U.S. and UK Enter Into Landmark Data Access Agreement

Written By Haley Metteauer

On October 3, 2022, the Department of Justice (“DOJ”) announced that the Access to Electronic Data for the Purpose of Countering Serious Crime (“Data Access Agreement” or “Agreement”) between the United States of America (U.S.) and the United Kingdom of Great Britain and Northern Ireland (UK) is now in effect.

Under this landmark Agreement, service providers in the U.S. and the UK will be permitted to respond to a “qualifying, lawful” overseas production order (“OPO”) to transfer electronic data created or maintained by the provider. According to the DOJ, the Agreement will allow the U.S. and UK to “prevent, detect, investigate, and prosecute serious crime, including terrorism, transnational organized crime, and child exploitation, among others.” 

The Agreement

Domestic Law and Effect of the Agreement

Article 3 of the Agreement requires each party to “ensure that its domestic laws relating to the preservation, authentication, disclosure, and production of electronic data permit Covered Providers to comply with Orders subject to this Agreement.” These transfers may now be made “without fear of running afoul of restrictions on cross-border disclosures” as the Agreement requires that each party’s domestic laws afford “robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities subject to this Agreement.” For example, the UK must now apply the international data transfer provisions of the UK’s Data Protection Act of 2018 (the “DPA”) in accordance with the permissibility of these Agreement-induced transfers.

Additionally, Article 3 preserves a provider’s right to “raise applicable legal objections to an Order subject to this Agreement.”

Targeting Restrictions and Orders

Although the agreement “is intended to facilitate the ability of the Parties to obtain electronic data[,]” Article 4 makes clear that there are certain restrictions placed on OPOs. Specifically, these orders:

  • “must be for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of a Covered Offense”;

  • “may not be used to infringe freedom of speech or for disadvantaging persons based on their race, sex, sexual orientation, religion, ethnic origin, or political opinions”;

  • “may not intentionally target a Receiving-Party Person, and each Party shall adopt targeting procedures designed to implement this requirement”;

  • “may not target a Covered Person if the purpose is to obtain information concerning a Receiving-Party Person”;

  • “must be targeted at specific Accounts and shall identify as the object of the Order a specific person, account, address, or personal device, or any other specific identifier.”

Additionally, Article 5 provides that OPOs must be in compliance with the domestic laws of the party issuing the order (“Issuing Party”) and must put forth a “reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation.” OPOs will remain subject to “review or oversight under the domestic law of the Issuing Party by a court, judge, magistrate, or other independent authority.”  

Interest Protections

In producing information pursuant to an order, Article 6 requires a provider to submit the Covered Information to the party who, by mutual agreement of the parties, is permitted to carry out functions under the Agreement (“Designated Authority”).   

The UK government stated the permissibility of these transfers do “not compromise or erode the human rights and freedoms that our nations cherish and share” but rather “protects our citizens by improving both nations’ ability to fight serious crime while maintaining the democratic and civil liberties standards that we stand for and promote around the world.”

Article 7 further requires the UK to “adopt and implement appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning U.S. Persons acquired pursuant to an Order subject to this Agreement,” which are still consistent with the purposes of the Agreement.

Additionally, under Article 8, a citizen’s produced information may neither be utilized in a court proceeding nor transferred to a third country or international organization without first obtaining the consent of the party receiving the order (“Receiving Party”).

Enforcement

After one year of this Agreement being in effect, both parties will engage in a review of each Party’s compliance, “which may include a review of the issuance and transmission of Orders subject to this Agreement to ensure that the purpose and provisions of this Agreement are being fulfilled, and a review of the Party’s handling of data acquired pursuant to Orders subject to this Agreement to determine whether to modify procedures adopted under this Agreement.”

If concerns arise as to the implementation of this Agreement prior to the completion of the first year, the parties will consult with each other and attempt to resolve the dispute. If the parties are unable to resolve this dispute, the matter may not be referred “to any court, tribunal, or third party.” However, either party may “conclude that the Agreement may not be invoked” for the specifically requested materials.

The Agreement will remain in effect, unless terminated by written mutual agreement, for a five year period, with an option to extend the Agreement for a subsequent five year period.

Haley Metteauer
Previous

Democratic Senators Sent FTC Chair Request Updates to COPPA
Next

Industry Experts and Shareholders Point to the Need for Cybersecurity Investments