Although the replacement for the Privacy Shield has garnered bigger headlines, the United States government also took another step towards a more coordinated international privacy framework by entering into the data access agreement (the “Data Access Agreement”) with the United Kingdom. While increasingly harmonized laws are likely a positive development for businesses in the long run, the Data Access Agreement demonstrates that companies need to keep apprised of the changing legal landscape.
The Data Access Agreement stems from the 2018 Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”), which allows the U.S. to enter into executive agreements with foreign governments for access to data held by U.S.-based electronic service providers abroad. Pursuant to the Data Access Agreement, the United States and the United Kingdom may now demand, with much greater speed and ease, user data from service providers held overseas. Such data will, as the DOJ stated in its October 3, 2022 press release, “greatly enhance the ability of the United States and the United Kingdom to prevent, detect, investigate, and prosecute serious crime, including terrorism, transnational organized crime, and child exploitation, among others.”
Under the Data Access Agreement, U.S. and U.K. officials must meet “numerous requirements” in order to demand user data from service providers overseas. Orders submitted by investigators cannot target specific individuals in the other country and must relate to serious crime. Service providers that receive “qualifying, lawful orders” will be afforded certain protections. Moreover, the two entities tasked with overseeing the implementation of the Data Access Agreement in their respective countries—the DOJ’s Office of International Affairs and the U.K. Home Office—will likely need to coordinate efforts as requests under the agreement get underway.
This international cooperation between the United States and the United Kingdom is not an isolated occurrence: Other countries are working on similar bilateral data-access agreements under the authorization of the CLOUD Act. Indeed, at the end of last year, Australia and the United States announced their intent to enter into a similar data access arrangement, and Canada is seemingly not far behind as Canadian officials issued a joint statement with the DOJ announcing their plans to begin negotiating their own bilateral agreement. Discussions are also underway with the European Union.
How these bilateral agreements will interact with other international privacy initiatives—including concerns relating to investigative access to personal data—remains to be seen. However, what is clear is that technology companies need to start preparing for the impending intercept orders, and all companies need to keep an eye on the frequently changing landscape.