29 Mar, 2022
Canada’s Future CLOUD Act Agreement with the United States
In an era of rapid cross-border ephemeral data flows, access to extraterritorial electronic evidence has long been a source of frustration for law enforcement in Canada and abroad. Take, for instance, that many Canadian investigations into serious crime require electronic evidence over which other countries exercise jurisdiction. Without the timely disclosure of overseas data, criminal investigations have been delayed or abandoned, negatively affecting victims, public safety, and the economy.
Underpinning such frustrations are at least four converging realities. First, the marked shift in the balance of power for multinational private technology companies that increasingly control and store digital data, often rendering them the main decision-makers for encryption policies and the gatekeepers for access to digital data. Second, the ever-increasing transnational nature of crime and criminal investigations, often involving local victims and laws but globally located evidence. Third, the persistent territorial challenges created by the extraterritorial digital domain. And fourth, the painfully slow diplomatic process for trans-border electronic evidence disclosures, called mutual legal assistance (MLA), compared to quickly developing criminal investigations, combined with data access barriers owing to default technical protections. Of all the countries, the main recipient of mutual legal assistance requests for digital data is the United States (US), where the highest number of technology companies are headquartered.
In response, states continue to adopt a range of unilateral and bilateral alternative measures in an attempt to access otherwise inaccessible evidence. Notable among these are efforts to mandate the local storage of digital data (data localization laws), authorize the use of malware by police (government hacking), introduce exceptional access mandates (encryption back doors), and facilitate direct bilateral cooperation. Indeed, recent legislative advancements by western governments signal an increasing reliance on direct cooperation for electronic evidence exchange.
For instance, on 22 March 2022, the United States (US) and Canada announced that they have formally started negotiating towards the elaboration of a bilateral agreement pursuant to the US Clarifying Lawful Overseas Use of Data Act (the CLOUD Act). The CLOUD Act, passed on 23 March 2018, provides the legal basis for the establishment of “executive agreements” for bilateral direct digital data disclosures with eligible governments. Having already drafted CLOUD Act Agreements with the United Kingdom (UK) and Australia, Canada is now the third country to negotiate with the US.
If the US-Canada CLOUD Act Agreement enters into force, Canadian judicial authorities will be able to grant production orders for the surrender of targeted content and non-content data by US-based private technology companies like Meta and Microsoft for investigations and prosecutions of serious crime (defined as an offence punishable by a prison term of at least three years). In so doing, Canada can bypass the approval that would have otherwise been required by the US government to fulfill a MLA request.
For several years, foreign law enforcement agencies have been able to use direct cooperation for non-content data held by US-based technology companies; however, requests can be denied by the main technology companies with little transparency of the criteria against which requests are evaluated. Meta’s Transparency Centre, for instance, shows that some non-content data were disclosed to Canadian law enforcement in 82% of cases from January to June 2021. A US-Canada CLOUD Act Agreement may therefore enable Canada to reclaim control monopolized by technology companies in deciding whether and to what extent direct voluntary assistance is provided, expand the scope of data coverage, and expedite the surrender of data by circumventing but not replacing the MLA regime.
So, too, will a CLOUD Act Agreement shift the determinants of electronic evidence access from the location of data storage to the location and citizenship/residency status of the person to whom the data of interest relates. In other words, data disclosures under a CLOUD Act Agreement to the US cannot relate to a Canadian citizen, permanent resident, or a person located on Canadian soil. In so doing, those involved in the disclosure may need to rely on a series of assumptions, such as using an IP address as an indicator for a person’s location and/or nationality, which is generally a weak proxy. Likewise, content data produced by Canadians are often mixed with those by Americans, meaning that it will be difficult to practically uphold data restrictions. Consequently, it is conceivable that the scope of data surrendered pursuant to a CLOUD Act Agreement could extend beyond its stated parameters for which a MLA request would have been suitable.
Of note is that there are several similarities and differences between the CLOUD Act Agreement and MLA processes. Unlike the MLA regime whereby government vetting is conducted prior to evidence disclosure without oversight for how the evidence is eventually used, the CLOUD Act compliance reviews will – for perhaps the first time – provide insight into how the other party (i.e., US) is handling, storing, and using surrendered electronic evidence. In other words, the CLOUD Act Agreements will still require independent judicial review and approval via a Canadian production order (or a US search warrant) and will provide opportunities for both the US and Canada to comprehensively review the evidence exchanges, although after the data have already been disclosed. The findings from the compliance reviews may be used in re-negotiating the terms of the CLOUD Act Agreements (five years following entry into force), representing an opportunity for reform that is not otherwise typically afforded to governments that are party to multilateral treaties.
Experience from the UK and Australia shows that negotiating such an agreement can take around two years, although the timeframe for Canada might be quicker given that two examples of such Agreements already exist. In the process, Canada will need to lay the legal groundwork for the Agreement by either passing legislation to establish international or overseas production orders or by extending the jurisdiction of existing production orders to have extraterritorial reach. Canada will also need to amend some of its privacy laws to enable Canadian-based tech companies to relinquish data to US law enforcement. After an Agreement has been drafted, it will obviously need to receive parliamentary (Canada) and congressional (US) approval, which can take several months.
Although the Agreement will likely be welcomed by the Canadian law enforcement community, the evolving regime of bilateral CLOUD Act Agreements will have broader implications for international cooperation. Owing to the eligibility requirements set out in the CLOUD Act, only a handful of states qualify for CLOUD Act Agreements, absent any major national human rights reforms. Countries like Russia and China will obviously continue to resort to the very practices that the CLOUD Act Agreements arguably aim to stem, contributing to even further fragmentation in an already highly polarized cyber field. The extent to which the CLOUD Act Agreements will ease the strain on the MLA regime is also questionable, particularly since requests from Australia, Canada, and the UK are typically the quickest to process. Even so, in view of the escalating tensions among states in the cybercrime field, it may make the most political sense to advance rights-based cooperation reform by starting small with a few like-minded governments.
Indeed, the framework for direct cooperation legislated by the CLOUD Act is new and untested, but it might well sit among the most promising modalities through which law enforcement can acquire data across borders, while maintaining independent judicial oversight and upholding human rights safeguards. This might be especially true in view of the wider context of ineffective international cooperation and states’ disparate cyber paradigms. Although not a panacea for all cooperation challenges, the US-Canada CLOUD Act Agreement will undoubtedly expedite electronic evidence gathering for Canadian investigations and prosecutions of serious crime, although the degree of compliance with the Agreement remains to be seen.
Photo by imgix on Unsplash.