Hiding in the Eye of the Storm Cloud: How CLOUD Act Agreements Expand U.S. Extraterritorial Investigatory Powers

by Tim Cochrane

Click here for a PDF file of this article

Abstract

The United States and United Kingdom will soon implement a new reciprocal international law enforcement data sharing agreement (U.S.-UK Agreement), the first of its kind under the Clarifying Lawful Overseas Use of Data Act 2018 (CLOUD Act), which will enable law enforcement of one signatory state to directly request data from service providers based in the other state. The United States says CLOUD Act agreements simply remove conflicts of law and do not affect its jurisdiction over overseas providers, claiming these are strictly constrained by the personal jurisdiction requirement contained within the Constitution’s Fifth Amendment Due Process Clause. It is widely believed that that the United States will issue few, if any, U.S.-UK Agreement requests.

This article critiques this belief, examining the impact of CLOUD Act agreements at public and private international law, as well as domestic U.S. and UK law. While the removal of conflicts is a significant private international law benefit itself, CLOUD Act agreements also allow signatory states to significantly expand enforcement jurisdiction over overseas providers at public international law. Under domestic U.S. law, such expanded jurisdiction does not appear to be meaningfully constrained by the Due Process Clause, nor would new legislation necessarily be required. Frequent United States use of CLOUD Act agreements should be presumed.

Hiding in the Eye of the Storm Cloud: How CLOUD Act Agreements Expand U.S. Extraterritorial Investigatory Powers

by Tim Cochrane

Click here for a PDF file of this article

Abstract

The United States and United Kingdom will soon implement a new reciprocal international law enforcement data sharing agreement (U.S.-UK Agreement), the first of its kind under the Clarifying Lawful Overseas Use of Data Act 2018 (CLOUD Act), which will enable law enforcement of one signatory state to directly request data from service providers based in the other state. The United States says CLOUD Act agreements simply remove conflicts of law and do not affect its jurisdiction over overseas providers, claiming these are strictly constrained by the personal jurisdiction requirement contained within the Constitution’s Fifth Amendment Due Process Clause. It is widely believed that that the United States will issue few, if any, U.S.-UK Agreement requests.

This article critiques this belief, examining the impact of CLOUD Act agreements at public and private international law, as well as domestic U.S. and UK law. While the removal of conflicts is a significant private international law benefit itself, CLOUD Act agreements also allow signatory states to significantly expand enforcement jurisdiction over overseas providers at public international law. Under domestic U.S. law, such expanded jurisdiction does not appear to be meaningfully constrained by the Due Process Clause, nor would new legislation necessarily be required. Frequent United States use of CLOUD Act agreements should be presumed.