This post discusses the impact of the new CLOUD Act international data sharing regime on the UK’s death penalty assurances policy. This regime—named after its enabling US legislation, the Clarifying Lawful Overseas Use of Data Act—is due to come into force in July 2020 following the signing of a bilateral US–UK agreement in October 2019 (US-UK Agreement). It provides a quicker alternative for law enforcement seeking access to electronic data overseas, beyond the existing mutual legal assistance (MLA) process, which operates through MLA treaties (MLATs) and other mechanisms. However, while the CLOUD Act regime has an admirable aim, its implementation weakens the UK’s existing death penalty assurances policy and thus risks exposing the UK and others to significant liability, as discussed below.
The CLOUD Act regime in the UK
The impetus for the CLOUD Act regime arises from ‘the MLAT problem’. As a House of Lords Library Briefing Paper explains, electronic data is increasingly important for criminal investigations, yet it is commonly controlled by overseas technology companies, typically in the US. The UK normally needs to use MLA to obtain such data, but this can take months or more, during which time investigations can ‘go cold’.
The CLOUD Act regime attempts to solve the MLAT problem through new international agreements, of which the US-UK Agreement is the first. It requires each state to remove blocking statutes (see arts 3(1) and 10(1)) so they can enforce their own court orders for preservation, disclosure, and interception of electronic data extraterritorially (see arts 5(5) and 10(2)), with certain carve-outs (prohibiting, eg, US targeting of persons in the UK). In contrast to MLA, which requires that requests are executed under the law of the requested state, US requests for UK data will now be issued and determined solely under US law, and vice versa (see arts 3(2), 5(1), 5(2), 8(1), 10(2) and 10(5)).
The UK passed the Crime (Overseas Production Orders) Act 2019 (COPOA) to enable the CLOUD Act regime. This allows for ‘overseas production orders’, permitting UK law enforcement to obtain data directly from persons in any country with which the UK has a “designated international co-operation agreement”). The COPOA powers complement extraterritorial interception powers in the Investigatory Powers Act 2016 (“IPA”). COPOA also amends s 52 of the IPA. As the responsible Lords Minister, Baroness Williams, explained, this section allows the UK to similarly designate international agreements, under which foreign states may intercept or obtain stored UK data, as exempt from the IPA’s blocking provisions.
In February 2020, the US-UK Agreement was designated under COPOA and the IPA by regulations, having been previously laid before Parliament. It is under review by the US Congress until July 2020 and will then likely enter into force. If successful, it may serve as a model for other countries wanting to join the CLOUD Act regime, such as Australia.
What will the CLOUD Act regime mean for the UK’s death penalty assurances policy?
In October 2019, the then Minister for Security, Brandon Lewis, reported to the House of Commons regarding death penalty assurances in the US-UK Agreement. He claimed the UK had achieved a “binding position” that “will allow Ministers to make a decision on a case by case basis, continuing the existing practise under [MLA].” He added: “It is the policy of this Government to continue to oppose the death penalty in all circumstances.”
The US-UK Agreement is in fact a marked departure from existing UK MLA practice. As Lord Carnwath recently emphasised at  of El Gizouli v Secretary of State for the Home Dept, released after COPOA’s enactment, the UK has a “long-standing policy of seeking full death penalty assurances in all cases” where foreign states seek MLA. A ‘full’ assurance requires a requesting state to agree that “the death penalty will not be imposed or, if imposed, will not be carried out against anyone found guilty of any criminal offense arising from” the investigation for which MLA is being provided (see ). It contrasts with a ‘partial’ or ‘direct use’ assurance, by which a requesting state merely agrees to “introduce no evidence obtained in response … in a proceeding against any person for an offense” potentially subject to the death penalty (see ). Only in “exceptional circumstances” will the UK not require a full assurance (see  and ). Any departure requires ministerial consultation. (For further on El Gizouli, see Cochrane, Butler, Maini-Thompson, and Molloy.)
In a shift from this long-standing policy, however, the US-UK Agreement requires merely ‘partial’ assurances. The US only needs to obtain the UK’s permission before the “introduction of data in evidence” in proceedings for which the death penalty may be applied (art 8(4) and associated side note). This is the result of s 16 of COPOA, which amends the IPA’s s 52 by requiring the UK to “seek” only a partial assurance before designating an applicable international agreement.
