U.S., U.K. improve anti-corruption coordination with data access agreement

The data access agreement between the countries, authorized by the Clarifying Lawful Overseas Use of Data (CLOUD) Act in the United States, entered force Oct. 3. Under the terms of the pact, data requests by the countries can only be made for offenses that relate to the prevention, detection, investigation, or prosecution of serious crime that could result in a maximum jail term of at least three years, such as fraud, bribery, and money laundering.

The Department of Justice will oversee the agreement in the United States, with the U.K. Home Office serving as its counterpart.

The landmark transatlantic agreement was first discussed in 2018. It will initially stay in force for five years but can be extended a further five years.

The drive for closer cooperation between the countries stems from frustrations in the United Kingdom that crucial evidence for the prosecution of U.K.-related crimes is based on U.S. soil, while legal experts suggest the United States is keen to foster better working relationships with foreign law enforcement agencies. President Joe Biden in December 2021 announced a U.S. strategy to clamp down on corruption by working with like-minded governments overseas.

Most of the commonly used messaging services providers, such as WhatsApp and Facebook Messenger, are based in the United States, where U.S. law prohibits them from being able to share certain data in response to direct requests made by a foreign government or non-U.S. law enforcement agency.

Mutual legal assistance requests tried to solve this problem, but the process was slow and ineffective. In some cases, the activities being investigated were effectively allowed to continue for years.

While the agreement does not create any new powers or obligations on service providers, legal experts believe data will now be handed over in weeks—even days—rather than months or years.

The agreement works by requiring each country to ensure their laws permit a tech firm or telecommunications operator to lawfully respond to direct requests for data made by a relevant agency in the other jurisdiction, without the firm violating any laws. Concerns regarding such communications have caused firms in the past to be reticent toward processing requests, said Michael Buckworth, managing partner at law firm Buckworths.

Will Richmond-Coggan, a technology and privacy specialist at law firm Freeths, said the agreement should make companies and individuals being investigated assume “a wider pool of information will be accessible to the investigating authorities.”

“In all likelihood, there will be difficulty in challenging the reliance on that data once it has been shared,” he said.

Tom Epps, a white-collar defense and investigations partner at law firm Cooley, expects U.K. law enforcement agencies like the Serious Fraud Office, National Crime Agency, and HM Revenue & Customs will view the agreement “as a significant new tool in their armory.”

“It is the first time U.K. authorities will be able to directly compel U.S. tech companies that provide communications services to hand over personal data, and therefore it has the scope to dramatically broaden their reach for electronic data,” he said. “Those individuals and companies under investigation for serious criminal offenses may well find that a greater volume of their data held overseas is easily accessible to authorities.”

Helen Simm, partner at law firm Browne Jacobson, believes data protection issues could still arise when U.K. organizations respond to U.S. requests, both in relation to the response to an overseas production order (OPO) to access the data and the transfer of that data to the United States.

“U.K. companies receiving an OPO will need to be careful they do not breach data protection legislation or provide material subject to legal professional privilege when they respond,” she said.