On October 3, 2019, the United States and the United Kingdom entered into a first-of-its-kind executive agreement under the CLOUD Act. The text of the agreement was released on October 7, 2019.
For a fine overview of the provisions of the agreement, Jennifer Daskal and Peter Swire posted a summary on Lawfare, identifying some surprising provisions and others that fall a little flat. But there is a big flaw in the agreement that hasn’t been discussed — it allows either the US or UK to require a covered provider to wiretap a user located not in the US or UK, but in any third country, without the approval of that sovereign nation and perhaps even without its knowledge.
THE BIG INTERCEPTION FLAW IN THE US-UK CLOUD ACT AGREEMENT
