On March 3, 2020, U.S. Attorney General William Barr, in accordance with the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”), relating to an executive agreement governing access by a foreign government to electronic data, gave notice that he has determined, and has submitted a written certification of such determination to Congress, that the U.S.-U.K. CLOUD Agreement satisfies the requirements of the CLOUD Act.
On November 27, 2019, the Attorney General certified that he had determined that the U.S.-U.K. CLOUD Agreement satisfies the requirements of the CLOUD Act. On January 10, 2020, the Attorney General completed the process of providing his certification to Congress. The U.S.-U.K. CLOUD Agreement will enter into force not earlier than July 8, 2020, unless Congress enacts a joint resolution of disapproval, in accordance with the CLOUD Act.
On March 23, 2018, the CLOUD Act was signed into law. Public Law 115-141, Div. V, 132 Stat. 1213-25. The CLOUD Act removes certain restrictions under U.S. law on companies disclosing electronic data, in response to qualifying, lawful orders in investigations of serious crime, directly to a qualifying foreign government with which the United States has entered into an executive agreement governing access by the foreign government to covered data. Id. at 132 Stat. at 1213-17.
Before an agreement can go into effect, the Attorney General, with the concurrence of the Secretary of State, must determine that the considerations outlined in 18 U.S.C. 2523(b) have been met. The Attorney General must then submit a written certification of his determination to Congress, including an explanation of each consideration required by 18 U.S.C. 2523(b), not later than 7 days after the date on which the Attorney General certifies the executive agreement. 18 U.S.C. 2523(d) (1).
The executive agreement will enter into force not earlier than 180 days after the date the Attorney General notifies Congress, unless Congress enacts a joint resolution of disapproval, in accordance with the CLOUD Act. 18 U.S.C. 2523(d)(2). Under 18 U.S.C. 2523(g), the Attorney General’s determination or certification under 18 U.S.C. 2523(b) must be published in the Federal Register..
Determination and Certification Pursuant to Section 2523(b)
On October 3, 2019, the Home Secretary of the United Kingdom and the Attorney General of the United States signed the U.S.-U.K. CLOUD Agreement. A copy of the U.S.-U.K. CLOUD Agreement is available at: https://www.justice.gov/dag/cloudact. On November 27, 2019, the Attorney General certified his determination that the U.S.-U.K. CLOUD Agreement satisfies the requirements of 18 U.S.C. 2523(b). The Attorney General’s determination was based on the considerations in paragraphs (1), (2), (3), and (4) of 18 U.S.C. 2523(b), as explained in the “Explanation of Each Consideration in Determining that the Agreement Satisfies the Requirements of 18 U.S.C. 2523(b),available at: https://www.justice.gov/dag/cloudact. Secretary of State. Pompeo concurred with the Attorney General’s determination.
The Department of Justice (“Department”) transmitted the U.S.-U.K. CLOUD Agreement certification to the Committee on the Judiciary and the Committee on Foreign Relations of the Senate on December 4, 2019. Due to a clerical error the Committee on the Judiciary and the Committee on Foreign Affairs of the House of Representatives did not receive notice until January 10, 2020.
Non-Reviewable Determination and Certification
In accordance with 18 U.S.C. 2523(c), the determination and certification by the Attorney General described in this notice are not subject to judicial or administrative review.
The Way Forward
The U.S. has also signed a CLOUD Act Agreement with Australia. The U.S. and the Ministers of Justice of the European Union have held discussions over a CLOUD Act Agreement. The U.S. hopes to sign many CLOUD Act Agreements.
Many privacy groups, such as Electronic Privacy Information Center, and human rights groups have opposed the CLOUD Act agreements. They oppose it, among other reasons, because it gives foreign authorities access to information without any judicial authorization, no notice is given to the data subject and no remedies, and unequal minimization and targeting protections exist for U.K. and U.S. citizens