UK-US Bilateral Data Sharing Agreement: what companies need to know

BCL partners Michael Drury and Julian Hayes write for Lexology on the UK-US Bilateral Data Sharing Agreement, ahead of their upcoming free Lexology webinar on the topic.

Here’s an extract from the article:

The fourth quarter of 2020 appears likely to bring into operation the UK-US Bilateral Data Sharing Agreement agreed in October 2019 between Home Secretary Priti Patel and US Attorney General William Barr.

For the first time, demands will flow under the Agreement. Given the way it is intended to operate, ‘demands’ is the appropriate word to describe what is being facilitated. This is on the basis that the Agreement provides that it is the law of the requesting state to which effect is to be given, as long as the demands under that law meet the requirements set out in the Agreement intended to provide assurance of common standards that meet each state’s domestic requirements for acting lawfully.

The UK is the first state to enter into an Agreement contemplated by the snappily titled US ‘Clarifying Lawful Overseas Use of Data’ or CLOUD Act, effective in March 2018, with a view to ensuring that, as far as requests made by the UK are concerned, the delays occasioned by the mutual legal assistance process could be avoided as far as possible. Such delays had been a long-running sore for criminal investigators in the UK especially given the key part that communications data plays in both intelligence and evidence in UK criminal proceedings, and the fact that vast swathes of such data are held and processed in the US by the dominant US providers of communications and social media services.

Whilst the CLOUD Act also clarified the capacity of US law enforcement agencies to demand stored data from US communications companies holding that data outside the territory of the US (subject to the capacity to contest demands where warrants would violate privacy rights provided for in the country where the data is stored), there must be real doubt about the extent to which it would have been carried forward in the absence of pressure from the UK Government.

And the proof of the pudding is in the eating. Whilst the Agreement is still to come into effect, although it will be soon, the headlong drive for similar agreements with the US is notable. A significant question remains about how far the US might wish to conclude an EU-wide agreement rather than deal with individual states, not least given issues concerning judicial independence in some Member States.

What of the Agreement itself?

As foreshadowed in long-standing US domestic law requirements, and in the CLOUD Act itself, a key element is the protection to be given to US persons such that any demand made by the UK will not be given effect if it seeks to target a US person anywhere in the world, or if it seeks to target any person located in the United States. Data “minimization” is also required in relation to US persons in circumstances where non-US persons are being targeted. Whilst this is a long-standing and well understood concept in the US, first with regard to telephony and later electronic surveillance practice, it is doubtless anathema to UK law enforcement operatives and is likely to be a real point of contention in terms of practical operation. Nonetheless, it provides the answer to those US critics who have suggested that such agreements could be concluded by the US government that provided insufficient protection for US persons.

As might be expected, the Agreement also provides that it should be applied in a non-discriminatory way (blind to race, sex, sexual orientation, religion, ethnic origin, or political opinions) and, given the US sensitivity to the protection of First Amendment rights, it also seeks to ensure – with a degree of specificity contained in a detailed side letter – that the investigation of certain offences in UK law potentially giving rise to such freedom of speech issues require particular consideration.

(The sole limitation in favour of the UK is that material provided under the Agreement which might be deployed as prosecution evidence in the US for an offence where the death penalty is sought may only be used with UK consent: the recent decisions of the UK Supreme Court in Elgizouli make clear that effectively such consent would always have to be withheld.)

All these requirements impose real practical constraints on the obtaining of data by the UK authorities, which, taken with the fundamental obligations that have to be met, appear to create a robust system that permits the providers of data – so called ‘covered providers’ – to be satisfied of the lawfulness of the demands, under both UK and US law. And lest there be any doubt, the Agreement seems likely, at least at first, to facilitate one-way traffic in which the party making the demands is the UK. That is not in the least surprising given the market strength of US entities providing communications and social media services.

Register here for the BCL Information Law team’s webinar on this subject, hosted by Lexology.

This article was originally published by Lexology on 28th September 2020. You can read the full version on their site here.

Michael Drury’s expertise in data collection and surveillance matters by state entities is unparalleled in the United Kingdom. As a former director of legal affairs at GCHQ, the largest of the UK’s security and intelligence agencies, for 14 years; founder member of the Serious Fraud Office; and for the last 10 years a partner in BCL providing advice on national security and criminal investigations to both corporate and individual clients, his breadth of experience both in terms of developing legislation (particularly the Regulatory Investigatory Powers Act as the forerunner to the current Investigatory Powers Act 2016) and practical casework gives him unique insights into how the law has developed and the practical consequences that follow. He has already provided advice on the US-UK Bilateral Data Sharing Agreement due to commence this autumn and brings his breadth of knowledge to bear on what is a new departure in a field that is inherently controversial.

Julian Hayes advises companies and individuals in the rapidly developing field of data protection, especially in the context of data breaches and law enforcement investigations, where necessary litigating to ensure that the actions of state authorities are properly constrained. A partner at BCL for three years, he has vast experience of all types of criminal inquiries, including the unlawful obtaining of data and computer misuse offences. He is a well-known and highly regarded commentator on cybersecurity and privacy issues. He advises telecommunications operators on their obligations under UK investigatory powers legislation and provides practical guidance on how to handle demands placed upon them, including in establishing systems that work to ensure legal compliance and protection for the operator.