The agreement follows the passing of the US CLOUD Act in early 2018. The CLOUD Act, brought into force by President Trump, permits the making of bilateral agreements between the US and other jurisdictions to facilitate the sharing of electronic data by way of a reciprocal arrangement. The UK subsequently passed the UK Crime (Overseas Production Orders) Act in 2019 which facilitated the deal signed last week.
The UK / US Bilateral Data Access Agreement is now the first CLOUD Act arrangement of its kind. Though its terms still need to go through the Parliamentary and Congressional approval processes, those terms mark an important shift towards cross-border information sharing. Law enforcement agencies in the US / UK will be able to bypass the usual system and obtain access, on an expedited basis, to electronic communications relevant to criminal investigations (such as communications sent by and to suspects) directly from the service providers themselves.
Changes from the current regime
Under the current rules, requests for documents / information by the UK must be submitted via the US federal government through Mutual Legal Assistance ("MLA"). This is a long and often complex process which in some instances can take up to two years.
Recent cases, such as R (on the application of KBR Inc.) v Director of the Serious Fraud Office (which gave clarity on the judicial reach of section 2 CJA 1987 and the SFO's ability to (i) require the production of documents held outside the UK by a UK company; and (ii) require the production of documents held outside the UK by a non-UK company, provided that a "sufficient connection" exists between the company and the UK) suggest momentum in favour of a more dynamic and versatile data sharing regime in the context of investigations. The shift away from the rigidity of the more traditional methods of obtaining information is arguably symptom of a system inadequately equipped for international investigations that deal with electronic evidence in the internet age.
US/UK Bilateral Data Access Agreement
The proposed terms lift restrictions on certain categories of investigations – though primarily aimed at criminal activity such as terrorism and child exploitation, we can expect the powers to be utilised by law enforcement agencies for the purposes of investigating and prosecuting other serious crimes such as those involving fraud and corruption. Enforcement bodies will be able to submit a request to a UK Judge / Magistrate, and, once a court order is obtained, send the demand for information directly to the US company (the US will have reciprocal access (pursuant to a US court order) to data from UK service providers). There will still be legal hurdles to overcome in order to obtain an order - the Judge reviewing the request will need to be satisfied that: the electronic data is likely to be of substantial value to the investigation / proceedings; the data is likely to be relevant evidence with regard to the offence; and it is in the interests of justice for the data to be produced.
Despite these developments, as it stands, the Agreement does not impact the way in which companies can use encryption, and as such the argument over encrypted material (such as communications on WhatsApp) continues, with Facebook maintaining its position that it must preserve an individual's right to a private conversation and therefore access to law enforcement agencies cannot be guaranteed. Despite a direct request from UK Home Secretary, Priti Patel, and US Attorney General, William Barr, Ms Patel stated "So far nothing we have seen from Facebook reassures me that their plans for end-to-end encryption will not act as barrier to the identification and pursuit of criminals operating on their platforms". The UK Government's position is that its requirement to obtain exceptional access to this data does not undermine its commitment to the right to privacy.
The Australian Home Affairs Minister has also joined the discussion encouraging Facebook to include a means for lawful access to those encrypted communications. This comes against the backdrop of Australia and the US beginning the process of agreeing the terms of a similar data sharing arrangement.
Despite the issues mentioned above, Ms Patel claims "the historic Agreement will dramatically speed up investigations, allowing our law enforcement agencies to protect the public" – whilst sign off on the final terms is required, we can expect to see the new provisions coming into force in early 2020.
The types of powers to be conferred under the new regime are arguably overdue in light of how digital communications are now used, managed and stored. The advancement of technology perhaps demands the need for more appropriate legal powers with regard to how that information is then accessed in the context of a criminal investigation, though the balance between protecting the public and maintaining one's right to privacy continues to pose real challenges when putting changes into practice.
Against the backdrop of criticism from civil liberties groups, the Bilateral Data Access Agreement will inevitably mean that communication providers will need to be reactive and ready to respond to direct requests from prosecutors with the collated material in a matter of weeks if not days. Given the volume of data in the possession of certain providers, and the potential scope of these wide-ranging requests, such demands and tight timeframes could place a significant burden on those seeking to comply with a court ordered request for information.
If a company has been involved in a potentially serious criminal issue with a US dimension, investigations and prosecutions are likely to be dramatically accelerated. Once information has been provided to the UK authority, as always, companies should be aware of the risk that the disclosed communications might then be the subject of a Norwich Pharmacal application, thus bringing that material into the context of civil proceedings much more quickly.
Sign up to our email digest