[Cross-posted on Lawfare]

Attorney General Jeff Sessions is scheduled to fly to Sofia, Bulgaria for a May 22 meeting with senior European law enforcement officials.  In the wake of the Cloud Act, enacted by Congress at the end of March, the possibility of an EU-US agreement on law enforcement access to digital evidence is almost certain to be on the table.  The EU is separately moving ahead with its proposed “E-Evidence” Regulation, which would streamline law enforcement access to data among its 28 member states.

As we and other have discussed at length here and elsewhere, the CLOUD Act authorizes the U.S. to enter into executive agreements with foreign governments so as to better facilitate law enforcement access to data across borders, pursuant to a long list of procedural and substantive safeguards.  Countries that sign executive agreements with the U.S. no longer need to go through the mutual legal assistance process to request communications content from U.S. based providers; rather they can, pursuant to a long list of substantive and procedural safeguards, directly request the data from U.S.-based providers, so long as they are seeking the data of foreigners located outside the United States.  Conversely, those governments must commit to ensuring that U.S. law enforcement can directly request communications content from their local providers – also enabling the United States to bypass the otherwise applicable mutual legal assistance process.

An initial and important question is whether the US, pursuant to the terms of the CLOUD Act, enter into an agreement with the EU as a whole, or whether instead negotiations must proceed country-by-country for each member state. To reach any sort of agreement, the negotiations would need to comply as well with EU law, which has a number of requirements that may be unfamiliar to US lawyers and may be tricky to navigate.

In this post, we describe the key legal requirements under both US and EU law.  We next make the case for a framework EU-US agreement so as to set key standards and resolve issues of importance across the EU. Each individual country would then need to establish (and pursuant to the terms of the CLOUD Act be certified as complying) that it meets the requisite standards before they can join the framework agreement.  From what we can determine at this early stage of negotiations, this approach appears to satisfy the legal requirements of the CLOUD Act and EU law, take into account the variety of member state legal regimes, and have the advantage of setting out significant common safeguards and procedures across the EU.

US Law – The Cloud Act and “Foreign Governments”

The CLOUD Act envisions executive agreements with “foreign governments.” The Act does not define “foreign government”—thereby raising the question as to whether and in what circumstances the US would be permitted to enter into an agreement with the European Union itself, consistent with the terms of the statute. For the reasons we discuss here, we think that such an agreement is possible, but if and only there is a separate certification for each member state (or subdivision of a member state).

In accordance with its ordinary understanding, a read of the rest of the CLOUD Act, and use elsewhere in the U.S. code and regulations, the term “foreign government” seems to refer to a government of a particular foreign country or possibly a political subdivision of that country.  

Importantly, each “foreign government” must be certified by the Attorney General, with the concurrence of the Secretary of State as affording “robust substantive and procedural protections” for privacy and civil liberties in its “domestic law,” among multiple other requirements.  This suggests, at a minimum, an inquiry, analysis, and finding with respect to the domestic legal system of each member state or subunit thereof with which the United States would enter into an agreement. We do not see a convincing read of the statute that can bypass this requirement.

Under this approach, nothing in the Cloud Act prohibits the EU and the United States from lawfully negotiating a general framework, laying out specifics of how any such agreements would be implemented. It could, for example, set out: rules and procedures as to how minimization procedures would work, so as to protect against the dissemination of non-relevant information; procedures and standards regarding compliance reviews by the United States; and additional specificity as to baseline requirements that each member state must meet, including things like the nature of the required judicial or independent review and protections for free speech.  

This framework approach has the advantage of allowing the US to negotiate one general agreement, pursuant to which each EU member state could individually accede.  This kind of framework agreement also opens up the possibility for some other EU-wide entity such as Europol to play a role in oversight and compliance, so as to help ensure the requirements of the Cloud Act are met.  In addition, consistent with the understanding of the term “foreign government” as referring either to the government of a foreign country or a political subdivision, it opens up the possibility that particular subunits within EU member states could be certified as meeting the relevant requirements, even if the country as a whole could not.  Under this approach, for example, requests from a particular government would have to be channeled through certain certified units or subdivisions, which would in turn be required to meet the requirements of the EU-US agreement; this would facilitate the possibility of quality control.

Such a framework agreement could and should address the issue of how the Cloud Act’s reciprocity provision would work.  The Cloud Act requires that foreign governments continues to employ the MLAT system if they are seeking data of at US persons (defined as citizens and legal permanent residents) and others located in the United States  – a provision that ensures US rules regarding a warrant based on probable cause continue to govern the accessing of US person’s data. The Act also requires “reciprocal rights of access” from the non-US government. Foreign governments could read this to require that the United States go through the MLAT system if and when the United States were seeking data of that foreign governments citizens and residents.

This raises potentially complex issues then arise for how an EU-US agreement would operate.  For instance, under a bilateral German-US agreement, this approach would mean that the United States would need to employ traditional MLAT procedures if seeking the data of German citizens and residents.  Under EU law, however, there is non-discrimination jurisprudence that suggests that protections offered to citizens of one nation (Germans) should apply to all EU citizens. If applicable, it would mean that the US would have to go through the MLAT system any time it sought to directly access a EU citizen’s data directly from an EU-based provider; for obvious reasons, this would make any such agreement less attractive to the United States.

We believe careful legal work will be needed to interpret the scope of the reciprocity provision in the CLOUD ACT and the related non-discrimination principles of EU law.  Resolving these issues should proceed at the EU level, because they have ramifications for all member states and for the ultimate stability of any such agreements, particularly if subject to legal challenge.

EU Law – “Competence” and Other Issues

EU law contains its own complexities about whether and to what extent the EU can be a counter-party for negotiations of executive agreements under the Cloud Act.  These EU legal issues include: “competence” of the EU; the relationship between a possible EU-US agreement and development of the proposed E-Evidence Regulation; and the obligations to protect fundamental rights while enabling new forms of law enforcement cooperation.

