Introduction
The 2019 international agreement between the United Kingdom and the United States[1] on access to electronic evidence has attracted wide attention as a new tool of international assistance in criminal matters.[2] Historically, countries have conducted such cooperation pursuant to mutual legal assistance treaties (MLATs). The UK-US CLOUD Agreement, however, is the first international instrument putting in place a new mechanism providing that law enforcement authorities can request e-evidence directly from a cloud service provider, without going through MLAT procedures.
The US Congress enacted the 2018 CLOUD Act[3] to address two significant questions relating to the relatively new phenomenon of evidence in electronic form. First, the Act decrees that a US law enforcement authority may rely upon a warrant issued by a federal court to obtain, from a cloud service provider present in the United States, the content of electronic communications physically located outside the United States. Second, the CLOUD Act pre-authorizes the US executive to conclude executive agreements with foreign states enabling their law enforcement authorities to obtain US-located e-evidence directly from cloud service providers. These agreements are to be reciprocal in nature, also allowing US law enforcement likewise to make direct requests to providers for e-evidence located in the territory of the other state.
In part I of this post, we examine the legal nature of the UK-US CLOUD Agreement: is this “executive agreement” a binding legal treaty under international law, subject to the 1969 Vienna Convention on the Law of Treaties (VCLT)? This topic, so far unexplored, is important because the agreement purports to create binding rights and obligations not only for the two States but also for private actors, including cloud service providers and individuals. It matters as well for the series of similar negotiations that the United States intends to pursue with other States and entities, including those already underway with the European Union and Australia.
Part II considers questions of the meaning and legal effect of a CLOUD Act agreement under US law. In part III, we examine how the two parts of the CLOUD Act relate to each other. May the United States resort to its unilateral warrant authority to obtain e-evidence located in the United Kingdom, instead of utilizing the channels prescribed in the UK-US CLOUD Agreement itself? If so, are others pursuing negotiations with the United States obliged to accept this approach taken by the UK-US CLOUD Agreement while remaining within the framework of the agreements envisioned by the second part of the CLOUD Act? Is the United States free to vary it?
I. Does a CLOUD Act Agreement Satisfy the Requirements of the Vienna Convention on the Law of Treaties?
“What is a treaty? Simply put, it is an international agreement,” according to the Oxford Guide to Treaties.[4] Another standard source describes a treaty as “the creation of written agreements whereby the States participating bind themselves legally to act in a particular way or to set up the particular relations between themselves.”[5]
Article 2(1)(a) of the Vienna Convention on the Law of Treaties (VCLT) provides a more precise definition: “treaty means an international agreement concluded between States in written form and governed by international law, whether embodied in a single instrument or in two or more related instruments and whatever its particular designation.”[6]
Thus, as a matter of international law, a ‘treaty’ need not be expressly denominated as such. Other international agreements that States intend to be binding also qualify, and indeed the name they give to the legal instrument, or the form it takes, is irrelevant.[7] What matters is whether the agreement fulfills the elements of the VCLT definition. If it does, it is binding upon the States and must be performed by them in good faith, in accordance with Article 26 of that convention.[8]
Under the definitional requirements of Article 2(1)(a) of the VCLT, an international agreement must be 1) “concluded between States” [9]; 2) “in written form”; and 3) “governed by international law”. The UK-US CLOUD Agreement — the first concluded pursuant to the CLOUD Act — clearly satisfies these requirements. Its parties are the United Kingdom and the United States, and they denominate it an “Agreement”. Further, it consists of a written text, uses verbs of legal intentionality (e.g., shall) and it has been signed by the UK Minister of Justice and the US Attorney General. The agreement will take effect following an exchange of notes between the parties “indicating that each has taken the steps necessary to bring the agreement into force.”[10] Finally, it contains a procedure for termination traditionally found in international agreements.
The UK’s domestic approval step is ratification by Parliament.[11] The US counterpart procedure, specified in the CLOUD Act itself, is for the executive to submit the agreement to Congress for a 180-day period of review; if neither house of Congress objects during that time period, the agreement may enter into force.[12]
The UK-US CLOUD Act agreement also meets the third requirement of being ‘governed by international law’. This means, according to the negotiating history of the Vienna Convention, that an agreement must intend to create legal rights and obligations or to address a specific legal situation.[13] Clearly, the UK-US CLOUD Agreement arises in the context of international relations between the two States.[14] The agreement expressly states that its purpose is “the establishment of a system of access to electronic data that is comprehensively governed by binding, appropriate and substantial safeguards.”[15]
