
No country is an island, especially in cyberspace: the US CLOUD Act and its international reach - part 2

• 14 June 2018 • 7 min read

Part Two examines the changes introduced by the Act and how other nations are looking to exercise the new powers potentially available under the Act

Welcome to part two of our three-part series of TechKnowChat blog posts on the US CLOUD Act.

In our first post we introduced and provided some context for the new Act. This part two examines the changes introduced by the Act and demonstrates how other nations, including Australia, are already looking to exercise the new powers potentially available under the Act.

Changes introduced by the Act

The Act amends the Stored Communications Act (SCA)[1] and other parts of the United States Code (USC).

The key amendments to the USC effected by the Act are as follows:

  • the addition to USC Title 18, Chapter 121, “Stored Wire and Electronic Communications and Transactional Records Access” of a new section 2713, “Required preservation and disclosure of communications and records”; and
  • amendments to USC Title 18, Chapter 119, “Wire and Electronic Communications Interception and Interception of Oral Communications”, including the addition of a new mechanism for “executive agreements” for access to data.

These amendments are discussed in further detail below.

Extraterritorial application of the SCA

It is a generally accepted legal principle[2] that, unless specifically indicated by Congress, laws will not have extraterritorial jurisdiction. This was examined by the 2nd Circuit Court on appeal in the Microsoft Ireland case, which held that, with regard to the SCA, Congress had given no ‘affirmative indication’ that it intended the law to be applied extraterritorially and that the drafting of the SCA itself did not expressly permit extraterritorial application.[3]

In response to the US Government’s position that the SCA was capable of extraterritorial application, 2nd Circuit Judges Carney and Bolden (Lynch J concurring in a separate judgement) stated that this argument:

stands the presumptions against extraterritoriality on its head. It further reads into the Act an extraterritorial awareness and intention that strike us as anachronistic, and for which we see, and the government points to, no textual or documentary support.[4]

This problem has now been specifically addressed by the Act, which expressly empowers authorities to issue warrants under the SCA for electronic data that is stored on servers outside the geographical borders of the US.

This key change has been introduced by the addition of a new section 2713 to the SCA, which states that service providers must:

preserve, backup or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody or control, regardless of whether such communication, record, or other information is located within or outside of the United States.

Executive agreements

The second major innovation in the revised legislation is the introduction of a mechanism for the establishment of “executive agreements” between the US Government and other (selected) governments.[5]

The executive agreements mechanism will bypass the Mutual Legal Assistance Treaty (MLAT) request process, which previously was the only mechanism by which warranted or subpoenaed material could be transferred between the US and another country.

There are a number of stringent requirements that must be satisfied before an executive agreement can be concluded.

First, the US Attorney General and Secretary of State must concur and must certify to Congress in writing that the foreign state’s domestic laws deliver:

robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement.[6]

That determination must take into account “credible information and expert input” on matters such as “whether the foreign government has adequate substantive and procedural laws on cybercrime and electronic evidence.”

Conditions for the satisfaction of this criterion include that the relevant foreign government:

(a) is a signatory to the Budapest Convention on Cybercrime (Australia has acceded to and ratified that Convention (with certain reservations)); or

(b) has enacted domestic laws “consistent with definitions and the requirement set forth in Chapters I and II of the Convention”.

Once an executive agreement is in place, there is a further layer of protection in relation to orders that can be obtained or made under it.

For example, the agreement cannot be used by a foreign government to target a US citizen or other person in the United States.

Also, the Act provides[7] that orders issued under an executive agreement must:

(a) relate to a ‘serious crime’, including terrorism;

(b) be specific by identifying a specific person, account, address, device or other identifier;

(c) be lawful under local law;

(d) be justified by ‘articulable and credible facts, particularity, legality and severity regarding the conduct under investigation’; and

(e) be subject to review or oversight by a court, judge, magistrate or other independent authority.

The UK and Australian Governments are first out of the blocks in terms of announcing their desire to conclude executive agreements with the US.

The UK has, it seems, been anticipating the passage of the Act for some time, with reports as long ago as February 2016 that the UK and the US had been discussing their entry into an executive agreement.

In February 2018, immediately ahead of consideration of the Bill by the US Senate, Downing Street announced the UK’s support for the legislation. In a statement,[8] a spokesperson said that the Rt Hon Theresa May MP, British Prime Minister, had discussed the legislation with the US President. The statement said:

The Prime Minister stressed the great importance of the legislation to the UK authorities in investigating criminal and terrorist activity in the UK. The Prime Minister and President Trump agreed the passage of the Act through the US legislative system was vital for our collective security.

As far as Australia is concerned, on 8 April 2018, the Hon. Angus Taylor MP, Minister for Law Enforcement and Cyber Security stated: “Given the size and scale of technology and communications companies based in the US, the Act has the potential to be of significant benefit to law enforcement. Australia welcomes the US taking leadership on this issue.”[9]

It has been reported that Mr Taylor was to travel to the US during April to discuss entering into an executive agreement under the Act with the US government.[10]

[1] 18 U.S.C. Chapter 121, “Stored Wire and Electronic Communications and Transactional Records Access.”

[2] In this specific context, see, for example, Christine Nielsen Czuprynski, ‘The Stored Communications Act’s Warrant Provisions Do Not Apply Extraterritorially’, Technology Law Dispatch, 20 July 2016. Available here.

[3] Christine Nielsen Czuprynski op cit, note 2.

[4] Microsoft Corp v. United States 829 F.3d 197 (2d Cir. 2016), page 24 per Carney and Bolden J. In that judgment Lynch J who was also sitting concurred with the decision but in a separate judgement.

[5] See generally the new Section 2523, “Executive agreements on access to data by foreign governments” now added at the end of USC Title 18, Chapter 119.

[6] CLOUD Act ss 104(a), to be codified at 18 USC ss 2523 (b).

[7] 18 USC ss 2523(2)(b)(4)(D).

[8] Press Release, Prime Minister’s Office, “PM call with President Trump: 6 February 2018”; available online here.

[9] The Hon. Angus Taylor MP, Media Release, ‘Australia welcomes US CLOUD Act to improve lawful access to data across borders’, 8 April 2018. Available online here. http://minister.homeaffairs.gov.au/angustaylor/Pages/australia-welcomes-us-cloud-act-to-improve-lawful-access-to-data-across-borders.aspx

[10] See David Wroe, ‘Police could access US cloud data under planned crime-fighting deal’, The Sydney Morning Herald, 8 April 2018. Available online here.
