I. Introduction: The Need to Unpack the Long-Awaited UK-US Data Sharing Agreement
After four years of negotiations surrounded by secrecy, the United Kingdom and the United States finally released, on October 7, 2019, the text of their data-sharing agreement aiming to facilitate cross-border access to electronic data for the purpose of countering serious crime. This long-awaited agreement is the first of the executive agreements envisioned by the CLOUD Act. It is, as has rightly been said, “critically important providing not just a window into the US and UK’s approach but also presumably setting out a basic blueprint for other agreements that may follow”. Indeed, the US and the European Union have recently begun negotiations in order to conclude an agreement in this field, while the US and Australia have also announced the start of similar negotiations.
The first reactions after the announcement of the UK-US Agreement have, not surprisingly, been mixed. Jennifer Daskal and Peter Swire hailed an agreement containing “quite a few privacy and civil liberties safeguards that go beyond the text of the CLOUD Act”. The Electronic Frontier Foundation talked, on the contrary, about “a race to the bottom” (a comment made before the publication of the text of the Agreement), while others worried about purported “Cowboy practices” (!). Whereas in the US Congressman Doug Collins lauded the Agreement, in Europe a few MEPs raised concerns about it and submitted a written question to the European Commission.
Before rushing to judgment on what this means for transatlantic law enforcement access, and, in particular, on how a future EU-US agreement might differ, it is essential to understand its provisions, its safeguards, and how the mechanisms of direct access to data introduced by the Agreement will work. But “understanding” cross-border data issues is not always easy, and the UK-US Agreement is far from being an exception. The Agreement includes some complex mechanisms which were considered necessary in order to accommodate the distinct legal requirements of the parties. The introduction of terms such as “Receiving-Party Persons” (based on the idea of reciprocity, but with two differentiated regimes) or “US persons”, and the resulting targeting procedures envisioned by the Agreement, sound somewhat odd to lawyers not familiar with the subject matter, not to mention the general public. Moreover, a system of “direct access to data” must, in general, take into account a variety of factors: the location of the data is one of them; the location of the targeted persons is another; and the location of the Cloud/Communication Service Providers (“CSPs”) is a third. The combination of these factors, and the fact that multiple “locations” (and different jurisdictions) can be implicated in a single request to access digital evidence, makes it sometimes difficult to determine how (or whether) a given cross-border demand would be treated under the Agreement.
The objective of this paper is thus to unpack, to the extent possible, the terms of the UK-US Agreement, not only to understand the basic mechanisms underlying it but also to consider its International Law implications and some Human Rights issues – especially from a European Law perspective. This, in turn, could help assess the differences between the UK-US Agreement and the envisioned EU-US agreement on this same issue, the negotiations for which have recently kicked off.
First, this Article tries to explain the basic mechanisms of the UK-US Agreement – without, of course, pretending to an exhaustive presentation of all the multiple issues covered. This is done through two graphic Charts presenting when and how (and under which conditions) data can be requested from CSPs by the two parties to the Agreement, and when other, more traditional means of access to e-evidence, such as Mutual Legal Assistance Treaties (MLATs), should be used (Part II). Then this paper expresses a series of first thoughts, comments and questions on the content of the Agreement. It considers that, while the Agreement contains some useful elements that could help check some of the boxes of the negotiation mandate given to the European Commission by the Council of the EU in June 2019, several other issues remain unclear and uncertain, while others are clearly problematic. They raise a series of important questions that need to be addressed in order to better understand the implications of this Agreement for the ongoing EU-US negotiations and, more generally, for EU law (Part III).
II. How the UK-US Agreement Works
The problem to which the UK-US Agreement responds has been explained in detail in a separate post with coauthors Jennifer Daskal and Peter Swire: increasingly, evidence critical to ordinary criminal investigations is located across territorial borders. Before the rise of cloud computing, evidence of crimes was generally available within the requesting country’s territorial jurisdiction. Today, the content of emails, social network posts and other material is often stored in a different country. A 2018 report by the European Commission found that “more than half of all investigations involve a cross-border request to access [electronic] evidence” (see page 14, here).
