The U.K.’s Decryption Order, the CLOUD Act, and Recommended Next Steps
How the U.S. can use the CLOUD Act to push back on countries that seek to impose decryption mandates on U.S. tech companies.

Published by The Lawfare Institute
According to the Financial Times, the U.K. is now seeking to get out of its encryption fight with Apple. If true, this is good news. The turnaround appears to be the result of pushing by Vice President J.D. Vance and others, including Director of National Intelligence Tulsi Gabbard and a bipartisan group of members of Congress. At issue is a still-secret, yet widely discussed, order, issued under the U.K.’s Investigatory Powers Act, that reportedly directs Apple to design its systems so that it can respond to lawfully issued government demands for data.
To date, however, the U.K. has not yet pulled the plug on its court case with Apple. The following suggests ways for the United States to use the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) to the United States’ advantage, as additional leverage, in pushing back on the U.K. and others that seek to impose decryption mandates on U.S. tech companies.
The piece starts with background on the dispute, details the key legal provisions at issue, and then makes recommendations as to how to leverage the CLOUD Act in the dispute with the U.K. and, more broadly, to better protect digital security.
Background
The dispute between the U.K. and Apple reportedly came to a head after Apple rolled out its Advanced Detection Protection—an optional feature that enables end-to-end encryption of data stored in the cloud and is turned on by the user. When this technology is deployed, only the user holds the decryption key; neither Apple nor any other unauthorized third party can access the decrypted data or provide its content to law enforcement (or anyone else). In response to the U.K. order, Apple reportedly has removed the option of employing end-to-end encryption for U.K.-based users and challenged the order in a closed U.K. proceeding.
The U.K. has reportedly been dissatisfied with Apple’s response; it wanted Apple to globally redesign its systems so that Apple can respond to lawful demands for user data stored in the cloud. In making these demands, the U.K. reportedly relied on a combination of the Investigatory Powers Act and its executive agreement with the United States, pursuant to the CLOUD Act.
On June 5, the House Judiciary Committee held a hearing on the issue. There was bipartisan frustration with the U.K. and a shared concern about the U.K. ordering a U.S. company to take action to reduce the security and privacy of its platform—particularly in the wake of Salt Typhoon, Volt Typhoon, and other intrusions that highlight the importance of strong cybersecurity. Director of National Intelligence Gabbard has weighed in, committing to “ensuring the UK government has taken necessary actions to protect the privacy of American citizens, consistent with the CLOUD Act.” As described below, there are several ways to do so.
U.K. Law: The Investigatory Powers Act
The U.K.’s Investigatory Powers Act, first enacted in 2016 and amended in 2024, gives certain U.K. officials authority to issue “technical capability notices” that require providers such as Apple to configure their systems in ways that ensure government officials can compel the production of sought-after data in a readable form.
These orders are secret, and they can, under U.K. law, be issued on any relevant provider serving customers in the U.K. The recipient of the order is also prohibited from discussing its existence—even with government officials in the recipient’s own country—without the permission of the U.K. secretary of state.
The U.K. reportedly relied on this law to order Apple to redesign the way it deploys end-to-end encryption, so that Apple can continue to respond to lawful demands for data. Apple was precluded from alerting anyone, including the U.S. government, of the fact or details of the order. In an April ruling, the U.K. Investigatory Powers Tribunal made public the existence of a legal dispute between Apple and the U.K. but refused to provide any details on the underlying facts and rejected requests to make the hearing public.
U.S. Law: The CLOUD Act
Enacted seven years ago, the CLOUD Act was intended, in part, to lift jurisdictional barriers that impede government access to data in response to serious crime. The CLOUD Act addressed a growing concern that foreign law enforcement officials were unable to obtain timely access to data held by U.S.-based tech companies about crimes that took place in their own country involving their own nationals—given U.S. laws that generally prohibit U.S.-based tech companies from sharing communications data with foreign governments. These U.S. legal restrictions also spurred a growing call for data localization as a way to facilitate foreign government access to sought-after data.
The CLOUD Act addresses these concerns by lifting the otherwise applicable bars on sharing data with foreign governments—but only in limited circumstances in which there is an executive agreement with the requesting foreign government, subject to multiple requirements. A foreign government cannot target the data of Americans. Rather, it can only target data about non-Americans located outside the United States and must abide by a long list of procedural and substantive criteria in doing so. One of those criteria: “[T]he terms of [a CLOUD Act Agreement] shall not create any obligation that providers be capable of decrypting data[.]” 18 U.S.C. § 2523(b)(3) (emphasis added).
To date, there are just two CLOUD Act agreements: one with the United Kingdom (effective 2022) and one with Australia (effective 2023).
Notably, the CLOUD Act does not give the U.K. (or Australia) explicit authority to compel Apple or any other U.S.-based provider to turn over user data. It also does not provide any affirmative authority for the U.K. to compel decryption. But it does provide a mechanism for the U.K. to go directly to Apple with its lawful requests for data. And it does eliminate one of the key objections to U.K. requests for such data and any associated decryption order.
If the U.S.-U.K. CLOUD Act Agreement were not in place, Apple would be prohibited under U.S. law from sharing the requested data with the U.K. But since the agreement is in place, that U.S. law prohibition is lifted.
Recommendations
It appears, based on recent reporting, that—thanks to push-back from the Trump administration—the U.K. may be looking to change course. But for now, the U.K. case against Apple continues. The following describes ways the administration could use the CLOUD Act as additional leverage in these discussions, and suggests statutory amendments to the CLOUD Act that would help protect against additional foreign government decryption mandates in the future.
There are several possible ways for both the executive branch and Congress to respond:
- The Department of Justice has the authority to object to CLOUD Act orders and categories of such orders; it could object to any orders issued to any company that has been subject to a decryption mandate. Doing so would, under the terms of the agreement, render such orders null and void.

