On October 3, 2019, the Department of Justice announced that the United States and the United Kingdom had reached an Executive Agreement authorized under the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) that would allow each country’s law enforcement agencies to request electronic data regarding serious crime (e.g., terrorism, child sexual abuse, cybercrime, and other transnational crime) directly from companies based in the other country. Law enforcement previously sought foreign-held information through Mutual Legal Assistance (MLA) treaties, but those requests could take years to complete. The “US-UK Bilateral Data Access Agreement” opens an alternative path for speedy access to data in appropriate cases.

The CLOUD Act, passed by Congress on March 23, 2018, clarified that, under the Stored Communications Act, 18 U.S.C. §§ 2701, et seq., U.S. law enforcement can compel service providers to disclose electronic communications and records, regardless of whether such information is stored in the United States or abroad. Relevant here, the CLOUD Act also recognized that the Stored Communications Act prohibited service providers (that are subject to U.S. jurisdiction and foreign jurisdiction) from complying with valid requests from foreign law enforcement. Companies are now permitted — but not required — to disclose information to a qualifying foreign government with which the United States has entered into an Executive Agreement.

The CLOUD Act also creates a special legal mechanism for service providers — both foreign and domestic — to challenge requests made under the Stored Communications Act where the provider reasonably believes that the customer is not a U.S. person and does not reside in the United States, and the disclosure would violate the laws of a qualifying foreign government. The United Kingdom will become the first qualifying foreign government, though the exact terms of the agreement have yet to be released and are subject to review by the U.S. Congress and the U.K. Parliament.

There are some limitations on foreign law enforcement requests made directly to companies in the other country. For example, foreign requests may not intentionally target a U.S. person or a person located in the United States. Additionally, the purpose of obtaining information must relate to the prevention, detection, investigation, or prosecution of serious crime. Eligible foreign governments also must, with respect to the permitted data collection, afford robust substantive and procedural protections for privacy and civil liberties, and adopt appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning U.S. persons. The bilateral agreement will subject the United States to similar requirements when making direct requests to U.K. companies under the Stored Communications Act.