Direct access: data gathering in U.S./UK criminal investigations

The Agreement represents a sea change in cross-border access to communications data required for criminal investigations. It means that criminal authorities in each country will be able to obtain electronic data directly from a range of telecommunications companies (so-called Covered Providers) in the other country – without any need to go through the domestic authorities in the recipient country.

To enable such access to electronic data, the agreement operates alongside existing legislation, in the UK via the Crime (Overseas Production Orders) Act 2019 (COPO), and in the U.S. by the Clarifying Lawful Use of Overseas Data (CLOUD) Act.

Impact on U.S. telecommunications companies

This will impact any company whose business satisfies the definition of Covered Provider: social media platforms; messaging services; data hosting, storage and processing; cloud storage; or potentially any other company to the extent it provides clients with an ability to communicate, process or store data.

There is expected to be a greater flow of ‘overseas production orders’ (OPO) from the UK directly to Covered Providers in the U.S., primarily by virtue of the fact that there are more of these types of businesses in the U.S. There will no doubt be some OPOs flowing from U.S. authorities to UK businesses too, though probably less frequently.

Both U.S. and UK companies should know what to expect and how to respond. Time limits for the production of data are short (the default is seven days), and any challenge will need to be made in the first instance in the country from which the order has emanated.

Here is a summary of the key features of the Agreement and thoughts on some of the thorny issues that are likely to emerge. 

As international agreements go, the Agreement has a relatively narrow scope:

• Only Covered Providers can be served with an OPO; Covered Providers are defined as “any private entity to the extent that it (i) provides to the public the ability to communicate, or to process or store computer data, by means of a Computer System or a telecommunications system; or (ii) processes or stores Covered Data on behalf of an entity defined in subsection (i)”. (Art. 1(7)) This covers a wide range of social media and tech companies, as well as other companies that may provide communication or data services incidentally to their businesses.

• An OPO can only be sought if it relates to the “prevention, detection, investigation or prosecution” of a ‘Covered Offence’, meaning conduct that, under the law of the party issuing the OPO, is a crime punishable by a maximum term of imprisonment of at least three years. (Art. 4(1))

• A UK order cannot be sought in respect of a U.S. person or a person located in the U.S. A U.S. order cannot be sought in respect of a person located in the UK.

Direct orders from foreign authorities

The UK government can issue an OPO directly to a Covered Provider in the U.S. once it has obtained a UK court order. So, for example:

• the UK Serious Fraud Office (SFO) could obtain an order from the English court which would be served directly on a U.S. social media platform requiring it to produce, or allow access to, specified electronic data held by the platform. (Art. 5(5)) It is currently the case that an SFO request has to be sent to the U.S. authorities under a Mutual Legal Assistance Treaty (MLAT). The U.S. Office of International Affairs states that it currently “evaluates the request for compliance with the requirements of the MLAT or convention and U.S. law” before giving effect to the request. This filter comprises not only a system of checks, but also, in many cases, months of delay. These U.S. checks and delay are now removed in eligible cases, replaced by a UK court scrutinising the SFO request, and a direct UK court order being served on the U.S. company.

• Likewise, the U.S. Department of Justice can obtain a U.S. order and have it served directly on a UK telecommunications company, without having to go through the filter of the UK authorities.

Note that, irrespective of the Agreement, the US CLOUD Act remains fully in force such that the U.S. authorities can still access data held by U.S. communications / cloud service companies outside the U.S. even if it relates to U.S. persons/residents that are located in the UK.

Data access and confidentiality

One of the most interesting features about the Agreement is its clear focus on telecommunications firms. They are the electronic equivalent of witnesses, dragged into an investigation simply because they hold relevant information. The Agreement envisages that in some cases at least, a firm will be subject to a confidentiality order that prevents it from informing a client, ie the party on whose behalf it holds data, that it is required to produce that data. For orders emanating from the UK, a judge may add a non-disclosure requirement that would prevent the U.S.-based recipient of the order from saying anything about it. That creates risk for the recipient Covered Provider when its clients are also expecting it to safeguard their data and alert them to any issues.

Privilege

The U.S. and UK governments plan to use the Agreement primarily to target those who use telecommunications systems as an essential means to commit a range of crimes, including terrorism. However, given that gathering evidence under the Agreement will take a fraction of the time required under an MLAT, it will be very tempting for law enforcement authorities to rely on the Agreement when investigating a range of issues, including business and financial crime. Indeed, the SFO and the Financial Conduct Authority are both able to use this new regime.^[1]

If that happens, one of the more difficult issues will be how a Covered Provider deals, in a very short time frame, with an order to disclose data it holds on behalf of a client which may contain legally privileged material. Dealing with privilege is never quick or easy. It is always significantly more difficult when the material being reviewed implicates the privilege of another party, as that party may take a different (but still reasonable) view of what is and is not privileged. Further complicating the position is that in many respects U.S. privilege is broader than UK privilege. However, the Covered Providers under the Agreement, particularly if they are subject to the gag order provision described above, may have to make calls regarding another party’s privilege without the benefit of that party’s input. The Agreement does not mention privilege although COPO specifies that a UK order cannot call for privileged material. And, as noted above, the default time period for production of the required data following service is just seven days – barely time to get a significant document review exercise initiated, let alone completed.

