On October 3, 2019, the United States and United Kingdom signed an agreement on cross-border law enforcement demands for data from service providers (“Agreement”). The Agreement is the first bilateral agreement to be entered under the Clarifying Lawful Overseas Use of Data (CLOUD) Act. It obligates each Party to remove barriers in their domestic laws so that U.S. and U.K. national security and law enforcement agencies may obtain certain electronic data directly from Communications Service Providers (“CSPs”) located in the jurisdiction of the other Party. The Agreement will go into effect 180 days after its transmission to Congress by the Attorney General, unless Congress disapproves by joint resolution.

Under the CLOUD Act, once the Agreement goes into effect, CSPs subject to jurisdiction in the United States will be excepted from a statutory prohibition that would otherwise preclude them from producing stored communications content directly to U.K. authorities. Similarly, under U.K. law, CSPs subject to jurisdiction in the United Kingdom will not be prohibited from disclosing stored content to U.S. authorities. Neither the CLOUD Act nor the Agreement establishes jurisdiction over a CSP if jurisdiction does not otherwise exist, nor do they compel a provider to produce data if the domestic law of the Party issuing the data demand does not require such production. As a general matter, the domestic law of the United States and United Kingdom largely will continue to govern demands for data issued by government agencies under the Agreement. However, in accordance with the requirements of the CLOUD Act, the Agreement imposes some important limitations on those demands, which we summarize below.

Restrictions on Law Enforcement Demands

  • Targeting Restrictions. The Agreement imposes restrictions on the accounts that may be subject to demands for data under the Agreement. Specifically, the United Kingdom may not issue demands for data of U.S. citizens, nationals, or lawful permanent residents (“U.S. persons”), nor may it demand the data of persons located inside the United States. Similarly, the United States may not demand the data of any person located in the United Kingdom. (According to the U.K. Home Office’s explanatory memorandum, the distinction between these targeting limitations for the respective countries arises from EU rules prohibiting discriminatory treatment between citizens of different member states.) (Articles 1.12, 4.3).
  • Targeting Procedures. Each Party must implement “targeting procedures” to guide decisions about which accounts may be targeted by data demands under the Agreement. (Article 7.1).
  • Serious Crime Limitation. Any law enforcement demand for data covered by the Agreement must be “for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution” of a “Serious Crime, including terrorist activity.” While the CLOUD Act does not define “serious crime,” the Agreement specifies that serious crime is an offense punishable by a maximum term of imprisonment of at least three years. (Articles 1.5, 1.14, 4.1).
  • Specific Account Limitation. Consistent with the CLOUD Act, the Agreement also provides that the order must target specific user accounts and identify a “specific person, account, address, personal device, or any other specific identifier.” In other words, the Agreement cannot be used to acquire data in bulk. (Article 4.5).

Procedures for Issuance and Enforcement of Law Enforcement Demands

  • Application of the Agreement. The Agreement is not the exclusive means by which government authorities of a Party may obtain data from CSPs subject to the other Party’s jurisdiction. Each Party may still use other legal authorities and mechanisms, such as mutual legal assistance requests, to obtain data from CSPs subject to the jurisdiction of the other Party. The Agreement provides that it “shall apply” to any demands for data as to which the Party issuing the demand “invokes” the Agreement with notice to the relevant CSP. Notice to the other Party is not required. (Articles 3.2, 11.1).
  • Certification by Designated Authority. The Agreement provides for a “designated authority”—a governmental entity designated, for the United Kingdom, by the Secretary of State for the Home Department, and for the United States, by the Attorney General. These designated authorities must review demands for data under the Agreement and certify in writing that the demand is lawful and complies with the Agreement before it may be transmitted to a CSP under the Agreement. (Article 5.7).
  • Third-Party Country Notification. If either Party issues a demand for the data of a person reasonably believed to be located in a third-party country (i.e., not in the United States or United Kingdom), the designated authority of the Party issuing the demand must notify the appropriate authorities in that third country. The Agreement excepts from this notification requirement circumstances where notice would be “detrimental to operational or national security, impede the conduct of an investigation, or imperil human rights.” (Article 5.10).
  • Appeal to Designated Authority. If a CSP has a “reasonable belief” that the Agreement may not properly be invoked with regard to the order, it can make an objection to the designated authority of the Party that issued the order. If the objections are not resolved, the CSP can also make the objection to its own designated authority. That designated authority may determine that the Agreement does not apply to the demand if it concludes the Agreement was not properly invoked. (Articles 5.11, 5.12).

Data Handling and Use Restrictions

  • Minimization Procedures. The United Kingdom is obligated to implement and apply “minimization” procedures to data received pursuant to demands under the Agreement. These procedures must “minimize the acquisition, retention, and dissemination” of information concerning U.S. persons that is inadvertently acquired under the Agreement. (Article 7.2).
  • Restrictions on Data Transfer to the United States. The minimization procedures must prohibit the United Kingdom from disseminating to the United States the content of a communication involving a U.S. person unless it relates to a “significant harm, or threat thereof, to the United States or U.S. person, including crimes involving national security such as terrorism, significant violent crime, child exploitation, transnational organized crime, or significant financial fraud.” (Article 7.5).
  • Transfer to Third Countries. As a general matter, a Party receiving data under the Agreement may not transfer it to a third country or international organization without first obtaining consent of the Party from which the data was received. (Article 8.2).
  • Death Penalty and Free Speech Limits on Data Use. The United States must obtain approval from the United Kingdom before using evidence obtained from an order in cases for which the death penalty is sought. Similarly, the United Kingdom must obtain the approval of the United States in order to use evidence obtained from an order in a case that raises free speech concerns. (Article 8.4).

