On 3 October 2022, the Data Access Agreement (DAA) between the UK and US (see our earlier blog here) came into force. In this blog post we look at this landmark agreement and consider its impact.
What is the US-UK Data Access Agreement?
Under the new agreement, on receipt of a qualifying lawful order, telecommunication service providers based in the US are required to promptly share data with UK law enforcement authorities, and vice versa. For an order to be qualifying and lawful, a number of requirements have to be met, including that the order is sought for the purpose of a serious crime investigation and that there are reasonable grounds for believing the recipient has possession or control of the requested data. Failure to comply with such an Overseas Production Order (OPO) may render the recipient in contempt of court and is likely to attract negative publicity and reputational damage.
The key purpose of the DAA is “to allow UK and US law enforcement to directly request data held by telecommunications providers in the other party’s jurisdiction for the exclusive purpose of preventing, detecting, investigating and prosecuting serious crimes including terrorism, child sexual abuse and exploitation”. Whilst the stated purpose of the DAA refers to terrorist and sexual abuse offences, it has much broader scope to be used in respect of any “serious crime” and may therefore be relied on in fraud and financial crime investigations, allowing key data to be shared much more quickly.
Who does the agreement apply to?
The types of US and UK service providers who may be ordered to provide relevant data to the authorities include a wide range of telecommunications companies, such as mobile phone companies, social media providers, cloud storage companies and messaging platforms.
How is it different from existing legislation?
Prior to the DAA coming into effect, law enforcement agencies had to rely on the US-UK Treaty on Mutual Legal Assistance (MLAT) in order to access documents from the other jurisdiction. The difficulty with the MLAT process is that it can take months or even years before authorities receive the requested data, and requests must be sent via, and approved by, the recipient country’s government. In addition, the MLAT process is costly for governments, as authorities incur the cost of facilitating the data production.
Under the DAA, a company issued with an OPO will have, by default, just seven days to produce the data requested. Whilst it is anticipated that extensions will be granted, the OPO nevertheless allows electronic data to be shared far more efficiently and quickly than the MLAT process. OPOs made under the DAA will also be issued directly to the recipient companies, rather than via government authorities. This shifts the financial burden of facilitating compliance from the subject of the investigation and government authorities to the recipient tech companies.
Challenges brought by the legislation
The DAA has raised concerns in relation to data privacy and the protection of legal privilege, in particular as there are no safeguarding requirements to consult the individual or company under investigation (although any OPO must include a written certification by the issuing party that the OPO is lawful). Some critics have also noted that the provisions in the DAA are not consistent with the requirements under the MLAT (which may lead to confusion in certain scenarios) and that the DAA is asymmetrical, with differences in the scope between the US and UK powers under the legislation.
Going forward, telecoms companies should have systems and procedures in place to respond to OPOs, whilst ensuring that local data laws are adhered to. Companies and individuals subject to investigations will also have to consider the availability of OPOs in establishing their strategy as regards responding to investigations.
With thanks to Stephanie Allen for her assistance in preparing this post.