Data protection

One of the most interesting provisions of the Agreement is its treatment of data protection requirements, particularly from the perspective of a UK Covered Provider receiving an OPO from the U.S.

For an international data transfer, UK GDPR requires an Article 6 legal basis to transfer and a relevant Chapter 5 condition to safeguard the personal data. These requirements have posed a challenge for organisations when faced with an order for data under the CLOUD Act.

In its 2019 Joint Opinion with the European Data Protection Supervisor, the European Data Protection Board (EDPB) did not consider it possible to lawfully transfer personal data under the EU GDPR in response to a CLOUD Act order except in the narrowest of circumstances (to protect vital interests of a data subject).

However, Article 9 of the Agreement, entitled “Privacy and Data Protection Safeguards”, makes the bald assertion that “The processing and transfer of data in the execution of Orders subject to this Agreement are compatible with the Parties’ respective applicable laws regarding privacy and data protection”. 

It is an eye-catching statement, insomuch as interpretation of the law has always been the province of the judiciary, rather than the executive branch (which has negotiated and signed the Agreement). It would seem to have been included at least in part to address s6(4)(c) COPO, which states that a person subject to an OPO is not required to do anything that contravenes data protection legislation.

In any event, an organisation in receipt of an OPO will need to consider data protection issues very carefully. In determining whether to comply with an OPO, a UK entity may potentially argue that the Agreement is “a legal, binding and enforceable instrument between public authorities and bodies” providing for safeguards and so fulfils a condition under UK GDPR Chapter 5 - Article 46(2)(a). The UK Government has not provided complete clarity on this in terms of detailed guidance and, while it looks to be the most appropriate condition to rely on, there is currently no precedent and so it could be open to challenge. In such a case the Covered Provider may need to consider a fall-back derogation, such as Article 49(1)(e) (transfer is necessary for establishment, exercise or defence of a legal claim).

In identifying the legal basis to transfer personal data under Article 6 of the UK GDPR, a UK Covered Provider is most likely to rely on Article 6(1)(f) legitimate interests. However, any reliance on this basis will need to be supported by documented decisions considering the necessity of the transfer and balancing of the action with the rights of the data subject. These legitimate interest tests are not always easy to achieve, particularly if the Covered Provider is relying on the legitimate interests of the recipient party where the Covered Provider may have limited information on which to base the assessment.

As the Agreement is implemented in practice, it will be interesting to see whether further guidance is forthcoming. This is particularly the case as the European Commission has flagged the Agreement as one of the factors it will consider when monitoring the UK’s positive data protection adequacy status, relied upon by many organisations to enable free flows of personal data from the EU to the UK.

Challenging an order

There are bound to be a spate of challenges from Covered Providers in receipt of early orders under this new regime. We predict challenges around the issues above, plus notice, timing extensions, encryption, whether the data is really needed for the stated purpose, and public interest.

A Covered Provider who wishes to dispute an order must raise objections in the jurisdiction where the OPO has been made, and, if they are not resolved, can raise the objections with its domestic government agency that serves as the designated authority under the Agreement. Ultimately, a domestic designated authority has the ability to conclude that an OPO issued by the other country is invalid. 

If that process is unsatisfactory, judicial challenge may follow. In the UK, any challenge to the UK government could, of course, be followed by an application for judicial review. In the U.S., we may see challenges on the basis that OPOs issued in the UK violate rights under U.S. law, including that they seek material that is privileged under U.S. law but not under English law (given the former’s broader scope).

Next steps

We can expect the UK authorities to request OPOs, given the game-changing efficiency it gives them. No doubt that efficiency will be tested by the issues above (and others), especially in the early days of use. The UK Government’s 2023 Fraud Strategy reported that the Agreement is already in use and, as of May 2023,  UK and US agencies have made over 3,000 requests.

Australia and the U.S. have concluded a similar agreement. The U.S. has announced that it is in formal negotiations for such an agreement with Canada and negotiations are ongoing with the EU.^[2]

Companies that may be Covered Providers should be considering how to respond to an OPO, including whether their current processes are sufficient to provide data within what may be very short time frames. Both Covered Providers and their clients should also be considering whether their commercial agreements require any amendments to take account of this; standard agreements should make exceptions for confidentiality when legally compelled but it may be worth considering, for example, whether provision needs to be made for legally privileged material that a Covered Person may be required to review.

[1]s2(1)(a) COPO
[2] https://www.justice.gov/opa/communiqu-eu-us-justice-and-home-affairs-ministerial-meeting