On 21 July the US and UK Governments announced that their agreement on Access to Electronic Data for the Purpose of Countering Serious Crime (Data Access Agreement) would come into force on 3 October 2022. The Data Access Agreement was signed in October 2019, but its full implementation has been delayed (it was eligible to come into force from July 2020) while – we understand - enabling processes, including in relation to data minimisation, have been put in place.
Once the Data Access Agreement is in force it will herald a potential step change in the jurisdictional reach of UK law enforcement. It has been described as a "world-first" that will dramatically speed up investigations and demonstrate the strength of international law enforcement collaboration. In essence, it works by requiring each country to ensure their laws permit communication service providers, such as telecoms operators, to lawfully respond to direct requests for data made by law enforcement in the other jurisdiction. As a result law enforcement will, with appropriate authorisation, be able to issue overseas production orders (OPOs) directly to foreign tech companies caught by the scope of the Data Access Agreement in order to access their clients' data, rather than through governments using the traditional mutual legal assistance (MLA) route, which can take years.
The Data Access Agreement has significant implications for law enforcement, but also raises serious issues in relation to data protection laws and legal privilege rules that could prompt litigation which may challenge efforts to increase the speed of cross border law enforcement.
Effect of the Data Access Agreement
In brief, the effect of the Data Access Agreement is that law enforcement in either the UK or the US can under the appropriate domestic legislation (being the CLOUD Act 2018 in the US and Crime (Overseas Production Orders) Act 2019 (COPOA) in the UK) when armed with appropriate court authorisation, require 'communication service providers' (CSPs), i.e. companies that provide clients with an ability to communicate, process or store data, to produce documents. The novel element of the process is that it is to be controlled by the courts of the requesting country.
Typically where law enforcement have wanted to get hold of documents outside their jurisdiction up until now, they have used MLA requests. These: (i) are controlled by the government and courts of the recipient country; and (ii) take months or even years to process. By contrast the Data Access Agreement is intended to enable this process to happen in a matter of days (although it is far from clear whether it will succeed in this respect).
While the stated purpose of the Data Access Agreement is to target terrorism and child abuse crimes, it has a potentially much broader scope; it can be used in respect of any 'serious crime'. We understand the UK Serious Fraud Office is keen on making use of the powers granted under the Data Access Agreement, which could also be used to investigate money laundering, fraud, corruption, cyberattacks and other serious economic offences.
This is likely to make investigations of those crimes more efficient than under the traditional MLA process, which will be welcome to corporates under investigation given past criticism of the dragging pace of the some criminal investigations. It may also encourage UK law enforcement to seek evidence that would not previously have been available to it, with the implication that investigations and lines of enquiry that might not previously have been practical could now be considered.
Impact on Law Enforcement
The Data Access Agreement is intended to assist both UK and US agencies, but it is clear that the practical impact of the Data Access Agreement is asymmetric; it will be more impactful for UK law enforcement (and therefore American companies) than vice versa. This is the case because:
- most of the big cloud computing companies (being those most likely to hold the data of interest to law enforcement) are based in the US and it is expected that many more requests will flow from the UK to the US than vice versa. A very significant part of the benefit to the US is expected to be a reduction in the burden of dealing with MLA requests, which have been increasing in recent years. The Data Access Agreement is as such an example of both the increasing strength and necessity of international law enforcement collaboration; and
- any actual production requests are made under existing UK or US domestic legislation, not the Data Access Agreement itself. The jurisdictional bases for production orders under COPOA are broader than those available to US law enforcement.
There will be a more limited impact on US law enforcement (and UK companies responding to US law enforcement). First, as already stated, fewer requests are anticipated. Second, US law enforcement could already make extraterritorial production requests under the CLOUD Act before the Data Access Agreement was entered into so long as the US courts establish a jurisdictional nexus. The impact of the Data Access Agreement is significant in that it smooths the way for these requests by seeking to remove points relating to incompatible law (although whether it will be successful in doing so is unclear) but it does not change the actual reach of the powers already held by US law enforcement.
Data protection and litigation risk
The Data Access Agreement has been designed to attempt to mitigate any data protection concerns and to establish a simple process by which OPOs can be obtained. However, there are a number of data protection issues that are likely to arise, where UK companies are in receipt of a request from US law enforcement, relating to both the use of data by the CSP in responding to the OPO and the actual transfer of such data from the UK to the US. Under the UK GDPR and further to the Schrems II decision such transfers generally must take place on the basis of adequate safeguards and an appropriate transfer risk assessment. Consequently, any widespread use of OPOs will have significant implications for a wide range of tech companies that provide clients with an ability to communicate, process or store data such that they amount to CSPs under the Data Access Agreement.
We suggest that any parties served with an OPO seek legal advice as soon as possible to ensure successful compliance with the order and, if necessary, so that suitable steps can be taken to challenge the order. Companies that are likely to receive multiple OPOs would be well advised to consider putting in place a suitable process for handling these requests and to become familiar with the types of issues that may give rise to challenges.
_11zon.jpg?crop=300,495&format=webply&auto=webp)
.jpg?crop=300,495&format=webply&auto=webp)
_11zon.jpg?crop=300,495&format=webply&auto=webp)
_11zon.jpg?crop=300,495&format=webply&auto=webp)
.jpeg?crop=300,495&format=webply&auto=webp)
