We recently shared our concerns about the CLOUD Act in the U.S., explaining how important it is that the first agreements under the law include additional human rights protections. We also explained that the U.S. and U.K. are now working on an agreement. That agreement could help mitigate the problems with the CLOUD Act by including vital and necessary protections for users’ fundamental rights. Or it could do the opposite, defining a lower standard of protections and starting a global race to the bottom that will put our rights at much greater risk.
Specifically, a new CLOUD Act agreement between the U.S. and the U.K. could enable U.K. law enforcement to use its own vast authority to demand the data of users all over the world without a check by U.S. courts. In fact, without additional protections in the agreement, we could see a “worst of both worlds” scenario for law enforcement access to data: those in the U.K. would not get adequate protection for their data, and the U.S. CLOUD Act would serve to extend the power of the country’s dangerous Investigatory Powers (“IP”) Act so these problems go global.
What’s in the law: risk factors for a bad CLOUD agreement
The standards for law enforcement access to data under the U.K.’s Investigatory Powers (IP Act) are deeply flawed. The IP Act enables government hacking, threatens the use of strong encryption, allows broad data retention, and has limited judicial review. In fact, the recent ruling by the European Court of Human Rights found that the failure of U.K. surveillance law to require prior judicial or independent administrative approval for demands for communications data is at odds with E.U. human rights law. The ruling follows a similar ruling from earlier this year. Despite all of this, the U.K. is nevertheless likely to be the first to reach a CLOUD ACT agreement with the U.S. To protect human rights, the U.S. Department of Justice must take heed of the ECtHR findings. The CLOUD Act currently requires that countries maintain minimum standards.
Below is a chart that compares the standards for law enforcement access to data under the U.K. IP Act to those under U.S. law. To be clear, this does not imply that U.S. standards for access are ideal or satisfy all human rights requirements. Instead, it’s aimed at clarifying the issues for human rights under each regime and showing how the U.S. CLOUD Act could be used to extend the IP Act’s problems globally.
Under MLAT agreements, orders for access to data are generally required to meet the standard of both countries. Once a CLOUD Act agreement is made, however, U.K. law enforcement can use its own authority to demand data of users all over the world, without a check by U.S. courts.
As the chart shows, there are problems with the surveillance laws in both countries, marked in red. The U.K. IP Act lacks a number of key human rights protections. The law broadly authorizes data retention and government hacking, grants officials access to personal data for purposes other than investigating crime, and fails to provide users with meaningful notice. Moreover, while the IP Act created a new “double lock” judicial oversight, there are reasons to be skeptical that the new system will be an effective check. The law fails to require judicial approval for all orders, nor does it provide a clear standard of review. Meanwhile, the CLOUD Act itself lets U.S. federal law enforcement seek data stored abroad without issuing a request for mutual legal assistance, circumventing the protections that MLATs provide.
The solution: add the necessary protections to the CLOUD Act agreements, and ensure future proposals for easing access protect rights
With the CLOUD Act now in force, our best bet for protecting human rights is to bolster the protections in the agreements themselves. Our previous post on this issue has a list of five key protections these agreements should have. To safeguard our rights, any new U.S.-U.K. agreement should follow those recommendations.
Meanwhile, other countries are also looking at legislation to address the issue of law enforcement access to data. For instance, the E.U. is moving forward with the E-evidence package. It is similar to the CLOUD Act in that it would allow law enforcement in one member state to issue an order to a service provider in another E.U. member state. Like the CLOUD Act, the E-evidence proposal can be improved; in particular, by adding stronger requirements for user notice and better procedural protections for court challenges.
Any new laws to expand law enforcement access to data stored abroad will implicate the privacy of users, and in each case, we will be watching. By engaging with policymakers in the development and implementation of these laws, we will work to promote the strongest possible human rights protections for users. Stay tuned.