The CLOUD Act Agreement signed between the U.S. and U.K. on 3 October 2019 means that the U.S. will be able to serve U.K. Internet and Online Service Providers directly with U.S. legal process requiring production of electronic evidence.
Undoubtedly, direct service of legal orders obtained in the U.K. on U.S. service providers, such as Facebook and Google, will save significant time compared to the delays in the Mutual Legal Assistance process. But what happens when the FBI serve an Electronic Communications Privacy Act warrant or wiretap on Sky or British Telecom in the U.K.? What processes have U.K. Internet and Online Service Providers planned to ensure that U.K. data protection laws are enforced and that no electronic evidence of persons resident in the U.K. will be disclosed?
The U.S. Department of Justice press release confirms that the Agreement is reciprocal, and was signed following the passing of the U.K. Criminal Justice (Overseas Production Orders) Act in February 2019. As I wrote before the second reading of the Bill in my post Before Brexit……., there were no provisions on incoming requests from the U.S. This is equally confirmed in the Overarching Fact Sheet on the Criminal Justice (Overseas Production Orders) Act, which makes no mention of any provisions about requests from another country to the U.K.
I questioned academics and U.K. practitioners on this issue and no one could help. So are there any processes to handle these new requests from the U.S. once they come into force in six months? Whilst there has been considerable cooperation with the U.S. Internet and Online Service Providers – has the same been considered in the U.K.? I hope so, as all it takes is one matter to go wrong, which will result in potential injustices and trust in the Agreement being undermined.
It appears, from the just-released text of the Agreement, that a ‘Designated Authority’ in the U.S. will review the legality of Orders issued by a U.S. judicial authority before direct transmission to a U.K. Internet or Online Service Provider (Articles 5(6) and (7)). It is not clear who this ‘Designated Authority’ will be in the U.S.
Article 5(11) of the Agreement provides that if a U.K. Internet or Online Service Provider receives an Order and has any objection, in the first instance it should raise the issue with the Designated Authority in the U.S. If the issues remain unresolved, then the U.K. Internet or Online Service Provider can raise objections to the U.K. Designated Authority (again, it is unknown who this will be). There is no other redress mechanism, which begs the question as to what a U.K. Internet or Online Service Provider must then do to challenge any Order – judicial review?
Further, who will be doing the ‘minimization’ process in Article 7 of the Agreement to ensure that U.K. residents are not ‘targeted’? Will this be U.K. law enforcement, who will review the product before it is transmitted back to the U.S., or the Internet and Online Service Providers themselves? How will any review establish that any subject is not a U.K. resident? If there is any doubt, will caution ensure that the U.K. doesn’t share? What processes are in place if an Internet or Online Service Provider believes production is in breach of data protection or other privileges, such as protecting sources for investigative journalism?
As reported yesterday, maybe the Australian Service Providers have a system in place, as the next Five Eyes partner to sign a CLOUD Act Agreement?
As always our team of experts are ready to assist – so if any U.K. Internet or Online Service Providers, large or small, need training – please don’t hesitate to contact us at email@example.com