This was deliberate. A full death penalty assurance restriction initially passed the Lords but was stripped out in the Commons. The responsible Commons Minister, Ben Wallace, explained that the US “has made it clear that we will not be able to progress with the treaty” if a full death penalty assurance were required. A requirement to seek a partial assurance only was then added and later enacted. Writing in Criminal Law Week, Rebecca Niblock astutely “wonder[ed] whether the outcome” in Parliament “would have been different if [COPOA] had come after” El Gizouli, which emphasised the significance of the UK’s policy.
The CLOUD Act regime requires a significant UK policy change. As Mr Wallace himself explained during COPOA’s passage, “there are often cases in which access to data is fundamental in discovering certain leads in an investigation, although [the data] will not necessarily be used as evidence in court.” Previously, the US would have needed to provide a full assurance before the UK would honour an MLA request for such data. Under the CLOUD Act regime, as Baroness Williams noted, s 52 of the IPA will become “the gateway for the flow of information from the UK” to the US without UK government oversight.
Section 52 was also discussed in El Gizouli, most notably by Lord Kerr at  (in dissenting comments). He considered its narrow scope of limited concern because “a specific assurance can be requested before transferring the specific information collected.” With respect, Lord Kerr appears to have been unaware of the gateway role s 52 plays. Through the s 52 designation of the US-UK Agreement, the US can directly access UK data using its own legal process. No specific assurance will be sought by the UK government before data is transferred from UK companies to the US; instead, the UK will not normally be involved, or necessarily even aware, when such transfers occur. While the US-UK Agreement contains a notification clause, triggered when persons outside requesting states are targeted (art 5(10)), this has broad exceptions and in any event may often be an “empty shell” as Theodore Christakis explains. The US will be restricted only to the extent it seeks to introduce such data in US criminal proceedings. It is free to otherwise use such data to advance investigations that may result in death penalties.
Given the above, it is also arguable that, as well as representing a policy shift, the UK’s implementation of the CLOUD Act regime exposes the UK to liability. Bharat Malkani suggests there is a developing international law obligation to refrain from complicity in the death penalty through MLA, including under the European Convention on Human Rights (ECHR). Lord Kerr made similar supportive comments about the direction of ECHR jurisprudence in El Gizouli at – (albeit dissenting), as did Lord Hope, speaking extrajudicially during COPOA’s passage (although these were doubted by Lord Pannick). In addition, for the reasons articulated in El Gizouli, UK companies responding to US CLOUD Act regime requests arguably risk breaching the Data Protection Act 2018.
Finally, with regard to any future CLOUD Act regime agreements the UK may enter, it is concerning that the UK is only under an obligation to “seek”, not necessarily obtain, a (partial) death penalty assurance before an agreement may be designated under s 52. Lord Hope was “inclined to think that [the word received] is implied” under this section. This may flow from the UK’s ECHR and other public law duties. However, such an interpretation must also be weighed against the fact that Parliament expressly rejected a separate amendment to add that very word.
The CLOUD Act regime is a significant new international mechanism that attempts to respond to a genuine problem facing law enforcement in the UK, US, and around the world. It is beyond the scope of this post to address the general appropriateness of this regime for the UK, or indeed the US or other countries. Instead, this post attempts to show that the CLOUD Act regime necessitates a significant shift from the existing UK government policy of requiring full death penalty assurances during MLA. This shift is important, particularly in light of the Supreme Court’s comments in El Gizouli, and risks legal exposure for the UK government as well as the individual UK companies responding to US requests.
Tim Cochrane is an international disputes lawyer, currently researching an MPhil in Law at Balliol College, University of Oxford, focussing on privacy and white collar crime issues, including the impact of the CLOUD Act regime on digital privacy rights in the UK and US.
(Suggested citation: T. Cochrane, ‘The Impact of the CLOUD Act Regime on the UK’s Death Penalty Assurances Policy’, U.K. Const. L. Blog (1st June 2020) (available at https://ukconstitutionallaw.org/))