Letter to US Justice Department Concluding White House Should Not Let UK Demand Private Data in US

Richard W. Downing 
Acting Deputy Assistant Attorney General
Criminal Division
United States Department of Justice
950 Pennsylvania Avenue NW
Washington, DC 20530

CC: Peter A. Winn
Acting Chief Privacy and Civil Liberties Officer
United States Department of Justice

Dear Mr. Downing:

The undersigned human rights and civil liberties organizations write to express our concerns about the prospect of the conclusion of an executive agreement under the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act permitting the United Kingdom of Great Britain and Northern Ireland to acquire, or obtain access to, the content of communications, associated metadata, and other personal data held or transmitted by US companies.

Our analysis of current UK law indicates that in several salient respects, the country does not or may not “adhere[] to applicable international human rights obligations and commitments or demonstrate[] respect for international universal human rights,” as the CLOUD Act requires.[1] In the UK’s case, the relevant international human rights instruments include the Convention for the Protection of Human Rights and Fundamental Freedoms (commonly known as the European Convention on Human Rights, “ECHR”), the International Covenant on Civil and Political Rights (“ICCPR”), and—at present—the Charter of Fundamental Rights of the European Union (“the Charter”).

The UK is also a party to the Convention on Cybercrime, which requires at article 15 that states parties ensure that their domestic laws comply with the rights found in the ECHR and ICCPR. The CLOUD Act specifically acknowledges the importance of this convention.[2]

We are also concerned about serious potential inconsistencies of data requests under a US-UK agreement with US constitutional rights standards.

Our considerations focus on UK laws that are presently enforceable, including the Investigatory Powers Act (“IPA”). However, we have also addressed the pending Counter-Terrorism and Border Security Bill and Crime (Overseas Production Orders) Bill, and note that the recently adopted Data Retention and Acquisition Regulations will also need to be considered.

As the CLOUD Act implicitly acknowledges, communications or other data sought by foreign governments pursuant to executive agreements may include correspondence with, or other personal data belonging to, people in the United States—even if the agreements prohibit the intentional targeting of US persons and others in the US, as the law requires.[3] The United Kingdom’s respect for human rights standards can therefore be expected to affect people in the United States as well as the intended foreign targets of any monitoring.

The points discussed herein represent only particularly prominent concerns based on clear, settled human rights case law or US constitutional principles, and should not be regarded as an exclusive list. We also do not address equipment interference (hacking), which the CLOUD Act potentially authorizes and which we will discuss in a separate letter as needed.

For a discussion of the United Kingdom’s respect for human rights beyond privacy, data protection, and free expression, we refer you to the most recent concluding observations of the UN Human Rights Committee; UN Committee on Economic, Social and Cultural Rights; and other human rights treaty bodies.[4]

1. Freedom of Expression—General

The ECHR establishes at Article 10 that “[e]veryone has the right to freedom of expression” and requires governments to refrain from interfering with free speech except where limitations are “prescribed by law and … necessary in a democratic society” for certain enumerated purposes. Meanwhile, the CLOUD Act specifically requires that “an order issued by the foreign government may not be used to infringe freedom of speech.”[5] As you are aware, US law broadly protects speech, with the US Supreme Court limiting First Amendment protections in only a very narrow set of circumstances, including true threats, incitement to violence, and defamation.[6]

However, UK law includes several pieces of legislation criminalizing expression in a manner that may at least arguably violate the ECHR or article 19 of the ICCPR in some circumstances, and—if used as a basis for data requests under the CLOUD Act—would be inconsistent with the freedoms set out in the First Amendment to the US Constitution.

For example, the Terrorism Act 2006 includes vague and potentially broad prohibitions on statements encouraging or glorifying terrorism, as well as the possession or dissemination of a “terrorist publication” (including online).[7] The Counter-Terrorism and Border Security Bill—if passed as currently drafted—would also excessively restrict freedom of expression by criminalizing clicking on certain types of online content and introducing new national security offences linked to acts of expression that go beyond the existing glorification and encouragement provisions of the Terrorism Act.[8]

The Public Order Act 1986, as amended, broadly prohibits behaviors, words, and the possession of materials intended to “stir up … hatred” on grounds of race, religion, or sexual orientation.[9] Regardless of whether this law may be compatible with the ECtHR’s case law, data requests stemming from it likely would not be consistent with US constitutional standards concerning free speech.[10]

Vague and potentially broad bans on speech are also found in the UK’s Malicious Communications Act 1988, as amended, which prohibits the sending of messages that are “indecent” or “grossly offensive.”[11]

Even in the absence of prosecutions, the possibility of investigations and resulting data demands may have a chilling effect on free expression in a manner that violates human rights and/or is inconsistent with First Amendment standards.

