The United States Clarifying Lawful Overseas Use of Data (CLOUD) Act, passed in March 2018, clarifies that United States law enforcement can compel evidence stored abroad by U.S. companies. It also allows the Attorney General to negotiate bilateral “executive agreements” that allow partner countries to directly request electronic evidence from U.S.-based companies, rather than routing requests through the Mutual Legal Assistance Treaty (MLAT) system. Potential partner countries must meet certain criteria set out in the law, including regarding human rights.

On 18 September, GNI convened a group of experts on technology policy and human rights to discuss how other countries measure against that criteria, how Congress can help ensure agreements made under the CLOUD Act protect human rights, and how the law may impact Internet governance globally.

GNI Policy Director Jason Pielemeier opened the session by outlining challenges that have spurred recent efforts like the CLOUD Act, as well as a draft European e-Evidence regulation, and the negotiation of a new additional protocol to the Budapest Convention on Cybercrime. [1] The MLAT system, through which most requests for overseas evidence are processed, was designed for an era that predated the Internet. With electronic evidence making up such an important component of most criminal prosecutions, MLAT requests have increased exponentially, creating significant delays in processing.

David Bitkower, a partner at Jenner & Block LLP and formerly the Principal Deputy Assistant Attorney General for the Criminal Division of the US Department of Justice explained the main provisions of the CLOUD Act and provided some context about how it originated. He noted the view, shared by the Obama administration and Congress, that by allowing some close partner countries to make direct requests for data to companies, the law can free up resources to improve the response time for other countries who will continue to make requests under the MLAT system. He also explained that the criteria that the law provides could incentivize those countries interested in entering into executive agreements to improve related laws and practices.

Panelists expressed a range of views about whether and how such agreements could provide sufficient incentives and the extent to which data requests under such agreements would protect users’ rights as compared to those made under the existing MLAT regime. Jodie Ginsberg from Index on Censorship, an NGO headquartered in London, noted that the U.K. is currently considering the Crime Overseas Production Order Bill to allow for the kinds of direct requests to companies that are contemplated under the CLOUD Act and the EU e-Evidence proposal. Elonnai Hickok of the Centre for Internet and Society sought to map India’s legal and policy framework to the standards outlined in the CLOUD Act, and she noted that a key question remained about how the U.S. government will attempt to assess a country’s practices, in addition to their laws and policies. Professor K.S. Park of Korea University explained that the idea that one country can and should evaluate another’s human rights practices in such a detailed and systematic manner is relatively novel and unlikely to be without controversy.

Patrik Hiselius of Telia Company flagged that the EU e-Evidence proposal currently being considered by the European Parliament (also discussed at our 2018 Learning Forum) puts an unnecessary burden on ICT companies to make judgements about the legality and human rights implications of requests for evidence, essentially running the risk of “privatizing law enforcement.” According to Professor Park, experience shows that ICT companies in South Korea would likely tend toward oversharing under such arrangements.

Mr. Bitkower pointed to several procedures outlined in the CLOUD Act that may assuage some of these concerns. For instance, he noted that the law provides for auditing requirements to ensure appropriate use of the agreements, leaves room to negotiate common ground on issues like speech laws and probable cause where there is variance in domestic laws, and allows for the possibility of negotiating executive agreements with only one or a limited set of entities within a partner country. Mr. Bitkower closed by reminding the audience that some of the alternatives to these proposed arrangements, i.e., forced data localization or insufficient evidence sharing, pose risks for human rights and public safety alike.

Learn more about GNI’s work on cross-border data challenges on the “jurisdictional assertions and limits” issue page.

[1] GNI discussed these proposed arrangements for cross-border evidence sharing in more detail at our 2018 Learning Forum, “New World Borders: How Jurisdiction Affects Human Rights Online.”