What you need to know about the US CLOUD Act and the UK COPOA Act

Nov 04, 2019 | 7 min read
Compliance, Data Privacy, Security

A new data access agreement between the UK and US streamlines law enforcement’s ability to gain access to data held on foreign soil.

The UK and US governments have signed a new data sharing agreement that allows law enforcement officials quicker and easier access to data held by digital service providers in their counterpart countries. While this law doesn’t allow law enforcement to request data directly from companies on the other side of the Atlantic, data companies store in the cloud could be more easily accessed by foreign agencies.

The new agreement enacts measures first defined in the US CLOUD Act and the UK COPOA Act.

What are the US CLOUD Act and the UK COPOA Act?

Brought about partly due to difficulties the FBI faced in forcing Microsoft to hand over data stored on servers in Ireland, the Clarifying Lawful Overseas Use of Data (CLOUD) Act was signed into law in 2018. Under the act, US law enforcement can compel US technology companies to hand over data stored on their servers, whether those servers are located in the US or on foreign soil. It also allows the US to enter into bilateral agreements under which foreign governments can request electronic data from the US in exchange for reciprocal arrangements.

The UK Crime (Overseas Production Orders) Act 2019 (COPOA), which received Royal Assent in February 2019, together with previous legal precedents allows the UK to seek access to data held overseas to help with investigations conducted by the Serious Fraud Office (provided the UK has an agreement with the country in which the data is held).

Under these two acts, the UK and US have signed a new data sharing agreement that gives law enforcement on both sides of the Atlantic a far quicker mechanism to gain access to data stored on servers located in the other country. The agreement affects technology companies, broadly defined under the CLOUD Act as email providers, mobile phone companies, social media networks and cloud storage services. Requests still require judicial process, such as approval from a judge or other authority, and the agreement does not affect access to encrypted messages.

“The bilateral Data Access Agreement signed under the auspices of the CLOUD Act will enable law enforcement agencies in one country to request data from service providers in the other country directly,” explains Ian Walden, of counsel at legal firm Baker McKenzie, “rather than going through normal mutual legal assistance procedures.”

How data requests work under the CLOUD and COPOA Acts

Previously, the main route law enforcement authorities had to take to obtain data was mutual legal assistance, a slow and bureaucratic process that can often take months, if not years, to yield results. Now, officers can submit overseas production orders (OPOs), which require those based overseas to produce or give access to electronic data; the default period for complying with an OPO is seven days from the date of service.

While this will help law enforcement investigations, the agreement merely speeds up procedure rather than introducing new powers (and therefore no new additional risk for companies worried about their data). “The agreement does not grant law enforcement agencies any new powers. It simply enables a more efficient means for law enforcement to obtain evidence from service providers and removes some legal obstacles to such disclosures,” says Walden. He adds that the agreement does not establish any new legal basis for a law enforcement agency to make a request; requests are still governed by national laws. For example, the CLOUD Act essentially extends the provisions of the Stored Communications Act to US servers located overseas.

While companies should already be aware of their obligations around handing over data to law enforcement under domestic laws, Walden recommends that companies brush up on the legal requirements of overseas law enforcement evidence collection legislation, so they know under what conditions they are compelled to hand over data.

“The key advice for companies that could be subject to such requests is to make a policy decision about whether they would respond to such a request or would either refuse to comply or request that the demand be made through standard mutual legal assistance procedures,” says Walden. “In terms of process, while it is generally neither appropriate nor feasible for a service provider to judge the validity of the substantive basis for the request, they should be in a position to check that the request contains all the necessary information, as specified in the applicable law, including the identity of the notice giver so that it can be verified.”

Which companies do the CLOUD and COPOA Acts affect?

As well as merely streamlining procedure rather than providing new powers, this bilateral agreement does not apply to all companies holding electronic data. It will affect companies that act as technology providers in a meaningful way.

“The agreement is only applicable to ‘covered providers’, which essentially means traditional telecoms operators, OTT communication service providers and cloud providers, rather than any organization in the UK,” explains Walden. “The agreement will primarily benefit the UK rather than the US, as UK law enforcement often have to seek data from the major US service providers, such as Google, Microsoft and Facebook.”

“The agreement does potentially enable US law enforcement agencies to approach UK service providers directly for evidence. However, a UK service provider will not have any obligation to respond to a request under UK law. Any enforcement action against a service provider would have to be brought under US law and, usually before US courts.”

In the face of Brexit, some companies are already looking to relocate some of their data and operations out of the UK and into the EU to avoid any legal headaches around data transfer. VFS Global, an outsourcing company that handles visa and passport issuance-related tasks for governments, has previously said that it has transferred staff and data centres from the UK to mainland Europe as a result of Brexit uncertainty.

Walden says this agreement shouldn’t make the UK an even less appealing location, even though data held there can be more easily accessed by the US, especially as the European Commission has a mandate to negotiate a similar agreement with the US. “This will establish an equivalent similar regime for data requests between member states. As such, at some point in the future, there will be reciprocal arrangements between the US and at least some EU states.”

Companies that are based in the UK or EU will likely all be operating in countries that will eventually have agreements about law enforcement having cross-border access to data. Australia is also looking at making an agreement under the CLOUD Act.

After the UK does eventually leave the EU, there will likely be negotiations about giving the UK an adequacy decision to allow the free flow of data without the need for additional legal data protection mechanisms. However, some legal experts have previously said such a decision could be delayed by the UK’s Investigatory Powers Act (also known as the “Snooper’s Charter”) and the UK’s membership of the ‘Five Eyes’ alliance if the EU decides they contravene EU citizens’ rights.

When asked whether this data agreement with the US will further affect the UK’s chances of being granted an adequacy decision, Walden says that the issue might be raised by those opposed to the UK being given such status, but that such a move will come down to politics more than legal issues.