BCL partners Michael Drury and Julian Hayes discuss the implementation of the much-delayed UK-US data sharing agreement (CLOUD Act) and examine the wider impact its provisions will have on criminal investigations across the globe.
Such is the pace of the modern media cycle that the 2019 signing of the UK-US Bilateral Data Sharing Agreement by Home Secretary Priti Patel and the then US Attorney General William Barr seems a distant memory. But the drivers behind the Agreement – the accelerating shift of everyday activities online, the globalisation of electronic data through cloud computing, and national law enforcement agencies’ need to access data to combat crime – are more pressing than ever, and are underscored in a post-Covid world where face-to-face meetings will be replaced by virtual ones and, to some extent, by the written word.
With mutual legal assistance routes regarded as leaden-footed and anachronistic, nation states and international organisations around the world are grappling with the difficulties law enforcement agencies face in expeditiously obtaining electronic evidence held overseas, whilst respecting privacy concerns. Projects underway include high-level guidance in preparation by the OECD, the Second Additional Protocol to the Budapest Convention recently adopted by the Committee of Ministers of the Council of Europe, and the EU’s proposed E-Evidence Regulation inching through ‘trialogue’ discussions between the European institutions.
The UK-US Agreement was an early front-runner of such projects, and though its implementation has been much delayed, the hope is that it will begin operating in spring/early summer 2022 when, for the first time, demands will flow according to its provisions.
Given the way it is intended to operate, ‘demands’ is the appropriate word to describe what is being facilitated. This is on the basis that the Agreement provides that it is the law of the requesting state to which effect will be given, as long as the demands under that law meet the requirements set out in the Agreement. The underlying philosophy is to provide assurance of common standards that meet each state’s domestic requirements for acting lawfully.
The UK is the first state to enter into an Agreement contemplated by the snappily titled US ‘Clarifying Lawful Overseas Use of Data’ or CLOUD Act, effective in March 2018, with a view to ensuring that, as far as requests made by the UK are concerned, the delays occasioned by the mutual legal assistance process are cut. Such delays had been a long-running sore for criminal investigators in the UK especially given the key part that communications data plays in both intelligence gathering and for use in evidence in UK criminal proceedings, and the fact that vast swathes of such data are held and processed in the US by the dominant US providers of communications and social media services.
Whilst the CLOUD Act also clarified the capacity of US law enforcement agencies to demand stored data from US communications companies holding that data outside the territory of the US (subject to the capacity to contest demands where warrants would violate privacy rights provided for in the country where the data is stored), there must be real doubt about the extent to which it would have been carried forward in the absence of pressure from the UK Government for access to data by non-US agencies.
And the proof of the pudding is in the eating. Whilst the Agreement is still to come into effect, the headlong drive for similar arrangements with the US is notable, with Australia and the US signing an agreement in December 2021. While EU-US discussions are underway, a significant question exists about how far the US might wish to conclude an EU-wide agreement rather than deal with individual states, not least given issues concerning judicial independence in some Member States. It remains to be seen whether the outbreak of western solidarity in the face of Russian aggression towards Ukraine might overcome such difficulties.
What of the Agreement itself?
As foreshadowed in long-standing US domestic law requirements, and in the CLOUD Act itself, a key element is the protection to be given to US persons such that any demand made by the UK will not be given effect if it seeks to target a US person anywhere in the world, or if it seeks to target any person located in the United States. Data “minimization” is also required in relation to US persons in circumstances where non-US persons are being targeted. Whilst this is a longstanding and well understood concept in the US, first with regard to telephony and later electronic surveillance practice, it is doubtless anathema to UK law enforcement operatives and is likely to be a real point of contention in terms of practical operation. On the face of it, it provides the answer to US critics who have suggested that such agreements might be concluded by the US government with insufficient protection for US persons.
As might be expected, the Agreement also provides that it should be applied in a non-discriminatory way (blind to race, sex, sexual orientation, religion, ethnic origin, or political opinions) and, given the US sensitivity to the protection of First Amendment rights, it also seeks to ensure – with a degree of specificity contained in a detailed side letter – that the investigation of certain offences in UK law potentially giving rise to such freedom of speech issues requires particular consideration.
(The sole limitation in favour of the UK seems to be that material provided under the Agreement which might be deployed as prosecution evidence in the US for an offence where the death penalty is sought may only be used with UK consent: the 2020 judgment of the UK Supreme Court in Elgizouli made clear that effectively such consent would always have to be withheld.)
All these requirements impose real practical constraints on the obtaining of data by the UK authorities, which, taken with the fundamental obligations that have to be met, appear to create a robust system that permits the providers of data – so called ‘covered providers’ – to be satisfied of the lawfulness of the demands, under both UK and US law. And lest there be any doubt, the Agreement seems likely, at least at first, to facilitate largely one-way traffic in which the party making the demands will be the UK. That is not in the least surprising given the market strength of US entities providing communications and social media services.
Notably, the Agreement is silent as to the exact process in the UK (or US) that is to be adopted domestically and which gives rise to its operation.
So whilst the UK has passed the Crime (Overseas Production Orders) Act 2019 (‘COPOA’) – the operation of which is specifically dependent on the existence of an agreement of the type now agreed between the UK and the US – the Agreement does not only give effect to process under COPOA. Far from it: one can expect the Agreement to be used to give effect to demands made under the Investigatory Powers Act 2016 (‘IPA’) as well as COPOA on the basis that certain processes under the IPA meet the requirements of the Agreement in that they relate to a specific person or other specific identifier; are based on requirements for reasonable justification based on articulable and credible facts, particularity and legality; relate to the prevention and detection of serious crime (noting the very similar definitions in the Agreement and IPA); and are issued subject to a review by a court, judge, magistrate, or other independent authority.
Where does this leave the ‘covered provider’, and especially the US, and what can and should such a provider do to protect its own interests and those of its data users?
Obligations under data protection law will be key. Responsible US covered providers will wish to be satisfied that not only have the data protection obligations of the relevant UK public authority – acting through the Designated Authority under the Agreement (the Home Office) – been satisfied in the demands placed upon them, but, to the extent they are applicable in the case of US providers or can be said to be so, that their own data protection obligations have been met, as well as their obligations in US law, their commitments to their customers, and that they remain true to their corporate philosophy.
Whilst the stage is set, and the curtain call has gone out, the operation of the Agreement still feels like a play the final act of which is yet to be written. There will clearly be an element of ‘learning by doing’. But on any view how the Agreement functions is bound to attract attention, not only for the model it creates but also from privacy activists who will be very conscious of the contentious backdrop of the data protection and adequacy considerations affecting the relationships between the US, EU, and UK.