The CLOUD Act has been supported by the Department of Justice and by major technology companies such as Microsoft, Apple and Google. [11] [12] The bill has been criticized by several civil rights groups, including the Electronic Frontier Foundation, the American Civil Liberties Union, Amnesty International and Human Rights Watch. These groups argued that the bill deprived the Fourth Amendment rights against inappropriate searches and seizures, given that the government could enter into data rights exchange agreements with foreign countries and that U.S. courts would be able to notify affected users if such warrants were issued. [12] [13] Some of these groups were concerned that the government would not fully review requests from abroad for their citizens to be stored on servers in the United States, which could allow such data to be used in these countries in bad faith. [14] The CLOUD Act was passed by Congress in March 2018. It said companies subject to U.S. jurisdiction and subject to court rulings must hand over the data they control, regardless of where the data is stored. It also authorized the United States to enter into executive agreements with foreign governments on cross-border data requests. The agreement between the United States and the United Kingdom is the first executive agreement of its kind since the adoption of the CLOUD Act. The agreement will be subject to a six-month review of Congress, provided for by the CLOUD Act, and a review by the British Parliament. We want to clarify an important point about encryption. Despite a false report to the contrary, this agreement is independent of the separate and ongoing debate on encryption.

Indeed, the cloud law explicitly states that agreements «do not create an obligation for vendors to decipher or create borders that prevent providers from decrypting data.» In other words, these agreements are agnostic about encryption and decryption requirements, including whether, in what situations and procedures, a government requires companies to take steps to make encrypted data accessible elsewhere. However, it is possible that the UK government will use its separate legal authority to require decryption in the same investigation as the United Kingdom.