Department of Justice Announces New Data Sharing Agreement with the United Kingdom
On October 3, the Department of Justice (DOJ) announced that the Access to Electronic Data for the Purpose of Countering Serious Crime is now in effect. Under this landmark Agreement, service providers in the US and the UK will be permitted to transfer electronic data in response to a “qualifying, lawful” overseas production order (OPO).
According to the DOJ, the Agreement will allow the US and UK to “prevent, detect, investigate, and prosecute serious crime, including terrorism, transnational organized crime, and child exploitation.”
Domestic Law and Effect of the Agreement
Article 3 of the Agreement requires each party to “ensure that its domestic laws relating to the preservation, authentication, disclosure, and production of electronic data permit Covered Providers to comply with Orders subject to this Agreement.” These transfers may now be made “without fear of running afoul of restrictions on cross-border disclosures” as the Agreement requires that each party’s domestic laws afford “robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities subject to this Agreement.” For example, the UK must now apply the international data transfer provisions of the UK’s Data Protection Act of 2018 in accordance with the permissibility of these Agreement-induced transfers.
Additionally, Article 3 preserves a provider’s right to “raise applicable legal objections to an Order subject to this Agreement.”
Targeting Restrictions and Orders
Although the agreement “is intended to facilitate the ability of the Parties to obtain electronic data[,]” Article 4 makes clear that there are certain restrictions placed on OPOs. Specifically, these orders:
- “Must be for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of a Covered Offense”
- “May not be used to infringe freedom of speech or for disadvantaging persons based on their race, sex, sexual orientation, religion, ethnic origin, or political opinions.”
- “May not intentionally target a Receiving-Party Person, and each Party shall adopt targeting procedures designed to implement this requirement.”
- “May not target a Covered Person if the purpose is to obtain information concerning a Receiving-Party Person.”
- “Must be targeted at specific Accounts and shall identify as the object of the Order a specific person, account, address, or personal device, or any other specific identifier.”
Additionally, Article 5 provides that OPOs must be in compliance with the domestic laws of the party issuing the order (“Issuing Party”) and must put forth a “reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation.” OPOs will remain subject to “review or oversight under the domestic law of the Issuing Party by a court, judge, magistrate, or other independent authority.”
In producing information pursuant to an order, Article 6 requires a provider to submit the Covered Information to the “Designated Authority,” the party who, by mutual agreement of the parties, is permitted to carry out functions under the Agreement.
The UK government stated the permissibility of these transfers do “not compromise or erode the human rights and freedoms that our nations cherish and share” but rather “protects our citizens by improving both nations’ ability to fight serious crime while maintaining the democratic and civil liberties standards that we stand for and promote around the world.”
Article 7 further requires the UK to “adopt and implement appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning U.S. Persons acquired pursuant to an Order subject to this Agreement,” which are still consistent with the purposes of the Agreement.
Additionally, under Article 8, a citizen’s produced information may neither be utilized in a court proceeding nor transferred to a third country or international organization without first obtaining the consent of the party receiving the order.
After one year of this Agreement being in effect, both parties will engage in a review of each party’s compliance, “which may include a review of the issuance and transmission of Orders subject to this Agreement to ensure that the purpose and provisions of this Agreement are being fulfilled, and a review of the Party’s handling of data acquired pursuant to Orders subject to this Agreement to determine whether to modify procedures adopted under this Agreement.”
If concerns arise as to the implementation of this Agreement prior to the completion of the first year, the parties will consult with each other and attempt to resolve the dispute. If the parties are unable to resolve this dispute, the matter may not be referred “to any court, tribunal, or third party.” However, either party may “conclude that the Agreement may not be invoked” for the specifically requested materials.
The Agreement will remain in effect, unless terminated by written mutual agreement, for a five year period, with an option to extend the Agreement for a subsequent five year period.
* * * * * * *
To read our news alerts, which include a proposed EU privacy rule for service providers, updates from New York’s new CIO, and results from a study about the business benefits of cybersecurity, click here.
This week’s breach report covers breaches of the following companies: Keystone Health, SHEIN, and Woolworth. Click here to find out more.
To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.
Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!