  The U.S.-U.K. agreement specifies two different ways that the Justice Department might do so: Following an objection by a provider, it can invoke section 5, par. 11 with respect to specific “Order[s]”; alternatively, under section 12, par. 3, it can object to a whole category of “Legal Process.” The Justice Department need simply notify the relevant authority in the U.K. of its objection, and the U.K. can no longer rely on the CLOUD Act to issue the relevant orders or categories of such orders.

  There is strong ground for raising an objection with respect to the U.K.-issued orders: There is an explicit statutory requirement saying that executive agreements shall not create any obligation that providers be capable of decrypting data. Indeed, Congress would not advance the CLOUD Act until that provision was added to the bill. Any order that is coupled with a decryption demand certainly violates the spirit, if not the letter, of the CLOUD Act and the U.S.-U.K. agreement.

- The executive branch could threaten to pull the U.S.-U.K. agreement entirely if the U.K. continues to use its Investigatory Powers Act to seek to prohibit the use of end-to-end encryption. Given the reported security benefits of the CLOUD Act agreement, this might be sufficient to compel a change in the U.K. approach.

  To terminate the agreement, the United States simply needs to send a diplomatic note to that effect; termination takes effect a month later. (Alternatively, the U.S. could refuse to renew the agreement when it expires in 2027, but that is too long from now given the immediacy of the dispute with the U.K.) An updated agreement should make clear that the U.K. is prohibited from issuing decryption orders to U.S. companies and that continued issuance of such orders will render the agreement null and void.

- Congress can also require these changes. Congress could, for example, amend the criteria for CLOUD Act agreements to specify that foreign governments that issue extraterritorial decryption orders on U.S. companies are ineligible for such agreements. This would prevent the U.K. or any other country from relying on a combination of their domestic law and a CLOUD Act agreement to support decryption efforts. In fact, even if the dispute with the U.K. is resolved, Congress may wish to intervene anyway to prevent this from becoming an issue with other countries.
Future of the CLOUD Act
Some observers might think that, given the complications, it is time to simply rescind the CLOUD Act. But, as noted above, the U.K.’s domestic legal authority to compel companies that offer services in their country to abide by their technical capability notices does not depend on the CLOUD Act. The U.K. presumably would have made these demands on Apple and other U.S.-based companies that serve the U.K., even in the absence of a CLOUD Act agreement—thus placing the providers in a difficult position where compliance with foreign law might mean violating U.S. law.
Meanwhile, the U.S. government would give up key leverage. The U.K. reports that in its first two years of operation alone, the U.S.-U.K. agreement “contributed directly to 368 arrests, the seizure of 3.5 tons of illicit drugs, the recovery of GBP 5 million, the seizure of 94 firearms and 745 rounds of ammunition, and the identification of 41 threats to life and 100 threats of harm” (as described in a report to Congress and also discussed on Lawfare). The U.K.’s continued interest in accessing data held by U.S. service providers gives both the administration and Congress a basis for demanding the U.K. put an end to its extraterritorial encryption claims.
Instead of giving up on the CLOUD Act, the executive branch should consider future CLOUD Act agreements—albeit with provisions that make such agreements null and void if the relevant country or countries issue decryption requirements on U.S.-based companies. An EU agreement could be particularly valuable, given the pending e-Evidence Regulation, which goes into effect next year and gives EU states new authority to compel the production of data from U.S.-based providers. A U.S.-EU CLOUD Act agreement could help resolve otherwise likely legal conflicts and also ensure that this directive does not become an additional vehicle for compelling decryption.