Last year, there was a robust debate about whether agreements authorized by the Clarifying Lawful Overseas Use of Data Act (known as the CLOUD Act) would undermine human rights. The 2018 CLOUD Act authorized the United States to enter into bilateral executive agreements that would allow partner countries to demand data directly from U.S. tech companies in investigations of serious crimes without going through the usual mutual legal assistance (MLA) treaties, which have human rights safeguards.

Prior to the Act’s adoption, some argued (here and here) that the CLOUD Act would be good for human rights. They made the case that the possibility of entering into CLOUD Act agreements could incentivize better human rights practices by potential partner countries because of the human rights criteria that would need to be certified by the U.S. government in order for such agreements to enter into force. They highlighted that CLOUD Act agreements could avert data localization requirements abroad (i.e., foreign nations requiring data be stored in their countries rather than in the U.S.), thus preserving U.S. leverage to influence human rights practices in other countries. They also argued that the existing MLA process was overwhelmed and unworkable.

Others disagreed, maintaining that the premise of the CLOUD Act – that countries could be pre-approved as human rights-compliant – was fundamentally flawed. Instead, they argued, individual data requests should be examined on their own merits with partner countries. These commentators raised a number of points, including that countries often have good laws but bad practices, human rights conditions can deteriorate rapidly in a country, tech companies are ill-positioned to assess if foreign requests meet CLOUD Act standards (e.g., that foreign governmental orders not be used to infringe on freedom of speech), and countries with poor human rights records will not be incentivized to improve their laws but rather will opt for data localization.

Over a year has passed since this debate, and no CLOUD Act agreements have been concluded between the U.S. and another country. In April 2019, the Justice Department released a white paper, which provided little guidance as to how it will interpret or apply the law’s human rights criteria.

Three key questions remain in assessing the human rights concerns surrounding potential CLOUD Act agreements: (1) how will the executive branch interpret the specific human rights criteria set forth in this law; (2) will the executive branch add more human rights criteria to such executive agreements as a matter of policy; and (3) how rigorous will the U.S. government’s due diligence be in assessing whether a country’s human rights record qualifies for a CLOUD Act agreement as well as with respect to monitoring a partner country’s implementation of such an agreement?

In order to get into the nitty gritty of tackling some of these issues, I asked 12 law students in my Human Rights Practicum class to simulate how executive branch lawyers would need to approach these questions. For purposes of this exercise, we assumed partner countries for CLOUD Act agreements would likely include, among others, France, Germany and India. (An agreement is already being negotiated with the United Kingdom.) Though by its own terms, the CLOUD Act involves the examination of a wide range of human rights topics, I asked my students to focus on the intersection of freedom of expression issues with the Act’s human rights criteria, particularly country eligibility for such agreements.

What Does the CLOUD Act Require in Practice?

Section 105 of the CLOUD Act mandates a determination by the U.S. Attorney General with the concurrence of the Secretary of State that, among other things,

“the domestic law of the foreign government, including the implementation of that law, affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement.”

In making that determination, the executive branch must certify a variety of criteria have been met, including that the foreign government

“adheres to applicable international human rights obligations and commitments or demonstrates respect for international universal human rights, including . . . freedom of expression . . . .” (emphasis added to help with the analysis set forth below).

The Act requires a written certification (with explanations) be sent to Congress that each of the listed criteria is met, which is a condition that has been noted as an improvement over prior drafts that allowed the executive branch the discretion to certify a country even if it failed to meet certain criteria. (Leading NGOs have already written to the Justice Department with legal arguments for why the United Kingdom. doesn’t meet eligibility criteria for a CLOUD Act agreement.)

The criteria for qualifying for a CLOUD Act agreement raise a number of statutory interpretation questions. To begin with, the phrase “adheres to applicable international human rights obligations” could potentially mean almost nothing. For example, if a country has not ratified human rights treaties, then technically it hasn’t undertaken relevant treaty “obligations” and thus is adhering to “applicable” obligations because it has none. Similarly, if a country has limited its human rights treaty obligations by taking reservations when ratifying agreements, it would have narrower obligations than what is contemplated in the treaty and may very well be in compliance with its “applicable” (and limited) obligations. Read literally, this phrasing seems to mean there is no minimum human rights standard because the criteria depend on what obligations particular countries have undertaken.

This is not a hypothetical concern. India, for example, is a party to the International Covenant on Civil and Political Rights (ICCPR), but has limited its freedom of expression obligations to the extent of its own constitutional approach to speech. Similarly, France has limited its ICCPR expression obligations to the extent that right is protected by its regional human rights treaty (the European Convention on Human Rights). Given the ICCPR is more protective of speech than this regional treaty, France seems to have gracefully reserved itself out of significant ICCPR expression obligations.

International human rights “obligations” can also derive from customary international law (CIL), but the U.S. government has not issued a comprehensive listing of the human rights it considers to be CIL, which may make relying on CIL obligations tricky. In addition, countries may be persistent objectors to some CIL norms and thus certain CIL obligations may vary by country.

