This article was first published by Law360 on August 10, 2020.
Last month the UK-US Bilateral Data Access Agreement (“Agreement”) came into effect.1 It is the first agreement to be put in place under legislation introduced to address contemporary challenges to data-gathering by domestic authorities where data is located overseas. The Agreement is a novel step for cross-border law enforcement cooperation, but rests on domestic legislation in each nation: the UK’s Crime (Overseas Production Orders) Act 2019 ( “OPO Act”) and the US’ Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) which amended the existing Stored Communications Act. There are significant differences between the UK and US domestic legislation.
The Agreement allows law enforcement in the UK to access data from communications providers in the US without review by US authorities, and the US obtains reciprocal rights. However, despite this reciprocity, all things are not equal. In practice, the UK gains more than the US as the legislation currently stands—quicker access to data held by major US communications providers for use in UK investigations. For the US, there is no new process for seeking data overseas enacted into legislation. The US does though benefit from the arrangements now, as the burden of handling Mutual Legal Assistance Treaty (“MLAT”) requests will be reduced.
The Agreement is intended to catch up with a world in which data flows do not recognize national borders. The speed at which data moves from one jurisdiction to another over the internet does not fit well with the current geocentric regulation of data. Law enforcement is often left dealing with a patchwork of different procedures dependent on where data of investigatory interest has (sometimes arbitrarily) ended up. This increasingly slows down investigations and creates roadblocks where there is conflict between the laws of two (or more) jurisdictions.2
Unlike prior frameworks for cross-border cooperation, the Agreement does not create a basis for governments providing reciprocal assistance to each other in investigations. Rather it contemplates one government obtaining evidence directly from within the other government’s jurisdiction, subject to predetermined procedures and limitations.
Prior to the Agreement’s coming into force, investigators in one country typically submitted a request for data held in the other country for a criminal investigation under an MLAT. The process is notoriously slow, with requests often taking more than a year to be fulfilled.
An MLAT request made by a UK authority such as the Serious Fraud Office (“SFO”) is subject to several layers of review in the US, including by DOJ’s Office of International Affairs, the relevant US Attorney’s Office, and a federal district court.3 By contrast, an order issued by a UK authority under the framework of the Agreement can be served directly on a US communications provider.4
The Agreement does not replace existing routes for obtaining data, but rather supplements the MLAT process, to create a more streamlined and effective alternative to obtaining certain types of data in the investigation of serious crimes.
The Agreement rests on domestic legislation5—each government’s authority to issue an order for the production of data must be based on that country’s own laws, not on the Agreement itself (although the Agreement sets out limits on what can be achieved). Orders subject to the Agreement are governed by the domestic law of the issuing country.6 Both the US and UK undertake in the Agreement to ensure their domestic legislation permits compliance with any order subject to the Agreement.7 It is therefore important to understand the parameters of the Agreement before turning to the domestic legislation.
The Agreement establishes limitations on: (1) who can be served with an Order; (2) what type of data can be requested; (3) the subjects whose data can be sought; and (4) for what types of investigations data can be obtained.
An Order may be served only on covered communications providers.8 This is any private entity that either:
(a) provides to the public the ability to communicate, or to process or store computer data, by means of a computer or telecommunications system; or
(b) processes or stores data for such an entity.9
The definition covers telecommunications companies as well as companies that provide any means by which to communicate over the internet.
The covered data a communications provider can be ordered to provide is broad and includes not only the content of communications but also the traffic data or metadata relating to the communication or storage of data. An Order may also request identifying information about the account holder, including names, addresses and means of payment.10
Location of target
The Agreement prevents law enforcement in the requesting country from applying for an Order targeting data about organizations and individuals from the receiving country.11 For example, UK law enforcement cannot apply to the English courts for an order that intentionally targets the US government, US citizens, US permanent residents, US corporations and unincorporated associations or persons located in US territory. The list is shorter for US law enforcement as they are not prevented from seeking an order targeting UK citizens or UK permanent residents provided those individuals are located outside of the UK.12
The UK and US have agreed that any Orders will be for the purpose of obtaining information relating to the prevention, detection, investigation of, or protection from, conduct constituting a “serious crime” under domestic law. This is any offense punishable by a maximum term of imprisonment of at least three years.13
UK - Overseas Production Orders
In the UK, the domestic legislation creates a novel process for requesting data with its own application process, the Overseas Production Order. Under the OPO Act, law enforcement may apply to the Crown Court for an Order requiring a communications provider in the US to provide certain data.14
A communications provider who is on notice of an application for an Order (or any person affected by the Order) may oppose the making of the Order in the Crown Court on the grounds that the necessary requirements are not met. If an Order has already been made, the communications provider who is served with the Order (or a person affected by the Order) can still apply to the Crown Court to revoke or vary the Order.15
US– legal process under the Stored Communications Act
The Agreement provides the US government with reciprocal rights to serve Orders on UK providers, but again the legal basis for any Order must come from domestic legislation. In the US, that basis is supplied by the Stored Communications Act (“SCA”), which the CLOUD Act amended.
