On 3 October 2019, the United Kingdom and the United States signed a first-of-its-kind Bilateral Data Access Agreement (the "Agreement"), which is expected to reduce the time it takes UK and US law enforcement agencies to access electronic evidence held by technology companies located in each other's territory. A link to the Agreement can be found below.1
The issue of ready access to electronic data stored abroad has become increasingly acute in recent years. This has particularly been the case for UK law enforcement agencies, since the evidence needed to further their investigations and support subsequent prosecutions is often stored by technology companies headquartered in the US.
Under pre-existing arrangements between the UK, the US and other jurisdictions, law enforcement agencies are able to request information held by a company abroad through Mutual Legal Assistance Treaties ("MLAT"). Under these MLAT processes, law enforcement agencies submit information requests to the government of the country in which the data-holding company is based. The government in turn reviews the request, obtains and serves an order as needed locally, collects the data and ultimately returns it to the requesting country's law enforcement agency. This is a multi-stage process that can take months or even years to obtain the relevant data from abroad.
The Agreement will expedite the process, by allowing law enforcement agencies to ask a domestic court to issue a production order for electronic data (such as emails, texts and instant messages) to be issued directly against a communication service provider ("CSP") located in the other country. As a result, following authorization from the court in their home country, law enforcement agencies will be able to serve that order for production of electronic data directly on a CSP in the other country, without that request having to be routed through the MLAT processes. The CSPs which are required to comply with production orders issued pursuant to the Agreement include email providers, mobile phone networks, social media companies and cloud storage services. Prosecutors hope that this process will mean that relevant evidential data can be obtained abroad in a matter of days or weeks, rather than months or years.
However, it is important to note that the Agreement will not:
- allow law enforcement agencies to access data to which they would not otherwise have had a right to access under existing domestic legislation and Constitutional protections. Accordingly the standard of proof and the jurisdictional requirements for the issuance of an order or warrant to access data remain unchanged;
- apply to circumstances in which the data subject is a resident of the country from which the evidence is requested (i.e., UK authorities may not request data related to US residents, and vice versa); and
- require CSPs to provide law enforcement agencies with a means of decrypting data (e.g., from encrypted messaging apps).
The Agreement was facilitated by complementing pieces of legislation recently passed in the UK and the US: the Crime (Overseas Production Orders) Act 2019 in the UK,2 and the Clarifying Lawful Overseas Use of Data Act (CLOUD) Act enacted in 2018 in the US.3 Both Acts anticipate that agreements of this type would be entered into with countries with equivalent levels of due process, privacy and the rule of law; the UK-US Agreement is the first. More agreements of this type are anticipated. In September, 2019 the US and EU released a joint statement that they had commenced negotiating a data access agreement,4 and in October 2019, a similar announcement was made by the US and Australia.5
In the US, the CLOUD Act also had an important secondary objective of clarifying that the 1986 Stored Communications Act ("SCA")6 does require disclosure of data subject to a search warrant that is stored abroad by companies subject to US jurisdiction. That question had caused some controversy after a 2016 Second Circuit decision in Microsoft v. United States7 held that the SCA did not require Microsoft to disclose information in its custody and control that it had stored on a server in Ireland.
The Microsoft case was on appeal to the US Supreme Court at the point that the CLOUD Act was passed and was therefore determined to be mooted.
What does the Agreement mean for you?
If you are a CSP, the Agreement, and any subsequent agreements entered into pursuant to the Crime (Overseas Production Orders) Act and the CLOUD Act, will allow foreign law enforcement agencies to serve upon you orders requiring the production of electronic data directly to the enforcement agency. The relative ease of their issuance, and the reduced timeframe, is likely to increase the volume of such international requests and accordingly increase the burden on CSPs in receiving, coordinating, and responding to them.
From a prosecutorial perspective, once in force, UK law enforcement agencies, including the Serious Fraud Office ("SFO"), should find that they have much quicker access to data stored by CSPs in the US, as will their US counterparts to data stored by CSPs in the UK. This should, for example, speed up SFO investigations, which are often hampered by the lengthy MLAT process, reduce the amount of SFO investigations that have on occasion been abandoned due to an inability to access data and evidence overseas, and potentially speed up the process of eliminating suspects from enquiries.
Since many of the major global CSPs are located in the US (rather than the UK), the effects of the Agreement in facilitating investigations are likely to be more pronounced for UK enforcement agencies than they will be for their US counterparts, who already have more immediate access to data held by domestic CSPs. However, since the US currently receives many more MLAT requests than it issues, the Agreement, and others like it, should diminish the burden on US law enforcement and its diplomatic apparatus currently handling them.
More broadly, the Agreement is another manifestation of global law enforcement cooperation. Evidence and information are more freely flowing across borders as seen by the ever increasing number of multi-jurisdictional prosecutions and investigations. This trend can only increase as governments continue to develop mechanisms to share information in global criminal matters.
Finally, of course, the Agreement will not impact the MLAT arrangements currently in place with other jurisdictions and those processes will still need to be followed with those counties until such time as similar data access agreements can be negotiated.
What should you do?
In anticipation of the Agreement's ratification, CSPs in the US and the UK should familiarize themselves with the new regime and implement the necessary processes and procedures to respond to electronic data production orders from foreign agencies, within the relatively short timeframes anticipated.
Other companies and individuals, potentially subject to investigation in either the US or the UK, should be aware that law enforcement agencies in each country will have more ready and speedy access to electronic data abroad believed to be relevant to their enquiries. This may in turn impact those agencies' expectations when assessing a company's own cooperation and voluntary document production.