The issue of competence involves the allocation of power between the EU and its member states.  There are some areas where the EU has exclusive competence; some where it has shared competence with member states; and some where it has none.  To the extent that the issue of cross-border data arrangements is deemed an exclusive EU competence, it will be difficult for the US to insist that negotiations take place only with the member states. The allocation of competence between the EU and member states, however, is the subject of ongoing debate and discussion.

As background, EU legal instruments apply generally to a wide range of commercial and government action where the EU has either exclusive or shared competence.  Notably, EU law regularly applies to law enforcement activities, such as in the Law Enforcement Data Protection Directive that is going into effect this month together with the better-known General Data Protection Regulation.  The Law Enforcement Directive sets EU legal rules for “competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties,” and also applies for “safeguarding against and the prevention of the threats to public security.”

By contrast, national security is outside of the competence of EU law; consequently, Recital 14 of the Law Enforcement Directive says it does not apply to “activities concerning national security” or “activities of agencies or units dealing with national security.”

The scope of EU competence arises as well under the new E-Evidence regulation proposed by the Commission in April. This regulation provides support for the view that the EU has at least shared competence, and may have exclusive competence in at least some instances.  Once finalized, the regulation would create a European Production Order, so law enforcement from any one of the member states could, if lawfully requested, compel production of sought-after data from a service provider in any other member state. For instance, a French law enforcement order could be issued directly to a company headquartered in Ireland, the home base in Europe for many service providers.  

The proposed E-Evidence regulation thus provides support for direct EU-US  negotiations under the Cloud Act in two ways. First, the legal rationale for the proposed E-Evidence Regulation supports the finding of EU competence in this area.  Second, any negotiations under the Cloud Act (for US to EU evidence requests) would need to be closely integrated with the E-Evidence Regulation (for evidence requests between EU member states) so as to ensure harmonization of approaches across borders.

Separate and apart from the competency issues, legal developments in the EU have trended toward stricter protection of fundamental rights, including privacy rights.  Among other examples, this strictness is illustrated by both the striking down the EU-US Safe Harbor and the pending referral of the Schrems II case to the European Court of Justice, which involves a challenge to use of standard contract clauses for transfer of personal data from the EU to the US. Any new mechanisms for cross-border law enforcement cooperation must comply with the fundamental rights protections demanded by EU law.  These too will be applicable on an EU-wide basis, thus further strengthening the case for negotiation with the European Commission as an institution with responsibility and expertise across the EU.

Compared with negotiating with each member state, there could be significant advantages for the US in negotiating with the EU institutions.  Any agreement on law enforcement transfers of data will only succeed if it passes muster under EU law, and the EU-level institutions have the greatest expertise in the subtleties of what will likely survive judicial review. They also have previous experience negotiating in this area, for example, the EU-U.S. umbrella agreement on data protection for law enforcement  and the EU-US Agreement on Mutual Legal Assistance.

In summary on EU law, there may well be a range of issues where the EU, rather than each member state, is the appropriate and presumably best negotiator under EU law.  That conclusion is bolstered by the issuance of the proposed E-Evidence Regulation. Negotiations also would benefit from EU-level expertise about how to comply with fundamental rights review by European courts.

The Policy Issues: Why an EU-US Agreement Is a Good Idea

Any agreement on law enforcement transfers, to succeed, must comply both with US and EU law. There is therefore a need to reconcile Cloud Act’s requirement that executive agreements be with “foreign governments” and the EU preference for negotiating at the EU level.  The most promising path we can see at this point is to conduct negotiations on a framework agreement at the EU level, while implementing agreements with each nation consistent with that framework and the certification requirements of the CLOUD Act.

In addition to the points already discussed, we highlight three additional reasons that favor such an approach.  First, the EU supports having negotiations at the EU level, as shown for instance by this statement  by EU Justice Minister Jourová: “I want to see the EU and the US have compatible rules for obtaining evidence stored on servers located in another country, in order to solve serious crimes.” During consideration of the Cloud Act, Senator Hatch similarly spoke in favor of implementing an agreement with the EU.

Second, the proposed E-Evidence Regulation includes a requirement that providers offering services in the EU have a point of contact for purposes of receiving legal process under that Regulation.  The US could perhaps use the negotiations over an EU-US agreement to secure reciprocal obligations on EU providers that serve the US.

Third, the U.S. can use these agreements to address, and ideally resolve, another key issue presented by the CLOUD Act—namely the reach of U.S. warrants over data that is held in the EU.  As those familiar with the CLOUD Act know, the Act contains two key parts. One provides for the kind of executive agreements that we have focused on here. The other part clarifies that a U.S. warrant issued to a U.S.-based provider compels disclosure of data in that provider’s custody or control, regardless of where that data is located.  This, however, creates a potential conflict with EU law, given EU legal provisions that limit when data can be transferred outside of the EU. The scope of any such conflicts is still uncertain, as it depends on the yet-unknown interpretation of the soon-to-be implemented General Data Protection Regulation, an issue that Daskal discusses in more depth here.   An EU-wide agreement can address, minimize, and ideally eliminate, such conflicts.

In conclusion, as Attorney General Sessions travels to Bulgaria for the upcoming ministerial meeting, a possible EU-US agreement on cross-border access to data is likely to be on the table.  We think this is something that should be pursued, although there are complex issues of both US and EU law and policy to consider. Here, we have tried to present key issues as best we can at this early stage, in the wake of the Cloud Act’s recent passage and publication of the E-Evidence proposal.  Considerable analysis and discussion will undoubtedly be needed before any eventual agreement is possible.