US and UK landmark cross-border data access agreement begins

The world’s first ever CLOUD Act Agreement allowing American and British law enforcement agencies to demand electronic data from serious crimes has begun.

The world’s first ever CLOUD Act Agreement that will allow American and British law enforcement agencies, with appropriate authorisation, to demand electronic data regarding serious crime, including terrorism, child sexual abuse, and cybercrime, directly from tech companies based in the other country, without legal barriers has taken force. 

The current legal assistance process can take up to two years, but the Agreement will reduce this time period considerably, while protecting privacy and enhancing civil liberties.  The historic agreement was signed by US Attorney General William P. Barr and UK Home Secretary Priti Patel at a ceremony at the British Ambassador’s residence in Washington, DC.

Attorney General William Barr said: “This agreement will enhance the ability of the United States and the United Kingdom to fight serious crime, including terrorism, transnational organised crime, and child exploitation by allowing more efficient and effective access to data needed for quick-moving investigations.  Only by addressing the problem of timely access to electronic evidence of crime committed in one country that is stored in another, can we hope to keep pace with twenty-first century threats.  This agreement will make the citizens of both countries safer, while at the same time assuring robust protections for privacy and civil liberties.”

Former Home Secretary Priti Patel said: “Terrorists and paedophiles continue to exploit the internet to spread their messages of hate, plan attacks on our citizens and target the most vulnerable.  This historic agreement will dramatically speed up investigations, allowing our law enforcement agencies to protect the public.”

Restrictions lifted 

Both governments agreed to terms which broadly lift restrictions for a broad class of investigations, not targeting residents of the other country, and assure providers that disclosures through the Agreement are compatible with data protection laws.  Each also committed to obtain permission from the other before using data gained through the agreement in prosecutions relating to a Party’s essential interest, specifically, death penalty prosecutions by the United States and UK cases implicating freedom of speech. 

The novel US-UK Bilateral Data Access Agreement will dramatically speed up investigations by removing legal barriers to timely and effective collection of electronic evidence.  Under its terms, law enforcement, when armed with appropriate court authorization, may go directly to tech companies based in the other country to access electronic data, rather than going through governments, which can take years.  The current Mutual Legal Assistance (MLA) request process, which sees requests for electronic data from law enforcement and other agencies submitted and approved by central governments, can often take many months.  Now in place, the Agreement will see the timeline obtaining evidence significantly reduced.

Power of the agreement

The Data Access Agreement sets out numerous requirements that must be met for US or UK authorities to invoke the Agreement. For example, orders submitted by US authorities must not target persons located in the UK and must relate to a serious crime. Similarly, orders submitted by UK authorities must not target US persons or persons located in the United States and must relate to a serious crime. US and UK authorities must also abide by agreed requirements, limitations and conditions when obtaining and using data obtained under the Data Access Agreement. 

The United States and the United Kingdom have selected Designated Authorities responsible for implementation of the Data Access Agreement for each country. For the United States, the Designated Authority is the Department of Justice’s Office of International Affairs (OIA), and for the United Kingdom it is the Investigatory Powers Unit of the UK Home Office.

Among its various functions as US Designated Authority, OIA has created a CLOUD team to review and certify orders that comply with the Agreement on behalf of federal, state, local, and territorial authorities located in the United States, transmit certified orders directly to UK service providers, and arrange for the return of responsive data to the requesting authorities.

Data protection 

Dr Ilia Kolochenko, Founder of ImmuniWeb, and a member of Europol Data Protection Experts Network has commented on the new agreement. 

The CLOUD Act certainly accelerates and simplifies complex investigations in cyberspace, being an efficient and effective alternative to now-outdated MLATs and other traditional instruments used in cross-border criminal investigations. The executive agreement between the US and the UK enacted under the Act will, however, unlikely have a revolutionary effect," he says. 

"Law enforcement agencies from the two countries have already established tenable and rapid communication mechanisms when seeking digital evidence from each other in transborder criminal investigations. Likewise, while Australia has also joined the club, other countries are reluctant to participate because of, among other things, privacy concerns. Cybercriminals are well aware of it and purposely store their data in countries that are reluctant to cooperate in cross-border criminal matters, preferably in those states that still have not signed the Budapest Convention on Cybercrime. Therefore, to ensure a frictionless investigation of transnational cybercrime and computer-enabled crime, global cooperation – involving as many jurisdictions as possible – is crucial. Nonetheless, the CLOUD Act serves a laudable example for other countries to join or enact similar legislation, he concludes. 


Featured Articles

UK police cyberattack a reminder of third party risk

Cyber criminals use back-door suppliers cyberattack to spread alarm through Britain's biggest police force

Building Cyber Resilience into ‘OT in Manufacturing’ webinar

Join Acronis' webinar, Building Cyber Resilience into ‘OT in Manufacturing’, 21st September 2023

Trustwave report on hospitality industry security threats

Nearly 31% of hospitality organisations have reported a data breach in their company’s history, according to a Trustwave cybersecurity report

Barracuda Managed XDR uses AI to uncover cyber incidents

Technology & AI

Imperva: 32% of work data breaches could have been avoided

Operational Security

Supply chain cyberattacks seen as catastrophic for business

Cyber Security