On 3 October 2019, the UK and US governments signed the first bilateral Data Access Agreement (the Agreement) under the US Clarifying Lawful Overseas Use of Data Act 2018 (CLOUD Act) and the UK Crime (Overseas Production Orders) Act 2019.

The Agreement seeks to facilitate faster and more direct access by each country’s agencies in criminal matters  to electronic information held by companies in the other jurisdiction (and in particular data held by technology companies on email servers or cloud systems).  The Agreement does not permit private (civil) litigants to have access to this data.

The Agreement will enable American and British law enforcement agencies, including the US Department of Justice (DOJ) and the UK Serious Fraud Office (SFO), to request electronic data related to terrorism, child sexual abuse and other serious crimes directly from technology firms[1] in the respective countries.

Under the Agreement, the requesting country will need authorisation from a court, judge, magistrate or other independent authority in order to request data. Under the Agreement both countries agree:

  • to target only suspects who are not residents of the country from which the evidence is being gathered (i.e. neither the UK or the US);
  • to ensure compliance with data protection laws when disclosing data under the Agreement (though how this would happen is not specifically addressed in the Agreement); and
  • to obtain permission from the other in cases where data collected under the Agreement needs to be used during prosecutions that is of the specific interest of either the US or the UK, particularly where information is being gathered in the UK for death penalty cases in the US and data is being gathered in the US in cases implicating freedom of speech in the UK.

Importantly, the Agreement does not provide a mechanism for law enforcement agencies to access encrypted messages.

The Agreement is currently being reviewed by UK Parliament and US Congress, but once in force it will significantly speed up evidence gathering by providing an alternative to the traditional Mutual Legal Assistance (MLA) regime, under which data requests need to be routed via and approved by the other country’s government.  The Agreement has a term of five years, but either party may terminate it on 30 days’ notice.

[1] The CLOUD Act defines technology firms as including email providers, mobile phone companies, social media networks and cloud storage services.

*Andrew Reeves (UK) and Lorenza Cocco (UK) also assisted in the preparation of this article.