II. Does a CLOUD Act Agreement Qualify as a Treaty or International Agreement under US Law?
States also define treaties under their own domestic laws in order to specify the procedural requirements for their national approval. The US Constitution grants to the President the “Power, by and with the Advice and Consent of the Senate, to make Treaties, provided two thirds of the Senators present concur.”[16]
In the centuries since the promulgation of the US Constitution, the US legal system has devised alternative methods for authorizing another category of binding international agreements, and for approving them by means that are less time-consuming than the Senate advice and consent procedure.[17] The United States began to conclude executive agreements with foreign states in the nineteenth century. Today the vast majority – more than 90% — of US international agreements are categorized by the US Department of State as executive agreements rather than treaties.[18]
The term ‘executive agreement’ is not defined in US law or by the VCLT, but scholars have explained its contours. An executive agreement is “a treaty that has been concluded and ratified by the executive branch without formal approval by a legislative body, in a State in which treaties are usually ratified only with such approval. The term executive agreement refers only to the status of the agreement within the domestic law of the State in question.”[19]
The distinction in US law between ‘treaties’ and ‘executive agreements’ is thus essentially procedural, depending on whether the legal instrument is submitted for Senate advice and consent and Presidential ratification.[20] The United States views both ‘treaties’, as referred to in the Constitution, and binding international agreements approved by other procedural means, as ‘treaties’ in the international law sense of that term.[21]
The US President must have authority under US law to enter into a treaty or executive agreement. His power derives either from the US Constitution itself or from legislation passed by the US Congress specifically authorizing him to negotiate a type of international agreement. In some cases, Congress attaches strings to a statutory authorization by requiring the Executive to submit a resulting international agreement to Congress for a certain period of time before the President may actually bring it into force.[22]
In the United States, treaties and other international agreements are not enacted into domestic law, unlike in many other States. Rather, the US Constitution provides that “all treaties made, or which shall be made, under the authority of the United States, shall be the supreme law of the Land.”[23] In other words, they become part of US law without the need for transposition. The United States Supreme Court has ruled that the domestic legal effect of an executive agreement is the same as a treaty.[24]
The US executive generally strives during negotiations of treaties and international agreements to ensure that the international obligations to be assumed do not exceed the limits of existing US law. However, where a change to US law is needed in order to give full effect the agreement, the US Congress must enact implementing legislation.[25] For example, in order to give effect to the Genocide Convention, Congress first had to criminalize the offense of genocide in US criminal law.[26]
Sometimes Congress is asked to change an existing provision of US law in order that an international agreement may be successfully completed. During negotiations between the United States and the EU on an executive agreement to protect privacy interests in law enforcement proceedings, for instance, the EU insisted upon a provision enabling an EU citizen to seek redress in US courts in the event that a US law enforcement agency had improperly accessed or disclosed his personal information. At that time, however, the US Privacy Act afforded judicial redress only to US citizens. Only after the US Congress enacted the 2015 Judicial Redress Act[27] expanding access to foreign citizens was the United States in a position to agree to the inclusion of such a provision in the agreement.[28]
A CLOUD Act agreement is categorized under US law as an “executive agreement” – and not a “treaty” — because the CLOUD Act itself calls for the conclusion of international agreements in that form.[29] The Act also specifies the domestic procedural requirements for approval of agreements done under its authority. The US executive must submit to Congress a series of certifications that a CLOUD Act agreement fulfills certain privacy and due process requirements, and the Congress must be afforded a mandatory period to review an agreement before it may enter into force.[30] On January 10, 2020, after completing the certification requirements for the UK-US CLOUD Agreement, the US executive submitted it to Congress. Unless Congress affirmatively disapproves the agreement, the President will be authorized to bring it into force on July 8, 2020.[31]
III. How do the Two Parts of the CLOUD Act Relate to One Another?
The first part of the CLOUD Act states that US law enforcement authorities may obtain electronic evidence stored outside the United States by means of a judicially-authorized warrant served upon a cloud service provider with a US presence. The second empowers the US Executive to conclude international agreements allowing foreign states to obtain e-evidence located in the United States directly from cloud service providers. How do these two dimensions of the Act – one unilateral, the other consensual – relate to each other?
