Rand Paul Seeks Information on U.K. Requests for Americans' Private Data

Last month, the United Kingdom Home Secretary reportedly demanded access to user data of any Apple customer on the planet. Apple chose to degrade U.K. users' data protection instead of complying with the order. In a letter to the U.S. attorney general this week, Sen. Rand Paul (R–Ky.) expressed concern about the order and requested information on any other recent orders.

"Recent reports suggest that authorities in the United Kingdom (UK) have issued an order to a U.S. company requiring access to all end-to-end encrypted materials of UK users," wrote Paul, who chairs the Senate Homeland Security and Government Affairs Committee, in a letter to Attorney General Pam Bondi. "This action raises significant questions about the integrity of U.S. user data in the context of the Cloud Act and UK statutes."

The Clarifying Lawful Overseas Use of Data (CLOUD) Act, passed in 2018 as part of a 2,000-plus page omnibus spending bill, requires tech companies to provide information about customers to the government when asked, even if that information is stored outside the United States. The Department of Justice later entered into a data sharing agreement with the U.K. under the CLOUD Act.

When the bill came up for a vote, Paul tweeted an article in which American Civil Liberties Union (ACLU) legislative counsel Neema Singh Guliani wrote that "Congress should reject the CLOUD Act because it fails to protect human rights or Americans' privacy…gives up their constitutional role, and gives far too much power to the attorney general, the secretary of state, the president and foreign governments."

In his letter to Bondi, Paul relayed that the U.K.'s demand was "the latest concerning attempt by law enforcement entities to obtaining 'backdoor' access to private user context under the pretext of national security."

To that end, he asked for unredacted copies of any requests from the U.K. government for information about U.S.-based companies—known as a "technical capability notice"—received since August 2024. Paul also asked for "records related to any confidentiality agreements or nondisclosure requirements applicable to a U.S. company as it relates to actions authorized pursuant to the US–UK Cloud Act Agreement."

Under the U.K.'s Investigatory Powers Act—nicknamed the Snooper's Charter—Britain can request information about a company's users and forbid the company from disclosing the order's existence.

The Investigatory Powers Tribunal hears complaints about U.K. government surveillance; in a letter last week, five U.S. lawmakers, led by Sen. Ron Wyden (D–Ore.), asked the tribunal to "remove the cloak of secrecy related to notices given to American technology companies by the United Kingdom."

In fact, the U.K.'s actions are already chilling American speech. "Apple has informed Congress that had it received a technical capabilities notice, it would be barred by U.K. law from telling Congress whether or not it received such a notice from the U.K., as the press has reported," the letter noted. "Google also recently told Senator Wyden's office that, if it had received a technical capabilities notice, it would be prohibited from disclosing that fact."