Publication: 21 Thoughts and Questions about the UK/US CLOUD Act Agreement: (and an Explanation of How it Works – with Charts

Theodore Christakis has just published "21 Thoughts and Questions about the UK/US CLOUD Act Agreement: (and an Explanation of How it Works – with Charts)"
Theodore CHRISTAKIS, “21 Thoughts and Questions about the UK/US CLOUD Act Agreementand an Explanation of How it Works – with Charts)”, (October 13 2019). European Law Blog
Available at SSRN: https://ssrn.com/abstract=3469704

Abstract

After four years of negotiations, the United Kingdom and the United States finally released on October 7, 2019, the text of their Data-sharing agreement aiming to facilitate the cross-border access to electronic data for the purpose of countering serious crime. This long-awaited agreement is the first of the executive agreements envisioned by the CLOUD Act. It is, as rightly said, “critically important providing not just a window into the U.S. and U.K.’s approach but also presumably setting out a basic blueprint for other agreements that may follow”. Indeed, the US and the European Union have recently begun negotiations in order to conclude an agreement in this field, while the US and Australia also announced having started similar negotiations.

Before rushing to judgment on what this Agreement means for transatlantic law enforcement access, and, in particular, how a future EU-US agreement might differ, it is essential to understand its provisions, the safeguards, and how the mechanisms of direct access to data introduced by the Agreement will work.

The objective of this paper is to unpack, to the extent possible, the terms of the UK/US agreement not only to understand the basic mechanisms underlying it, but also to consider what are the International and Human Rights Law implications – including from a European Law perspective.

The article first proposes two graphic Charts explaining in the clearest way possible when and how (and under which conditions) data can be requested from CSPs by the two parties to the Agreement and when other, more traditional means of access to e-evidence (such as MLATs), should be used.

The paper then presents a series of 21 first thoughts, comments and questions on the content of the Agreement. It considers that, while the Agreement contains some positive and useful elements that could inspire an EU/US Agreement, several other issues remain unclear and uncertain. They raise a series of important questions that need to be addressed in order to better understand what could be the implications of this agreement for the EU/US ongoing negotiations and, more generally, for EU law.

Some of the issues discussed in this paper include the following:

- The fundamental question of whether the first part of the CLOUD Act remains applicable despite the Agreement, which could give the possibility to US authorities to bypass in some circumstances the targeting limitations (exclusion of persons located in the UK) of the Agreement rendering, in such circumstances, the reciprocity provisions of the Agreement an empty shell;

- The fact that the Agreement, in sharp contrast with the E-Evidence draft Regulation, does not include any mechanisms for resolution of conflicts of laws;

- The question whether transfer of EU data by CSPs under the UK/US CLOUD Act Agreement could conflict with the GDPR;

- The fact that, as shown by the two Charts, the legal regime is not the same when the UK wishes to access data as compared to when the US does so: the UK cannot access data of “US persons” – while the US can access data of UK persons not located in the UK;

- The fact that the Agreement does not require as such a judicial authorization before issuing an order to CSPs for production of content data and metadata – and what this could mean;

- The fact that the Agreement seems to be not just about law enforcement access to data during ongoing criminal investigations and proceedings, but also also about access by national security agencies. Indeed, the Agreement could give the impression of enabling intelligence agencies such as the NSA or the GCHQ to request content data or metadata from CSPs for the “prevention” of serious crime such as terrorism;

- The fact that the UK/US Agreement authorizes wiretap;

- A discussion of the Human Rights provisions of the Agreement;

- A comparison of its content with European standards;

…And several other issues.