Alert
October 7, 2019

US-UK Bilateral Agreement to Authorize Direct Data Requests From Foreign Law Enforcement and Process for Challenging Requests

The Department of Justice announced that the United States and the United Kingdom have reached a bilateral agreement under the CLOUD Act that would permit service providers to disclose data in response to requests issued directly from their respective foreign government law enforcement agencies. Companies subject to both U.S. and U.K. data protection laws should welcome the move, which seeks to address tension between conflicting legal requirements including, for example, U.S. law and European data protection law, and adds a legal mechanism for companies to challenge requests that present such conflicts.

On October 3, 2019, the Department of Justice announced that the United States and the United Kingdom had reached an Executive Agreement authorized under the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) that would allow each country’s law enforcement agencies to request electronic data regarding serious crime (e.g., terrorism, child sexual abuse, cybercrime, and other transnational crime) directly from companies based in the other country. Law enforcement previously sought foreign-held information through Mutual Legal Assistance (MLA) treaties, but those requests could take years to complete. The “US-UK Bilateral Data Access Agreement” opens an alternative path for speedy access to data in appropriate cases.

The CLOUD Act, passed by Congress on March 23, 2018, clarified that, under the Stored Communications Act, 18 U.S.C. §§ 2701, et seq., U.S. law enforcement can compel service providers to disclose electronic communications and records, regardless of whether such information is stored in the United States or abroad. Relevant here, the CLOUD Act also recognized that the Stored Communications Act prohibited service providers (that are subject to U.S. jurisdiction and foreign jurisdiction) from complying with valid requests from foreign law enforcement. Companies are now permitted — but not required — to disclose information to a qualifying foreign government with which the United States has entered into an Executive Agreement.

The CLOUD Act also creates a special legal mechanism for service providers — both foreign and domestic — to challenge requests made under the Stored Communications Act where the provider reasonably believes that the customer is not a U.S. person and does not reside in the United States, and the disclosure would violate the laws of a qualifying foreign government. The United Kingdom will become the first qualifying foreign government, though the exact terms of the agreement have yet to be released and are subject to review by the U.S. Congress and the U.K. Parliament.

There are some limitations on foreign law enforcement requests made directly to companies in the other country. For example, foreign requests may not intentionally target a U.S. person or a person located in the United States. Additionally, the purpose of obtaining information must relate to the prevention, detection, investigation, or prosecution of serious crime. Eligible foreign governments also must, with respect to the permitted data collection, afford robust substantive and procedural protections for privacy and civil liberties, and adopt appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning U.S. persons. The bilateral agreement will subject the United States to similar requirements when making direct requests to U.K. companies under the Stored Communications Act.

Goodwin’s Chambers and Legal 500 ranked Data, Privacy and Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients’ data protection needs. One of the longest-standing of any Am Law 50 firm, our global team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing and protection of their most sensitive information. Our senior lawyers include a former Chief Privacy Officer of the U.S. Department of Homeland Security, a Legal 500 “Leading Lawyer” and a “Next Generation Lawyer” in Cyber Law and Data Breach Response, as well as four other Legal 500 Cyber Law ranked partners, several former federal prosecutors, and multiple GDPR, CCPA, HIPAA, and COPPA experts. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks; have advised on over 700 public and private transactions in the last year alone; and have designed strategic privacy, information security and compliance programs for startups, global enterprises, and everything in between. We have litigated landmark privacy cases and defended against class action and government enforcement actions brought by the FTC, OCR/HHS, state attorneys general and regulators across the globe.