Cloud Act Agreement between the Governments of the U.S., United Kingdom of Great Britain and Northern Ireland

1. Account means the means, such as an account, telephone number, or addressing information, through which a user gains personalized access to a Computer System or telecommunications system.

2. Computer System has the meaning set forth in Chapter I Article 1a of the Budapest Convention on Cybercrime, to wit: any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data.

3. Covered Data means the following types of data when possessed or controlled by a private entity acting in its capacity as a Covered Provider: content of an electronic or wire communication; computer data stored or processed for a user; traffic data or metadata pertaining to an electronic or wire communication or the storage or processing of computer data for a user; and Subscriber Information when sought pursuant to an Order that also seeks any of the other types of data referenced in this definition.

4. Covered Information means Covered Data for Accounts used or controlled by a Covered Person and not also used or controlled by any Receiving-Party Person.

5. Covered Offense means conduct that, under the law of the Issuing Party, constitutes a Serious Crime, including terrorist activity.

6. Covered Person means a person who, upon application of the procedures required by Article 7.1, is reasonably believed not to be a Receiving-Party Person at the time the Agreement is invoked for an Order pursuant to Article 5.

7. Covered Provider means any private entity to the extent that it:

8. Designated Authority means the governmental entity designated, for the United Kingdom, by the Secretary of State for the Home Department, and for the United States, by the Attorney General.

9. Issuing Party means the Party that issues the relevant Legal Process. Where the United States is the Issuing Party, this includes where Legal Process is issued by state, local, territorial, tribal, or any other authorities within the United States.  Where the United Kingdom is the Issuing Party, this includes where Legal Process is issued by authorities of the state within the United Kingdom of Great Britain and Northern Ireland.

10. Legal Process means Orders subject to this Agreement as well as preservation process and Subscriber Information process recognized by Article 10 of this Agreement.

11. Order means a legal instrument issued under the domestic law of the Issuing Party requiring the disclosure or production of Covered Data (including any requirement to authenticate such Data) by a Covered Provider, whether for stored or live communications.

12. Receiving-Party Person means:

13. Receiving Party means the Party, including political subdivisions thereof, other than the Issuing Party.

14. Serious Crime means an offense that is punishable by a maximum term of imprisonment of at least three years.

15. Subscriber Information means information that identifies a subscriber or customer of a Covered Provider, including name, address, length and type of service, subscriber number or identity (including assigned network address and device identifiers), telephone connection records, records of session times and durations, and means of payment.

16. U.S. Person means:

1. The purpose of this Agreement is to advance public safety and security, and to protect privacy, civil liberties, and an open Internet, by resolving potential conflicts of legal obligations when communications service providers are served with Legal Process from one Party for the production or preservation of electronic data, where those providers may also be subject to the laws of the other Party. The Agreement provides an efficient, effective, data protection-compatible and privacy-protective means for each Party to obtain, subject to appropriate targeting limitations, electronic data relating to the prevention, detection, investigation, or prosecution of Serious Crime, in a manner consistent with its law and the law of the other Party.

2. Without prejudice to the applicability of any other legal basis or other important interests under the respective Parties’ laws, this Agreement supports:

3. Interests relevant to this Agreement include, but are not limited to:

1. Each Party undertakes to ensure that its domestic laws relating to the preservation, authentication, disclosure, and production of electronic data permit Covered Providers to comply with Orders subject to this Agreement. Each Party shall advise the other of any material changes in its domestic laws that would substantially frustrate or impair the operation of this Agreement.

2. The provisions of this Agreement shall apply to an Order as to which the Issuing Party invokes this Agreement, with notice to the relevant Covered Provider. Any legal effect of an Order subject to this Agreement derives solely from the law of the Issuing Party. Covered Providers retain otherwise existing rights to raise applicable legal objections to an Order subject to this Agreement.

3. Each Party in executing this Agreement recognizes that the domestic law of the other Party, including the implementation of that law, affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities subject to this Agreement. Each Party shall advise the other of any material changes in its domestic law that significantly affect the protections for Covered Data and shall consult regarding any issues arising under this paragraph pursuant to Article 5 or Article 11.

4. This Agreement is intended to facilitate the ability of the Parties to obtain electronic data. The provisions of this Agreement shall not give rise to a right or remedy on the part of any private person, including to obtain, suppress or exclude any evidence, or to impede the execution of Legal Process. Each Party shall ensure that the provisions of this Agreement are fully implemented, including the provisions of Article 9, consistent with the constitutional structure and principles of each Party.

1. Orders subject to this Agreement must be for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of a Covered Offense.

2. Orders subject to this Agreement may not be used to infringe freedom of speech or for disadvantaging persons based on their race, sex, sexual orientation, religion, ethnic origin, or political opinions.

