Sunday, March 27, 2022

Video: Canada - US announce beginning of CLOUD Act negotiations

Today, I’m going to be talking about the newly announced “CLOUD Act” agreement negotiation process between Canada and the US to facilitate cross-border law enforcement investigations.

This is just beginning, so I’ll necessarily be doing some speculating.

This week, the United States Department of Justice announced that the governments of the US and Canada are currently negotiating an agreement under the CLOUD Act to facilitate cross-border law enforcement investigations.

This is a big deal. This will mean that Canadian police can use Canadian court orders to get evidence in the US, and American search warrants can be served on Canadians.

It is intended to be a solution to an issue that affects law enforcement in both countries who want evidence that is on the other side of the border.

Every country has absolute sovereignty over what happens in its territory.

No “sovereign” can do anything in another sovereign’s territory without permission or invitation.

Canadian enforcement powers end – abruptly – at the border. A criminal court can’t order anyone outside of its jurisdiction to do anything, including the production of records.

It’s reciprocal: foreign states can’t extend their law enforcement into Canada without permission or invitation.

As it currently stands, a US search warrant has no effect in Canada. A Canadian production order has no effect in the US. Canadian law ends at the border, as does American law.

The Criminal Code does not authorize the issuance of a production order directed at a person or entity outside of Canada.

(It is important to remember that there’s a big difference between civil lawsuits and criminal investigations.)

Notice I said “without permission or invitation”. To provide that permission, countries have often entered into mutual legal assistance treaties with one another. If you’re investigating something in your country and some evidence is in our country, tell us about it and maybe we’ll assist you in getting it. I’ll discuss this a bit more later.

The reality is that most reputable US service providers will provide information to Canadian law enforcement under a Canadian production order, as long as they can do so without risking a violation of US law.

For example, in the first half of 2021, Twitter reports that it received 56 information requests about 63 accounts and it complied with 45% of them.

During the same time, Meta/Facebook reports it received 1,110 “legal process requests” from Canada and complied with 82% of the requests it received.

As I said, a Canadian production order doesn’t really have any effect in the US. But US service providers generally do follow them, voluntarily, when they can.

Currently, a US privacy law called the Stored Communications Act prevents certain service providers from providing certain categories of data except with a qualifying US warrant. This annoys a lot of Canadian investigators, who have to go through formalities under the Mutual Legal Assistance Treaty between the two countries in order to get a US qualifying warrant.

A CLOUD Act agreement would remove that barrier and permit most US warrants for records and information to have effect in Canada. It is reciprocal, so Canadian law enforcement can get court orders in Canada for records that are in the custody of American service providers.

What is the CLOUD Act?

The CLOUD Act, or “Clarifying Lawful Overseas Use of Data Act”, was enacted in 2018. At the time, it got a lot of attention because it rendered moot a very high profile case in which US law enforcement was looking for data stored by Microsoft in one of their data centres in Ireland. Microsoft sensibly resisted the order, saying that US law did not extend to data that was outside of the US.

The case finally found its way to the Supreme Court of the United States, but before a decision was rendered, the US enacted the CLOUD Act, which made it clear that a US warrant could compel US companies to provide stored data for a customer or subscriber on any server they own and operate, regardless of where it is located. The CLOUD Act also has a mechanism for companies to challenge the warrant if they believe the request violates the privacy rights of the foreign country the data is stored in.

What the CLOUD Act also does is create a framework by which the US government can negotiate agreements with other governments for mutual recognition of the other country’s legal processes, subject to limitations set out in the agreement.

Before coming into effect, the bilateral or multilateral agreement needs to be put before the US Congress, and the US Attorney General has to certify that the partner country has robust substantive and procedural protections for privacy and civil liberties.

The US has already negotiated such an agreement with the United Kingdom and Australia. Now it’s Canada’s turn.

This will be welcome news to Canadian law enforcement, who regularly seek evidence from US-based technology companies but sometimes find themselves hampered by a number of factors. In fact, Canadian law enforcement lobbying groups like the Canadian Association of Chiefs of Police have been pushing hard to get Canada to negotiate a CLOUD Act agreement with the United States.

Mutual Legal Assistance

There has for some time been a mutual legal assistance treaty between Canada and the United States, which provides a government-to-government pathway for law enforcement in Canada to obtain access to information in the United States. It is a two-way street, which similarly provides American law enforcement with access to Canadian data.

Without an agreement like the MLAT, carrying out searches on foreign territory violates international law and sovereignty.

