21 Thoughts and Questions about the UK/US CLOUD Act Agreement: (and an Explanation of How it Works – With Charts)
European Law Blog, October, 2019
10 Pages Posted: 29 Oct 2019
Date Written: October 13, 2019
Abstract
After four years of negotiations, the United Kingdom and the United States finally released on October 7, 2019, the text of their Data-sharing agreement aiming to facilitate the cross-border access to electronic data for the purpose of countering serious crime. This long-awaited agreement is the first of the executive agreements envisioned by the CLOUD Act. It is, as rightly said, “critically important providing not just a window into the U.S. and U.K.’s approach but also presumably setting out a basic blueprint for other agreements that may follow”. Indeed, the US and the European Union have recently begun negotiations in order to conclude an agreement in this field, while the US and Australia also announced having started similar negotiations.
Before rushing to judgment on what this Agreement means for transatlantic law enforcement access, and, in particular, how a future EU-US agreement might differ, it is essential to understand its provisions, the safeguards, and how the mechanisms of direct access to data introduced by the Agreement will work.
The objective of this paper is to unpack, to the extent possible, the terms of the UK/US agreement not only to understand the basic mechanisms underlying it, but also to consider what are the International and Human Rights Law implications – including from a European Law perspective.
The article first provides two graphic Charts that intend to show when and how (and under which conditions) data can be requested from cloud service providers (CSPs) by either the U.S. or the U.K. under the agreement, and when other means of access to e-evidence (such as MLATs) should be used.
The paper then presents a series of 21 first thoughts, comments and questions on the content of the Agreement. It considers that, while the Agreement contains some useful elements that could inspire an EU/US Agreement, several other issues remain unclear and uncertain while others are problematic. They raise a series of important questions that need to be addressed in order to better understand what could be the implications of this agreement for the EU/US ongoing negotiations and, more generally, for EU law.
Some of the issues discussed in this paper include the following:
- The fundamental question of whether the first part of the CLOUD Act remains applicable despite the Agreement, which could give the possibility to US authorities to bypass in some circumstances the targeting limitations (exclusion of persons located in the UK) of the Agreement rendering, in such circumstances, the reciprocity provisions of the Agreement an empty shell.
- The more general question concerning the relation and interaction between the Agreement and the domestic laws of the two countries;
- The fact that the Agreement, in sharp contrast with the E-Evidence draft Regulation, does not include any mechanisms for resolution of conflicts of laws;
- The question whether transfer of EU data by CSPs under the UK/US CLOUD Act Agreement could conflict with the GDPR;
- The fact that, as shown by the two Charts, the legal regime is not the same when the UK wishes to access data as compared to when the US does so: the UK cannot access data of “US persons” – while the US can access data of UK persons not located in the UK;
- The fact that the Agreement does not require as such a judicial authorization before issuing an order to CSPs for production of content data and metadata – and why this creates uncertainties about the legal regime;
- The fact that the Agreement seems to be not just about law enforcement access to data during ongoing criminal investigations and proceedings, but also about access by national security agencies. Indeed, the Agreement could give the impression of enabling intelligence agencies such as the NSA or the GCHQ to request content data or metadata from CSPs for the “prevention” of serious crime such as terrorism;
- The wiretap provisions of the UK/US Agreement;
- A discussion of the Human Rights provisions of the Agreement;
- A comparison of its content with European standards;
- The question of what could be the influence of the UK-US Agreement for the EU/US negotiations;
…And several other issues.
Keywords: GDPR, CLOUD Act, E-Evidence, USA, United Kingdom, Data Protection, Privacy, Human Rights, Law Enforcement, International Law, Criminal Law, Extraterritoriality, Conflict of Laws, Reciprocity, International Agreements, Surveillance, Intelligence Agencies, National Security, European Union, CJEU
Suggested Citation: Suggested Citation