Landmark U.S.-UK Data Access Agreement Enters into Force

The Agreement between the Government of the United States of America and the Government of the United Kingdom of Great Britain and Northern Ireland on Access to Electronic Data for the Purpose of Countering Serious Crime (“Data Access Agreement” or “Agreement”) entered into force today. The Agreement is authorized by the Clarifying Lawful Overseas Use of Data (CLOUD) Act, a law enacted by Congress in 2018, and will be the first agreement of its kind, allowing each country’s investigators to gain better access to vital data to combat serious crime in a way that is consistent with privacy and civil liberties standards.

Under the Data Access Agreement, service providers in one country may respond to qualifying, lawful orders for electronic data issued by the other country, without fear of running afoul of restrictions on cross-border disclosures. The Data Access Agreement fosters more timely and efficient access to electronic data required in fast-moving investigations through the use of orders covered by the Agreement. This will greatly enhance the ability of the United States and the United Kingdom to prevent, detect, investigate, and prosecute serious crime, including terrorism, transnational organized crime, and child exploitation, among others.

The Data Access Agreement sets out numerous requirements that must be met for U.S. or UK authorities to invoke the Agreement. For example, orders submitted by U.S. authorities must not target persons located in the UK and must relate to a serious crime. Similarly, orders submitted by UK authorities must not target U.S. persons or persons located in the United States and must relate to a serious crime. U.S. and UK authorities must also abide by agreed requirements, limitations and conditions when obtaining and using data obtained under the Data Access Agreement. 

The United States and the United Kingdom have selected Designated Authorities responsible for implementation of the Data Access Agreement for each country. For the United States, the Designated Authority is the Department of Justice’s Office of International Affairs (OIA), and for the United Kingdom it is the Investigatory Powers Unit of the UK Home Office.

Among its various functions as U.S. Designated Authority, OIA has created a CLOUD team to review and certify orders that comply with the Agreement on behalf of federal, state, local, and territorial authorities located in the United States, transmit certified orders directly to UK service providers, and arrange for the return of responsive data to the requesting authorities.

For more information on the CLOUD Act, the Data Access Agreement and OIA, please visit: https://www.justice.gov/cloudact and https://www.justice.gov/criminal-oia.