Washington Journal of Law, Technology & Arts


Eddie B. Kim


In March 2018, Congress passed the Clarifying Lawful Overseas Use of Data Act, also known as the CLOUD Act, in order to expedite the process of cross-border data transfers for the purposes of criminal investigations. The U.S. government entered into its first Executive Agreement, the main tool to achieve the goals of the statute, with the United Kingdom in October 2019. While the CLOUD Act requires the U.S. Attorney General to consider whether the foreign government counterpart has a certain level of robust data privacy laws, the relevant laws of the United Kingdom have generally been questioned numerous times for their inadequacies in protecting privacy. Thus, the privacy of U.S. citizens may be in jeopardy under the new agreement. Although the texts of the CLOUD Act and the Executive Agreement clarify that the UK government cannot explicitly target the data of U.S. citizens, it does not guarantee that such information will not be gathered incidentally. First, the UK courts do not adhere to the equivalent level of probable cause standard that is demanded under the Fourth Amendment. Therefore, they may issue judicial orders to force the U.S.-based service providers to deliver certain data, which may include information that belongs to the U.S. citizens, to the UK government upon finding mere possibility of relevance to the investigations. Coupled with this fact is arguably less robust privacy protection in the United Kingdom, from which it is not difficult to imagine a situation where the private information of U.S. citizens is extracted while the UK government seeks data belonging to citizens of its own. This Article argues that the threat to the data privacy of U.S. citizens via incidental collection is not only possible, but probable. At the same time, this Article explores possible solutions to fill in the identified gaps in the CLOUD Act that would enhance the protection of U.S. citizens’ data privacy from incidental collection.

First Page