With the “CLOUD Act” of March 2018, the U.S. rushed ahead in facilitating law enforcement access to data held by U.S. service providers, such as Microsoft, Facebook, and Google. It also gave foreign law enforcement authorities the possibility to bypass existing MLA procedures and to directly request communication content of “non-U.S. persons” located outside the U.S. from U.S.-based providers, subject to specified requirements (see eucrim 1/2018, 36).

One pre-condition is the conclusion of an “executive agreement” with the “foreign government,” which must meet a number of criteria (e.g., adequate substantive and procedural laws on cybercrime and e-evidence, respect for the rule of law, non-discrimination and respect for human rights, accountability and transparency mechanisms, etc.).

The conclusion of an executive agreement is subject to a positive determination by the U.S. Attorney General before it is submitted to the US Congress. The EU and the U.S. agreed that the U.S. will negotiate one agreement with the EU instead of bilateral agreements with individual Member States. The Commission and the Council are preparing the mandate in order to start the negotiations.