The U.S. and UK have entered into a landmark agreement to allow access to electronic data for use in criminal investigations between their law enforcement agencies (the U.S.-UK Agreement). We look at the final piece in the U.S.-UK data sharing puzzle.
Both the U.S. and the UK law enforcement agencies have a variety of powers to compel overseas communication service providers to disclose information.
In the case of the UK, the Crime (Overseas Production Orders) Act 2019 (COPO Act) allows a law enforcement agency to apply to the UK courts for an overseas production order against a person in respect of electronic data. However, these orders can only be made where there is a designated international co-operation arrangement with the overseas country.
The UK Investigatory Powers Act 2016 (IPA) also contains a host of extra-territorial powers under which certain UK law enforcement agencies can issue authorisations or warrants to overseas telecoms providers to obtain communications data, intercept communications or interfere with computer equipment.
In the case of the U.S., one such power is the Stored Communications Act (SCA). This was amended by the U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act) to expressly allow U.S. law enforcement through a warrant, subpoena or court order to access electronically-stored communications data located outside the U.S. provided that the information sought is relevant and material to an ongoing criminal investigation. These powers apply to any provider of an electronic communication service or remote computing service who is subject to U.S. jurisdiction, which includes all major U.S. cloud companies.
Constraints on those extra-territorial powers
Unsurprisingly, those on the receiving end of these extra-territorial powers must balance them against constraints under national law.
For cloud providers storing data in the UK, the primary constraint is the EU General Data Protection Regulation (GDPR), which prevents the transfer of personal data to third countries unless certain conditions are met. The European Data Protection Board (the representative body of EU data protection regulators) and the European Data Protection Supervisor recently considered the GDPR’s interaction with the extension to the SCA made by the CLOUD Act. They concluded that only in very limited cases would an EU cloud provider be able to respond to an SCA order in respect of personal data stored in the EU. Absent a situation in which there was a threat to life or physical harm, an EU cloud provider responding to an SCA order would likely breach the GDPR and thus face fines of up to €20 million or 4% of turnover. Similarly, any attempt to intercept communications in the UK without lawful authority under the IPA would be a serious criminal offence. See U.S. CLOUD Act and GDPR – Is the cloud still safe?
A cloud provider storing data in the U.S. would also face a number of constraints on sharing data in response to requests from UK law enforcement agencies. The SCA prohibits cloud providers from disclosing the content of any electronic communications (sometimes referred to as “blocking” provisions) unless it falls into an exception. For example, one such exception is that disclosures may be made to foreign governments that have executed a CLOUD Act agreement. In short, content can only be shared with another country’s law enforcement under the SCA if that country has signed a CLOUD Act agreement with the U.S.
Until now – absent a CLOUD Act agreement – the solution was, in theory, relying on Mutual Legal Assistance Treaty requests (MLATs). However, these requests had to be submitted by law enforcement agencies to central governments and could take many months or even years to be processed.
The new U.S.-UK Bilateral Data Access Agreement
On 3 October 2019, the U.S.-UK Bilateral Data Access Agreement (the Agreement) was entered into to resolve this conundrum.
This is the first agreement reached under the U.S. CLOUD Act, which not only provides for extra-territorial application of the SCA but also enables the U.S. to enter into a bilateral data transfer agreement such as the Agreement. This is also the first agreement reached under the COPO Act and it acts as a designated international agreement under that Act.
Faster and more convenient
Under the U.S.-UK Agreement, when law enforcement has an appropriate extra-territorial power, they may now obtain a court order in their national court and then pass the order on to their national designated authority (the UK Home Office or the U.S. Attorney General) or other nominated body. The designated authority will then go directly to the overseas communication service providers to access electronic data.
This development is expected to allow for more efficient and effective access to data and thus dramatically speed up criminal investigations and prosecutions involving electronic evidence of crimes. While the use of an MLAT could take many months or even years, the Agreement should allow law enforcement to obtain information in a matter of days or weeks.
Although ostensibly targeted at the investigation of terrorism and child abuse cases, this new tool is potentially of far wider application. It is likely also to be used in cases involving fraud, corruption, money laundering, cyberattacks and other serious offences.
Safeguards under the U.S.-UK Agreement
The key safeguard under the Agreement is that it can only be used to obtain information about serious crimes, being defined as crimes that can be punishable by at least three years’ imprisonment. Any request under the Agreement must be made on the basis of articulated and credible facts, and interception requests may only be made if the information could not be obtained by another less intrusive method. Fishing expeditions are not permitted.
