
EU and U.S. Negotiations on Cross-Border Data, Within and Outside of the Cloud Act Framework

This short article explains the streamlined U.S. legislative procedure that applies to executive agreements under the Cloud Act. Other procedures exist, but they require considerably more challenging steps for approval by Congress before an agreement can go into effect.

As discussed extensively elsewhere, including by authors writing for the Cross-Border Data Forum, the Cloud Act authorizes the U.S. government to negotiate a specific sort of executive agreement with a Qualifying Foreign Government (QFG). The Cloud Act contains numerous requirements for such an executive agreement, both for each individual request and for the system of rule of law and privacy protections that must exist in the Qualifying Foreign Government.

On February 5, 2019, the EU Commission recommended that the Council authorize “the opening of negotiations in view of an agreement between the European Union and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters.” On March 11, the Committee on Civil Liberties, Justice, and Home Affairs of the European Parliament (the “LIBE Committee”) issued “4th Working Document (B)” with relevant comments on the Council’s negotiations.

That Working Document contained two questions that relate to what sort of legal instrument would be appropriate for an EU/U.S. agreement on this topic:

“– Third, it has to be clarified if and how such an agreement (depending on its status) could be envisaged outside the framework of the CLOUD Act. This question is particularly important given that the US legislation is very clear as to which data can be requested by foreign authorities (namely only data of non-US citizens and non-residents), whereas, at the same time, the US government can request all data, including data stored or collected outside of the United-States – question of reciprocity of any future agreement.
– Fourth, it also has to be clarified if the EU actually falls under the term “foreign government” and, thus, can conclude such an agreement under the Cloud Act. It has already been claimed that any EU-US e-evidence agreement could be only a framework agreement demanding additional agreements by the individual Member States.” (emphasis added)

This article seeks to explain, especially for a non-U.S. audience, what it would mean under U.S. law to operate inside or outside of “the framework of the CLOUD Act.” The U.S. process differs for a Cloud Act executive agreement compared to three alternative procedures: (a) a non-Cloud Act executive agreement; (b) a treaty; or (c) a new statute that amends the Cloud Act.

(1) Cloud Act executive agreement. The Cloud Act enables the law enforcement of qualifying foreign governments to make direct requests to U.S. service providers for the content of communications. A Cloud Act executive agreement goes into force with certification by the U.S. Attorney General, in consultation with the Secretary of State, with opportunity for Congress to disapprove the agreement.

(2) Non-Cloud Act executive agreement. If the EU and U.S. reach an agreement outside of the Cloud Act, then the current provisions of the Stored Communications Act (SCA) would remain in effect, notably to limit non-U.S. law enforcement access to the contents of communications. The most likely process would probably also be called an “executive agreement,” but it would not be the specialized executive agreement included in the Cloud Act. To become effective, a non-Cloud Act executive agreement would require a majority vote in both the Senate and the House of Representatives. It would then require signature by the President, or a 2/3 vote in both the Senate and House to override a veto by the President.[1]

(3) Treaty. An EU/U.S. agreement might also be set forth in a treaty, which requires a 2/3 vote in the Senate. It is possible, however, that even a treaty would not be sufficient to change underlying law and lift the limits of the SCA. Some treaties are “self-executing” – they take effect without implementing legislation. Most U.S. treaties, however, require implementing legislation in order to have binding effect. In the latter case, additional legislation would be required to implement a treaty, with the same voting rules as for a non-Cloud Act executive agreement.

(4) Amend the Cloud Act or Stored Communications Act. As an alternative, the Cloud Act and/or Stored Communications Act could be amended. That would be ordinary legislation, requiring a majority of both the Senate and the House and signature by the President. If the President vetoes the legislation, then a 2/3 vote in the Senate and the House would be needed to override the veto.[2]

In summary, the U.S. legislative requirements for a Cloud Act executive agreement are far easier to meet than those for the three other procedures. Under the Cloud Act, the agreement automatically enters into force 180 days after Congress is notified of the agreement. Blocking the agreement requires a majority vote in both the Senate and the House, if the President agrees with Congress to stop an agreement that the Attorney General has already approved. If the President disagrees with Congress, then overriding that veto would require a 2/3 vote in both the Senate and House. Put another way, once the Attorney General certifies a Cloud Act executive agreement, it would likely enter into effect automatically unless a 2/3 majority in both the Senate and House disagreed within 180 days.

On the other hand, there is greater flexibility for the content of the text if one of the other three procedures is used. If it is a self-executing treaty, then approval of 2/3 of the Senate is required. Most likely, however, this would not be a self-executing treaty, so a vote by 2/3 of the Senate would not be sufficient to put an agreement into effect. For a non-self-executing treaty, non-Cloud Act executive agreement, or new statute, the requirement would be an affirmative vote by both the Senate and the House of Representatives, and signature by the President or a veto override. With that affirmative vote in Congress, the text of a non-Cloud Act executive agreement or new statute could be whatever is within the power of Congress to legislate.

As Jennifer Daskal and I have written previously, and as noted by the LIBE Committee, there is legal uncertainty about whether the European Union can be a Qualifying Foreign Government as defined in the Cloud Act. Our previous writing explains that one possible way to address this issue is to adopt the procedures of the EU/U.S. Umbrella Agreement, with negotiation at the EU level but additional steps needed for ratification by each Member State. The discussion in the current article, however, shows other lawful ways to proceed. If the EU and U.S. negotiate one of the other three types of legal instrument, such as a non-Cloud Act executive agreement, then this uncertainty in the Cloud Act would no longer be legally relevant. Passing a bill through Congress, however, can be difficult and time-consuming; until any such vote in Congress, EU law enforcement would continue to lack direct access to the content of communications held by a U.S. provider.

The intent in this short article is not to propose what legal instrument is desirable. Instead, the article seeks to explain clearly what can be done within or outside of a Cloud Act executive agreement. In addition, the discussion here describes only what legislative action would be required from the U.S. side. The EU or a country entering into an executive agreement would need to satisfy its own laws to put an agreement into effect.

[1] As discussed in connection with treaties, the non-Cloud Act executive agreement would need to be “self-executing.” Procedurally, that is relatively easy to achieve for this executive agreement. It would be approved in Congress in the same way as a new law – majority vote in both the Senate and House of Representatives, with signature by the President. (Alternatively, Congress could override a Presidential veto with a 2/3 vote in both the Senate and the House of Representatives.) All voting requirements for changing a statute such as the SCA would thus be met. In short, a non-Cloud Act executive agreement can be made self-executing by stating that intent in the text of the agreement.

[2] The voting procedures are identical for a non-Cloud Act executive agreement and a new statute.

These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.