This globalization of criminal evidence is creating significant challenges for law enforcement. Traditional cross-border mechanisms such as Mutual Legal Assistance Treaties are widely considered too slow and cumbersome. The explanatory Memorandum to the UK-US Agreement states that “the total time for the process [of an MLAT request submitted to the US by the UK] is typically a year but can be years”. “Meanwhile the criminal activity continues with victims continuing to be harmed”. The purpose of the UK-US Agreement is thus to propose a paradigm shift: instead of requesting e-evidence through the time-consuming inter-State mechanism of MLATs, the parties could request the data directly from CSPs, subject to several conditions and safeguards. This is exactly the logic of the E-Evidence draft regulation and directive currently under discussion at the EU level (discussed previously on this blog and elsewhere, see here, here and here). The UK-US Agreement will be particularly beneficial for the UK: it is based on the second part of the CLOUD Act, which allows like-minded countries that enter into a CLOUD Act executive agreement with the US to make direct requests to US providers for communications content relevant to the investigation of “serious crime”, subject to several other limitations and conditions. In other terms, thanks to this Agreement, the UK will henceforward overcome the blocking provisions of the Stored Communications Act, which otherwise prohibits US-based service providers from disclosing communications content to a foreign government (for a detailed explanation of how this works, see here). The explanatory Memorandum to the UK-US Agreement considers that “it is anticipated that the US will make considerably less use of the Agreement as few UK CSPs hold data of interest to the US” – but “the reduction in the burden on the US from MLA treaty requests is the key benefit the Agreement will deliver to the US” (see here, page 5).
After these contextual remarks, let’s now proceed to the presentation of how exactly the UK-US Agreement works. The first Chart shows when and how the UK can request data from US-based CSPs, while the second shows when the US can request data from UK-based CSPs. Both Charts focus only on access to stored content data and on the interception of wire or electronic communications related to a serious crime investigation. However, it should be noted that the Agreement of course also authorizes requests for “traffic data or metadata” and subscriber information. The reason for not introducing these two categories of covered data into the Charts is explained in their commentaries (n°2 and 9): the domestic laws of the two countries might, in fact, be more permissive than what the Agreement provides for in relation to metadata (and certainly are in relation to subscriber information) – which means that the location limitations appearing in the Charts would have been somewhat misleading once the broader reach of national laws is taken into consideration. More generally, the purpose of the Charts and of this article is to reflect what the Agreement says (or does not say) and to highlight some problematic issues. While some thoughts and comments on UK and US laws are made when particularly relevant, it is far beyond the scope of this Article to enter into a sophisticated 50-page analysis of the meanders of US and UK law on these issues. I do hope that US and UK lawyers will take the lead on this and that my article will contribute to identifying issues for further analysis.
Chart 1
Comments on Chart 1:
1. The Agreement does not make, as such, a distinction depending on whether the data are stored in the UK, the US or in any other country.
2. Both Charts only focus on the issue of access to content data – which are particularly sensitive data. The Agreement also covers “traffic data or metadata”, which can also be particularly intrusive (as highlighted by the European Court of Human Rights). However, I do not include them in the Charts due to the uncertainty surrounding access to metadata under the domestic laws of the two countries: the US Stored Communications Act is clearly a blocking statute for content data. In general, it is not currently a blocking statute for metadata, so requests for metadata do not necessarily go through an MLAT (although there is uncertainty in this respect in the wake of Carpenter – an important case decided by the US Supreme Court). To put it simply: domestic law might be more permissive than what the Agreement provides for in relation to metadata. Similarly, the Agreement of course also covers access to subscriber information (including through detailed provisions in Article 10). That said, CSPs already respond to a large number of requests for subscriber information on the basis of voluntary cooperation.
3. The Agreement authorizes wiretaps under the additional conditions of Art. 5(3), requiring that such Orders “shall be for a fixed, limited duration; may not last longer than is reasonably necessary to accomplish the approved purposes of the Order; and shall be issued only if the same information could not reasonably be obtained by another less intrusive method”.
4. “Serious Crime” is defined as “an offense that is punishable by a maximum term of imprisonment of at least three years” [Art. 1(14)]. It could be noted that this seems to be inspired by the equivalent provisions of the EU E-Evidence draft.
5. All the “YES” appearing in these charts are subject to the conditions and safeguards appearing in the Agreement including those of articles 7 and 8, and also subject to the requirements on the respective domestic laws.
