The CLOUD Act: US framework for gathering electronic evidence

The increasingly transnational nature of crime and exchange of data across borders has made it increasingly complex for authorities to investigate cyber-enabled crime and gather electronic evidence.

At a recent Academy of European Law Conference, the U.S. Deputy Assistant Attorney General Richard W. Downing delivered remarks concerning the recently passed CLOUD Act, and its importance in enabling international cooperation to effectively tackle transnational crime.

 

The importance of electronic evidence

While rapid technological advancements have provided everyday citizens with increased convenience and flexibility, the reality is that this also applies to cybercriminals. Encrypted communication platforms and anonymising virtual currencies make it easier than ever for organised crime groups and individuals alike to conduct their operations, and evade detection by authorities.

In his address, Deputy Assistant Attorney General Downing highlighted the importance of electronic evidence. “So many of our ordinary, everyday, domestic law enforcement matters now rely on electronic evidence.  From social media posts that preceded a homicide, to texts revealing a woman being stalked, to chat sessions involving those planning a terrorist attack, to the cell phone location of a drug trafficker – almost everything we do as law enforcement officials to protect the public is grounded in electronic evidence.”

 

Current challenges

The gathering of evidence is a key component of conducting a successful criminal investigation, and electronic evidence has become increasingly common. Complications arise where electronic evidence is held across borders. For example, an investigation being conducted in the UK may require access to social media communications held by a provider in the United States. In this scenario, UK investigators would have to issue a formal mutual legal assistance request to the US government, and then wait months for a response.

 

The CLOUD Act

The Clarifying Lawful Overseas Use of Data Act (the CLOUD Act) has been developed to overcome the challenges of gathering cross-border electronic evidence, as an alternative to relying on the often slow and inefficient mutual legal assistance process.

Enacted in March 2018, the CLOUD Act has been the subject of criticism with other countries taking the view that the Act introduces new US surveillance powers and expanded jurisdiction over foreign companies or entities. In his address, Deputy Assistant Attorney General Downing  referred to some of these and clarified the importance of the Act in fostering effective international cooperation.

 

The CLOUD Act as a model for international cooperation

The complexity of international investigations involving electronic evidence stored across multiple jurisdictions, combined with varying legal systems and domestic laws across countries, often frustrates investigations.

For example, a global technology company may hold electronic evidence critical to an investigation. Country A may order them to disclose the data, whilst Country B’s laws may restrict disclosure of that same data. What is this company to do to ensure compliance with international law?

“With the CLOUD Act, the US Congress created a way that we can lift US legal restrictions so that our partners could more efficiently protect their citizens and promote justice and the rule of law”, said the Deputy Assistant Attorney General.

 

How does the CLOUD Act operate in practice?

The CLOUD Act authorises the United States to enter into bilateral agreements to facilitate the process of obtaining electronic evidence across borders, with each country essentially agreeing to “lower their respective barriers that might otherwise stand in the way of compliance with lawful orders.” Prior to this, many US providers were hesitant to disclose electronic data to foreign law enforcement agencies for fear of breaching domestic law.

Rather than obliging foreign providers to comply with domestic law enforcement orders, the Act simply removes conflicts of law so that electronic evidence can be more freely and easily exchanged.

 

What are the potential benefits of the CLOUD act?

There are a number of important benefits that the CLOUD Act can help to realise:

  • Easing pressure of the current mutual legal assistance (MLA) process, allowing countries such as the US who are inundated with such requests to increase the efficiency of processing requests that do need to go through the MLA process.
  • Bypassing the MLA process will reduce delays and result in speedier, more effective investigations.
  • Reduced potential for compromised public safety due to inability to access crucial electronic evidence.

 

Some criticisms

Deputy Assistant Attorney General Downing addressed some common criticisms that have arisen by countries viewing the Act as a “data grab” by the United States. In his address, the following points were posited:

  • Nothing in the CLOUD Act’s clarification of U.S. law expands U.S. jurisdiction over foreign companies or any other entity.
  • Nothing in the CLOUD Act expands the categories of providers subject to U.S. jurisdiction.
  • The CLOUD Act does not alter who falls under the jurisdiction of U.S. courts; it merely confirms the obligations of the providers that already do.
  • There will not be a single entity that is subject to U.S. jurisdiction after the CLOUD Act that was not already subject to U.S. jurisdiction before the CLOUD Act.
  • The CLOUD Act will not give U.S. law enforcement any new legal process to acquire data.
  • CLOUD is a benefit rather than a threat to other countries.

Nyman Gibson Miralis provides expert advice and representation in complex transnational criminal cases involving cyber-enabled crime and electronic evidence.

Contact us if you require assistance.