The agreement does not change the way companies can use encryption and does not prevent companies from encrypting data. Although a U.S.-based provider is generally not required to provide communication content to third parties such as public authorities, with the corresponding U.S. legal process, the CLOUD Act created an important exception to this restriction. In particular, the Stored Communications Act (“SCA”) has been amended to allow foreign law enforcement to obtain content data directly from U.S. suppliers when the foreign government enters into a qualified “executive agreement” with the U.S. government. Accordingly, in certain covered circumstances, the executive agreement between the United States and the United Kingdom effectively “unlocks” the ability of British authorities to obtain content data on users of US suppliers in the absence of valid US legal process, and removes the requirement for the British authorities to request such data through tedious GWG channels.
The government is clear in its commitment to the right to privacy, but does not believe that the requirement to grant exceptional access to data where there is an arrest warrant undermines it in any way. Law enforcement and other agencies must have access, in certain circumstances, to data, with strong and independent authorization and supervision.
The issue of obtaining access to electronic data stored abroad has been growing steadily in recent years. This is particularly true for British law enforcement agencies, as the evidence needed to develop their investigations and support subsequent prosecutions is often held by US-based technology companies. The British government has denied that its mass surveillance programmes violate human rights – both in national courts and the European Court of Human Rights – but in the US and the United Kingdom. The executive agreement takes no position on these issues in particular. Instead, it contains a comprehensive certification that the UK meets the CLOUD Act's human rights and data protection requirements. The agreement alone therefore does not give other potential partner countries clear guidance on what the United States considers sufficient in terms of human rights or how it views them, apart from the fact that the United Kingdom is meeting these standards by continuing to use mass surveillance.
Any request for information must be made within the framework of an authorization, in accordance with the legislation of the requesting country, and is subject to independent review by a court, judge or other independent authority.
Under agreements already concluded between the United Kingdom, the United States and other jurisdictions, law enforcement agencies may request information held abroad under mutual legal assistance treaties (MLATs). In the MLAT process, law enforcement agencies send requests for information to the government of the country in which the company holding the data is headquartered. That government, in turn, reviews the request, obtains and serves a local order as required, collects the data and ultimately returns it to the law enforcement agencies of the requesting country. This is a multi-step process that can take months or even years to obtain relevant data from abroad.
The next specific factor is the “clear legal mandates and procedures” that govern the search for data by partner countries under the agreement, as well as sufficient accountability mechanisms. The United Kingdom met this standard in 2019 with the passage of the COPO Act which, like the CLOUD Act, approved Britain.