6. “U.S. Person” means: (i) a citizen or national of the United States; (ii) a person lawfully admitted for permanent residence; (iii) an unincorporated association a substantial number of members of which fall into subsections (i) or (ii); or (iv) a corporation that is incorporated in the United States. [Art. 1(16)]
7. Nonetheless, it should be emphasized that: a) the notified third country has no possibility to object to the production of the data by the CSP; and b) the Agreement provides for no specific mechanism for the resolution of a possible conflict with a third country’s laws (although existing national mechanisms, such as a request for comity analysis, apply – see infra Part III).
Chart 2
Comments on Chart 2:
Introductory comment: Chart 2 describes the mechanism of access to data by US authorities as it appears in the UK-US Agreement. However, the targeting and other limitations appearing in the Agreement and reflected in this Chart might not apply in several cases if, as everything seems to indicate, the CLOUD Act remains fully in force. See comments n°11, 14 and 15 below.
8. The Agreement does not make, as such, a distinction depending on whether the data are stored in the UK, the US or in any other country.
9. Both charts only focus on the issue of access to content data. However, as explained above (comment n°2) the Agreement covers also “traffic data or metadata” and access to subscriber information.
10. As mentioned above (comment n°3), the Agreement authorizes the interception of wire or electronic communications under the additional conditions of Art. 5(3). This seems to go beyond what is provided for by the Wiretap Act, which is the statutory authority for US law enforcement officials to intercept electronic communications in real time. According to this Act, a judge may only authorize such surveillance “within the territorial jurisdiction of the court in which the judge is sitting (and outside that jurisdiction but within the United States in the case of a mobile interception device)”. For an analysis see here.
11. “Serious Crime” is defined as “an offense that is punishable by a maximum term of imprisonment of at least three years” [Art. 1(14)]. However, it should be noted that the first part of the CLOUD Act is not limited to “serious crime” but concerns all types of crime. The CLOUD Act seems to remain applicable in UK-US relations after the adoption of this Agreement (see infra comment n°14). US law enforcement agents could then, under the conditions of US law, make requests for stored communications data related to all kinds of criminal investigations.
12. All the “YES” appearing in these charts are subject to the conditions and safeguards appearing in the Agreement including those of articles 7 and 8, and also subject to the requirements on the respective domestic laws.
13. The “targeted person” covers: (i) any governmental entity or authority of the UK; (ii) an unincorporated association, a substantial number of members of which are located in its territory; (iii) a corporation located or registered in its territory; or (iv) any other person located in its territory.
14. However, these provisions of the Agreement might appear, in large part, misleading: US law enforcement authorities could instead use the CLOUD Act which, in its first part, authorizes US access to e-evidence “regardless of whether such communication, record, or other information is located within or outside of the United States”. In other terms, the UK-US Agreement’s limitation excluding persons located in the UK seems to be overridden by the broader reach of the CLOUD Act each time the CSPs are under US jurisdiction and have possession, custody, or control of the data. The UK-US Agreement does not seem to modify existing US law. This is also stressed by Art. 6(3) of the Agreement, according to which: “This Agreement does not in any way restrict or eliminate any legal obligation Covered Providers have to produce data in response to Legal Process issued pursuant to the law of the Issuing Party”. It has also been confirmed by the US Department of Justice during a public conference in Washington DC on October 15, 2019. See Part III below.
15. See, however, the previous note concerning the applicability of the CLOUD Act in situations where CSPs are under US jurisdiction and have possession, custody, or control of the data. The CLOUD Act does not include a notification requirement. Once again, the limitation appears to be an empty shell in such cases.
16. It should nonetheless be emphasized that: a) the notified third country has no possibility to object to the production of the data by the CSP; and b) the Agreement provides for no specific mechanism for the resolution of a possible conflict with a third country’s laws (although existing national mechanisms, such as a request for comity analysis, apply – see infra Part III).
III. Thoughts and Questions on the UK-US Agreement and Its Effects
The comments under the Charts already raise several issues and questions. We can summarize them here, while adding a series of other important thoughts and questions.
Let’s first focus on reciprocity. A simple comparison of the two Charts shows that the legal regime is not the same when the UK wishes to access data as when the US does so. At first glance, one could be surprised by the fact that the limitations are much greater for the UK side – which cannot access data of “US persons” – while the US can, under the Agreement, access data of UK persons not located in the UK. To give an example: the US cannot target, under the Agreement, a UK national located in the UK – but if this UK person travels to France, the US can target him/her! This differentiation results from EU law, which prohibits discriminatory treatment between citizens of different Member States. It was thus impossible for the UK to introduce into the Agreement a prohibition on targeting “UK persons” equivalent to the prohibition on targeting “US persons” (required by US law). The UK had in reality only two options: either introduce into the Agreement a prohibition on targeting any “EU person” – but this was a no-go for the two parties; or limit the reciprocity provisions to the “persons located in the UK” dimension – giving more latitude to US authorities – the solution finally adopted. Still, one could have the impression that the Agreement is based on reciprocity, albeit a limited one. This impression could, nonetheless, be just an illusion if one takes into consideration the fact that the CLOUD Act remains applicable.