States traditionally rely on international agreements such as mutual legal assistance treaties to organize international cooperation on judicial matters and to preclude incursions into their judicial sovereignty that otherwise would result from a foreign state’s unilateral legal process.[32] The second part of the CLOUD Act is not intended to displace MLATs, but rather to offer an additional type of international agreement specifically designed for securing e-evidence.[33]
The UK-US CLOUD Agreement fulfills this function, but also acknowledges the possible continued use of unilateral process. In a provision entitled “Compatibility and Non-Exclusivity”, it states that the Agreement is “without prejudice to and shall not affect other legal authorities and mechanisms for the Issuing Party to obtain or preserve electronic evidence from the Receiving Party and from Covered Providers subject to the jurisdiction of the receiving Party, including legal instruments and practices under the domestic law either Party as to which the Party does not invoke this Agreement; requests for mutual legal assistance; and emergency disclosures.”[34]
Not all States with which the United States has concluded agreements on access to foreign-located evidence have accepted this result, however. For example, the MLAT between the Federal Republic of Germany and the United States contains an express provision limiting a Party’s use of unilateral compulsory process in deference to a treaty-based request. Only if reliance on a treaty-based requests causes undue delay in production of evidence may the requesting State resort to its unilateral process.[35]
Similarly, the United States also concluded an executive agreement with the European Union in order to obtain, for purposes of its Terrorist Finance Tracking Program (TFTP), access to international bank transaction data held by the SWIFT company[36] in Europe. Initially, the US Treasury had utilized domestic administrative subpoenas to obtain the same data from a US-located SWIFT database, but public disclosure of SWIFT’s compliance with unilateral US process generated sovereignty and privacy concerns in Brussels. The resulting 2010 Agreement established a system whereby Europol, the EU police cooperation agency, would verify US Treasury requests for data in order that they be given binding legal effect in EU territory. SWIFT then would transmit responsive data directly from Europe to the US Treasury.[37] The agreement is the exclusive means for the US Treasury to receive such data from EU territory.
Nothing in the CLOUD Act would preclude incorporation into a future CLOUD agreement of a ‘first resort’ provision like that in the Germany-US MLAT. Nor would the United States otherwise be precluded from agreeing to consider a CLOUD agreement the exclusive means of obtaining information from a foreign jurisdiction, as it effectively did in the case of the EU-US TFTP Agreement. Whether any of those parties with which the United States pursues CLOUD Act agreements will seek to exclude or delay US resort to unilateral domestic procedures remains to be seen. They will have to weigh their sovereign sensitivities against their strong desire for rapidly completing an agreement urgently sought by their own law enforcement authorities.
Conclusion
A CLOUD Act executive agreement fulfills the VCLT requirements to be characterized as a binding international agreement. It also qualifies as a binding international agreement under U.S. law.
The United States Government presumably sees the agreement with the United Kingdom as a template for its ongoing negotiations with Australia and the European Union, as well as for future partners. However, agreements with other partners do not necessarily need to be identical to the UK-US one in order to be regarded as binding international agreements under international law and US law. This would be the case, for example, irrespective of whether the EU and the US choose to conclude a comprehensive CLOUD/e-evidence agreement, as the EU seems to desire, or instead a framework agreement requiring additional implementing legal instruments between the US and individual EU member states.
The UK-US CLOUD Agreement establishes agreed procedures in order to obtain e-evidence from the other’s territory, but it does not make these procedures exclusive. It may come as a rude shock to other partners that concluding a CLOUD Act agreement along the lines of the UK-US one would do nothing to preclude the United States from utilizing its unilateral legal process to obtain e-evidence stored in their territory by cloud service providers.
Concluding this new generation of agreements on international assistance in criminal matters is a necessity to address the challenges created by the rampant globalization of criminal evidence.[38] Flexibility and creative legal thinking will be key to building a new, successful, international legal regime permitting law enforcement authorities of democratic States to gain access to communications and other records necessary for criminal investigations, in a way consistent with privacy, human rights, and the sovereign concerns of all involved States.
About the Authors
Theodore Christakis is Professor of Law at the University Grenoble Alpes and a Senior Fellow with the Cross-Border Data Forum. He is a member of the Institut Universitaire de France, the French National Digital Council and the French National Committee for Data Ethics. He is co-Director of the Grenoble Alpes Data Institute and Chair on the Legal and Regulatory Implications of Artificial Intelligence within the Multidisciplinary Institute in Artificial Intelligence. He has advised Governments, International Organisations and the private sector on issues concerning International and European law, Human Rights, Cyber security law and Data protection.
Kenneth Propp was for many years the principal US Department of State negotiator of law enforcement information sharing agreements between the United States and the European Union and its member states, including the 2003 Agreements on Mutual Legal Assistance and Extradition. From 2011-15 he was Legal Counselor at the US Mission to the European Union in Brussels. Currently, he teaches European Union law at Georgetown University Law Center, and is a Senior Fellow with the Future Europe Initiative at the Atlantic Council and with the Progressive Policy Institute.