3. Orders subject to this Agreement may not intentionally target a Receiving-Party Person, and each Party shall adopt targeting procedures designed to implement this requirement as described in Article 7.1.

4. Orders subject to this Agreement may not target a Covered Person if the purpose is to obtain information concerning a Receiving-Party Person.

5. Orders subject to this Agreement must be targeted at specific Accounts and shall identify as the object of the Order a specific person, account, address, or personal device, or any other specific identifier.

1. Orders subject to this Agreement shall be issued in compliance with the domestic law of the Issuing Party, and shall be based on requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation.

2. Orders subject to this Agreement shall be subject to review or oversight under the domestic law of the Issuing Party by a court, judge, magistrate, or other independent authority prior to, or in proceedings regarding, enforcement of the Order.

3. Orders subject to this Agreement for the interception of wire or electronic communications, and any extensions thereof, shall be for a fixed, limited duration; may not last longer than is reasonably necessary to accomplish the approved purposes of the Order; and shall be issued only if the same information could not reasonably be obtained by another less intrusive method.

4. The Issuing Party may not issue an Order subject to this Agreement at the request of or to obtain information to provide to the Receiving Party or a third-party government.

5. The Issuing Party may issue Orders subject to this Agreement directly to a Covered Provider. Such Orders shall be transmitted by the Issuing Party’s Designated Authority. The Designated Authorities of the Parties may mutually agree that the functions each carries out under Articles 5.5 through and inclusive of 5.9, 6.1, and 6.2 may be performed by additional authorities in whole or in part. The Designated Authorities of the Parties may, by mutual agreement, prescribe rules and conditions for any such authorities.

6. Prior to transmission, the Issuing Party’s Designated Authority shall review the Orders for compliance with this Agreement.

7. Each Order subject to this Agreement must include a written certification by the Issuing Party’s Designated Authority that the Order is lawful and complies with the Agreement, including the Issuing Party’s substantive standards for Orders subject to this Agreement.

8. The Issuing Party’s Designated Authority shall notify the Covered Provider that it invokes this Agreement with respect to the Order.

9. The Issuing Party’s Designated Authority shall notify the Covered Provider of a point of contact at the Issuing Party’s Designated Authority who can provide information on legal or practical issues relating to the Order.

10. In cases where an Order subject to this Agreement is issued for data in respect of an individual who is reasonably believed to be located outside the territory of the Issuing Party and is not a national of the Issuing Party, the Issuing Party’s Designated Authority shall notify the appropriate authorities in the third country where the person is located, except in cases where the Issuing Party considers that notification would be detrimental to operational or national security, impede the conduct of an investigation, or imperil human rights.

11. The Parties agree that a Covered Provider that receives an Order subject to this Agreement may raise specific objections when it has reasonable belief that the Agreement may not properly be invoked with regard to the Order. Such objections should generally be raised in the first instance to the Issuing Party’s Designated Authority and in a reasonable time after receiving the Order. Upon receipt of objections to an Order from a Covered Provider, the Issuing Party’s Designated Authority shall respond to the objections. If the objections are not resolved, the Parties agree that the Covered Provider may raise the objections to the Receiving Party’s Designated Authority. The Parties’ Designated Authorities may confer in an effort to resolve any such objections and may meet periodically and as necessary to discuss and address any issues raised under this Agreement.

12. If the Receiving Party’s Designated Authority concludes that the Agreement may not properly be invoked with respect to any Order, it shall notify the Issuing Party’s Designated Authority and the relevant Covered Provider of that conclusion, and this Agreement shall not apply to that Order.

1. The Parties agree that any Covered Information produced by a Covered Provider in response to an Order subject to this Agreement should be produced directly to the Issuing Party’s Designated Authority.

2. The Designated Authority of the Issuing Party may make arrangements with Covered Providers for the secure transmission of Orders subject to this Agreement and Covered Information produced in response to Orders subject to this Agreement, consistent with applicable law.

3. This Agreement does not in any way restrict or eliminate any legal obligation Covered Providers have to produce data in response to Legal Process issued pursuant to the law of the Issuing Party.

4. The Issuing Party’s requirements as to the manner in which Covered Information is produced may include that a Covered Provider complete forms that attest to the authenticity of records produced, or to the absence or non-existence of such records.

1. Each Party shall adopt and implement appropriate targeting procedures, through which good-faith, reasonable efforts shall be employed to establish that any Account targeted by an Order subject to this Agreement is used or controlled by a Covered Person.

