On 3 October, UK Home Secretary Priti Patel along with US Attorney General William P. Barr signed the first UK-US Bilateral Data Access Agreement - colloquially, a “CLOUD Act” agreement. In short, this will make it easier for law enforcement agencies in both countries to demand electronic data directly from technology firms in those countries by removing conflicting privacy restrictions faced by those firms. But first, some background:
1. The current position
Take the situation where an email provider has a headquarters or location in Country X but holds a certain customer’s emails on a server in Country Y. Now let’s say that law enforcement in Country X wants the emails. So law enforcement in Country X issues some kind of domestic legal process on the company saying ‘hand over the emails, even though they’re overseas’. Now the company is in a bind, because maybe it’s prohibited from turning over the emails by the privacy laws of Country Y, where the emails are located. You get into convoluted fights over the request, just like what happened a few years ago in the United States v. Microsoft case in the US. Now let’s switch it around: suppose law enforcement in Country Y wants the emails. It issues legal process against the company and the same problem arises, because maybe the company is prohibited from turning over the emails by the privacy laws of Country X, where the email provider is located.
Previously, the only good solution was the Mutual Legal Assistance Treaty process - and it wasn’t really a good solution. Mutual Legal Assistant Treaties or “MLATS” create a process where law enforcement in one country can pass requests through a “central authority” in their country to the “central authority” in another country, which then acts to obtain the information or evidence requested. Needless to say, this process is often cumbersome (it routinely takes months, often years), and in practice can offer multiple opportunities for an entity holding requested data to seek to delay or tailor the request.
2. The new agreement
In March 2018, Congress passed the CLOUD Act, intended to supplement the MLAT system. The CLOUD Act essentially offers a deal: if other countries rewrite their laws to allow the US to get emails directly from email providers, then the US will rewrite its laws to do the same. It works like this: The US government enters into a “CLOUD Act agreement” with another country. Then, the US government needs to certify that the foreign country has adequate protections for privacy and civil liberties, particularly regarding requests for electronic evidence. In particular, the foreign government needs to commit that it won’t ask email providers for evidence if a US person is the target of the investigation. If the US Congress doesn’t veto the certification after a period of review, the agreement becomes effective. At that point, if the foreign country asks an email provider to turn over evidence pursuant to the foreign country’s domestic process, then the email provider can comply without fear of US domestic repercussions: the CLOUD Act gives the provider immunity.
Meanwhile, in the UK, Parliament passed the Crime (Overseas Production Orders) Act 2019, which received Royal Assent in February this year. This Act creates a framework whereby, as with the CLOUD Act in the US, the UK government can enter into agreements with foreign governments, including to confirm that the relevant foreign government has adequate protections in respect of privacy. Then, UK law enforcement agencies can apply to court for an ‘overseas production order’ requiring a person in a foreign jurisdiction to produce electronic data where that data is required by those UK law enforcement agencies for the purposes of investigating and prosecuting serious crime.
The agreement between the US and UK is based on these two laws. Although its text hasn’t been made public yet, we can infer some key points from press releases from the US DOJ and UK Home Office, and from the CLOUD Act and the Overseas Production Orders Act themselves: Once in force, the SFO in the UK and law enforcement in the US will be entitled, after satisfying various procedural requirements, to go directly to tech companies to access electronic data, even if the tech company is based in the other country or if the tech company holds the data in the other country. This new process will be permissible only in cases where the relevant investigations don’t target those resident in the UK (in the case of US requests) or US (in the case of UK requests). And both governments must also obtain permission from the other before data obtained under the agreement is used in prosecutions affecting essential rights, for example death penalty prosecutions by the US and UK cases implicating freedom of speech.
3. What is next?
The new bilateral agreement is seen as crucial not only to save time in investigations, but also to secure evidence, as electronic data may be moved or deleted more easily than other forms of evidence. In this respect, a number of similar agreements are now being contemplated: EU and Australian officials are currently also negotiating a formal evidence-sharing agreement with the US, and the UK has indicated its own desire to negotiate similar agreements with other jurisdictions worldwide.
In the eternal tussle between firms that are concerned about handing data to the authorities and crime agencies seeking to conduct their investigations, this new bilateral agreement will surely only create new tensions. For example, the new bilateral agreement does not provide an ability for agencies to access encrypted data from messaging apps. And, finally, whilst the new bilateral agreement is stated to be aimed at fighting serious crime (terrorism, organised crime and child exploitation), the type of data that is in fact sought under this agreement remains to be seen, and will certainly be tested.
- Our previous client alert on the CLOUD Act can be found here: http://knowledge.freshfields.com/en/Global/r/3741/the_cloud_act___implications_for_data_privacy_in_the.
- The US DOJ’s announcement of the agreement can be found here: https://www.justice.gov/opa/pr/us-and-uk-sign-landmark-cross-border-data-access-agreement-combat-criminals-and-terrorists.
- And the UK Home Office’s announcement can be found here: https://www.gov.uk/government/news/uk-and-us-sign-landmark-data-access-agreement.