CLOUD Act Executive Agreement Certified to Congress, After A Delay

Updated: January 21, 2020

On January 10, 2020, the U.S. Department of Justice (DOJ) officially notified the Congress of its certification of the agreement between the United States and the United Kingdom on Access to Electronic Data for the Purpose of Countering Serious Crime.  While the DOJ had previously sent the U.S./UK CLOUD Act Executive Agreement to Congress on December 4, 2019, and intended to notify the relevant committees at that time, “because of a clerical error, [the DOJ] did not provide actual notification to those committees until January 10, 2020.

The submission included the Attorney General’s certification that the United Kingdom meets the requirements under 18 U.S.C. § 2523(b) for a qualified foreign government.  Under § 2523(d)(2), now that the treaty and certification have been sent to Congress, the Agreement will enter into force on July 8 2020 unless the Congress passes a joint resolution of disapproval before that time.  Nathan Swire’s Lawfare Blog article “Applying the CLOUD Act to the U.S.-U.K. Bilateral Data Access Agreement” details the requirements for an Executive Agreement under the CLOUD Act, as well as Congress’s oversight role for these agreements.

Along with copies of the treaty text and the Attorney General’s certification, the documents delivered to Congress included clarifying letters of understanding between the U.S. Attorney General and the UK Secretary of State for the Home Department, as well as the U.S. Attorney General’s support for the decision to certify the UK as a qualified foreign government.  Notably, these supplemental documents include:

    • A list of UK criminal laws that implicate free speech concerns that would require explicit approval from the US prior to a data transfer under the Agreement. The U.S. also has the unilateral right to supplement this list under its sole discretion.
    • Acknowledgement of human rights concerns raised by experts and civil society groups during the consideration of the UK’s compliance with CLOUD Act requirements.
    • A finding that the minimization procedures included in Article 7 of the Agreement satisfy the minimization procedures requirement of the CLOUD Act § 2523(b)(2).
    • A section-by-section listing of the authorities supporting the decision to certify the UK. These authorities include international treaties to which the UK is party as well as findings by the U.S. State Department, Bureau of Democracy, Human Rights. The letters also refer to the Labor 2018 Country Report on Human Rights Practices in the UK, and findings by independent oversight officials like the UN High Commissioner for Refugees and the UN Committee against Torture.

While the CLOUD Act gives Congress a 180 day window in which to review the Agreement and the Attorney General’s findings, it will be up to Congress to determine the scope and nature of the review.  As stated in the introduction, if Congress does not act, then the Agreement will enter into force on July 8, 2020.

This article has been updated to reflect that the Department of Justice completed the CLOUD Act notice requirement on January 10, 2020.

These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.