Updated October 15, 2018 There have been some recent suggestions that the CLOUD Act will result in U.S. law enforcement authorities being able to directly monitor live conversations of Europeans in Europe. This is inaccurate. The following explains why.

In their Lawfare article Recommendations for the Potential U.S.-U.K. Executive Agreement Under the Cloud Act, Peter Swire and Justin Hemmings discuss potential issues with such an agreement.  The article explains key points for the Justice Department and Congress to consider if an agreement is presented for consideration on the Hill, and seeks to provide concrete and workable measures to ensure that any U.S./U.K. conforms to both the statutory requirements of the Cloud Act and good public policy.

Governments around the world have started to modernize the processes by which law enforcement accesses digital evidence across borders. In the United States, passage of the CLOUD Act created the foundation for a new generation of international agreements that allows governments to engage with each other to create lasting rules to protect privacy and facilitate legitimate law enforcement access to evidence. In Europe last week, the European Commission presented its proposed e-Evidence legislation to the European Parliament. Many other governments are similarly seeking to update their laws to protect privacy, promote digital security and address the challenge of an increasingly borderless world.

Passage of the Cloud Act in the U.S. coupled with the newly adopted E-evidence Regulation in the EU offer real hope for a not-too-distant future where the rules for cross-border data demands by governments are more rational, proportionate, predictable, and transparent. Unfortunately, the path forward towards this vision has been complicated by myths painting these developments as a massive expansion of governmental authorities. The reality is that neither the Cloud Act nor the E-evidence Regulation represent a grant of sweeping new powers establishing new authorities to reach data stored abroad. These laws actually have the effect of putting legal authorities governments long claimed—and courts have long upheld—inside of a framework that can be observed, audited, and adjusted over time. Significant effort will be required by and between national governments to reconcile differences in their laws with an eye towards fundamental human rights and civil liberties are protected while law enforcement gain accelerated processes to obtain data necessary to fight crime in an increasingly digital world. Ultimately, however, having this level of visibility into how cross-border data demands are made and processed will prove a boon for both data protection and security.

In his recent Observatoire FIC article Lost in the Cloud? Law Enforcement Cross-border Access to Data After the “Clarifying Lawful Overseas Use of Data” (CLOUD) Act and E-Evidence, Professor Théodore Christakis of the University Grenoble Alpes provides a European view of the Cloud Act and a possible executive agreement between the U.S. and EU.  The article explains how the Microsoft Ireland case, the Cloud Act, and the proposed EU E-Evidence Regulation connect, and outlines potential obstacles including conflict between the U.S.’s preference to negotiate with individual Member States and the EU’s preference to negotiate on behalf of all Member States.

In their Lawfare article A Possible EU-US Agreement on Law Enforcement Access to Data?, Daskal and Swire explain the current negotiations between the EU and the U.S. concerning the Cloud Act and the proposed EU “E-Evidence” Regulation. The article discusses key U.S. and EU legal issues that would need to be addressed in any EU/U.S. agreement, notably including how competence is shared for relevant issues between the EU and its Member States.