The CLOUD Act is about to stir up a legal storm. The Act was originally passed in March 2018 to ensure U.S. law enforcement officials could obtain information from U.S.-based communications providers even if that information is stored overseas. But the Act has another, more controversial provision: Under certain circumstances, it permits foreign law enforcement officials to serve production orders directly on U.S.-based providers and requires the providers to appear in court overseas if they want to challenge the orders. This possibility may soon be reality, as a novel data-sharing agreement under the Act between the United States and the United Kingdom takes effect this spring.
Until now, if foreign law enforcement officials wanted access to data held by U.S service providers, they had to go through Mutual Legal Assistance Treaties or “letters rogatory,” which give U.S. providers the ability to challenge production orders in U.S. courts. But the U.S.-U.K. “Bilateral Data Access Agreement,” which is the first such agreement under the CLOUD Act, cuts U.S. courts out of the process and allows U.K. law enforcement to serve production orders directly on U.S. providers. The Department of Justice is negotiating similar agreements with representatives from the European Union and Australia. While the stated purpose of these agreements is to speed up criminal investigations that have international dimensions, a side effect may be a burst of litigation—in both the U.S. and overseas—over issues of venue, privacy, disclosure, and due process.
