By Theodore Christakis 
- Introduction: The Need to Unpack the Long-Awaited UK-US Data Sharing Agreement
After four years of negotiations surrounded by secrecy, the United Kingdom and the United States finally released, on October 7, 2019, the text of their data-sharing agreement, which aims to facilitate cross-border access to electronic data for the purpose of countering serious crime. This long-awaited agreement is the first of the executive agreements envisioned by the CLOUD Act. It is, as rightly said, “critically important providing not just a window into the US and UK’s approach but also presumably setting out a basic blueprint for other agreements that may follow”. Indeed, the US and the European Union have recently begun negotiations in order to conclude an agreement in this field, while the US and Australia have also announced that they have started similar negotiations.
The first reactions to the announcement of the UK-US Agreement have, not surprisingly, been mixed. Jennifer Daskal and Peter Swire hailed an agreement containing “quite a few privacy and civil liberties safeguards that go beyond the text of the CLOUD Act”. The Electronic Frontier Foundation talked, on the contrary, about “a race to the bottom” (a comment made before the publication of the text of the Agreement), while others worried about purported “Cowboy practices” (!). Whereas in the US, Congressman Doug Collins lauded the Agreement, in Europe a few MEPs raised concerns about it and submitted a written question to the European Commission.
Before rushing to judgment on what this means for transatlantic law enforcement access and, in particular, how a future EU-US agreement might differ, it is essential to understand the Agreement's provisions, its safeguards, and how the mechanisms of direct access to data that it introduces will work. But “understanding” cross-border data issues is not always easy, and the UK-US Agreement is far from being an exception. The Agreement includes some complex mechanisms which were considered necessary in order to accommodate the distinct legal requirements of the parties. The introduction of terms such as “Receiving-Party Persons” (based on the idea of reciprocity, but with two differentiated regimes) or “US-persons”, and the resulting targeting procedures envisioned by the Agreement, sound somewhat odd to lawyers not familiar with the subject matter, not to mention the general public. Moreover, the introduction of a system of “direct access to data” must, in general, take into account a variety of factors: the location of data is one of them; the location of the targeted persons is another; and the location of Cloud/Communication Service Providers (“CSPs”) is a third. The combination of these factors, and the fact that multiple “locations” (and different jurisdictions) can be implicated in a request to access digital evidence, sometimes makes it difficult to determine how (or whether) various cross-border demands would be treated under the Agreement.
The objective of this paper is thus to unpack, to the extent possible, the terms of the UK-US Agreement, not only to understand the basic mechanisms underlying it, but also to consider its international law implications and some human rights issues – especially from a European law perspective. This, in turn, could help assess what the differences could be between the UK-US Agreement and the envisioned EU-US agreement on this same issue, the negotiations for which have recently kicked off.