Did Congress intend to issue a standard for eligibility for CLOUD Act agreements that fluctuates based on the scope and number of “obligations” undertaken by a particular country? That would seem to undermine any objective of having a minimum human rights baseline for CLOUD Act agreement partners. Is this statutory phrasing salvageable by the fact that it goes on to add consideration of “commitments” (i.e., “adheres to applicable international human rights obligations and commitments”)? Most nations have committed to innumerable and laudable human rights aspirations in hundreds of non-legally binding U.N. General Assembly and Human Rights Council resolutions, but given the sheer volume of these resolutions and the ability of States to carve themselves out of these commitments through explanations of their position issued when the resolutions are adopted, it is unclear how adding a review of “commitments” helps to create a manageable human rights baseline.

More likely the objective of this provision is best captured by the phrase “or demonstrates respect for international universal human right standards,” as this measure is not tethered to a nation’s particular reservations when ratifying a treaty or its explanations when endorsing a myriad of non-legally binding human rights resolutions. Though “international universal human rights standards” is undefined in the CLOUD Act, we deemed it reasonable to interpret this phrase to encompass at a minimum two foundational U.N. human rights documents in the International Bill of Human Rights: the Universal Declaration of Human Rights and the ICCPR, which are both supported by the United States.

Given our focus on freedom of expression, the key provision we focused on was ICCPR Article 19, which is the global standard for expression. This provision affords broad protections for expression over any media and across borders, but does permit limitations when a three part test is met. To be legitimate, any speech restrictions must be (1) provided by law (e.g., properly promulgated and not vague), (2) imposed for a legitimate public purpose (e.g., public order, national security, etc.) and (3) necessary (which means, among other things, the restriction is the least intrusive means of achieving the legitimate purpose). Even ICCPR Article 20’s mandatory ban on hateful advocacy that incites violence and other harms is subject to Article 19’s tripartite test, according the U.N. Human Rights Committee (which is the independent experts body charged with monitoring the treaty’s implementation) in paragraph 50 of its recommended treaty interpretations.

It is worth noting that the United States has traditionally been the champion of the broadest possible interpretations of freedom of expression under ICCPR Article 19. In ratifying the ICCPR in 1992, the United States issued a declaration noting that States Parties should refrain where possible from limiting rights such as freedom of expression. In written comments submitted in 2011 to the Human Rights Committee, the United States affirmed very similar understandings of the Article 19 tripartite test as well as the applicability of Article 19 to bans on speech encompassed in Article 20.

Turns out our test-case countries have a variety of criminal speech bans that don’t pass scrutiny under the interpretations of ICCPR Article 19 that have been issued by the U.N. Human Rights Committee. For example, Germany and India have laws criminalizing the defamation of religions that continue to be enforced. Germany’s blasphemy law, for instance, was enforced against an atheist for anti-Christian slogans on his car in 2016. While the European Court of Human Rights (which interprets Europe’s regional human rights convention) has upheld such laws, they are not in line with international standards. In paragraph 48 of its recommended interpretations of Article 19, the U.N. Human Rights Committee stated that such blasphemy laws are not permissible unless they rise to the level of advocacy of incitement to violence and other harms, a standard that is rarely met in the implementation of such laws.

France and Germany have laws criminalizing Holocaust denial, which continue to be enforced. While such laws have been upheld in the European Court of Human Rights’ jurisprudence, these atrocity-denial laws are not in accord with international human rights standards. The U.N. Human Rights Committee has stated in paragraph 49 of its recommended interpretations of ICCPR Article 19 that

“[l]aws that penalize the expression of opinions about historical facts are incompatible with the obligations that the Covenant imposes on States parties in relation to the respect for freedom of opinion and expression. The Covenant does not permit general prohibition of expressions of an erroneous opinion or an incorrect interpretation of past events.”

(And the list of problematic speech crimes laws in these countries goes on, including France’s apology of terrorism law as well as the criminalization of defamation in all three countries.)

How Should the CLOUD Act’s “Demonstrate Respect” Standard be Applied?

Given such laws do not meet international standards, does that mean the countries we examined do not “demonstrate respect” for such standards because some of their laws fail to pass muster? In other words, will executive branch lawyers and policymakers interpret “demonstrating respect” to mean each law (and its implementation) in a country must survive scrutiny under international standards? Such an interpretation would potentially prevent the U.S. from entering into CLOUD Act agreements with any partner.

Alternatively, will the executive branch interpret “demonstrating respect” for international freedom of expression standards to be met when most laws in a country pass muster even if others are problematic? Such an option would take the United States down a slippery slope: How many laws can violate human rights (e.g., freedom of expression) before a country no longer “demonstrates respect” for international human rights standards? Also, such an interpretation would lead to the United States facilitating cross-border data transfers that undermine free expression (and other) rights when our country has traditionally promoted the broadest possible protections for speech abroad.

