U.S. and UK sign landmark data-sharing agreement, the first under the U.S. CLOUD Act and UK Crime (Overseas Production Orders) Act
The UK and United States have entered into a landmark agreement that will enable more efficient and effective access to electronic data for use in criminal investigations between their respective criminal law enforcement agencies.
The new U.S.-UK Bilateral Data Access Agreement
On 3 October 2019, U.S. Attorney General William P. Barr and UK Home Secretary Priti Patel signed the U.S.-UK Bilateral Data Access Agreement (the Agreement). This is the first agreement reached under the United States Clarifying Lawful Overseas Use of Data Act (CLOUD Act), passed in 2018, which gives U.S. law enforcement authorities, including the U.S. Department of Justice, the power to access electronically-stored data located outside the United States directly from communication service providers located outside the U.S. once a bilateral agreement with the relevant foreign country is signed. This is also the first agreement reached under the UK Crime (Overseas Production Orders) Act (C(OPO) Act), which received Royal Assent earlier this year. The UK law authorises domestic law enforcement agencies, including the Serious Fraud Office (SFO), to apply for a court order with extraterritorial effect to obtain data stored electronically directly from communication service providers based outside the UK.
Effect of the Agreement
Under the Agreement, law enforcement, when armed with appropriate court authorisation, may now go directly to tech companies or communication service providers based in the other country to access electronic data, rather than going through governments. This development is expected to allow for more efficient and effective access to data and thus dramatically speed up criminal investigations and prosecutions involving electronic evidence of crimes. Although ostensibly targeted at the investigation of terrorism and child abuse cases, this new tool is potentially of far wider application. It is likely also to be used in cases involving fraud, corruption, money laundering, cyberattacks and other serious offences.
Until now, Mutual Legal Assistance Treaty requests (MLATs) had to be submitted by law enforcement agencies to central governments and could take many months or even years to be processed. By comparison, the Agreement should allow law enforcement to obtain information in a matter of days or weeks. Once the Agreement takes effect, U.S. and U.K. law enforcement agencies could deploy these new tools to investigate and prosecute offences. This is expected to make it easier for law enforcement to follow investigative leads, bring charges and prosecute a case. The UK SFO Director Lisa Osofsky recently emphasised her desire to use all investigative and enforcement tools at the agency’s disposal to tackle the growing threat to the UK’s financial markets from international fraud and money laundering.
Certain conditions will have to be satisfied before data may be obtained. Any request for data must be made in accordance with the legislation of the country making the request and subject to independent oversight or review by a designated authority. In the UK, a court order will first have to be obtained under the C(OPO) Act, meaning that any request will be assessed by a judge who will need to be satisfied that there are reasonable grounds for believing that all or part of the data is likely to be of substantial value to the proceedings or investigation and that it is likely to be relevant evidence in respect of an indictable offence. There must also be reasonable grounds for believing that it is in the public interest for the data sought to be produced to or accessed by the investigators. Similarly, data access requests by U.S. law enforcement agencies will be subject to independent judicial authorisation and oversight in that law enforcement will be required to obtain the appropriate U.S. court order, subpoena, or search warrant pursuant to the CLOUD Act.
Safeguards and challenges
Additionally, limited safeguards are in place to ensure any disclosure of data conforms with relevant data protection legislation and also to protect communications service providers and tech companies. To comply with applicable data protection laws, law enforcement must obtain permission from the other country before using data gained through the Agreement as evidence in certain types of prosecutions, such as cases involving the death penalty in the United States (which the UK government opposes in all circumstances) and in UK cases implicating U.S. freedom of speech.
The CLOUD Act also provides mechanisms for U.S. communication service providers to challenge access requests, once the U.S.-UK Agreement takes effect. Providers may file a motion to modify or quash requests for disclosure under limited circumstances—specifically, if the provider believes the customer or subscriber is not a “U.S. person” (as defined under the CLOUD Act) and the disclosure would create a material risk of violating the laws of the country where the information is stored. Similarly, under the C(OPO) Act, the recipient of a production order or any person affected by it will have the right to apply to the UK court to have it varied or revoked. Additionally, the Agreement prohibits targeting residents of the other country, such that U.S. authorities may only investigate U.S.-based cases, and UK authorities only UK-based cases.
Despite these advances for law enforcement between the two countries, the Agreement does not change the way companies can use encryption or prevent the encryption of data. In particular, the Agreement does not enable law enforcement authorities to force data companies to hand over data in a legible format or break their own encryption policies.
Though just signed, the Agreement will not enter into force until after a six-month U.S. congressional review period mandated by the CLOUD Act, ratification by the UK Parliament and “designation” of the agreement by the UK Secretary of State. Absent a joint resolution of disapproval by the U.S. Congress or disapproval by the House of Commons during the review/ratification period, the Agreement should take effect in March 2020.
The Agreement may serve as a model for other bilateral agreements pursuant to the CLOUD Act and the C(OPO) Act. Additional bilateral agreements are anticipated, including between the United States and Australia who recently announced that they have begun negotiations on a bilateral agreement.