In May 2020, we published a blog post about the US-UK Data Access Agreement, a first-of-its-kind reciprocal agreement between the US and the UK. Under the agreement, law enforcement agencies in either country could obtain stored electronic data from communications service providers (CSPs) in the other country for the purpose of countering serious crime via a much-streamlined process, thereby overhauling the infamously sluggish mutual legal assistance process.
After a lengthy wait, the UK and US governments announced that they intend to bring the agreement into force on 3 October 2022, at which point substantial volumes of electronic data in the US will become available to UK law enforcement (and vice versa).
In no particular order, we've outlined below the top five things you should know in order to prepare for the imminent launch date.
The companies likely to receive an overseas production order (OPO) are CSPs – either in the US from UK law enforcement, or vice versa. Broadly speaking, that means any private entity that provides to the public the ability to communicate, process, or store computer data via a computer or telecommunications system (or which processes or stores relevant covered data on behalf of such an entity). Therefore, OPOs could be served on a huge variety of tech and communications firms in the US and the UK, including cloud storage companies, social media providers and messaging platforms. While the agreement is reciprocal, it is anticipated that the bulk of OPOs will flow from UK law enforcement to US CSPs, as the explanatory memorandum to the agreement notes that 'few UK CSPs hold data of interest to the US' (emphasis added).
Recipients of an OPO issued by the UK will have, as a default, just seven days to produce the data stipulated to the UK authorities. While we expect that early recipients of OPOs are likely to request extensions, it's highly advisable to act quickly.
Failure to comply with the order may render the recipient (and in certain circumstances, a director or officer of the recipient) in contempt of court. In addition, failure to comply with an OPO may attract publicity and reputational damage.
UK and US recipients which do business in the European Union and are subject to the General Data Protection Regulation (GDPR) will need to assess whether they have a 'legal basis'1 for sharing personal data with the law enforcement authorities submitting the OPO. UK CSPs receiving an OPO from US authorities will need to assess whether the transfer of personal data to the US can be done in accordance with the requirements of the GDPR and applicable case law. US CSPs receiving an OPO from UK authorities will not initially have the same concerns in light of the adequacy decision that the European Commission has granted to the UK. However, if the commission were to withdraw its adequacy decision (on grounds that the agreement compromises the UK's level of data protection), US companies also would need to assess whether the transfer of personal data to the UK can be done in accordance with the requirements of the GDPR and applicable case law.
It is expected that OPOs may (and will) be challenged on a significant number of different grounds, including for breach of data protection laws and to determine applicability of US or UK legal privilege protections. The primary venue to challenge OPOs sent by UK law enforcement will be the Courts of England and Wales; however, it is likely that challenges will be made concurrently in the US. The scene is now set for critically important legal challenges to be made to help determine how the new process should be applied across the CSP community.
Any parties served with an OPO are encouraged to seek legal advice as soon as possible to ensure suitable steps are taken to challenge the OPO, if necessary, and ultimately to assist in successful compliance with the OPO and balance the various competing interests whenever possible. Companies that are likely to receive numerous OPOs would be especially well-advised to take steps to ensure their systems for handling OPOs are robust and to continue to stay abreast of the sorts of issues that may give rise to challenges.
Get in touch with any member of the Cooley white collar defense & investigations team today if you would like to find out more.
1. Article 6 of the GDPR.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.