Cross-Border Data Forum Bannner

Setting the Record Straight: The CLOUD Act and the Reach of Wiretapping Authority Under US Law

Updated October 15, 2018

There have been some recent suggestions that the CLOUD Act will result in U.S. law enforcement authorities being able to directly monitor live conversations of Europeans in Europe. This is inaccurate. The following explains why.

#1. The CLOUD Act does not amend the Wiretap Act. The Wiretap Act is the statutory authority for U.S. law enforcement officials to intercept electronic communications in real-time, as the conversations are being carried out. In order to engage in this kind of direct surveillance, U.S. law enforcement needs a court-issued warrant, subject to a finding of probable cause, a determination that other investigative measures have been tried and failed or reasonably appear to be unlikely to succeed if tried, and other requirements regarding notice, duration of monitoring, and data use.

Importantly, a judge may only authorize such surveillance “within the territorial jurisdiction of the court in which the judge is sitting (and outside that jurisdiction but within the United States in the case of a mobile interception device. . .)” In other words, there is no authority for a judge to issue a wiretap warrant for the interception of data in Europe, or any other place outside the territorial boundaries of the United States. The CLOUD Act did not change this.

#2. The key provisions of the CLOUD Act deal with stored communications only. The CLOUD Act clarifies the reach of U.S. warrants for law enforcement purposes – but for stored communications only. Specifically, the CLOUD Act specifies that U.S.-based companies must turn over responsive data within their custody or control, regardless of where the 0s and 1s are located. (It separately sets up a new statutory basis, albeit limited, for companies to object based on the existence of conflicting foreign law.) To reiterate, it does not in any way augment or alter the authorities governing wiretaps.

#3. The executive agreements envisioned by the CLOUD Act do not provide any independent authority to conduct wiretaps or other surveillance. Rather, the authority for any such orders must come from the requesting government’s domestic laws. To reiterate, the executive agreements do not provide any new authorities where none currently exist. Rather, the authority for any such orders must come from the requesting government’s domestic laws. In other words, the jurisdictional limitations under the Wiretap Act continue to apply both before and after any executive agreements are agreed upon and implemented. As do any jurisdictional limits in other country’s laws.1

#4. Any U.S. law enforcement action that involved the wiretapping of Europeans conversations in Europe would violate EU member states’ laws. This was true before the CLOUD Act. And it remains true after the CLOUD Act.

To be sure, the CLOUD Act envisions bilateral agreements pursuant to which partner governments could, subject to specified limitations, issue wiretap orders on U.S.-based entities. The CLOUD Act also requires the partner foreign government to provide “reciprocal rights of data access.” This has led some to erroneously assert that any EU agreement with the US will result in US law enforcement authorities being entitled to issue wiretap orders on European-based providers for Europeans’ data.

But this is wrong for two reasons.

First, the CLOUD Act merely lays out the permissible scope of the envisioned executive agreements. It does not require that require that the executive agreements authorize the full scope of what is potentially permitted. Thus, there is no requirement that the agreements include any provisions on wiretap whatsoever. That is solely at the discretion of the United States and EU authorities. If the EU does not want wiretapping to be included in the agreements, it need not be.

Second, even if the agreements did include provisions on wiretapping, the CLOUD Act limits the scope of the authority. Even with agreements in place, foreign governments can not issue wiretap orders that target persons located in the United States or U.S. citizens and legal permanent residents, regardless of where they are located.

Any US-EU agreement would necessarily include reciprocal limits. Thus, even if a US-EU agreement covered wiretaps, and even if the United States were to enact new laws or otherwise determine that it had the authority to issue extraterritorial wiretap orders, it could only do so for non-EU residents and citizens’ located outside the EU. And even if the US entered into executive agreements on a country by country basis, without first adopting a US-EU framework agreement laying out common rules, non-discrimination principles in EU law would demand this result.

In sum, there is no current authority for US law enforcement to issue extraterritorial wiretap orders. Nothing in the CLOUD Act changes that. Moreover, EU member states’ laws currently prohibit the US from issuing extraterritorial wiretap orders. Nothing in the CLOUD Act changes that either.

Finally, it is important to note that the CLOUD Act deals with law enforcement access only. It does not in any way expand, authorize or otherwise affect the collection of foreign intelligence information via separate and distinct rules governing intelligence collection.

Jennifer Daskal is an Associate Professor of Law at American University Washington College of Law, and a Senior Fellow of the Cross-Border Data Forum.

1 The E-Evidence proposals currently being considered in the European Union apply only to stored records, and not to real-time interception. Similar to the Cloud Act, the E-Evidence proposals create no new authorization to conduct wiretaps.

These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.