2. The United Kingdom shall adopt and implement appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning U.S. Persons acquired pursuant to an Order subject to this Agreement, consistent with the need of the United Kingdom to acquire, retain, and disseminate Covered Information relating to the prevention, detection, investigation, or prosecution of a Covered Offense.

3. The minimization procedures for information acquired pursuant to an Order subject to this Agreement shall include rules requiring the United Kingdom to segregate, seal, or delete, and not disseminate material found not to be information that is, or is necessary to understand or assess the importance of information that is, relevant to the prevention, detection, investigation, or prosecution of a Covered Offense, or necessary to protect against a threat of death or serious bodily or physical harm to any person.

4. The minimization procedures shall include rules requiring the United Kingdom to promptly review material collected pursuant to an Order subject to this Agreement and store any unreviewed communications on a secure system accessible only to those persons trained in applicable procedures.

5. The minimization procedures shall include a provision stating that the United Kingdom may not disseminate to the United States the content of a communication of a U.S. Person acquired pursuant to an Order subject to this Agreement, unless the communication may be disseminated pursuant to the minimization procedures and relates to significant harm, or the threat thereof, to the United States or U.S. Persons, including crimes involving national security such as terrorism, significant violent crime, child exploitation, transnational organized crime, or significant financial fraud.

6. Each Party shall develop those targeting and minimization procedures it is required by this article to adopt in consultation with and subject to the approval of the other Party, and shall seek the approval of the other Party for any changes in those procedures.

1. Without prejudice to limitations specified elsewhere in this Agreement, data acquired by the Issuing Party pursuant to an Order subject to this Agreement shall be treated in accordance with the Issuing Party’s domestic law, including its privacy and freedom of information laws.

2. The Issuing Party shall not transfer data received pursuant to an Order subject to this Agreement to a third country or international organization without first obtaining the consent of the Receiving Party, except to the extent that such data has already been made public in accordance with the Issuing Party’s domestic law.

3. The Issuing Party shall not be required to share any information produced pursuant to an Order subject to this Agreement with the Receiving Party or a third-party government.

4. Where an Issuing Party has received data pursuant to Legal Process from a Covered Provider, and

prior to use of the data in a manner that is or could be contrary to those essential interests, the Issuing Party shall, via the Receiving Party’s Designated Authority, obtain permission to do so. The Receiving Party’s Designated Authority may grant permission, subject to such conditions as it deems necessary, and if it does so, the Issuing Party may only introduce this data in compliance with those conditions. If the Receiving Party does not grant approval, the Issuing Party shall not use the data it has received pursuant to the Legal Process in that manner.

5. Use limitations additional to those specified in this Agreement may be imposed to the extent mutually agreed upon by the Parties.

1. The Agreement between the United States of America and the European Union on the Protection of Personal Information relating to the Prevention, Investigation, Detection and Prosecution of Criminal Offenses done at Amsterdam, 2 June 2016, shall be applied mutatis mutandis by the Parties to all personal information produced in the execution of Orders subject to this Agreement to provide equivalent protections. For the United States, the principal laws implementing Article 19 of that agreement in this context are the Judicial Redress Act of 2015 and the Freedom of Information Act.

2. The processing and transfer of data in the execution of Orders subject to this Agreement are compatible with the Parties’ respective applicable laws regarding privacy and data protection.

1. Each Party undertakes to ensure that its domestic laws relating to the preservation, authentication, disclosure, and production of electronic data permit Covered Providers to comply with Legal Process under the domestic law of the Issuing Party that regards:

relating to the prevention, detection, investigation, or prosecution of crime.

2. The Issuing Party may issue such process directly to a Covered Provider. Such process shall be issued in compliance with and subject to review or oversight under the domestic law of the Issuing Party. Any legal effect of such process derives solely from the law of the Issuing Party. Covered Providers retain otherwise existing rights to raise applicable legal objections.

3. Such process shall be reasonable and must be issued for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of crime.

4. Such process may not be used to infringe freedom of speech or for disadvantaging persons based on their race, sex, sexual orientation, religion, ethnic origin, or political opinions.

5. Subscriber Information acquired pursuant to such process shall be treated in accordance with the domestic law of the Issuing Party, including its privacy and freedom of information laws, as well as the applicable provisions of the Agreement.

6. An Issuing Party and a Covered Provider may make arrangements for the secure transmission of such process and Subscriber Information produced in response, consistent with applicable law.

7. The Issuing Party shall not be required to share any Subscriber Information with the Receiving Party or a third-party government.

8. Each Party shall advise the other of any material changes in its domestic law that significantly affect the protections for preserved Covered Data or Subscriber Information, or would substantially frustrate or impair the operation of such process, and shall consult regarding any issues arising under this paragraph.