We ultimately assessed that one way to thread the needle could be for the executive branch to explicitly exclude laws (and related implementation practices) that do not meet international standards from a Section 105 determination that a partner country demonstrates respect for international human rights as well as from the CLOUD Act agreements themselves. Such an approach is also helpful with regard to a subsequent provision in Section 105 of the Act, which states that CLOUD Act agreements must require that data requests not be used to infringe on “freedom of speech.” While the prior CLOUD Act provision analyzed above uses international human rights terminology (rather than U.S. constitutional phrasing) when referring to country-eligibility criteria (e.g., “freedom of expression” and not “freedom of speech” as well as “cruel, inhuman, and degrading treatment” and not “cruel and unusual punishment”), this subsequent provision mandates that foreign governmental orders not “infringe on freedom of speech,” which encompasses solely First Amendment terminology.

We assessed that this change in terminology was not inadvertent, but rather commemorated the longstanding public policy of the United States that it will not facilitate the repression of speech in foreign countries when such speech would be allowed in the United States. The criminal speech bans, such as those on blasphemy and atrocity denial, in our test case countries would obviously run afoul of First Amendment standards. Thus, exclusion of such laws from these bilateral agreements would also help in fulfilling this additional CLOUD Act requirement that specifically protects “freedom of speech” abroad as many of these laws are inconsistent both international standards and U.S. norms.

That said, we recognized that excluding problematic laws through an explicit listing in CLOUD Act agreements could ruffle diplomatic feathers of U.S. allies. A more low-key way of excluding particular laws could be to define “serious crimes” (which are undefined in the statute) in a particular agreement as only covering crimes that have prison sentences beyond those provided for in a particular country’s speech crime laws. Thus, problematic laws would not be explicitly highlighted for exclusion from the agreement, but would be excluded nonetheless by operation of a clause that limits the scope of “serious crimes.”

If diplomatic feathers remain ruffled, another option could be for the U.S. government to reserve the right to review all requests by a CLOUD Act partner pursuant to particular laws before any data is turned over. Under such a scenario, the requesting government would have the burden of proving that a particular request meets international and U.S. protections for expression. The U.S. government would then assess whether a particular request meets the appropriate standards in a specific case.

While the exclusion of problematic laws or review of such laws would no doubt undermine the “fast tracking” of cross-border requests with respect to those particular laws (or implementation practices), we could not identify another way for these bilateral agreements to properly implement the CLOUD Act’s human rights criteria (as well as the executive branch’s longstanding policy of not assisting in the repression of free speech abroad). That said, meticulous due diligence and drafting could potentially provide a way to allow CLOUD Act agreements to proceed while seeking to avoid adverse human rights impacts (though such due diligence and drafting would ultimately need to encompass a much larger range of human rights issues).

 Some Lessons Learned

In sum, from our limited experiment that focused on only a handful of countries and only one human right (freedom of expression), several lessons emerged quite clearly. First, there are key statutory interpretation issues that will significantly affect the scope of the human rights due diligence that is conducted to assess whether countries qualify for CLOUD Act agreements. The interpretations set forth above create a manageable and meaningful human rights baseline for assessing whether a country qualifies for such an agreement.

Second, the appropriate level of due diligence conducted on foreign countries, their laws, and their implementation of those laws, will require an intensive time commitment by executive branch lawyers and policymakers. Our experiment only focused on free expression issues and it took substantial time to assess relevant laws and implementation practices regarding that one human right in a few countries. In reality, there are many human rights topics set forth for assessment in the Act. While CLOUD Act agreements may ultimately fast track data requests and relieve an overburdened MLA process, the road to entry into such agreements will require a serious commitment of time to implement properly the Act’s human rights requirements.

Third, if CLOUD Act agreements are entered into with broad brush strokes (e.g., certifying that “generally” a democratic country has a good human rights record) rather than engaging in a careful analysis of whether relevant laws (and their implementation) comport with CLOUD Act standards, then such agreements seem doomed to fast track U.S. assistance to human rights violations, even with respect to allies and fellow democracies.

Fourth, creative drafting to exclude problematic laws/implementation practices or to reserve the ability of the U.S. government to review particular requests will be necessary to assure the Act’s human rights provisions and objectives are respected. Additional drafting solutions will be necessary for a variety of foreseeable scenarios that impact human rights, including prohibiting use of data for laws that do not appear in a data request and provisions that address a change in the laws, practices or human rights situation in a partner country. Outreach to civil society will be critical in developing such caveats to prevent undermining human rights.

Last year, supporters of the CLOUD Act pointed to this timeless caution: “Let not the perfect be the enemy of the good.” Our words of wisdom are: let not the imperfect CLOUD Act be the enemy of good and longstanding U.S. policy to refrain from assisting others in repressing free expression (or other human rights) abroad.