Like it was aptly mentioned in the first part of this blog, the US-UK Cloud Act Agreement was put together pursuant to the Clarifying Lawful Overseas Use Data (CLOUD) Act of the United States. Being the first kind of Cloud agreement made by the US with another sovereign country, it’s useful as a blueprint for subsequent agreements.
Apart from safeguards such as Quality Control/Designated Authority, Opportunity to Object/Review Procedure, and Use Limitation- already mentioned in the first part, the following are some other important provisions of the US-UK Cloud Act agreement.
Third Country Notification (Article 5): When seeking the data of a subject believed to be outside the geography of the agreement’s signatories, the requesting government is obliged to notify the government of the country wherein the subject is located. Unless doing so can be proved to be detrimental to the investigation, national security, or national human rights regime of the petitioner-government.
Reciprocity (With Limits) (Article 1 & 7): In conformity with provisions of the Cloud Act, the agreement inhibits the UK from targeting data of US persons within the UK and vice-versa. The limitation becomes invalidated once such individual leaves either jurisdictions.
Minimization Provisions (Article 7): The agreement also stipulates the steps the UK has to take in protecting US persons’ data. Changes relating to the acquisition, dissemination, and retention of data, has to be signed off by the other party, prior to implementation.
Serious Crime Definition (Article 1): In the US Cloud Act, the definition of “serious crime” was left open. But in the agreement, “serious crime” is defined to mean crimes that require a maximum jail term of three or more years.
In all, this agreement contains a few privacy and civil liberties that go beyond the Cloud Act. Undoubtedly, it would serve as an appropriate model for future Cloud Act executive agreements.