9. The Agreement between the United States of America and the European Union on the Protection of Personal Information relating to the Prevention, Investigation, Detection and Prosecution of Criminal Offenses done at Amsterdam, 2 June 2016, shall be applied mutatis mutandis by the Parties to all personal information preserved or Subscriber Information produced pursuant to such process. For the United States, the principal laws implementing Article 19 of that agreement in this context are the Judicial Redress Act of 2015 and the Freedom of Information Act.

10. In light of the safeguards recognized in this Article and the domestic law of each party including the implementation of that law, there are robust substantive and procedural protections for privacy and civil liberties in relation to such process. The processing and transferring of data pursuant to such process is compatible with the Parties’ respective applicable laws regarding privacy and data protection.

11. The Issuing Party’s requirements as to the manner in which Subscriber Information is produced may include that a Covered Provider complete forms that attest to the authenticity of records produced, or to the absence or non-existence of such records.

1. This Agreement is without prejudice to and shall not affect other legal authorities and mechanisms for the Issuing Party to obtain or preserve electronic data from the Receiving Party and from Covered Providers subject to the jurisdiction of the Receiving Party, including legal instruments and practices under the domestic law of either Party as to which the Party does not invoke this Agreement; requests for mutual legal assistance; and emergency disclosures.

2. This Agreement shall constitute, with respect to the compulsory measures arising from Orders subject to this Agreement and such process for preservation and Subscriber Information recognized in Article 10, the consultation, exhaustion, and other requirements of paragraphs 2, 3, 4, 5, and 6 of Article 18 of the Annex to the Instrument as contemplated by Article 3(2) of the Agreement on Mutual Legal Assistance between the United States of America and the European Union signed 25 June 2003, as to the application of the Treaty between the Government of the United States of America and the Government of the United Kingdom of Great Britain and Northern Ireland on Mutual Legal Assistance in Criminal Matters signed at Washington 6 January 1994, signed at London 16 December 2004.

1. Within one year of this Agreement’s entry into force, and periodically thereafter, the Parties shall engage in a review of each Party’s compliance with the terms of this Agreement, which may include a review of the issuance and transmission of Orders subject to this Agreement to ensure that the purpose and provisions of this Agreement are being fulfilled, and a review of the Party’s handling of data acquired pursuant to Orders subject to this Agreement to determine whether to modify procedures adopted under this Agreement.

2. The Parties may consult at other times as necessary concerning the implementation of this Agreement or to resolve disputes, and any such disputes shall not be referred to any court, tribunal, or third party.

3. In the event that the Parties are unable to resolve a concern about the implementation of this Agreement or a dispute, either Party may conclude that the Agreement may not be invoked with respect to an identified category of Legal Process, including Legal Process that are issued on or after a particular date.  Notification of that conclusion must be sent by the Designated Authority of the Party that has so concluded to the Designated Authority of the other Party. The notified Party shall not invoke the Agreement with respect to any Legal Process within the identified category upon receipt of such notification. Such a conclusion may be revoked at any time, in whole or in part, by the Party that reached the conclusion through a notification of the revocation to the other Party’s Designated Authority. Any data produced to the Issuing Party shall continue to be subject to the conditions and safeguards, including minimization procedures, set forth in this Agreement.

4. Each Issuing Party’s Designated Authority shall issue an annual report to the Receiving Party’s Designated Authority reflecting aggregate data concerning its use of this Agreement to the extent consistent with operational or national security.

5. This Agreement does not in any way restrict or eliminate a Covered Provider’s reporting of statistical information, consistent with applicable law, regarding Legal Process received by the Covered Provider.

Each Party shall bear its own costs arising from the operation of this Agreement.

This Agreement may be amended by written agreement of the Parties at any time.

This Agreement shall apply to Legal Process issued by an Issuing Party on or after the Agreement’s entry into force.

This Agreement shall enter into force on the date of the later note completing an exchange of diplomatic notes between the Parties indicating that each has taken the steps necessary to bring the agreement into force.

1. This Agreement shall remain in force for a five year period unless, prior to the expiry of the Agreement, the Parties agree in writing, through an exchange of diplomatic notes, to extend the Agreement for a further five years (or any other period as may be agreed between them).

2. Separately from expiration under paragraph 1, this Agreement may be terminated by either Party by sending a written notification to the other Party through diplomatic channels. Termination shall become effective one month after the date of such notice.

3. In the event the Agreement expires or is terminated, any data produced to the Issuing Party may continue to be used, and shall continue to be subject to the conditions and safeguards, including minimization procedures, set forth in this Agreement.

IN WITNESS WHEREOF, the undersigned, being duly authorized by their respective governments, have signed this Agreement.

Done at Washington this 3rd day of October, 2019, in duplicate, in the English language.