There is indeed a fundamental issue related to the continuing relevance of the first part of the CLOUD Act. Using the CLOUD Act as the basis of the request, instead of the Agreement, could allow US authorities to avoid in some circumstances (CSPs under US jurisdiction having possession, custody, or control of the requested data) the targeting limitations (exclusion of persons located in the UK) of the Agreement, rendering, in such circumstances, the reciprocity provisions of the Agreement an empty shell. Indeed, everything seems to indicate that the US CLOUD Act remains in full effect after the UK-US Agreement (see also Chart comment n°14). The “reciprocity” provisions and limitations of the Agreement thus seem to be misleading: the US would retain access any time it has “possession, custody, or control” in the US, which means it will always have access to all the major US service providers, irrespective of UK personhood. Moreover, the continued applicability of the first part of the CLOUD Act permits US law enforcement authorities to bypass, in such cases, other limitations and safeguards included in the Agreement, such as the requirement of “serious” crime (see Chart comment n°11) or the requirement of notification of affected third States (see Chart comment n°15). It is very interesting that, during a public conference in Washington DC on October 15, 2019, representatives of the US Department of Justice could not provide any example where the US, under current law, would need to use the Agreement (instead of the CLOUD Act) to gain access. For them, the big effect of the Agreement was helping the UK which, henceforward, will be able to request (under the conditions of the Agreement) content data and wiretaps from US CSPs – something that was impossible before, because of the Stored Communications Act blocking statute. It thus seems to be confirmed that existing CLOUD Act authorities and other domestic laws remain fully in force.
One could question, by the way, whether the existing provisions of UK law, such as the Investigatory Powers Act 2016 and the Crime (Overseas Production Orders) Act 2019, read in conjunction with Art. 6(3) of the Agreement (cited in Chart comment n°14), might in a similar way permit the UK to go beyond some of the limitations existing in the Agreement.
As a continuation of the previous two points, one could note how strange the Agreement appears in the eyes of an International Law expert. There are at least two curiosities. First, from the point of view of an International Lawyer, International Law always has primacy over domestic laws. Articles 26 (“pacta sunt servanda”) and 27 (“A party may not invoke the provisions of its internal law as justification for its failure to perform a treaty…”) of the Vienna Convention on the Law of Treaties are cornerstones of contemporary International Law. One would expect the function of a data-sharing agreement such as the one between the UK and the US to be to fix directly and with clarity the rules and the framework of access to data by the authorities of the two states. Instead of this, the UK-US Agreement clearly announces its subordination to national laws in Art. 6(3) (cited in Chart comment n°14). This makes the legal regime very difficult to understand: in order to have a full comprehension of it one needs to be simultaneously an expert in International, US and UK law and to have a profound knowledge of: 1) the Agreement itself; 2) the provisions of multiple US laws (CLOUD Act, Stored Communications Act, Wiretap Act, Foreign Intelligence Surveillance Act…); AND 3) the equivalent provisions of multiple UK laws… How many experts in the US and UK (not to talk about the rest of the world) have this level of expertise? In any case, this situation creates huge uncertainties and is probably not the best model to follow for future similar agreements. The second curiosity concerns the “reciprocity as an empty shell” theory discussed above. If the two parties intended to maintain the CLOUD Act in force, which authorizes US authorities to access data in (almost?) all cases, then why did they introduce into the UK-US Agreement all these limitations (impossibility to request data of persons located in the UK, obligation to notify a third State, etc.) as they appear in Chart 2? What is the meaning of introducing limitations in an Agreement if domestic law can override them? What is the meaning of talking about reciprocity if, in reality, there is (almost) none? It makes little sense. To conclude on this point: the reciprocity provisions of the UK-US Agreement could make a lot of sense if they were followed by the clarification that the Agreement replaces the equivalent provisions of domestic law and that the authorities of the two states need to respect in all cases the limitations of the Agreement as they are reflected in the two Charts.
