
European Law Blog – 21 Thoughts and Questions about the UK-US CLOUD Act Agreement: (and an Explanation of How it Works – with Charts)

Professor Theodore Christakis’s European Law Blog article 21 Thoughts and Questions about the UK-US CLOUD Act Agreement: (and an Explanation of How it Works – with Charts) unpacks, to the extent possible, the terms of the agreement not only to understand the basic mechanisms underlying it, but also to consider the International and Human Rights Law implications – including from a European Law perspective.

The article provides two charts intended to show when, how, and under which conditions data can be requested from cloud service providers (CSPs) by either the US or the UK under the agreement, and when other means of access to e-evidence (such as MLATs) should be used.

The article also presents a series of 21 first thoughts, comments, and questions on the content of the Agreement, including:

  • The fundamental question of whether the first part of the CLOUD Act remains applicable despite the Agreement, which could allow US authorities, in some circumstances, to bypass the Agreement's targeting limitations (exclusion of persons located in the UK), rendering the reciprocity provisions of the Agreement an empty shell in those circumstances;
  • The more general question concerning the relation and interaction between the Agreement and the domestic laws of the two countries;
  • The fact that the Agreement, in sharp contrast with the E-Evidence draft Regulation, does not include any mechanisms for resolution of conflicts of laws;
  • The question whether transfer of EU data by CSPs under the UK-US CLOUD Act Agreement could conflict with the GDPR;
  • The fact that, as shown by the two Charts, the legal regime is not the same when the UK wishes to access data as compared to when the US does so: the UK cannot access data of “US persons” – while the US can access data of UK persons not located in the UK;
  • The fact that the Agreement does not require as such a judicial authorization before issuing an order to CSPs for production of content data and metadata – and why this creates uncertainties about the legal regime;
  • The fact that the Agreement seems to be not just about law enforcement access to data during ongoing criminal investigations and proceedings, but also about access by national security agencies. Indeed, the Agreement could give the impression of enabling intelligence agencies such as the NSA or the GCHQ to request content data or metadata from CSPs for the “prevention” of serious crime such as terrorism;
  • The wiretap provisions of the UK-US Agreement; and
  • The question of what influence the UK-US Agreement could have on the EU-US negotiations.

To read the full article on the European Law Blog, please click here.

A PDF version of the full article is also available for download here.

These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.