All these requirements constitute real practical restrictions on the obtaining of data by the UK authorities. Together with the essential obligations to be complied with, they appear to constitute a robust system that allows data providers – so-called “covered providers” – to be convinced of the legality of the requirements under both UK and US law. And for the avoidance of doubt, the agreement seems, at least at first glance, likely to facilitate one-way traffic in which the party laying down the requirements is the United Kingdom. This is not surprising given the market power of U.S. companies that provide communication and social media services.
Companies share all kinds of data for all sorts of reasons. However, if this data is personal data, additional attention is required. In some cases, a data controller shares data with another data controller (instead of delegating processing to a processor).
The UK is the first state to enter into an agreement under the US Clarifying Lawful Overseas Use of Data (CLOUD) Act, with the agreement that came into force in March 2018, so that delays in UK requests caused by the mutual legal assistance procedure can be avoided to the extent possible. Such delays have long been a pain for UK criminal investigators, especially given the key role played by communication data in the secret service and as evidence in UK criminal proceedings, and the fact that much of this data is stored and processed in the US by major US providers of communication and social media services.
With a data sharing agreement, a data controller (i.e. a party that determines what to do with the personal data in question instead of receiving instructions from another party) may share personal data with another data controller for agreed purposes.
The third controller is not subject to the instructions of the first controller; however, the agreement sets out a number of restrictions on the use of shared data, as well as a series of obligations to ensure that both parties comply with their obligations under the GDPR and the Data Protection Act 2018.
As anticipated in the long-standing requirements of U.S. domestic law and in the CLOUD Act itself, a key element is the protection that must be afforded to the United States, so that a request from the U.K. does not take effect when it attempts to target a U.S. person anywhere in the world or a person located in the United States. “Data minimization” is also necessary with respect to U.S. individuals when non-U.S. individuals are targeted. While in the United States this is a long-standing and well-understood approach, first with regard to telephony and then with regard to the practice of electronic surveillance, it is undoubtedly anathema to British law enforcement authorities, and it will probably be a real point of contention as far as practical operation is concerned. Nevertheless, it answers U.S. critics who have suggested that the U.S. government could make such deals without offering sufficient protection to Americans.