Another important issue is that the Agreement does not include any mechanism for the resolution of conflicts of laws. Indeed, as shown in the two Charts, the Agreement authorizes both the US and the UK to request from service providers located in their respective countries the data of persons residing in a third country (data which might also be stored in that third country). This might create conflicts if such third countries have blocking statutes. The silence of the Agreement in this respect is in sharp contrast with the introduction of detailed conflict-of-laws provisions in another international instrument, the E-Evidence regulation (for a discussion of how the EU Council downgraded the initial protections introduced by the European Commission, read here). This problem is, nonetheless, somewhat mitigated by the fact that such situations should be fairly rare: according to some CSPs, in more than 90% of all criminal investigations the suspect is located in the country requesting the data. The problem is also mitigated by the possibility for CSPs to use national mechanisms, such as a request for a comity analysis, possibly combined with the procedure recognized by Art. 5(11) of the Agreement. The CLOUD Act, for instance, provides for a specific comity mechanism where an executive agreement has been concluded, while the common law standards governing the availability or application of comity analysis also remain available to CSPs.
In relation to the previous point, an important question is whether the transfer of EU data by CSPs under the UK-US CLOUD Act Agreement could conflict with the GDPR and, more specifically, Article 48. I have discussed extensively elsewhere when and how GDPR Article 48 could be considered a blocking statute and how the derogations of Article 49 might or might not be applicable – an issue also addressed in the recent joint EDPB/EDPS opinion on the CLOUD Act. On the basis of these elements, one could consider that future conflicts between transfers of EU data under the UK-US CLOUD Act Agreement and the GDPR cannot be excluded. It should be noted, in this respect, that the UK Government has chosen not to opt in to Article 48 and considers that it is not bound by that Article. It could be useful in the future to think about how data-sharing agreements (such as the future EU-US Agreement) could interact with other similar agreements (such as the one between the UK and the US) in order to avoid adding a further layer of complexity to conflict-of-laws issues.
As mentioned above (Chart comments n°7 and 16), the requirement to notify, as a principle (and with the exceptions mentioned in Article 5(10)), an affected third State (where the person is located) is positive and could help address conflict-of-laws issues. However, the Agreement could have been more precise about how exactly this notification should take place, and could have fixed transparency requirements in this regard so that the exceptions do not become the rule. Also, as mentioned, the fact that the CLOUD Act remains in force renders the Agreement’s notification requirement an empty shell each time US authorities request data of persons located in a third country.
Another important issue is the fact that the Agreement does not, as such, require a judicial authorization before an order is issued to CSPs for the production of content data and metadata. This contrasts sharply with the EU E-Evidence Regulation draft, which insists heavily on the requirement that an order for the production of transactional and content data “may be issued only by a judge, a court or an investigating judge competent in the case concerned” (see Article 4(2)). It also contrasts with the negotiation mandate given to the European Commission by the Council of the EU, which requires the issuance of such orders by “judicial authorities”. Of course, one could respond that both US and UK domestic laws might require prior judicial review/authorization for such orders. Indeed, during initial discussions with US and UK colleagues it has been said that a judicial authorization is necessary in all situations of access to content data envisioned by the Agreement. However, one could then ask: if such a requirement exists in both the US and UK domestic systems, then why did the drafters not include such an important requirement in the Agreement to avoid criticism – such as that raised immediately by some Members of the European Parliament? The fact that such a requirement has not been introduced directly into the Agreement creates a cloud of doubt in this respect, a feeling that “there is no smoke without fire”, and raises the question of potential legal loopholes. More clarity will be needed in this respect in future commentaries on the Agreement.
In relation to the previous point, it should be mentioned that the explanatory Memorandum describes how the Agreement will enable not only “law enforcement and prosecution agents” but also “national security agencies” to request data related not only to the “detection, investigation or prosecution” but also to the “prevention” of serious crime. This might give the impression that the Agreement is not just about law enforcement access to data during ongoing criminal investigations and proceedings, but could also enable intelligence agencies such as the NSA or the UK’s Government Communications Headquarters (GCHQ) to request content data or metadata from CSPs for the “prevention” of serious crime such as terrorism. This, in turn, raises once again the question of whether a judicial authorization is always needed in the domestic systems of the two countries for such requests by intelligence agencies, and whether judicial oversight and control and adequate legal remedies for targeted persons are available in such situations.
