The United States and the United Kingdom of Great Britain and Northern Ireland (UK) required a more efficient mechanism for cross-border data transfer between the two countries, especially for gaining access to data relating to serious crimes. This has led to the enactment of a landmark agreement between the governments of the two countries on “Access to Electronic Data for the Purpose of Countering Serious Crime” (“DAA” or “Agreement”).
Read on to learn more about the UK-US DAA and how it affects electronic communications service providers in both countries.
What is the UK-US Data Access Agreement?
The UK-US DAA is a bilateral agreement between the UK and the US, which came into force in October 2022. The agreement was signed to enable both countries to share information and intelligence with each other for the purpose of law enforcement or other national security purposes, including preventing, detecting, investigating, and prosecuting serious crimes, such as terrorism, transnational organized crime, and child exploitation.
The Agreement will enable both countries to further their relations and help each other protect their citizens from serious crimes. Under the DAA, each state party would be required to ensure that its national legal framework allows service providers operating within its territory to lawfully respond to requests for electronic data made by the relevant public authorities in the other state party’s jurisdiction. The DAA mandates that all such requests and the treatment of any acquired data should be compliant with the applicable domestic legal framework to a public authority is subject.
Moreover, it is important to note that the requests submitted by the public authorities of either member state requiring the disclosure or production of any electronic data should not intentionally target persons or governmental or private entities located in the other member state. Public authorities in each member state should seek information about the persons and entities located in their own jurisdiction who are involved in criminal activities but may evade liability due to the data localization requirements imposed on communications service providers operating in the member state.
In the US, the DAA is authorized by the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which was enacted in 2018. By allowing both countries to share relevant data with each other, the Agreement not only improves their mutual relationship but also helps interfere with or hamper possible threats and protect residents. Under the DAA, both countries can share information with greater speed and efficiency, which was a significantly slower process pre-DAA.
Why is the DAA Needed?
A policy paper by the UK government highlights that whenever a UK law enforcement agency tries to identify, investigate, intercept, and prevent any serious crime, it seeks relevant data against the individual or organization believed to be engaged in or possibly involved in criminal activities. With increasing digitalization, such data may be collected, stored, and processed by electronic communications service providers, such as social media platforms or messaging services. Law enforcement agencies in the UK are able to get access to data required by them in a relatively easy manner if the concerned service providers are based in the UK, provided they are compliant with the applicable local legal framework.
However, UK law enforcement bodies face difficulties when requesting access to data collected by US-based communications service providers. US laws prohibit these service providers from sharing certain data across US borders in response to requests directly made by foreign government bodies. For instance, the Stored Communications Act (SCA) prohibits US electronic communication services providers from disclosing the contents of the communication to any other person or entity, including foreign governmental bodies.
Moreover, the WireTap Act forbids providers from intercepting the contents of communications without the consent of one of the parties to the communications. Although the foregoing legislations provide mechanisms for US public bodies to compel the production of any communications content, the framework does not extend to foreign governmental bodies.
While mutual legal assistance (MLA) frameworks allow for the intergovernmental exchange of data, such mechanisms are fairly time-consuming and might take even months to process. This can hinder the efficient resolution of criminal investigations. Lack of timely executive and judicial action may also enable criminals to continue to spread harm in society, leaving people vulnerable to many kinds of threats.
The DAA will therefore enable law enforcement agencies in both the UK and the US to gain timely access to electronic data required for criminal investigations and ensure that criminals can’t hide behind jurisdictional barriers and continue with their illicit activities.
Who Will Enforce the UK-US DAA?
The United States and the United Kingdom have selected their respective Designated Authorities that will be authorized to enforce the Agreement. The UK has made the Investigatory Powers Unit of the UK Home Office its Designated Authority to enforce DAA, while the US made the Department of Justice’s Office of International Affairs its Designated Authority.
OECD Declaration on Government Access to Personal Data held by Private Sector Entities
It is interesting to note that the United States and the United Kingdom, along with 36 other countries and the EU, also issued a declaration on public bodies (including national security and law enforcement agencies) access to personal data held by private sector entities (Declaration).
The Declaration sets out the principles which governments should adhere to while accessing personal data held by private entities, that is, having a legal basis for accessing the data, legitimate aims, prior approvals for government access, data handling by authorized personnel, internal frameworks to prevent data loss or unauthorized access, transparency, efficacious and impartial oversight for compliance with the legal framework, and effective judicial and non-judicial redress mechanisms.
Final Thoughts
The DAA isn’t the first bilateral data access agreement entered into by the US. In fact, the US signed the Cloud Act Agreement with Australia in 2022, and a similar agreement is being proposed between the US and Canada. It is also important to note that the OECD declaration states that a country’s implementation of the principles should be taken into account by other member states “as a positive contribution” toward a determination that cross-border data flows should be facilitated, for example, in the context of the EU specifically for the US, through an adequacy finding.
The data privacy landscape is changing frequently and abruptly. It is yet to be seen how these bilateral agreements will affect or influence the existing cross-border regulations and other legal frameworks, such as the Privacy Shield 2.0 - however it is plainly clear the direction in which the United States, the European Union, the UK, and other OECD are heading towards with these agreements: greater legal integration and development of common standards are in a bid to facilitate legal cross border data flows.