Last fall, the U.S. and U.K. executed the first data-sharing agreement pursuant to the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act. The bilateral agreement allows the U.S. and the U.K. to obtain electronic data directly from tech and telecom companies located in the other country.
Congress had until July 8 to disapprove the bilateral agreement. It has not, so it is now in effect. Tech and telecom companies need to understand who can make data requests, the types of requests covered, and what is restricted, among other things under the bilateral agreement.
Accessing Overseas Data
The 2018 U.S. CLOUD Act amended the U.S. Stored Communications Act (SCA) in two ways, which were intended to allow U.S. authorities to access overseas data and to foster international cooperation. First, the CLOUD Act clarified the SCA’s extraterritorial reach.
Second, more relevant here, the CLOUD Act authorized the U.S. attorney general to enter into executive agreements allowing foreign governments to obtain data stored in the U.S., pursuant to their own foreign legal process.
Across the Atlantic, in early 2019, the U.K. enacted the Crime (Overseas Production Orders) Act (the COPO Act). The COPO Act allows U.K. authorities to apply to U.K. courts to compel a company or individual operating outside the U.K. to provide electronic data, pursuant to a “designated international co-operation arrangement.”
The U.S. and U.K. then entered into the bilateral agreement on Oct. 3, 2019. The bilateral agreement allows, in certain circumstances, the U.S. and the U.K. to obtain electronic data and communications in each other’s country, without having to resort to time-consuming and cumbersome mutual legal assistance treaty requests.
Impact of the Bilateral Agreement
Below, we answer some questions regarding the bilateral agreement.
Who can request data under the bilateral agreement?
Only government authorities, not private entities. When the U.K. is the requesting party, a U.K. judge must be satisfied there are “reasonable grounds” for believing that all or part of the data requested has a substantial value to the proceedings.
U.S. enforcement agencies requesting data must comply with the SCA by obtaining a warrant, court order, or subpoena. Notably, U.S. law generally requires that, to obtain the content of electronic communications, authorities must obtain a warrant, by making a showing of probable cause. Non-content information (such as the identity of the subscriber for an email address) can be obtained via subpoena, which does not require probable cause.
Once a request is approved, U.S. authorities can serve domestic legal process directly on providers in the U.K. in accordance with U.S. laws and vice versa.
Who is going to make more requests?
Since more tech and telecommunications companies are based in the U.S., it’s generally anticipated that the U.K. will make more requests.
What types of data may be requested?
Note that the agreement explicitly references for the “interception of wire or electronic communications,” (i.e., wiretaps), and not merely the collection of stored electronic data (such as emails) and subscriber information.
What offenses or causes of action are subject to the CLOUD Agreement?
The agreement is to be used for the prevention, detection, investigation, or prosecution of “serious crime,” which the agreement defines as an offense punishable by more than three years imprisonment. Accordingly, the agreement applies to most criminal fraud offenses under U.S. and U.K. law. It is not applicable to civil disputes.
Notably, the agreement can be used to obtain evidence in connection with an investigation—not just prosecution. Further, grand jury secrecy rules do not apply to data obtained pursuant to the SCA. As such, it is conceivable that information obtained by the Department of Justice in a criminal investigation could be shared with a civil regulator, such as the SEC, investigating the same conduct.
What restrictions are there on requests under the bilateral agreement?
Among other things, the agreement has numerous “targeting” restrictions. Perhaps most significantly, neither country can intentionally target “a receiving-party person,” which, when the U.S. is the receiving party, includes U.S. citizens, lawful permanent residents, and persons located in U.S.
Orders also cannot infringe upon free speech or target individuals based on characteristics such as race, sex, sexual orientation, religion, ethnicity, or political opinion.
What should companies do if they believe they receive an improper or incorrect production request?
The agreement contains mechanisms service providers can follow to challenge a production order. In the first instance, a U.S. service provider can consult with the “designated authority” in the U.K., the secretary of state for the Home Department. If the objection is not resolved, the U.S. service provider can apply to the U.S. designated authority—the U.S. attorney general—who will confer with the U.K. designated authority.
Ultimately if an agreement is not reached, the U.S. attorney general can decide that the bilateral agreement was not properly invoked and does not apply the production order at issue.
In addition, the COPO Act allows “any person affected by [a COPO] order” to move in the U.K. courts to “vary” or “revoke” an order. Further, the bilateral agreement states that providers “retain otherwise existing rights to raise applicable legal objections to an Order subject to Agreement.” Thus, we may see litigation in U.S. courts over whether, and to what extent, U.S. service providers can assert constitutional objections to a U.K. production order.
What this means going forward and how long will it last?
For companies that are accustomed to receiving SCA requests for stored electronic data from U.S. authorities, the production process for a U.K. order will likely not require large changes. However, requests to intercept electronic communications may involve technical hurdles (including re-routing communications to U.K. authorities) not previously faced by U.S. providers.
How the bilateral agreement actually plays out in practice remains to be seen. The agreement provides for review of its implementation by the U.S. and U.K. within the year and mandates that each party’s designating authority issue an annual report. Further, the bilateral agreement sunsets in five years, absent agreement to extend it.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Brendan Quigley is a former federal prosecutor and an experienced trial lawyer at Baker Botts. He represents organizations and individuals in white-collar enforcement and national security-related matters and in complex civil litigation.
Neil Coulson is an intellectual property partner at Baker Botts focused on dispute resolution and the exploitation of IP rights and all matters relating to data and data privacy.
Laura Santos-Bishop is an associate at Baker Botts and represents clients on a wide variety of complex litigation issues, including white collar, commercial litigation, and international arbitration matters.