US DOJ Announces “Landmark” Agreement with UK, Allowing Direct Access to Overseas Tech Company Data and Negotiations with Australia for Similar Agreement
On October 3, 2019, the Department of Justice announced that the United States and the United Kingdom had entered into a “landmark” agreement, which allows, in some circumstances, the US and the UK to demand electronic data “directly from tech companies located in the other country, without legal barriers” (the “US-UK Agreement”).1 The US-UK Agreement is the first of its kind, and just days later, DOJ announced that it was negotiating a similar agreement with the government of Australia.2 While both the US-UK Agreement and the potential agreement with Australia are significant in and of themselves, more broadly, they highlight DOJ’s larger efforts to streamline the process by which the government can obtain evidence located abroad.
The US entered the agreement with the UK pursuant to the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act of 2018. The CLOUD Act was enacted in the wake of the Second Circuit’s 2016 decision in Microsoft Corp. v. United States. In Microsoft, the Second Circuit held that the government could not use a warrant obtained under the Stored Communications Act (“SCA”) to compel a US-based internet service provider to produce emails stored on a server in Ireland. SCA warrants are the primary means by which the US government obtains email and other content from internet service providers.
The CLOUD Act made two significant amendments to the SCA, both of which were intended to make it easier for U.S. authorities to access overseas data. First, the CLOUD Act clarified the SCA’s extraterritorial reach, making explicit that providers served with legal process pursuant to the SCA must comply with that process “regardless of whether” the materials sought are “located within or outside of the United States.”3
Second, the CLOUD Act authorizes the Attorney General, with the concurrence of the Secretary of State, to enter into executive agreements, allowing foreign governments to obtain data stored in the US, pursuant to their own foreign legal process, without having to go through US authorities.4 Foreign governments seeking to enter such an agreement must meet certain requirements, including the existence of “robust substantive and procedural protections for privacy and civil liberties . . . .”5
The US-UK Agreement and Potential Agreement with Australia
The US-UK Agreement is the first executive agreement entered into pursuant to the CLOUD Act. The Agreement will enter into force after a six-month period of Congressional review, mandated by the CLOUD Act, and a similar Parliamentary review in the UK. Days after announcing the US-UK Agreement, DOJ also announced that the US and Australia had begun formal negotiations regarding their own CLOUD Act agreement.
With respect to the data requests received from foreign countries pursuant to CLOUD Act executive agreements, it bears noting that the CLOUD Act itself imposes certain limits on requests from foreign governments. These include that the foreign order must relate to the investigation of a “serious crime,” must meet certain particularity requirements, and must be based on “articulable and credible facts,” although not necessarily “probable cause.”6 Further, the foreign government cannot “intentionally target a United States person or a person located in the United States, and shall adopt targeting procedures designed to meet this requirement.”7 While the US-UK Agreement itself will be released only after “Congressional and Parliamentary notification,” DOJ’s announcement explicitly asserts that the US-UK Agreement complies with several of these requirements, including the targeting restrictions. Further, the DOJ announcement notes the UK agreed to seek the US’s permission before using data obtained under the Agreement in “cases implicating freedom of speech.”
Perhaps more significantly, in enabling the US to access electronic data stored in the UK by using US legal process, the Agreement demonstrates DOJ’s on-going efforts to streamline the ways in which US authorities can obtain foreign evidence. Traditionally, to obtain foreign evidence for use in an investigation, US law enforcement must make a request pursuant to a Mutual Legal Assistance Treaty (MLAT) between the US and the foreign nation. Even assuming an MLAT exists between the US and a given country, the request must be routed through, and vetted by, centralized authorities in both the US and the foreign country. As DOJ acknowledged in announcing the US-UK Agreement, such requests “can take years” to be fulfilled. DOJ’s press release announcing the US-UK Agreement explicitly distinguishes the Agreement from the traditional MLAT process and highlights that “the Agreement will see the timeline [for] obtaining evidence significantly reduced.”
Notably, in a speech the same day as the US-UK Agreement was announced, Attorney General Barr cited, as one benefit of the DOJ’s revised Foreign Corrupt Practices Act Corporate Enforcement Policy, the fact that the policy encouraged cooperation and thereby allowed DOJ to “take more investigative steps and gather more evidence without having to go through as many formal processes, including [MLAT] requests.”8 Thus, while the long-term impact of CLOUD Act agreements remains to be seen, DOJ’s multi-pronged efforts to avoid, or at least streamline, the time-consuming MLAT process indicate the Department will continue to focus on cross-border investigations going forward. Moreover, for companies that are considering cooperating with DOJ in its investigations of overseas conduct, DOJ’s repeated recognition of the challenges inherent in the MLAT process provides grist for highlighting the value of the company’s cooperation with the government and thereby obtaining a favorable disposition.
1 See Press Release, U.S. And UK Sign Landmark Cross-Border Data Access Agreement to Combat Criminals and Terrorists Online, available at https://www.justice.gov/opa/pr/us-and-uk-sign-landmark-cross-border-data-access-agreement-combat-criminals-and-terrorists (last visited Oct. 10, 2019).
2 See Press Release, Joint Statement Announcing United States and Australian Negotiation of a CLOUD Act Agreement by U.S. Attorney General William Barr and Minister for Home Affairs Peter Dutton, available at https://www.justice.gov/opa/pr/joint-statement-announcing-united-states-and-australian-negotiation-cloud-act-agreement-us (last visited Oct. 10, 2019).
3 18 U.S.C. § 2713.
4 See 18 U.S.C. § 2523.
5 See 18 U.S.C. § 2523(b).
6 See 18 U.S.C. § 2523(b)(4)(D).
7 See 18 U.S.C. § 2523(b)(4)(A).
8 See U.S. Attorney General William P. Barr Delivers Remarks at the U.S. Securities and Exchange Commission’s Criminal Coordination Conference, available at https://www.justice.gov/opa/speech/us-attorney-general-william-p-barr-delivers-remarks-us-securities-and-exchange-commission (last visited Oct. 7, 2019).