequacy. Given the continued challenges against the Investigatory Powers Act 2016, and the seemingly perpetual morphing of the framework in response to each judgment, it is highly likely that challenges would also be made against a US-UK executive order.
Third, in the event that a demand is lawful and binding, resolving any technical hurdles may prove interesting, particularly where the US law enforcement authority is seeking lawful interception and wants target traffic communicated to it in real time.
Other proposals on cross-border access
The CLOUD Act is not the only current activity in this area as, between August and October 2017, the European Commission consulted on ‘improving cross-border access to electronic evidence in criminal matters’.
The Commission has yet to publish the outcomes of the consultation, but I would not be surprised to see a Europe-wide framework enabling law enforcement agencies to impose demands on telecommunications operators in other Member States in the near future.
Conclusion
The last couple of years have posed interesting challenges for UK telecommunications operators, with the evolution of the now-aged Regulation of Investigatory Powers Act 2000 into the Investigatory Powers Act 2016, and 2018 and onwards looks like more of the same, but perhaps soon with added overseas dimensions.
Neil Brown runs decoded:Legal, a telecoms, technology and Internet law firm.