On 3 October 2022, the Agreement between the Government of the United Kingdom and the Government of the United States of America on access to electronic data for the purpose of countering serious crime entered into force. It is shortly dubbed the UK-US Data Access Agreement (DAA). As far as can be seen, this is the first executive agreement within the framework of part II of the US CLOUD Act, which allows UK law enforcement authorities to directly receive communications data from US service providers instead of making government-to-government mutual legal assistance requests for such data (→ Daskal, "Unpacking the CLOUD Act", eucrim 4/2018, 220-225).

The DAA obliges each party to ensure their laws permit a telecommunications operator to lawfully respond to direct requests for covered data made by a relevant public authority in the other party’s jurisdiction. It requires that all DAA requests are compliant with the relevant existing domestic obligations the issuing public authority is bound by.

Data covered by the agreement are the content of an electronic or wire communication; computer data stored or processed for a user; traffic data or metadata pertaining to an electronic or wire communication or the storage or processing of computer data for a user. The Agreement also recognises that requests can be made for subscriber information.

Orders for data can only be made under the Agreement for the purpose of the prevention, detection, investigation or prosecution of a serious crime (including terrorism). A serious crime is defined as one which could result in a custodial sentence with a maximum possible term of at least three years. Other restrictions include:

• The order must target a specific account and a specific person, i.e. it must be particularized;
• When the UK is using the Agreement, they cannot request covered data on a US person or a person located in the US;
• DAA orders may not be used to infringe freedom of speech or for disadvantaging persons based on their race, sex, sexual orientation, religion, ethnic origin, or political opinions;
• The DAA cannot be used for orders on behalf of another government and the UK cannot make request on behalf of the US and vice versa. Permission must be obtained from the other party, if the requesting party wishes to share the data with another country or international organisation. Furthermore, there is no compulsion under the DAA to share data obtained under the Agreement with the other party or any third party;
• In the event that data obtained from a UK communication service provider is intended to be used as evidence in a case which could result in the death penalty, the US will obtain permission from the UK to use this data in evidence before doing so.

The Agreement will remain in force for five years, and can be extended by mutual agreement for five years (or any other period as may be agreed). It also makes provision of a mutual periodic review of operation.

The Agreement was signed on 3 October 2019 (→ eucrim 3/2019, 180). Human rights and civil liberties organisations tried to prevent the US Congress from approving the agreement (→ eucrim 3/2019, 180-181). They criticised that the DAA falls short to have included robust rights protections and they expressed their concerns that its low standard may serve as a template for other similar agreements under negotiation, such as the US-Australia agreement or the US-EU agreement (for the latter → eucrim 3/2019, 179-180).