The Cloud Act allows a new data exchange system to allow law enforcement agencies in partner countries to bypass the MLAT procedure for serious criminal investigations. The passage of this law was necessary for the United States to enter into such agreements under the Electronic Communications Privacy Act of 1986 (ECPA), which prevents providers from sharing records with foreign governments without an arrest warrant, legal authorization or user consent. The CLOUD Act removes these legal barriers in U.S. law and allows partner countries that have signed an executive agreement to place orders directly to U.S. service providers. It also requires these partner countries to remove legal barriers that would prevent the U.S. government from ordering service providers within their borders. For example, a U.S. judge could issue an arrest warrant for information housed on a British server – provided the information is in possession, detention or control of a party with jurisdiction over the court – and british service providers comply without the prior authorization of their own government. This agreement will make citizens of both countries safer while ensuring strong protection of privacy and civil liberties.
Until now, without agreement on the CLOUD, the solution was theoretically to be based on the requests of the mutual legal aid contract. However, these requests had to be lodged by the enforcement authorities with central governments and could take many months, if not years, to be processed. The United States will have access to data from British communications service providers on the order of reciprocity of the United States. The United Kingdom has received assurances that the government`s persistent opposition to the death penalty in all circumstances. The agreement will most likely allow communication service providers to disclose data stored in the UK. The agreement is a legally binding and enforceable instrument allowing the transfer of personal data to the United States in accordance with Article 46, paragraph 2, point a), the RGPD and the removal of the restriction under Article 48 of the RGPD (against which the United Kingdom has in any case chosen).