The CLOUD Act clarified that a provider’s obligations under the SCA to preserve, backup, or disclose data extend to information within the provider’s “possession, custody, or control regardless of whether [the data] is located within or outside of the United States.”16 The CLOUD Act did not expand the category of providers subject to the SCA. Therefore, unlike the UK OPO Act, the CLOUD Act does not create a new route to obtain data from a UK communications provider with no connection to the US. The existing processes under the SCA must be used, and the communications provider must still fall within the jurisdiction of the US courts if US law enforcement wishes to obtain an order. Furthermore, if the data is located in the UK, the requirements of the Data Protection Act would still apply, potentially limiting a provider’s ability to comply.
The CLOUD Act contains provisions to facilitate compliance with UK OPOs in the US, specifically allowing disclosure to a foreign government pursuant to an order subject to an executive agreement such as the UK-US Agreement.17
Under the UK regime, a US communications provider cannot challenge an Order issued by a UK Crown Court judge in the US courts. Given the wide-ranging nature of the UK regime, this would seem like a home run for UK law enforcement. However, the Agreement provides a mechanism by which the US government can maintain some control.
The Agreement provides that the Attorney General in the US and the Home Secretary in the UK will designate specific government entities as the executive authorities with oversight of the process (“Designated Authorities”).18 A communications provider can raise objections to an Order with the Designated Authority in their home country, but only once they have raised it with the Designated Authority in the country that made the request.19 A US communications provider must therefore object to an Order to the Designated Authority in the UK before making an objection in the US.
The US authority is entitled to conclude that the Agreement does not apply to a particular issue based on the objection.20 The US government specifically reserves the right under the CLOUD Act to “render the agreement inapplicable as to any Order for which the United States Government concludes the agreement may not properly be invoked.”21
The novel approach taken by the US and UK in this area is a significant development, reflecting the cooperation of both nations to resolve issues created by conflicts of law. The arrangements should have the effect of streamlining the process for the UK to make data requests of US communications providers, albeit with some limitations. The Agreement certainly gives the US scope to introduce a similar process, although it has not sought to do so to date.
1 July 8, 2020 is the date the US Department of Justice identified as the date the Agreement would come into force. Department of Justice, Letter from Stephen E. Boyd, Assistant Attorney General, to Congress dated January 16, 2020. In the UK, the Agreement was designated for the purposes of the Crime (Overseas Production Orders) Act 2019 (allowing orders to be made in respect of data governed by US law), and for the purposes of the Investigatory Powers Act 2016 (allowing a telecommunications operator to intercept the communications of an individual at the request of the US) as of February 28, 2020. The Overseas Production Orders and Requests for Interception (Designation of Agreement) Regulations 2020 (S.I. 2020, No. 38 (UK)).
2 See Agreement, Preamble and art. 2.
3 US Congressional Research Service, Cross-Border Data Sharing Under the CLOUD Act, Stephen P. Mulligan, April 23, 2018, 14.
4 OPO Act, s. 14.
5 Agreement, art. 5, cl. 1.
6 Agreement, art. 3, cl. 2.
7 Agreement, art. 3, cl. 1.
8 Agreement, art. 5, cl. 5.
9 Agreement, art. 1, cl. 7.
10 Agreement, art. 1, cl. 3 and 15.
11 Agreement, art 4, cl. 3 and 4, and art. 1, cl. 12.
12 Agreement, art. 1, cl. 12.
13 Agreement, art. 1, cl. 14, art. 4, cl. 1.
14 OPO Act, s. 1(1) and (7).
15 OPO Act, s.7.
16 18 U.S.C. § 2713.
17 18 U.S.C. § 2702(b)(9).
18 Agreement, art. 1, cl. 8.
19 Agreement, art. 5, cl. 11.
20 Agreement, art. 5, cl. 12.
21 18 U.S.C § 2523.