The authors would like to thank Duncan Hollis and Peter Swire for their useful comments on a previous version of this paper.
[1] Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime [hereinafter UK-US CLOUD Agreement], October 3, 2019, available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/836969/CS_USA_6.2019_Agreement_between_the_United_Kingdom_and_the_USA_on_Access_to_Electronic_Data_for_the_Purpose_of_Countering_Serious_Crime.pdf.
[2] See, e.g., , Jennifer Daskal and Peter Swire, The UK-US CLOUD Act Agreement is Finally Here, Creating New Safeguards, Lawfare and Just Security blogs, October 8, 2019, available at https://www.justsecurity.org/66507/the-uk-us-cloud-act-agreement-is-finally-here-containing-new-safeguards/ ; and Theodore Christakis, 21 Thoughts and Questions about the UK-US CLOUD Act Agreement, European Law Blog, October 17, 2019, available at https://europeanlawblog.eu/2019/10/17/21-thoughts-and-questions-about-the-uk-us-cloud-act-agreement-and-an-explanation-of-how-it-works-with-charts/.
[3] The Clarifying Lawful Overseas Use of Data Act [hereinafter CLOUD Act], contained in Consolidated Appropriations Act, 2018, P.L. 115-141, div. V, available at https://www.crossborderdataforum.org/wp-content/uploads/2018/07/Cloud-Act-final-text.pdf.
[4] Duncan Hollis (ed.), The Oxford Guide to Treaties (2012), 10.
[5] Malcolm N. Shaw, International Law, 5th ed., (2003), 88.
[6] Convention on the Law of Treaties [hereinafter ‘VCLT’], done at Vienna, May 23, 1969, 1155 U.N.T.S. 331, 8 ILM 679 (1969), (entered into force January 27, 1980). The VCLT serves to codify customary international law rules about the nature and interpretation of treaties. Many States, including the United Kingdom, are party to it. Some, including the United States, are not. However, the United States accepts VLCT rules, and applies them in its domestic legal system, on the basis that they constitute customary international law. Duncan Hollis, A Comparative Approach to Treaty Law and Practice, 10-11, in National Treaty Law and Practice, Duncan F. Hollis, Merritt R. Blakeslee, and L. Benjamin Ederington (eds.) (2005).
[7] An international instrument called a ‘Convention’, ‘Protocol’ “Statute” or “Declaration”, for example, can constitute a treaty under international law. An internationally binding treaty also may take the form of an exchange of diplomatic notes, or even agreed minutes of a negotiation between senior state officials. International Court of Justice, Qatar v. Bahrain Case, Judgment of 1st July 1994, available at https://www.icj-cij.org/files/case-related/87/087-19940701-JUD-01-00-EN.pdf .
[8] Article 26 of the VCLT codifies the ‘pacta sunt servanda’ principle of customary international law.
[9] Although the VCLT rules do not extend to international agreements concluded by international organizations, the Convention on the Law of Treaties between States and International Organizations or between International Organizations, done at Vienna, March 21, 1986, U.N. Doc. A/CONF. 129/15, 25 ILM 543 (1986), does so.
[10] UK-US CLOUD Agreement, supra, Article 16. The International Court of Justice has found inclusion of an entry into force clause as strongly indicative of a binding agreement. International Court of Justice, Maritime Delimitation in the Indian Ocean (Somalia v. Kenya) (Judgment) [2017] I.C.J. Rep. 3, 21, para. 42.
[11] Explanatory Memorandum to the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime, United Kingdom Command Paper No. 178, Policy Consideration (v), available at https://www.gov.uk/government/publications/ukusa-agreement-on-access-to-electronic-data-for-the-purpose-of-countering-serious-crime-cs-usa-no62019?utm_source=b4d391f0-3d36-4077-8793-d5b2b06944c1&utm_medium=email&utm_campaign=govuk-notifications&utm_content=immediate.
[12] CLOUD Act, supra, Section 105 (adding 18 U.S.C. Section 2523).
[13] Philippe Gautier, Article 2 in Olivier Corten and Pierre Klein (eds.), The Vienna Conventions on the Law of Treaties: A Commentary, vol. I, (2011), 40-44.
[14] Explanatory Memorandum, supra, (vi).
[15] UK-US CLOUD Agreement, supra, Article 2.
[16] Constitution of the United States, Article II, Section 2(2).
[17] A Comparative Approach to Treaty Law and Practice, supra, 16.
[18] The Constitution of the United States of America: Analysis and Interpretation, (2013), 544, available at https://www.govinfo.gov/content/pkg/GPO-CONAN-2013/pdf/GPO-CONAN-2013.pdf. The U.S. State Department’s annual published list of all binding international agreements, Treaties in Force, is subtitled A List of Treaties and Other International Agreements of the United States.
