WHAT DOES THE U.S.-U.K. DATA ACCESS AGREEMENT MEAN FOR INTERNATIONAL COMMUNICATION SERVICE PROVIDERS?
Earlier this month the governments of the United Kingdom and United States signed an agreement to help law enforcement agencies (LEAs) in each country gather digital evidence in the other country for purposes of criminal investigations. The pact is known as the “Data Access Agreement.” Why is the Data Access Agreement needed, how does it work, and what is the impact on communication service providers (CSPs)?
The problem of gathering evidence in cross-border criminal investigations
An order from a judge in Country A to disclose evidence stored in Country B may violate the data protection laws of Country B. This dilemma spawned a legal controversy in 2016, when Microsoft refused to honor a U.S. court order to produce emails that the company had stored in a data center in Ireland. In the litigation, the Second Circuit Court of Appeals ruled in Microsoft’s favor.
The Microsoft ruling delivered an important victory for end user privacy. But it frustrated a law enforcement investigation. Beyond that, criminals likely realized they could help conceal their criminal activity in the U.S. by contriving email user accounts designated for email storage outside the U.S.
The problem with mutual legal assistance treaties (MLATs)
Governments worldwide tried to solve the problem of cross-border digital evidence gathering by entering into agreements called mutual legal assistance treaties, or “MLATs.” Under an MLAT, a law enforcement agency in Country A that needs copies of emails stored in Country B could submit a formal request to the government of Country B, and if Country B approved the request it would dispatch its own law enforcement agents to collect the evidence under its own laws.
MLATs worked well in theory because they paved an investigatory path for LEAs while protecting privacy. Unfortunately, they proved unsatisfactory in practice. Sometimes a country in receipt of an MLAT filing would deny the request. Other times the approval process would take months or years to complete. Countries with good political relations enjoyed more MLAT cooperation than others.
The benefits of the Data Access Agreement
To improve the international sharing of digital evidence, the U.S. Congress enacted a statute called the Clarifying Lawful Overseas Use of Data Act of 2018 (the “CLOUD Act”), and the U.K. passed a similar bill called the Crime (Overseas Production Orders) Act of 2019. The implications of these actions were explored in a prior blog. The dual legislation enabled the two democracies to negotiate the Data Access Agreement. The Agreement facilitates criminal investigations while preserving meaningful privacy protection.
Under the Data Access Agreement, an LEA in the U.K. that must investigate electronic information stored in the U.S. no longer needs to invoke the government-to-government MLAT channel to obtain the evidence. Instead, it may serve an order directly on the U.S. CSP. The order would be issued by a “designated entity,” meaning an agency appointed by the U.K. Home Office or Secretary of State. In the U.S., the designation would come from the attorney general. The service provider could be an email host, a wireless service provider, social network, or cloud storage company. Likewise, a U.S. designated entity could approve the same type of order for delivery to a British CSP. The terms of the Agreement ensure that both sides would observe a common baseline of strong due process and privacy protection. By skipping the governmental middleman, the process should work more quickly and reliably than the MLAT scheme.
The Data Access Agreement is not a cure-all. The arrangement cannot be used for evidence-gathering in civil proceedings. It is available only for “serious crimes,” such as terrorism, transnational organized crime, murder, cybercrime, and child sexual abuse. Even within that narrow scope of wrongdoing, each country may investigate only suspects who are not residents of the other country. The idea is to let Country A investigate its own citizens without exploiting the opportunity to investigate citizens of Country B. Moreover, the range of assistance is limited to the disclosure of stored records. It does not permit orders for real time electronic surveillance (wiretapping). Finally, the plan does not solve the problem of deciphering encrypted communications. Services like Facebook’s WhatsApp could still be encrypted end-to-end.
The bilateral Agreement will take effect following a six-month period of review by Congress and the U.K. Parliament.
The impact on communication service providers
Thanks to the Data Access Agreement, CSPs on both sides of the Atlantic may receive more requests for stored electronic data. A provider that serves both markets may see an even greater upsurge in evidentiary demands. Look for a relatively larger number of orders to flow from the U.K. to the U.S. After all, American competitors like Microsoft, Facebook, and Google hold dominant market shares worldwide.
On the other hand, the U.K.-U.S. deal affects only two jurisdictions. Other governments undoubtedly want similar terms of reciprocity. But if they lack high standards of due process and privacy they probably won’t get far. The EU and Australia have begun data access negotiations with the U.S. Any progress between Australia and the U.S. must overcome at least one significant policy difference. Australia’s decryption mandate is stricter than that of the U.S. Beyond the collection of traditional U.S. allies, it is difficult to predict when any other data access agreements may emerge.
Data access agreements will impose a bigger impact on CSPs subject to data retention mandates. For example, if the U.S. signs a data access agreement with Australia, and a U.S. designated entity requests data from an Australian email provider, the company may need to disclose as much as two years of data because two years is the Australian-mandated period of retention. A U.S. VoIP provider, by contrast, is not subject to any data retention law and therefore need not retain user data at all. No provision of the Data Access Agreement requires a service provider to disclose data it does not have.
The need for appropriate legal expertise
To the extent CSPs receive more requests for stored data they may need more legal experts to review the requests for validity and process them pursuant to the applicable privacy laws. Some service providers could expand their in-house staffs. Others may prefer to outsource the function to a contractor with the appropriate expertise. Another option is to hire outside counsel, though that can be expensive.
A CSP that objects to a digital evidence order may appeal to the foreign designated entity. But that would naturally require foreign legal expertise. At this early stage of the Data Access Agreement, the chances of success would be hard to predict.
The Data Access Agreement intends to expedite LEA investigations while protecting end user privacy. But the legal breakthrough may produce an unintended consequence: a bigger workload for the communications industry.