The Data Access Agreement (DAA), by which the US and UK have agreed how one country can respond to lawful data demands from police and investigators in the other, took effect on Monday.
The DAA (aka the Access to Electronic Data for the Purpose of Countering Serious Crime) is intended to facilitate cross-border law enforcement within the boundaries set by privacy and civil liberties laws, though a legal analysis by the Brooklyn Journal of International Law on the agreement suggests a more nuanced impact, with some civil rights enhanced, others reduced, and uncertainty when people from other countries are involved.
The DAA spells out US and UK obligations under the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which the US Congress approved in 2018. The CLOUD Act authorized bilateral agreements like the DAA between the US and its foreign partners, because the other major mechanism for international cooperation – Mutual Legal Assistance Treaties, or MLATs – takes too long. Other countries like Australia have negotiated their own agreements for making legal requests for data.
“Under the Data Access Agreement, service providers in one country may respond to qualifying, lawful orders for electronic data issued by the other country, without fear of running afoul of restrictions on cross-border disclosures,” the US Justice Department said in a statement.
“The Data Access Agreement fosters more timely and efficient access to electronic data required in fast-moving investigations through the use of orders covered by the Agreement.”
The Justice Department says the DAA will facilitate the prevention, detection, investigation, and prosecution of serious crime, such as terrorism, transnational organized crime, and child exploitation. The UK Home Office characterizes the DAA similarly and contends that it will help the UK particularly because so much online data is held by companies operating with the US where it hasn’t been easily available.
“Many of the currently popular telecommunications services, such as social media platforms and messaging services, operate within US jurisdiction,” the Home Office said in a recent policy paper.
“Unfortunately, US law prohibits these companies from being able to share certain data in response to a request made directly by a foreign government. This means that data which might be essential to an investigation cannot be obtained.”
Indeed, the bulk of overseas production orders – legal demands for data – are expected to be served on US communications service providers by UK authorities because there are comparatively fewer UK companies holding data of interest to US law enforcement.
The enthusiasm for the DAA demonstrated by US and UK legal authorities isn’t entirely shared among academics and rights advocates.
Tim Cochrane, a doctoral candidate in law at the University of Cambridge in the UK, analyzed the legal framework in an article [PDF] titled “Digital Privacy Rights and the CLOUD Act.”
He argues that while the CLOUD Act represents a net gain for US and UK persons by bringing the legal regime back to the baseline protections sometimes compromised under MLATs, these rules still should receive more legislative attention to ensure bilateral agreements are consistent with privacy and legal commitments.
“The rights-enhancing aims of Cloud Act agreements should be welcomed,” he concludes. “Much more is required, however, for these aims to be realized. The current protection gaps under the US-UK Agreement threaten to undermine rights for [third-country persons] – i.e. most persons across the world.” ®