[19] Fred Morrison, “Executive Agreements,” in Max Planck Encyclopedias of International Law, (2007), 1, available at https://opil.ouplaw.com/view/10.1093/law:epil/9780199231690/law-9780199231690-e1403#law-9780199231690-e1403-div1-2.
[20] The VCLT is “fairly agnostic on the issue of whether signature or ratification express consent to be bound, and simply holds that both would qualify, given the right circumstances.” Jan Klabbers, “Treaties: Conclusion and Entry Into Force”, Max Planck Encyclopedias of International Law, (2006), available at https://opil.ouplaw.com/view/10.1093/law:epil/9780199231690/law-9780199231690-e1484.
[21] The Oxford Guide to Treaties, supra, 15.
[22] Examples are nuclear cooperation agreements, fisheries agreements, and debt relief agreements. A Comparative Approach to Treaty Law and Practice, supra, 28.
[23] U.S. Constitution, Article VI.
[24] United States v. Belmont, 301 U.S. 324, 331 (1937).
[25] In US treaty law parlance, such a treaty is deemed ‘non-self-executing’, whereas a treaty that can be implemented without any necessary change to US law is ‘self-executing.” Robert E. Dalton, National Treaty Law and Practice: United States, in National Treaty Law and Practice, supra, 788.
[26] Id., 788-89.
[27] Judicial Redress Act of 2015, 5 U.S.C. Section 552a note.
[28] Agreement on the Protection of Personal Information relating to the Prevention, Investigation, Detection, and Prosecution of Criminal Offenses between the United States of America and the European Union, June 2, 2016, TIAS 17-201. Article 19(1) requires judicial redress be afforded to “any citizen” of the other State who believes that a law enforcement authority has improperly accessed or disclosed his personal information.
[29] CLOUD Act, supra, Section 105 (adding 18 U.S.C.2523(b)).
[30] CLOUD Act, supra, Section 105 (adding 18 U.S.C.2523(d)).
[31] Id.
[32] The authoritative commentary on U.S. foreign relations law observes that “the conduct of criminal investigations within the territory of a foreign state without its permission may violate customary international law as well as the domestic laws of the foreign state. To facilitate cooperation, the United States has concluded treaties providing for mutual legal assistance in criminal matters.” Restatement (Fourth), the Foreign Relations Law of the United States, Section 429, comment a (May 22, 2017).
[33] A US Department of Justice White Paper explaining the effect of the CLOUD Act states that an executive agreement done under its authority “would not be the exclusive mechanism for either party to the agreement to obtain electronic data; other mechanisms such as MLATs….would remain available.” United States Department of Justice, “Promoting Public Safety, Privacy and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act,” April, 2019.
[34] UK-US CLOUD Agreement, supra, Article 11. Article 6(3) further stipulates the use of its procedures “does not in any way restrict or eliminate any legal obligation Covered Providers have to produce data in response to Legal Process issued pursuant to the law of the Issuing Party.”
[35] Treaty on Mutual Legal Assistance in Criminal Matters, with related exchange of notes, between the United States of American and the Federal Republic of Germany [hereinafter US-Germany MLAT], entered into force October 18, 2009, TIAS 09-1018. Article 1(5) states that a party “shall request assistance pursuant to the provisions of this Treaty” when seeking, by compulsory unilateral means, evidence located in the other party. “Where denial of a request or undue delay of its execution may jeopardize the success of the criminal investigation or proceeding” the parties must consult, and only if consultations do not resolve the problem is the treaty obligation “deemed to have been fulfilled”. Although the treaty itself does not say what may happen thereafter, the US executive clarified to Congress, in seeking advice and consent to ratification, that “other, non-treaty-based measures may be pursued.” US-Germany MLAT, US Department of State Letter of Submittal to the US Senate, June 14, 2004, Senate Treaty Doc. 108-27.
[36] SWIFT is the Society for Worldwide Interbank Financial Telecommunications, a Belgium-based company that routs most of the world’s international financial transactions. Although SWIFT has a US office, it now maintains its databases exclusively in Europe.
[37] Agreement between the European Union and the United States of America on the Processing and Transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program (TFTP), Article 4, June 28, 2010, TIAS 10-801.
[38] Jennifer Daskal, Peter Swire, and Theodore Christakis, “The Globalization of Criminal Evidence,” IAPP, 16 October 2018, available at https://iapp.org/news/a/the-globalizationof-criminal-evidence/.