US – UK Data Access Agreement

27 Nov 2022

The US-UK Data Access Agreement, signed in 2019, came into force recently on 3 October 2022. It allows law enforcement in each jurisdiction to directly request personal data held by telecommunication providers in the other party’s jurisdiction.

The Agreement’s main purpose is to facilitate and quicken the process of getting personal data for the purpose of preventing, detecting, investigating and prosecuting serious crimes – crimes punishable with a maximum term including imprisonment of at least three years, such as terrorism, or child sexual abuse and exploitation.

Background

Until the Agreement came into force, the sharing of personal data between public authorities of different jurisdictions was carried out under Mutual Legal Assistance Treaties (MLAT). Under an MLAT, a request would be sent by a court through diplomatic channels to another jurisdiction’s court, which would then send the personal data request to a service provider in its jurisdiction in line with applicable domestic laws.

The Agreement

The process set out above was found by both jurisdictions to be much too slow and thus hampering investigations of serious crimes.

The Agreement is aimed at making the exchange of information easier and quicker than under MLATs. Under the Agreement, law enforcement in either jurisdiction can under domestic law (the Crime (Overseas Production Orders) Act 2019 in the UK; the CLOUD Act 2018 in the US) request the court of their jurisdiction to grant them an order that the law enforcement authority can then serve onto foreign telecommunication providers to provide access to certain personal data. Under the 2019 Act, the provider then has seven days to comply with the order.

UK Companies to keep in mind

Telecoms providers in the UK need to be careful to comply with data protection laws in complying with any such orders – and should immediately seek legal advice as there are a number of data protection issues that are likely to arise when trying to comply with such an order.

The first issue to consider is whether the telecoms provider has a lawful basis to share such information with the foreign law enforcement agency. The second is whether the personal data involves special categories (such as data relating to health) or criminal offence data, in respect of which the provider will need to ensure it complies with the additional conditions of Articles 9 and 10 UK GDPR respectively.

The provider needs to assess whether the disclosure is necessary and whether it is proportionate to actually disclose it.

Finally, as the personal data will be transferred out of UK to the US, a jurisdiction without adequacy decision, and in light of the decision in Schrems II, the provider will need to ensure that the transfer takes place on the basis of adequate safeguards and an appropriate transfer risk assessment.

Impact on UK’s adequacy decision

It is unclear as to the impact the Agreement will have on the UK’s adequacy decision, but the Agreement is unlikely to be viewed favourably in Europe. In its initial adequacy decision, the European Commission expressed concerns as to how the US would protect onward transfers of EU personal data from the UK to the US, as the concrete implementation of safeguards was still subject to discussions between the UK and the US.

The European Commission was clear at that time that the UK should communicate the results of the US discussions with the European Commission to ensure proper monitoring of the adequacy decision. Whether the UK actually informed the European Commission is as yet unknown. However, this Agreement, together with the proposed Data Protection and Digital Information Bill introduced to Parliament on 18 July 2022, leads to concerns that the UK might be at risk of losing its adequacy decision, thereby hampering the free flow of data between the EU and the UK, and the business opportunities that come with it.