Oversight and Reporting

  • Compliance Review. Within a year of the Agreement’s entry into force and periodically thereafter, each Party must engage in a review of the other Party’s compliance with the Agreement, including a review of both its issuance of orders and handling of data received under the Agreement. (Article 12.1).
  • Annual Reports. The designated authorities of the United States and United Kingdom must issue and exchange annual reports containing aggregate data on their use of the Agreement. (Article 12.4).
Alexander Berengaut

Alex Berengaut is a nationally recognized litigator and co-chair of Covington’s Government Litigation practice group. He has served as lead counsel in a range of commercial disputes and government enforcement proceedings, and currently represents several leading technology companies in litigation and compliance matters relating to data privacy, platform liability, artificial intelligence, and cybersecurity.

In recent years, Alex obtained a series of landmark victories against the federal government in bet-the-company disputes for technology clients. Alex represented TikTok in challenging the Trump Administration’s efforts to ban the app, delivering the winning argument that led the court to enjoin the ban hours before it was set to take effect. He also represented Xiaomi Corporation in challenging the Department of Defense designation that would have blacklisted the company from U.S. financial markets, delivering the winning argument that led the court to enjoin the designation, restoring $10 billion to Xiaomi’s market capitalization.

At the state level, Alex has successfully challenged unconstitutional state legislation and defended against state consumer protection actions. He obtained an injunction blocking Montana’s law banning the TikTok platform, and he secured the outright dismissal of multiple State AG consumer protection lawsuits relating to data privacy and security—a string of victories which resulted in Alex being recognized as Litigator of the Week

Alex has served as counsel to Microsoft Corporation in precedent-setting cases involving government surveillance issues, including Microsoft’s landmark challenge to the government’s attempt to compel disclosure of customer emails stored in Ireland using a search warrant; Microsoft’s First Amendment challenge in the Foreign Intelligence Surveillance Court to restrictions on disclosures about government surveillance; and Microsoft’s constitutional challenge to the statute that allows courts to impose gag orders on technology companies, resulting in nationwide reform of the government’s practices under the statute. 

 Alex maintains an active pro bono practice, focusing on trial-level indigent criminal defense and youth immigration matters. From 2017 to 2020, Alex represented the University of California in challenging the Trump Administration’s rescission of the Deferred Action for Childhood Arrivals (DACA) program, ultimately resulting in a 5-4 victory in the U.S. Supreme Court. See Department of Homeland Security, et al. v. Regents of the University of California et al., 140 S. Ct. 1891 (2020).

Jim Garland

Jim Garland’s practice focuses on government investigations and enforcement matters, litigation, and cybersecurity. Recognized by Chambers USA as a leading practitioner in both the white collar and cybersecurity categories, Jim draws upon his experience as a former senior Justice Department official to advise clients on sensitive, multidimensional disputes and investigations, often with national security implications. He previously served as co-chair of Covington’s “Band 1”-ranked White Collar and Investigations Practice Group and currently is a member of the firm’s Management and Executive Committees.

Jim regularly represents corporate and individual clients in government investigations and enforcement actions. He has successfully handled matters involving allegations of economic espionage, theft of trade secrets, terrorism-financing, sanctions and export control violations, money laundering, foreign bribery, public corruption, fraud, and obstruction of justice. He has particular expertise advising clients in connection with investigations and disputes involving electronic surveillance and law enforcement access to digital evidence.

Jim has substantial experience litigating high-stakes, multidimensional disputes for clients across a range of industries, including companies in the high-tech, financial services, defense, transportation, media and entertainment, and life sciences sectors. Many of his civil representations have substantial cross-border dimensions or involve parallel government enforcement proceedings in multiple forums.

In conjunction with his investigations and litigation practice, Jim regularly assists clients with cybersecurity preparedness and incident-response matters. He helps clients in assessing security controls and in developing policies and procedures for the protection of sensitive corporate data. He also regularly assists companies in responding to significant cybersecurity incidents, including in connection with criminal and state-sponsored attacks targeting customer and employee data, financial information, and trade secrets.

From 2009 to 2010, Jim served as Deputy Chief of Staff and Counselor to Attorney General Eric Holder at the U.S. Department of Justice. In that role, he advised the Attorney General on a range of enforcement issues, with an emphasis on criminal, cybersecurity, and surveillance matters.

Marty Hansen

Martin Hansen has over two decades of experience representing some of the world’s leading innovative companies in the internet, IT, e-commerce, and life sciences sectors on a broad range of regulatory, intellectual property, and competition issues. Martin has extensive experience in advising clients on matters arising under EU and U.S. law, UK law, the World Trade Organization agreements, and other trade agreements.

Lisa Peets

Lisa Peets is co-chair of the firm’s Technology and Communications Regulation Practice Group and a member of the firm’s global Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory compliance and investigations alongside legislative advocacy. In this context, she has worked closely with many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU and UK legal frameworks affecting technology providers, including data protection, content moderation, platform regulation, copyright, e-commerce and consumer protection, and the rapidly expanding universe of additional rules applicable to technology, data and online services. Lisa also routinely advises clients in and outside of the technology sector on trade related matters, including EU trade controls rules.

According to Chambers UK (2024 edition), “Lisa provides an excellent service and familiarity with client needs.”