The Agreement on Access to Electronic Data for the Purpose of Countering Serious Crimes (‘Agreement’) signed between the U.S. and U.K. on 3 October 2019, allows for direct requests to be served on service providers in each country for the production of data.
The Agreement was certified to the U.S. Congress by the U.S. Department of Justice on January 10 2020 for the required 180 days prior to going into effect. Congress took no action to reject it, and there were no review hearings. Equally, the Agreement was laid before the U.K. Parliament in October 2019 for ratification and there were no objections within 21 sitting days pursuant to Part 2 of the UK Constitutional Reform and Governance Act 2010.
A July 16 interview with the U.S. Department of Justice, confirmed the agreement will take effect after an exchange of diplomatic notes, which has not yet occurred.
The Agreement is a game changer for requesting e-evidence, as U.K. orders can be served directly on U.S. service providers, pursuant to the Crime (Overseas Production Orders) Act 2019.
Gone soon, will be the days where the police await the outcome of a mutual legal assistance request in terrorism, cybercrime and serious organised crime cases for e-evidence. This sensible reform now permits an application to a U.K. court for production of the e-evidence and the order served directly on the U.S. service provider.
Undoubtedly, with the majority of online service providers being located in the U.S., the main purpose of the Agreement was to ensure speedier responses to U.K. requests in serious crime investigations. Of course, the Agreement has reciprocal provisions that permit U.S. authorities to serve their legal process directly on U.K. service providers. Although the need will be far less for U.S. authorities to seek production from U.K. service providers, significantly, there is no enabling legislation for U.S. authorities to serve U.K. service providers.
As a dualist state, the U.K. needs legislation for provisions of any international Agreement or treaty to be law. For example, the European Convention on Human Rights was ratified by the U.K. in 1951 – but it did not become law in the U.K. until the passing of the Human Rights Act in 1998.
As I wrote before the second reading of the Crime (Overseas Production Orders) Bill in my post Before Brexit……. no provisions were included on requests for data from another country to the U.K. This is equally confirmed in the Overarching Fact Sheet on the Crime (Overseas Production Orders) Act, which makes no mention of any provisions about requests from another country to the U.K.
I have asked academics and practitioners and all agree there are no provisions in U.K. law for requests for production of data, pursuant to the Agreement, by U.S. authorities to U.K. service providers. Indeed, for an interesting review on the subject, read Jen Daskal’s article about real-time interception, and the lack of change in U.S. authority after the CLOUD Act: https://www.crossborderdataforum.org/just-security-correcting-the-record-wiretaps-the-cloud-act-and-the-us-uk-agreement/
What does all this mean? Well any U.S. requests for e-evidence from U.K. service providers will have to go through the mutual legal assistance process until a change in U.K. law – but for U.K. requests to the U.S. the game changer is in play!