What UK telecoms operators need to know about the UK/USA Data Access Agreement and the US CLOUD Act
The Home Office announced on 21 July 2022. that UK/USA Data Access Agreement, which sits under the USA's CLOUD Act, will come into force on October 3rd 2022.
A draft of the agreement has been available for coming up three years now (and I've been working on this topic since before that!), so the key part of the announcement is that it has (finally) been finalised, and that there is an effective date.
There is also an Explanatory Memorandum.
If you are telecommunications operator in the UK, here's a high level summary of what you need to know.
From 3 October 2022, you could receive requests for assistance directly from the US Department of Justice
Under the UK/USA Data Access Agreement, the USA can make requests for information directly to UK telecommunications operators, or the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of a serious crime, including terrorist activity.
As such, from October 3rd 2022, when the UK/USA Data Access Agreement comes into force, UK TOs might receive requests for assistance directly from the US central authority, the US Department of Justice.
This is markedly different to the position under the Mutual Legal Assistance Treaty, whereby the USA asks the UK for support, and the Home Office asks a suitable public authority (usually a local police force) to seek the requested information from the UK telecommunications operator.
UK TOs which get what purports to be a request from the US DoJ will want to verify that it is indeed a genuine request from the DoJ, to avoid falling victim to fraudsters.
Lots of UK companies will (theoretically, at least) be in scope
The UK/USA Data Access Agreement permits the USA to serve orders directly on providers in the UK (and vice versa).
The key definition is that of "Covered Provider". It means:
any private entity to the extent that it: (i) provides to the public the ability to communicate, or to process or store computer data, by means of a Computer System ["any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data"] or a telecommunications system; or (ii) processes or stores Covered Data on behalf of an entity defined in subsection (i).
This is broad.
But, in practice - because of the limited targeting criteria, discussed below - the scope is likely to be limited.
There are limits on who the USA can target with requests for communications data or content, which affect which UK telecoms operators are likely to receive such requests
The USA cannot request communications data or content on:
- any governmental entity or authority of the United Kingdom;
- an unincorporated association, a substantial number of members of which are located in its the United Kingdom;
- a corporation located or registered in the United Kingdom; or
- any other person located in the United Kingdom.
Note that, unlike the restrictions on the UK targeting people in the USA, which prohibit the UK targeting US citizens, there is no restriction on the USA targeting UK citizens for comms data or content, as long as they are not located in the UK at the time.
Limiting the scope to people outside the UK is likely to affect which UK TOs will receive requests for comms data or content, with an emphasis on services which can be accessed from outside the UK.
My guess is that UK providers which could expect to receive orders include:
- hosting/storage services
- website operators, perhaps in the context of access logs, or registered users' account details
- VPN services
- services which support roaming (for example, most cellular services)
- over the top communications services (such as email, or messaging, services)
Note that the targeting prohibition relates only to "Covered Orders", which are orders for communications data or content. The prohibition does not relate to subscriber checks (i.e. information about the account holder). See Article 10.
The UK/USA Data Access Agreement covers both communications data and targeted interception
The assistance which the USA can request from a UK TO under the UK/USA Data Access Agreement is not limited to communications data. It can include, for example, assistance with targeted interception.
Order means a legal instrument issued under the domestic law of the Issuing Party requiring the disclosure or production of Covered Data (including any requirement to authenticate such Data) by a Covered Provider, whether for stored or live communications.
The UK/USA Data Access Agreement covers both preservation and disclosure of communications data.
The snappily-titled "Understanding in relation to Subscriber Information and Preservation Process under the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime" contains some useful information in respect of this.
In terms of preservation:
Where the Issuing Party is the United States, preservation process is issued pursuant to Title 18, United States Code, Section 2703(f), which is the domestic law that grants the government authority to request preservation of data by electronic communication service providers and remote computing service providers. Section 2703(f) directs providers to preserve data upon request for an initial period of 90 days, which time period can be extended once for an additional 90 days
In terms of disclosure:
Where the Issuing Party is the United States, all Legal Process for Subscriber Information, as recognised in Article 10 of the Agreement, has a domestic legal basis in Title 18, United States Code, Sections 2703 or 2709, which are the domestic laws that permit governmental entities to obtain legal process seeking to compel disclosure of such information by electronic communication service providers and remote computing service providers. This Legal Process is subject to all rights and protections granted by the Constitution, legal precedent, and the relevant domestic Rules of Criminal Procedure, including the ability to quash such a process where it is unreasonable.
If the request related to real-time traffic then, technically, this is likely to require more work in advance, and so is unlikely to be a common request.
If, however, the request related to a stored communication (e.g. an email on a mailserver, or a voicemail on a voicemail server), then this may be easier, from a technical point of view.
In either case, the UK TO would want to ensure that their conduct was lawful under the Investigatory Powers Act 2016, and that they provided the requested information to the USA in a suitably secure manner.
There is a specific understanding relating to use by the USA of information collected from UK telecoms operators for death penalty cases.
Does a UK TO have to respond to a request from the US DoJ under the UK/USA Data Access Agreement?
The UK/USA Data Access Agreement requires the UK government to remove barriers which would prohibit a UK TO from responding to a valid request from the USA. But it does not compel the UK government to require the UK TO to respond.
The outcome is that, under US law, the UK TO might have an obligation to respond (arising from a court order from a court in the USA), but there is no equivalent legal obligation under English law. This is in contrast to the position under the Investigatory Powers Act 2016, where requests for communications data, or for targeted interception, are binding obligations on the UK TO.
A TO will need to consider the implications of complying with such a request from the perspective of data protection law, if it cannot rely on the lawful basis of "necessity to comply with a legal obligation". The TO is probably looking at either "necessity to perform a task in the public interest", or else "legitimate interests" - both of which require some thinking and documentation.
It might also want to consider the implications of not complying, particularly if it has a presence, or staff, in the USA, or if the USA is a favoured holiday destination of senior members of staff.
What do I need to prepare for the UK/USA Data Access Agreement?
If you have not heard from the US DoJ already, I suspect that the chances of you getting a request is pretty low.
Low, but not zero.
It seems a bit silly to me to spend too much time (and money) preparing for requests, and working out how to handle them, if you are not sure if you are going to get any.
Conversely, if you do not prepare in advance, you might be caught on the hop if you get a request. (Of course, if you do, and you need a hand working out what to do, you can always get in touch.)
If you want to do something:
It would be sensible, from a UK GDPR accountability point of view, to let public-facing staff, or staff who deal with requests from law enforcement, know about this agreement, so that they can be on the look-out for requests. There is no immediate rush for this, as the agreement does not come into force until October 3rd 2022.
Hopefully, you already have processes for handling law enforcement requests, including determining if requests purporting to be from law enforcement are genuine, and for ensuring that you meet all relevant legal obligations when responding to those requests. You might want to dust off those policies and processes, to reflect this new regime.