Under U.S. law, an agreement on the CLOUD Act is considered an “executive agreement” – not a “treaty,” because the CLOUD Act itself requires the conclusion of international agreements in this form.  The law also sets out national procedural rules for the approval of agreements concluded under its control. The U.S. executive must submit to Congress a series of certificates certifying that a cloud act agreement meets certain data protection and process requirements, and Congress must have a binding deadline to review an agreement before it can enter into force.  On January 10, 2020, after the completion of the certification requirements for the CC-US, the U.S. executive submitted it to Congress. Unless Congress approves the agreement, the president is authorized to put it into effect on July 8, 2020.  Critical protection of human rights in the mutual legal aid process (MLAT) is a requirement that an American unit, namely the DOJ and a judge, review a foreign application to ensure that it does not raise human rights concerns. Such protection is essential, as even legal courts in general may have certain laws or practices that raise human rights concerns. The United Kingdom The agreement extends this important protection by allowing suppliers to respond directly to uk requests.
As part of the agreement, the United States does not even conduct a cursory review of these applications, matters potentially contrary to U.S. interests or human rights. Moreover, under the agreement, the British government is not even required to inform the United States that an application has been made in all circumstances. This essentially leaves suppliers as a final line of defence and does not reflect the reality that many suppliers will not have the capacity or interest to carry out robust human rights controls on applications received. Nothing in the CLOUD Act would rule out the inclusion in a future ON THE CLOUD agreement of a “First Resort” scheme such as that of the Germany-U.S. mlAT. Otherwise, the United States would also not be prevented from giving a cloud agreement the exclusive opportunity to obtain information from a foreign jurisdiction, as was indeed the case with the EU-US TFTP agreement. It remains to be seen whether any of the parties with whom the United States is pursuing cloud agreements is trying to exclude or delay unilateral domestic procedures. They will have to weigh their sovereign sensibilities on their strong desire to quickly conclude an agreement that their own law enforcement authorities are urgently seeking. The U.S.-U.K. agreement reduces the bar for law enforcement access to stored communications content, such as emails and live e-mail in the United States.
The text of the agreement itself eliminates the strict probable cause for foreign law enforcement agencies access to content data stored under the Electronic Communications Privacy Act.  Instead, the U.U.K. text. The agreement requires that content requests, widely regarded as the most sensitive electronic data, only meet the standard of “appropriate justification based on articulated and credible facts, specificity, legality and seriousness.”  This standard is vague and is not clearly defined in the agreement and probably weaker than the probable cause in different contexts. In addition, it allows for the first time a foreign government to request wiretaps in the United States.