US-UK Data Access Agreement: Top Five Things to Know

In May 2020, we published a blog post about the US-UK Data Access Agreement, a first-of-its-kind reciprocal agreement between the US and the UK. Under the agreement, law enforcement agencies in either country could obtain stored electronic data from communications service providers (CSPs) in the other country for the purpose of countering serious crime via a much-streamlined process, thereby overhauling the infamously sluggish mutual legal assistance process.

After a lengthy wait, the UK and US governments announced that they intend to bring the agreement into force on 3 October 2022, at which point substantial volumes of electronic data in the US will become available to UK law enforcement (and vice versa).

In no particular order, we’ve outlined below the top five things you should know in order to prepare for the imminent launch date.

Recipients

The companies likely to receive an overseas production order (OPO) are CSPs – either in the US from UK law enforcement, or vice versa. Broadly speaking, that means any private entity that provides to the public the ability to communicate, process, or store computer data via a computer or telecommunications system (or which processes or stores relevant covered data on behalf of such an entity). Therefore, OPOs could be served on a huge variety of tech and communications firms in the US and the UK, including cloud storage companies, social media providers and messaging platforms. While the agreement is reciprocal, it is anticipated that the bulk of OPOs will flow from UK law enforcement to US CSPs, as the explanatory memorandum to the agreement notes that ‘few UK CSPs hold data of interest to the US’ (emphasis added).

Timing

Recipients of an OPO issued by the UK will have, as a default, just seven days to produce the data stipulated to the UK authorities. While we expect that early recipients of OPOs are likely to request extensions, it’s highly advisable to act quickly.

Liability

Failure to comply with the order may render the recipient (and in certain circumstances, a director or officer of the recipient) in contempt of court. In addition, failure to comply with an OPO may attract publicity and reputational damage.

Data protection

UK and US recipients which do business in the European Union and are subject to the General Data Protection Regulation (GDPR) will need to assess whether they have a ‘legal basis’¹ for sharing personal data with the law enforcement authorities submitting the OPO. UK CSPs receiving an OPO from US authorities will need to assess whether the transfer of personal data to the US can be done in accordance with the requirements of the GDPR and applicable case law. US CSPs receiving an OPO from UK authorities will not initially have the same concerns in light of the adequacy decision that the European Commission has granted to the UK. However, if the commission were to withdraw its adequacy decision (on grounds that the agreement compromises the UK’s level of data protection), US companies also would need to assess whether the transfer of personal data to the UK can be done in accordance with the requirements of the GDPR and applicable case law.

Challenge

It is expected that OPOs may (and will) be challenged on a significant number of different grounds, including for breach of data protection laws and to determine applicability of US or UK legal privilege protections. The primary venue to challenge OPOs sent by UK law enforcement will be the Courts of England and Wales; however, it is likely that challenges will be made concurrently in the US. The scene is now set for critically important legal challenges to be made to help determine how the new process should be applied across the CSP community.

Any parties served with an OPO are encouraged to seek legal advice as soon as possible to ensure suitable steps are taken to challenge the OPO, if necessary, and ultimately to assist in successful compliance with the OPO and balance the various competing interests whenever possible. Companies that are likely to receive numerous OPOs would be especially well-advised to take steps to ensure their systems for handling OPOs are robust and to continue to stay abreast of the sorts of issues that may give rise to challenges.

Get in touch with any member of the Cooley white collar defense & investigations team today if you would like to find out more.

Notes

1. Article 6 of the GDPR.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.