‘UK-US Data Sharing Treaty – A Welcome Recognition of Reality’ BCL Partners write for Privacy Laws & Business’s International Report


BCL partners Michael Drury and Julian Hayes have contributed the chapter titled ‘UK-US Data Sharing Treaty – a welcome recognition of reality’ as part of Privacy Laws & Business’ Data Protection & Privacy Information International report.

In this report Michael and Julian explain how the UK-US Agreement, which will shortly begin to operate, sets the benchmark for future CLOUD Act arrangements.

Below is a short extract from their article which you can now read in full on the Privacy Laws & Business website here*.

As a tumultuous twelve months draws to a close, many of us are understandably looking forward to turning the page on 2020. And though there is much best put behind us, as far as law enforcement in our digital era is concerned, the year will be remembered as seminal with the (perhaps near) implementation of the UK-US Bilateral Data Sharing Agreement, which is designed to usher in a streamlined and expeditious exchange of electronic intelligence and evidence in the fight against crime. Belying its dry legalistic language, the Agreement is far from being of esoteric interest only, and affects telecommunications service providers and social media companies both large and small on both sides of the Atlantic. It also represents a significant shift in the approach taken by sovereign states when giving effect to each other’s judicial orders and is – arguably – an overdue recognition that, when those who threaten our safety and security operate without regard for national boundaries, those who seek to protect us need effective tools for the job.

Genesis of the Agreement

Signed in October 2019 by the Home Secretary and the US Attorney General, the UK and US had in fact been negotiating a data-sharing agreement since 2015. Underpinning those negotiations was a recognition of three key points: the importance of electronic material (particularly communications data) to both the intelligence services and in criminal proceedings; the vast majority of UK criminal suspects use the services provided by the dominant US providers and social media companies; and there are lengthy delays in procuring data from the US using the traditional Mutual Legal Assistance channel where nine or ten month waits are not uncommon, which is simply not an option in fast-moving investigations.

The Agreement was facilitated in the UK by the Crime (Overseas Production Orders) Act 2019 (COPOA) and its equally snappily-titled US cousin the ‘Clarifying Lawful Overseas Use of Data’ or CLOUD Act, effective from March 2018. The CLOUD Act also clarified the capacity of US law enforcement agencies to demand stored data from US communications companies holding that data outside US territory (subject to the capacity to contest demands where warrants would violate privacy rights provided for in the country where the data is stored). The Agreement is the first to be entered into under either COPOA or the CLOUD Act, though negotiations for similar arrangements are well underway between Australia and the US. A significant question remains about how far the US might wish to conclude an EU-wide agreement rather than deal with individual countries, not least given issues concerning judicial independence in some Member States, namely Poland and Hungary. (The European Commission has meanwhile proposed its own EU-wide overseas production and preservation order scheme for electronic evidence).

Setting the benchmark for future CLOUD Act arrangements, it is anticipated that the UK-US Agreement will start operating imminently, with demands beginning to flow under its provisions. Given the way it is intended to operate, ‘demands’ is the appropriate word to describe what will take place. That is on the basis that the Agreement provides that it is the law of the requesting state to which effect is to be given. Orders from the requesting state will have effect against recipients in the receiving state as long as requirements intended to provide assurance of common standards and lawfulness under domestic law and set out in the Agreement are met.

* This article was published in Privacy Laws & Business International Report, December 2020.

Michael Drury’s expertise in data collection and surveillance matters by state entities is unparalleled in the United Kingdom. As a former director of legal affairs at GCHQ, the largest of the UK’s security and intelligence agencies, for 14 years; founder member of the Serious Fraud Office; and for the last 10 years a partner in BCL providing advice on national security and criminal investigations to both corporate and individual clients, his breadth of experience both in terms of developing legislation (particularly the Regulatory Investigatory Powers Act as the forerunner to the current Investigatory Powers Act 2016) and practical casework gives him unique insights into how the law has developed and the practical consequences that follow. He has already provided advice on the US-UK Bilateral Data Sharing Agreement due to commence this autumn and brings his breadth of knowledge to bear on what is a new departure in a field that is inherently controversial.

Julian Hayes advises companies and individuals in the rapidly developing field of data protection, especially in the context of data breaches and law enforcement investigations, where necessary litigating to ensure that the actions of state authorities are properly constrained. A partner at BCL for three years, he has vast experience of all types of criminal inquiries, including the unlawful obtaining of data and computer misuse offences. He is a well-known and highly regarded commentator on cybersecurity and privacy issues. He advises telecommunications operators on their obligations under UK investigatory powers legislation and provides practical guidance on how to handle demands placed upon them, including in establishing systems that work to ensure legal compliance and protection for the operator.