The U.S. and U.K. have agreed to ease rules for tech companies to turn over data to assist in terrorism, child exploitation, and other criminal investigations, privacy attorneys and former U.S. officials said.
The U.S.-U.K. Bilateral Data Access Agreement, announced Oct. 3, would allow law enforcement authorities in both countries to serve tech companies with court orders to produce electronic evidence in criminal probes of their citizens.
The pact is the first under the CLOUD Act, which permits the U.S. to enter deals with foreign governments to lift “legal barriers to the other party’s access to electronic data for certain criminal investigations,” according to the Department of Justice’s announcement.
The agreement’s text will be released in the coming weeks, followed by a six-month congressional review and a related U.K. parliamentary review, the department said.
The pact, if approved by Congress and Parliament, “would lift one very significant barrier to compliance,” David Bitkower, data privacy partner at Jenner & Block and a former deputy assistant attorney general, said.
U.S. tech companies would “no longer be barred by U.S. law from complying with qualifying U.K. orders for electronic data,” he said. U.S. law generally prohibits turning over communications to foreign governments.
Tech companies seem to want to comply, according to attorneys and officials. Annual transparency reports released by such companies as Facebook Inc., Alphabet Inc.'s Google, and Microsoft Corp. show a high rate of compliance with legal court orders.
However, most tech companies won’t want “to produce data without legal authority,” David Kris, founder of Culper Partners and former assistant attorney general in Justice’s National Security Division, said.
No Data Deluge
The U.S.-U.K. criminal data pact won’t spark a rush of tech companies turning over user data in bulk to government authorities, former officials said. Under the CLOUD Act, companies can fight data release orders they believe lack the proper legal authority, the officials said.
“The major cloud providers have elaborate processes to decide when to respond to law enforcement requests,” Peter Swire, senior counsel at Alston & Bird and professor of privacy and cybersecurity law at Georgia Institute of Technology’s Scheller College of Business, said.
These companies have “standards they apply globally to require proper legal authority before they turn over evidence,” Swire, a former member of President Obama’s intelligence and communications technology review group, said.
Businesses approached with government requests under the new pact should carefully weigh whether to comply, privacy attorneys and former officials said. They may not have to, “for example if they are not subject to U.K. jurisdiction, if there are meritorious legal challenges to the orders, or if some other law serves as a barrier to compliance,” Bitkower said.
Privacy advocates questioned whether the deal provides enough oversight of international criminal data collection efforts. If U.S. oversight is lax, companies should be doubly careful, they said.
“A U.S. company could receive an order to produce the content of emails stored on U.S. soil directly from the U.K. authorities, without ever involving the U.S. government,” Eleni Kyriakidies, international counsel at the Electronic Privacy Information Center, said. It falls “on companies to closely review the international orders they receive and object in cases where they see risks to civil liberties.”