Law enforcement must also obtain permission from the other country before using data gained through the Agreement as evidence in certain types of prosecutions, such as cases involving the death penalty in the United States (which the UK government opposes in all circumstances) and in UK cases implicating U.S. freedom of speech.
Additionally, the Agreement prohibits targeting residents of the other country, such that U.S. authorities may not use the powers to obtain information about individuals based in the UK, and UK authorities may not use these powers to obtain information about U.S. persons or persons based in the U.S. (This asymmetry is because the UK cannot distinguish between individuals based on nationality).
Importantly, the Agreement is limited to requests made to communication service providers, defined as entities that provide the public with the ability to communicate, process or store data by means of a computer system or telecoms system, or a person processing data on behalf of such an entity. Requests under the Agreement cannot be made to other types of businesses.
Safeguards under national legislation
The Agreement does not create additional powers for the U.S. or UK law enforcement agencies to obtain data, rather it facilitates the use of existing powers. Therefore, any request for data must be made in accordance with the legislation of the country making the request and subject to independent oversight or review by a designated authority. These national laws apply an additional layer of safeguards to this process.
In the UK, where a court order is sought under the COPO Act, the request will be assessed by a judge who will need to be satisfied that there are reasonable grounds for believing that all or part of the data is likely to be of substantial value to the proceedings or investigation and that it is likely to be relevant evidence in respect of an indictable offence. There must also be reasonable grounds for believing that it is in the public interest for the data sought to be produced to or accessed by the investigators. The recipient of a production order or any person affected by it will have the right to apply to the UK court to have it varied or revoked. Finally, the COPO Act contains specific controls on orders being made for legally privileged materials or health records.
The process for a UK law enforcement agency obtaining authorisations or warrants under the IPA is similarly controlled. For example, an interception warrant under the IPA is subject to a “double lock” that requires it to be personally issued by the Home Secretary and approved by the Judicial Commissioners. There are a number of other protections in the IPA in relation to privileged or journalistic information.
Similarly, data access requests by U.S. law enforcement agencies will be subject to independent judicial authorisation and oversight in that law enforcement will be required to obtain the appropriate U.S. court order, subpoena or search warrant pursuant to the SCA. Providers may file a motion to modify or quash requests for disclosure under limited circumstances – specifically, if the provider believes the customer or subscriber is not a “U.S. person” and the disclosure would create a material risk of violating the laws of the country where the information is stored (albeit that no such violation should take place under UK law once the Agreement is implemented).
Does this solve national constraints?
The Agreement is very likely to allow communication services providers to disclose data stored in the UK. The Agreement serves as a legally binding and enforceable instrument thus permitting transfer of personal data to the U.S. under Article 46(2)(a) of the GDPR and removing the restriction in Article 48 of the GDPR (which the UK has opted out of in any event).
It is also very likely that the disclosure will have a legal basis under the legitimate interests condition (Article 6(1)(f) of the GDPR) given it is to prevent and detect serious crime, there are numerous safeguards in place and is made under a formal international framework. Similarly, the Agreement will allow communications service providers to lawfully intercept communications on behalf of U.S. law enforcement agencies under the IPA.
In relation to the U.S., the Agreement satisfies one of the exceptions in the SCA, thus allowing U.S.-based communication services providers to respond directly to UK law enforcement requests, such as interception warrants issued under the IPA.
Encryption and bilateral use
Despite these advances for law enforcement between the two countries, the Agreement does not change the way companies can use encryption or prevent the encryption of data. In particular, the Agreement does not enable law enforcement authorities to force data companies to hand over data in a legible format or break their own encryption policies.
In addition, while the Agreement is bilateral, it seems most requests will be made from the UK to the U.S. reflecting the fact many more large communication service providers store data in the U.S. than vice versa.
The Agreement will not enter into force until after a six-month U.S. congressional review period mandated by the CLOUD Act, ratification by the UK Parliament and “designation” of the agreement by the UK Secretary of State. Absent a joint resolution of disapproval by the U.S. Congress or disapproval by the House of Commons during the review/ratification period, the Agreement should take effect in March 2020.
The Agreement may serve as a model for other bilateral agreements pursuant to the CLOUD Act and the COPO Act. Additional bilateral agreements are anticipated, including between the United States and Australia who recently announced that they have begun negotiations.