The Human Rights provisions of the Agreement also raise some important questions. The most important is, probably, the absence of any requirement in the Agreement to notify (or to let the CSPs notify) the targeted persons. This is, once again, in sharp contrast not only with the notification requirements of the E-Evidence Regulation draft (for a discussion read here), but also with the calls of some CSPs to recognize a “universal right to notice” and to “ensure that secrecy orders are the exception not the rule when the government seeks data owned by [CSPs’] customers”. Once again, the domestic legal systems of the UK and the US might (or might not) remedy some of these shortcomings (for US law see, for instance, the discussion under point 26 here), but the silence of the Agreement in this respect should be noted.
Another issue concerns what seems like a divergence in the very definition of some categories of data. More precisely, Article 1(15) of the UK-US Agreement includes in the definition of “subscriber information” “telephone connection records” and “records of session times and durations”. This seems to go beyond the understanding of “subscriber data” under EU law and the proposed E-Evidence Regulation. Indeed, “telephone connection records” seem to correspond more to the category of “access data” or even “transactional data” in the E-Evidence draft (compare with Article 2(7)-(9) of E-Evidence).
The fact that the UK-US Agreement authorizes wiretaps also raises some questions, and not only the ones mentioned in Chart comment n°10 about the effect of such a provision on US law and the Wiretap Act. More precisely, it is well known that, after much debate, EU Member States decided to exclude wiretaps from the E-Evidence Regulation. The draft explains that: “This Regulation regulates gathering of stored data only […]. It does not stipulate a general data retention obligation, nor does it authorise interception of data…” (see here, recital 19). It is thus hard to imagine the introduction of a similar provision on wiretaps in the EU-US Agreement.
Despite all these problems and doubts, there are also some positive elements in the Agreement which could be helpful for the EU-US Agreement. Jennifer Daskal and Peter Swire have presented them very well in their blog post. These include: the introduction of quality control/designated authorities (Art. 5); the opportunity for CSPs to object/request review procedures (Art. 5(11)), with the possibility to raise such objections to the authorities of both States (and not just the issuing State); the limitations on use and transfer (Art. 8); the targeting and minimization provisions (Art. 7); the transparency requirements (Art. 12); and others.
Another positive element is that the Agreement focuses on the location of the targeted person – not on the location of the data. All safeguards (including limitations on targeting and notification requirements for third States) turn on this criterion. As I have argued elsewhere, it is important to put the targeted persons (and the States where they are located) at the heart of any legal regime, instead of focusing only on the rather artificial criterion of the place where the data are stored – as the EU Council did in its general approach on E-Evidence. Indeed, the Council of the EU introduced some safeguards (a notification requirement) only in favor of the country where the data are stored – but not in favor of the country where the targeted person is located. The UK-US Agreement adopts a much better approach and could be helpful in this respect both for the EU-US negotiations and for the final E-Evidence draft.
It should also be noted that, contrary to what some press articles seem to imply, the UK-US Agreement does not affect end-to-end encryption. It does not compel CSPs to remove encryption or introduce backdoors and is encryption neutral (something also emphasized in the Explanatory Memorandum). However, the fact that the announcement of the UK-US Agreement was made in conjunction with a highly debated letter by the US, the UK and Australia to Facebook criticizing encryption creates confusion. One could then wonder how the “direct access” mechanisms of the UK-US Agreement could be combined in the future with efforts by these governments to weaken encryption in some cases. As Swire and Daskal have noted: “There is, nonetheless, a possibility that the U.K. government could use its separate statutory authority to demand decryption, in the same investigation that the U.K. seeks an order under the Agreement”. The two scholars add that: “The major service providers have strongly objected to the U.K. decryption authority. If such a decryption order were to occur, the provider presumably would object to the order and would have the objection process in the agreement as a new mechanism for doing so”.
The introduction, in the Agreement, of specific Freedom of Expression provisions (Art. 8(4)) is also a positive development. It remains to be seen how this could interact with the new strong hate speech laws in some EU countries (such as France).
Similarly, the introduction, in the Agreement, of specific protections in relation to offenses for which the death penalty is sought (Art. 8(4)) is also positive and responds to a major European requirement for an EU-US Agreement.
