US-UK system to access electronic data to combat serious crime comes into effect

On 3rd October 2022, the United States Department of Justice announced that the Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime (“Data Access Agreement”/ “Agreement”) entered into force. It was signed in October 2019, between the governments of the United States of America and the United Kingdom of Great Britain and Northern Ireland. The Agreement is authorized by the Clarifying Lawful Overseas Use of Data (CLOUD) Act, enacted by the United States in 2018. It furthers international cooperation against exploitation of data localization laws by criminals. It seeks to facilitate timely and efficient access to vital electronic data by investigators of both countries to combat serious crimes without violating privacy and civil liberties standards. The Agreement requires such orders to relate to offences that are punishable by a maximum term of imprisonment of at least three years.

According to the Department of Justice announcement, service providers in one country may now respond to qualifying, lawful electronic data disclosure orders issued by the other country, without fear of violating restrictions on cross border disclosures. It will allow authorities of one country quicker access to information relating to prevention, detection, investigation, or prosecution of serious crimes, held by service providers in the other country.

The Agreement prohibits authorities of one country from issuing orders that intend to (a) target person(s) in the other country; (b) infringe freedom of speech; or (c) disadvantage person based on factors like their race, sexual orientation, religion etc. It mandates that such an order must identify a specific identifier like a specific person as the object of the order.

The Agreement places limitations on the use and transfer of data acquired pursuant to an order subject to the Agreement, including compliance with the domestic laws of the country issuing such orders.

The Agreement requires the two countries to apply the 2016, Amsterdam agreement between the USA and the EU on the Protection of Personal Information relating to the Prevention, Investigation, Detection and Prosecution of Criminal Offences to all personal information produced in execution of orders under the Agreement.Processing and transferring of such data should comply with the corresponding privacy and data protection laws of USA and UK.

In furtherance of its functions under the Agreement, OIA has created a CLOUD team to review and certify orders that comply with the Agreement on behalf of federal, state, local and territorial authorities located in the United States, transmit certified orders directly to the UK service providers, and arrange for return of responsive data to the requesting authorities.

Unless terminated earlier the Agreement will remain in force for a five year period.