2. Surveillance Regime

1. Recent Findings of the ECtHR

The ECtHR has recently issued a judgment in Big Brother Watch and others v. the United Kingdom concerning UK surveillance under the predecessor legislation to the IPA, and we do not yet know whether its findings will be appealed to the Court’s Grand Chamber. However, the Court’s First Section found that the UK’s surveillance regime violated the ECHR right to respect for private life by failing to provide “robust independent oversight of the selectors and search criteria used to filter” communications intercepted in bulk.”[12] We do not believe the IPA has cured this defect.[13]

The First Section also found that the UK surveillance regime violated journalists’ free-expression rights by failing to “circumscribe[e] the intelligence services’ power to search for confidential journalistic or other material … or require[e] analysts, in selecting material for examination, to give any particular consideration to whether such material is or may be involved.”[14] At the time of writing, various provisions of the IPA required some particularized consideration of surveillance involving journalistic materials, but Privacy International had assessed them as failing to meet the standards set out in Big Brother Watch.[15]

Where bulk interception is concerned, the ECtHR approved the regime that was at issue in Big Brother Watch. However, we note that rights standards under the US Constitution are more restrictive in this respect than those discussed in this part of Big Brother Watch. The Fourth Amendment approach to searches and seizures requires particularized warrants and is rooted in an abhorrence of general warrants (which were abused by the British authorities during the colonial era). Even the provisions of the IPA that concern ostensibly targeted interception warrants may therefore be highly inconsistent with US constitutional rights standards, since they permit warrants authorizing the surveillance of a “group of persons” who simply “share a common purpose”—and thus do not require the establishment of adequate reason to believe that the specific persons or places to be surveilled have been involved in a criminal offense.[16] From a US constitutional rights perspective, the same concern would arise regarding any warrant authorizing the monitoring of “a group of persons” who “may carry on[] a particular activity,” in the absence of specific and individualized factual support for this conclusion.[17]

2. Data retention

In late 2016, the Court of Justice of the European Union (“CJEU”) ruled that domestic legislation that, “for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication” violates EU law.[18] It also ruled that EU law is violated when the circumstances under which authorities may gain access to such data are “not restricted solely to fighting serious crime,” “not subject to prior review by a court or an independent administrative authority,” and when the data need not be retained within the EU.[19]

The UK government has accepted that the IPA’s provisions allowing the government to require the “bulk” retention of communications data did not comply with EU law.[20] This concession has also led to a finding by the ECtHR that the government’s regime for access to such data violated the ECHR.[21]

The UK has very recently adopted the Data Retention and Acquisition Regulations (2018 no. 1123) in an effort to cure this defect. We urge you to keep abreast of any challenges to the compliance of these regulations, either as written or as applied, with EU law or the ECHR.

3. The Crime (Overseas Production Orders) Bill

The Crime (Overseas Production Orders) Bill was introduced in the UK House of Lords in June 2018.[22] As of the date of this letter, the legislation contained numerous provisions that would violate the United Kingdom’s rights obligations or the provisions of the CLOUD Act, and/or be gravely inconsistent with the principles underlying the Fourth Amendment to the US Constitution.

• The bill permits the issuance of overseas production orders where “there are reasonable grounds for believing that an indictable offense has been committed” or where “the order is sought for the purposes of a terrorist investigation” as defined in the Terrorism Act 2000.[23] This broad language does not specify that orders must explicitly identify a particular person or place that has been or will be involved in the commission of a criminal offense. It could therefore raise the prospect of “general warrants” that would be highly inconsistent with the Fourth Amendment and the principles underlying it.[24] It would also potentially be inconsistent with the specificity, particularity, and factual showing required by the CLOUD Act.[25]
• A similar concern arises in relation to the provision stating that the order need only be “of substantial value (whether or not by itself)” to the proceedings or investigation in question.[26] This standard raises a risk of orders that are disproportionate in violation of the ECtHR and unreasonably broad in a manner that would not meet Fourth Amendment standards.
• The bill does not appear to contain a limit on the duration of the data production or access under the order, which the CLOUD Act requires for interception orders.[27]
• UK judges would be permitted to impose gag orders on the recipients of overseas production orders,[28] preventing notice to affected individuals and raising free-expression issues under the ECHR as well as concerns about consistency with First Amendment standards. [29] The legislation does not place a time limit on these “non-disclosure requirement[s],” which may also prevent Congress from gaining a full understanding of the consequences and functioning of the production of data to UK authorities under the CLOUD Act.
• The bill’s text does not grant judges the power to revoke overseas production orders sua sponte.[30]
• The UK government may retain data obtained under the bill “for so long as is necessary in all the circumstances”—a vague provision that may permit indefinite or excessively lengthy retention, potentially in violation of the ECHR and/or EU law.[31] This may also violate the CLOUD Act’s requirement that countries “segregate, seal, or delete, and not disseminate material found not to be information that is, or is necessary to understand or assess the importance of information that is, relevant to the prevention, detection, investigation, or prosecution of serious crime, including terrorism, or necessary to protect against a threat of death or serious bodily harm to any person.”[32]

Additionally, the bill would obligate a recipient of a UK overseas production order to give effect to that order “regardless of where the electronic data is stored.”[33] At minimum, the proposition that the UK government could compel a US internet service provider to produce data the provider stores in a third country raises complex questions of international and US law.

Similar concerns arise from the provision stating that an overseas production order “has effect in spite of any restriction on the disclosure of information (however imposed),” as this appears to demand compliance regardless of legal restrictions imposed by Congress, US judges, state governments, or (as relevant) foreign lawmaking bodies.

* * *

For the reasons stated above, we believe an executive agreement permitting UK authorities to order the disclosure of, or access to, data held by US companies pursuant to the CLOUD Act should not be concluded at this time.

Sincerely,