This brings us to a huge question: what could be the influence of the UK-US Agreement on the EU-US negotiations? It is important to emphasize that no two data sharing agreements will be the same because, of course, each negotiating party has its own requirements. We should also probably avoid comparing a bilateral agreement between two States (such as the UK-US one) with an agreement between a State (the US) and a supranational organisation such as the EU. Much will also depend on the nature of the EU-US agreement: is it going to be a comprehensive data sharing agreement, or a framework EU-US agreement to be followed by bilateral agreements with EU Member States, as the US strongly insists (see, for instance, the recent report on the EU-US negotiations that the EU Commission submitted to the Council)?
This being said, the US-UK Agreement shows that two parties negotiating an agreement can introduce the safeguards necessary to fulfill the interests and needs of both parties’ legal systems. There are some positive elements in the UK-US Agreement that could help find creative solutions for the EU-US agreement. These include the fact that the Agreement is based on reciprocity (although a rather limited one – not to say a very limited one if the broader reach of the CLOUD Act remains in force…), the introduction of additional safeguards (including protections related to the death penalty), targeting and minimization procedures, the prohibition of onward transfers, transparency requirements, periodic joint reviews, etc.
However, several other issues, starting with the requirement of judicial authorization, should be much better addressed in the EU-US agreement than they have been in the UK-US one. Similarly, one could expect that the EU-US agreement will give a more prominent place to Human Rights protections (including privileges and immunities) than the one between the US and the UK, which remains, according to this author, a little vague on some Human Rights safeguards and remedies. It is to be noted, in this respect, that the negotiation mandate given to the EU Commission by the Council of the EU requires the introduction of several Human Rights safeguards in the EU-US Agreement, and it is expected that the EU Parliament, while not a direct actor in the negotiations, might require even more safeguards prior to consenting to such an Agreement. Moreover, the future EU-US agreement should be “Court-proof” in order to avoid disappointments such as what happened with the EU-Canada PNR Agreement (discussed in this Blog here and here), where the CJEU applied a high level of scrutiny with respect to Human Rights protections and safeguards.
Similarly, the US-UK Agreement’s provisions on reciprocity do not meet the standards of what is expected by the EU. Indeed, the EU negotiation mandate insists heavily on perfect reciprocity and requires that “the agreement should be reciprocal in terms of the categories of persons whether legal or natural persons whose data must not be sought requested pursuant to this agreement”. The differentiated regime of the US-UK Agreement does not really seem to correspond to what is expected by the EU. Moreover, as discussed in this article, if the broader reach of the CLOUD Act remains in force, this would mean in reality that the reciprocity limitations of the UK-US Agreement are an empty shell whenever the US has possession, custody or control of the data. We can hardly imagine how the EU could accept such a situation.
Finally, there are some other questions raised by the US-UK Agreement which do not concern the content of the Agreement as such or its potential influence on the EU-US negotiations – but its effect on EU law. MEPs Sophie In’t Veld (The Netherlands) and Moritz Körner (Germany) have submitted a written question to the European Commission in this respect. “Considering that the UK is still an EU Member State, does the Commission consider this bilateral agreement to be in line with EU law, notably the GDPR and the Law Enforcement Directive and with the Case Law of the European Court of Human Rights? If not, will it start infringement proceedings?” was one of those questions. “If the UK should leave the EU, how will this agreement affect the adoption of an adequacy decision for personal data transferred from the EU to the UK?” was another. It will be interesting to see the answers that the EU Commission will provide to these questions, as well as to a third question submitted by the same MEPs about whether this agreement sets a precedent or could restrict the EU’s room for manoeuvre in the current negotiations with the United States. More generally, it will be important to follow the discussions about the multiple points of uncertainty surrounding the US-UK CLOUD Act Agreement – including the ones highlighted in this article.
You can download a PDF version of this article here: https://ssrn.com/abstract=3469704
The author would like to thank all the colleagues who contributed comments to a previous draft of this article, including Karine Bannelier, Vanessa Franssen, Oliver Garner, Mona Giacometti, and, especially, Peter Swire. He would also like to thank Mathias Becuye, Katia Bouslimani and Stephanie Lorca for their help in finalizing the Charts. The views expressed in this article are entirely the author’s. My research on this topic has been supported by the Institut Universitaire de France, the Grenoble Alpes Data Institute and the Cross-Border Data Forum. I would also like to thank the NYU School of Law and its Centre for Cybersecurity for providing excellent working conditions that permitted the drafting of this article during my visitorship.