As digital data continues to grow at an unprecedented rate, the laws governing storage, privacy, and law enforcement agencies’ ability to access digital information have become more critical than ever. The end of March marked the seventh anniversary of the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which tackles these issues on a global scale.
The CLOUD Act fundamentally changed how law enforcement agencies can access digital data stored across borders — and new international agreements negotiated under the Act can continue to modernize access to digital evidence worldwide.
What Is the CLOUD Act?
The CLOUD Act was passed as part of an omnibus appropriations bill and was signed into law by President Trump on March 23, 2018. It has two key parts:
- First, it clarifies that US law enforcement agencies can require technology companies to provide data in response to US legal process, even when that data is stored outside the US.
- Second, it creates a framework for law enforcement agencies outside the US to seek data from US technology companies. That framework depends on the US government negotiating with another government to adopt an executive agreement with specific privacy and civil liberties protections.
Until the CLOUD Act, law enforcement agencies seeking evidence outside their country often relied on the Mutual Legal Assistance Treaty (MLAT) process, which proved slow and cumbersome.
The CLOUD Act creates an efficient, effective mechanism for obtaining digital information related to serious crimes. It also reduces the potential for global companies to be caught between conflicting laws, by ensuring that companies aren’t barred from complying with orders that are issued pursuant to a CLOUD Act agreement.
Executive Agreements Under the CLOUD Act
The United States has already entered into two executive agreements under the CLOUD Act:
- United Kingdom: In 2019, the US and the United Kingdom signed the first CLOUD Act agreement, which entered into force on Oct. 3, 2022. As a result, UK law enforcement agencies can request data directly from US-based tech companies — and US law no longer bars those companies from complying with orders issued under the agreement. The UK has used the CLOUD Act agreement to transmit more than 20,000 orders to US companies, according to a recent DOJ report to Congress.
- Australia: In 2021, the US and Australia signed the second CLOUD Act agreement, which entered into force on Jan. 31, 2024. Like the UK CLOUD Act agreement, the Australian CLOUD Act agreement only applies to legal process for “serious crimes,” which are defined as those punishable by at least three years of imprisonment. The Australian agreement also limits the ability of US law enforcement agencies to use information obtained under the agreement in connection with death penalty cases, as the UK agreement also does. By their own terms, both the Australia and UK agreements expire after five years unless they are renewed.
Negotiations for new CLOUD Act agreements have already been initiated with the European Union and Canada. Concluding these negotiations and entering into additional agreement will continue to modernize how digital evidence is accessed worldwide, support important privacy safeguards, and reduce the potential for conflicting laws. Indeed, the UK and Australian agreements are seen as models for future CLOUD Act partnerships.
Which Countries Can Enter CLOUD Act Agreements?
Not all countries can enter into CLOUD Act agreements. To qualify, a country must meet specific criteria establishing that its domestic law affords robust substantive and procedural protections for privacy and civil liberties, based on a series of factors set out in the Act.
The CLOUD Act also requires executive agreements to limit the types of orders that may be submitted by foreign law enforcement agencies to US technology companies. These include requiring orders relate to a serious crime, including terrorism. Orders must also comply with the foreign government’s domestic law and cannot be used to infringe freedom of speech.
Importantly, CLOUD Act agreements do not create any new legal requirements for US technology companies to comply with a foreign country’s legal orders. Instead, law enforcement agencies outside the US must rely on their own legal authorities to issue an order to a US provider. But the CLOUD Act ensures that US law does not prohibit US technology companies from complying with foreign legal orders that were issued in line with a CLOUD Act agreement.
What’s Next for the CLOUD Act?
As the global landscape for data protection and privacy continues to evolve, CLOUD Act agreements can be an effective tool for modernizing access to digital evidence and committing to core values of privacy and civil liberties.
BSA is urging the Administration to support three priorities in implementing the CLOUD Act:
- Conclude the CLOUD Act agreement with the EU as rapidly as possible;
- Develop a comprehensive, public-facing strategy for prioritizing and negotiating additional CLOUD Act agreements; and
- Consider options to address law enforcement access challenges with countries that are important partners but may not meet eligibility requirements for CLOUD Act agreements.
For more information on the CLOUD Act, BSA’s comprehensive explainer is available here.
