by Jeremy Feigelson, Karolos Seeger, Jane Shvets, Robin Lööf, Robert Maddox, and Alma M. Mozetič

On October 3, 2019, the United Kingdom and the United States signed a landmark data sharing agreement to give law enforcement agencies in one country faster access to digital evidence held by service providers, such as web hosts and social media companies, located in the other (the “Agreement”).[1]  The material scope of the Agreement is wide, including fraud, cyberattacks, corruption, and other serious offences.  The Agreement aims to provide an alternative, faster mechanism to the current system based on government-to-government requests pursuant to Mutual Legal Assistance Treaties (“MLATs”).  Under the Agreement, law enforcement authorities will be able to compel production directly from service providers.  The hope is that this will reduce waiting times to weeks or sometimes days.  The Agreement is expected to enter into force following review by the U.K. Parliament and the U.S. Congress, in early April 2020.

Background

In response to what both governments view as unacceptable delays in obtaining digital evidence overseas under existing MLAT procedures, the United States introduced the CLOUD Act in March 2018, and the United Kingdom introduced the Crime (Overseas Production Orders) Act 2019 in February 2019.  Under the CLOUD Act, instead of sending an MLAT request through central government, U.S. authorities can request digital evidence directly from an overseas service provider if the United States has an executive agreement with that service provider’s home country.  Similarly, the U.K. Act allows designated authorities—including the police, the Serious Fraud Office, and the Financial Conduct Authority—to apply to the U.K. Crown Court for a binding “overseas production order” if a “designated international cooperation agreement” exists with the recipient’s home jurisdiction.  The present Agreement will make both laws operational between the United States and the United Kingdom.

Safeguards

• Written certification. Authorities in each country seeking to issue a production order must obtain a written certification by the “designated authority” of that country—as designated by the U.K. Secretary of State for the Home Department and the U.S. Attorney General—that the proposed order is compliant with the Agreement and any applicable law.  (Article 5(7)) 
• Independent judicial oversight. Any request for data will be subject to independent judicial oversight or review (usually by a judge or magistrate) of the requesting state, as provided for under national legislation.  (Article 5(2))  Any order must be justified based on “articulable and credible facts, particularity, legality, and severity.”  (Article 5(1))
• No targeting of residents. Both governments agreed that authorities in neither country can seek information on “residents” of the other.  In respect of non-residents, U.K. authorities may not seek information on U.S. citizens (and lawful permanent resident holders) located abroad whereas U.S. authorities are permitted to target U.K. citizens once they have left the United Kingdom.  Both governments can target individuals or corporates.  (Articles 1(12) and 1(16))
• Protection of “essential interest”. The Agreement also bars the use of requested data in prosecutions relating to an “essential interest” of either the United Kingdom or the United States—specifically cases implicating freedom of speech if the evidence is requested by the United Kingdom and death penalty prosecutions if the evidence is requested by the United States.  (Article 8(4))
• Objection procedure. The receiving government retains residual authority to refuse to give effect to the foreign order after the service provider has raised objections if the receiving government “concludes that the Agreement may not properly be invoked” with respect to any order.  (Article 5(11))

If the request falls afoul of any of the above, the issuing country will have to resort to the traditional MLAT procedure. 

Impact 

The majority of businesses are unlikely to be on the receiving end of requests under the Agreement.  But those that are – in particular, service providers – should prepare to comply with the new scheme.  In most cases, this will mean updating internal subpoena and law enforcement request compliance programmes to be able to comply with the shorter time frames for production under the new regime.

For those subject to investigation by U.S. or U.K. authorities, the impact can be significant.  Evidence against them could be gathered more quickly than before if held by a service provider in the other jurisdiction.  The Agreement also has the potential to impact the manner in which the U.K. Serious Fraud Office conducts cross-border investigations by creating easier and faster access to e-mails and other electronic material, particularly in relation to an uncooperative target or witness.

For U.K.-based companies, the Agreement also goes some way to easing tensions between the CLOUD Act and the EU General Data Protection Regulation (“GDPR”).  In July 2019, the European authorities opined that, without an international agreement making a CLOUD Act warrant enforceable, transfer of personal data from the European Union to the United States pursuant to such a warrant could breach the GDPR.  The opinion expressly reserved the position on whether a bilateral agreement under the CLOUD Act, such as the present Agreement, would satisfy the cross-border transfer requirements of the GDPR, though the opinion’s language suggests that it would.  Of course, companies producing documents would still need to abide by all other GDPR principles, including data minimisation.  

Conclusion 

The Agreement is important in a number of ways.  First, as a first agreement under the U.S. CLOUD Act and the U.K. Crime (Overseas Production Orders) Act 2019, it has potential to provide a blueprint for future agreements.  Negotiations between the United States and the European Union on a similar agreement commenced on September 25, 2019,[2] and negotiations between the United States and Australia were announced on October 7, 2019.[3] 

Second, while the Agreement will enhance U.S. and U.K. authorities’ data gathering arsenal, it does not address the challenges posed by increasingly prevalent use of encryption, leaving open the possibility of a data request returning encrypted data.  In parallel with the signing of the Agreement, these challenges led U.S., U.K. and Australian governments to publish an open letter to Facebook outlining their concerns with its plans to implement end-to-end encryption across its messaging services.  They urged Facebook to halt those plans unless and until it enables law enforcement to access content with a warrant in “exceptional circumstances” and to tackle serious crimes.  It remains to be seen how Facebook and other social media companies will respond to these recurring demands.

Footnotes

[1] The text of the Agreement is available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/836969/CS_USA_6.2019_Agreement_between_the_United_Kingdom_and_the_USA_on_Access_to_Electronic_Data_for_the_Purpose_of_Countering_Serious_Crime.pdf (PDF: 268 KB).   For the relevant press releases, see https://www.gov.uk/government/news/uk-and-us-sign-landmark-data-access-agreement (U.K.) and https://www.justice.gov/opa/pr/us-and-uk-sign-landmark-cross-border-data-access-agreement-combat-criminals-and-terrorists (U.S.).

[2] U.S. Department of Justice, “Joint US-EU Statement on Electronic Evidence Sharing Negotiations” (Sept. 26, 2019), https://www.justice.gov/opa/pr/joint-us-eu-statement-electronic-evidence-sharing-negotiations.

[3] U.S. Department of Justice, “Joint Statement Announcing United States and Australian Negotiation of a CLOUD Act Agreement” (Oct. 7, 2019), https://www.justice.gov/opa/pr/joint-statement-announcing-united-states-and-australian-negotiation-cloud-act-agreement-us.

Jeremy Feigelson, Karolos Seeger, and Jane Shvets are partners, Robin Lööf is international counsel, and Robert Maddox and Alma M. Mozetič are associates at Debevoise & Plimpton LLP. This piece was originally published in Debevoise & Plimpton’s FCPA Update.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.