Law enforcement without borders: The US-UK Data Access Agreement

The Agreement is an example of both the increasing strength and necessity of international law enforcement collaboration.

02 October 2020


The UK-US Bilateral Data Sharing Agreement (the Agreement) was signed in October 2019 and can be brought into force from 8 July 2020. Our current understanding is that it is not yet in use, as it remains subject to law enforcement putting data minimisation processes in place. However, it heralds a potential step change in the jurisdictional reach of UK law enforcement. It is described as a "world-first" that will dramatically speed up investigations by enabling law enforcement, with appropriate authorisation, to issue overseas production orders (OPOs) directly to foreign tech companies in order to access their clients' data, rather than through governments using the traditional mutual legal assistance (MLA) route, which can take years.

The Agreement has significant implications for law enforcement, but also raises serious issues in relation to data protection and legal privilege that could prompt litigation which may challenge efforts to increase the speed of cross border law enforcement.

Negotiations to enter into similar 'CLOUD Act' agreements are underway between the US government and each of Australia and the EU.

Effect of the Agreement

In brief, the effect of the Agreement is that law enforcement in either the UK or the US can, under the appropriate domestic legislation (the CLOUD Act 2018 in the US and the Crime (Overseas Production Orders) Act 2019 (COPOA) in the UK) and when armed with appropriate court authorisation, require companies that provide clients with an ability to communicate, process or store data, such that they amount to 'communication service providers' (CSPs), to produce documents. The novel element of the process is that it is to be controlled by the courts of the requesting state.

Typically, where law enforcement have wanted to get hold of documents outside their jurisdiction, they have used MLA requests. These (i) are controlled by the government and courts of the recipient state and (ii) take months or even years to process. By contrast, the Agreement is intended to enable this process to happen in a matter of days (although it is far from clear whether it will succeed in this respect).

While the stated purpose of the Agreement is to target terrorism and child abuse crimes, it has a potentially much broader scope; it can be used in respect of any 'serious crime'. We understand the UK Serious Fraud Office is keen on making use of the powers granted under the Agreement, which could also be used to investigate money laundering, fraud, corruption, cyberattacks and other serious economic offences.

This is likely to make investigations of those crimes more efficient than under the traditional MLA process, which will be welcome to corporates under investigation given past criticism of the dragging pace of some criminal investigations. It may also encourage UK law enforcement to seek evidence that would not previously have been available to it, with the implication that investigations and lines of enquiry that might not previously have been practical could now be considered.

Impact on Law Enforcement

The Agreement is intended to assist both UK and US agencies, but it is clear that the practical impact of the Agreement is asymmetric; it will be more impactful for UK law enforcement (and therefore American companies) than vice versa. This is the case as:

  • most of the big cloud computing companies (being those most likely to hold the data of interest to law enforcement) are based in the US and it is expected that many more requests will flow from the UK to the US than vice versa. A very significant part of the benefit to the US is expected to be a reduction in the burden of dealing with MLA requests, which have been increasing in recent years. The Agreement is as such an example of both the increasing strength and necessity of international law enforcement collaboration; and

  • any actual production requests are made under existing UK or US domestic legislation, not the Agreement itself. The jurisdictional bases for production orders under COPOA are broader than those available to US law enforcement.

There will be more limited impact on US law enforcement (and UK companies responding to US law enforcement). First, as already stated, fewer requests are anticipated. Second, US law enforcement could already make extraterritorial production requests under the CLOUD Act before the Agreement was entered into so long as the US courts establish a jurisdictional nexus. The Agreement smooths the way for these requests by seeking to remove points relating to incompatible law, although whether it does so successfully is unclear - but it does not change the actual reach of the powers US law enforcement already has.

Data protection and litigation risk

The Agreement has been designed to attempt to mitigate any data protection concerns and to establish a simple process by which OPOs can be obtained. However, there are a number of data protection issues that are likely to arise, where UK companies are in receipt of a request from US law enforcement, relating to both the use of data by the CSP in responding to the OPO and the actual transfer of such data outside the EU. Consequently, any widespread use of OPOs will have significant implications for a wide range of tech companies that provide clients with an ability to communicate, process or store data such that they amount to CSPs under the Agreement.

These issues are only magnified by the current doubt over EU-US data transfers following the Schrems II decision (see our ICT colleagues' rundown of the practical issues here) and raise further concerns in relation to the equivalence decision required from the EU on data protection following the end of the Brexit transition period (see here).

We suggest any parties served with an OPO seek legal advice as soon as possible to ensure that, if necessary, suitable steps are taken to challenge the order and, ultimately, to assist in successful compliance with the order. Companies that are likely to receive multiple OPOs would be well advised to consider putting in place a suitable process for handling these requests and to become familiar with the types of issues that may give rise to challenges.
