On October 3, 2022, the UK-U.S. Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime (the UK-U.S. Agreement) came into force. The UK and U.S. governments signed the UK-U.S. Agreement on October 3, 2019 under the U.S. Clarifying Lawful Overseas Use of Data Act of 2018 (the “CLOUD Act”). The U.S. government is negotiating similar agreements with the governments of Canada, Australia and New Zealand, but it has not yet concluded one with the European Union.
What is the U.S. CLOUD Act?
The CLOUD Act was adopted in the U.S. in 2018 to allow U.S. authorities to obtain access to, and the preservation of, electronic data stored overseas by electronic communication service providers and remote computing service providers subject to U.S. jurisdiction, including U.S.-headquartered providers. Such data had previously been beyond the practical reach of U.S. law enforcement and investigatory authorities unless they went through the traditional mutual legal assistance treaty (“MLAT”) mechanism. The U.S. government wanted a streamlined process for obtaining such data in the interest of fighting serious crime, including child exploitation, terrorism, significant financial fraud and other crimes affecting national security. The UK adopted similar legislation in the form of the Crime (Overseas Production Orders) Act 2019.
How does the GDPR regulate requests from courts or public authorities of third countries?
Under Article 48 of the GDPR, which the UK retained as domestic law in the UK GDPR, a judgment or decision of a third-country court or public authority requiring the transfer or disclosure of personal data stored in the UK is only enforceable if it is based on an international agreement, such as an MLAT. Under an MLAT, a request is usually sent by the requesting authority through official channels to the counterpart authority in the other country, which then, in turn, issues an order to a service provider in its own jurisdiction in line with domestic law.
The UK-U.S. Agreement aims to make access to data easier and quicker than under an MLAT by allowing U.S. public authorities to serve orders to access or preserve data on UK service providers directly, without needing their UK counterparts to issue such orders on their behalf.
Are the obligations under the UK-U.S. Agreement compatible with the GDPR?
The UK-U.S. Agreement has two main aims. One is to ensure that UK law allows service providers to comply with the orders of U.S. public authorities (Art. 3.1 of the UK-U.S. Agreement). The other is to ensure that “[T]he processing and transfer of data in the execution of Orders subject to this Agreement are compatible with the Parties’ respective applicable laws regarding privacy and data protection” (Art. 9.2 of the UK-U.S. Agreement).
These two aims sit uneasily together given the GDPR obligations of service providers based in the UK and the CJEU’s Schrems II judgment. That judgment found that U.S. public authorities, in certain circumstances, do not apply the principles of necessity and proportionality when accessing and using EU personal data, and that EU data subjects lack effective remedies (Schrems II was decided before the end of the Brexit transition period and so forms part of retained EU case law in the UK). If, however, the anticipated EU-U.S. Data Privacy Framework resolves these concerns, the UK is likely to seek to rely on the same arrangements, and the underlying U.S. executive order should then also apply to requests for data made under the UK-U.S. Agreement.
The European Commission reviewed the UK-U.S. Agreement before adopting its adequacy decision for the UK in June 2021, which covers transfers of personal data originating in the EU. Its concern was that U.S. law enforcement authorities could gain access to EU personal data after it had been transferred onward from the EU to the UK. Despite the European Data Protection Board’s concerns regarding the UK-U.S. Agreement, the European Commission was satisfied at the time that the UK-U.S. Agreement applies the protections set out in the EU-U.S. Umbrella Agreement to all personal data produced or preserved under it.
Because the details of how the U.S. authorities would implement the data protection safeguards in the UK-U.S. Agreement were unknown in 2021, the European Commission required the UK government to inform it of those details before the UK-U.S. Agreement came into force. It is not clear whether the UK government has done so. In any case, the European Commission will evaluate the application of the UK-U.S. Agreement as part of its continuous monitoring of the UK adequacy decision.
The EU-U.S. Agreement
The EU and the U.S. have been negotiating an arrangement similar to the UK-U.S. Agreement since the joint statement announcing the negotiations in September 2019. However, these negotiations stalled because the EU had not yet passed the Regulation on European Production and Preservation Orders for electronic evidence in criminal matters (the E-evidence Regulation), which it regards as a precondition for signing an EU-U.S. agreement. The European Data Protection Supervisor’s opinion on the E-evidence Regulation emphasized that the EU data protection framework must be respected in such data exchanges with foreign governments and called for greater involvement of EU judicial authorities in overseeing compliance.
Time will tell how the EU data protection framework will be applied in an eventual EU-U.S. agreement. If that agreement contains more detailed data protection safeguards than the current UK-U.S. Agreement, the European Commission is likely to require equivalent protections from the UK for EU personal data transferred onward from the EU to the UK. This could in turn mean that transfers between the UK and the U.S. will require adjustments to the UK’s International Data Transfer Agreement or the UK Addendum, for example by adding safeguards such as a commitment to challenge requests for data made under the UK-U.S. Agreement (where the importer is aware of them).
Practical steps for organisations
U.S.-headquartered service providers with an establishment in the UK (for example email providers, telecommunications operators, social media platforms and cloud storage providers) are subject to the UK GDPR because they are established in the UK. Now that they may start receiving requests to access or preserve data under the UK-U.S. Agreement, such organisations should consider additional measures to ensure that no UK personal data, and no EU personal data transferred onward to the UK, is accessed without valid authorisation and in breach of the GDPR. Service providers have the right to object to requests to access or preserve data under the UK-U.S. Agreement.[1] They will need to challenge any requests that are incompatible with their GDPR obligations or with the principles of necessity and proportionality, and to notify customers of any requests received from U.S. authorities so that customers have an opportunity to protect their personal data.
[1] Article 5.11 of the UK-U.S. Agreement.