The mutual legal assistance process has been said to be cumbersome and time-consuming, mainly because all requests from Canadian law enforcement are routed through the Department of Justice Canada in Ottawa, which then sends a request to the United States Department of Justice. Both of these entities review the request and there is an element of discretion on the part of the receiving government as to whether or not they wish to process it. Assuming it is OK with the Canadian and US central authorities, a lawyer from the US Department of Justice seeks an order from the United States Federal Court that is addressed to the service provider, requiring them to provide the data to the US DOJ, which then sends the data to the Canadian DOJ and then to the law enforcement agency.

A key part of this process is the review and approval by the central authorities in each country. They ask “does this fit within the treaty?” “Does it meet the legal thresholds?” “Is it appropriately tailored – not too broad?” “Is it consistent with our laws and values?” “Does it implicate any of our own domestic interests?”

Canadian law enforcement generally would prefer to avoid this, and have tried to do so by seeking production orders in Canadian courts that name US-based service providers.

The Canadian Criminal Code does not authorize the service of production orders outside of Canada, mainly because a Canadian court does not have jurisdiction over someone who is not in Canada. Some courts simply will not issue these orders, but more are issuing these sorts of orders after a decision from the British Columbia Court of Appeal called Brecknell. For a bunch of reasons, I think that decision is wrongly decided, but for more information on that you can read my case comment.

In my experience, most US service providers will provide data in response to Canadian court orders, but they are prohibited under US criminal law from providing the content of any communications except with a qualifying US warrant. That can be obtained through the MLAT process, but a “qualifying US warrant” is not available from a Canadian court.

A few years ago, I was involved in a case on behalf of an American company where a Canadian law enforcement agency sought and obtained a production order that would have required the US company to violate American law. The case ultimately became moot before it went to a hearing, so there's no written decision I can point you to. But it was clear that the attempt to do so was out of frustration with the mutual legal assistance process and the perception of the time it takes. In reality, urgent orders can be turned around quite quickly and the average turnaround time is around 2 months.

The process we have ahead likely looks like this: it will take some time to negotiate the agreement between Canada and the US. It is not “one size fits all”. Once the agreement is negotiated, it will have to go to the US Congress – a process that is at least six months. And Canada would have to amend a bunch of laws before it can go into effect.

What to expect

So what would implementing a CLOUD Act agreement look like on the Canadian side of the border? I would only be speculating, because we don't have a final agreement to look at, but a number of laws would have to be amended.

For example, all of our existing privacy laws in Canada prohibit the disclosure of personal information or personal health information except to comply with a warrant, production order, court order or where required by law. Currently, that would be read as meaning required by Canadian federal or provincial law, or under a Canadian court order.

Complying with a US order would not fit within that. Those barriers would need to be taken down, or a new law would need to be passed so that these American orders could be complied with in Canada.

I don't think making US orders mandatory in Canada is how it would likely play out. On the American side of the border, the CLOUD Act does not make foreign orders mandatory in the United States. What it did was take down the barriers, mainly in the Stored Communications Act, that prevented US-based companies from disclosing certain categories of information. In order to be truly reciprocal, Canadian laws would need to be amended to permit disclosures to US law enforcement in response to a US court order or subpoena.

This is where I think things will get a little bit controversial in Canada. After all, two provinces went so far as to prohibit personal information from being stored outside of Canada or being accessed from outside of Canada because of an overblown concern about the USA PATRIOT Act. In some instances, it is an offense to disclose personal information in response to a “foreign demand for disclosure”. All that would have to change, and I think that will attract some interesting responses.

At the end of the day, it makes sense that Canadian police should be able to go to a Canadian judge to get an order for access to information about Canadian suspects of a crime that took place in Canada.

It also makes sense that American police should be able to go to an American judge to get an order for access to information about American suspects of a crime that took place in the US.

The CLOUD Act agreements with the UK and Australia provide some idea about the guardrails that should be included in an agreement with Canada.

First, it should be limited to serious crimes, not trivial matters or merely administrative and regulatory tribunals.

Second, it should not permit one country to investigate the citizens or residents of the other country. It should be limited to Canadian authorities investigating Canadian crimes, or American authorities investigating American crimes.

Third, there would be a mechanism by which either country gets to say for a particular request that the agreement would not apply in that instance.

Fourth, there should be a mechanism by which a company that receives legal process can challenge it.

As a final note, when this progresses and we see what the agreement looks like, Canadians should be very careful to make sure that it is not used to further the Canadian so-called “lawful access” agenda that has been pursued for years and years by Canadian law enforcement. In particular, Canadian law enforcement have been trying to get the laws amended so they can get warrantless access to personal information.
