US/UK Announce a Cloud Act agreement for reciprocal access to digital evidence
Agreement will provide for mutual recognition of court orders and remove existing barriers
The United States Department of Justice and the United Kingdom Home Office have announced that the two countries have signed a bilateral agreement “On Access to Electronic Data for the Purpose of Countering Serious Crime”. The Agreement is intended to be a bilateral agreement of the type anticipated under the CLOUD Act. Passed in March 2018, partially to address the litigation against Microsoft related to evidence in Ireland, the CLOUD Act authorizes the United States to enter into executive agreements with other countries that meet specific criteria related to rule of law, civil rights and privacy. Once laid before Congress and approved, the result is to lift each party’s legal barriers that prevent one country’s legal processes from being recognized in the other. Many countries have been seeking an alternative to the traditional channels of mutual legal assistance, which are seen as time consuming and cumbersome. In many cases, US-service providers are prohibited from providing the content of communications except in response to a US court order, requiring the requesting law enforcement agency to go through MLAT and sometimes putting the service provider between a rock and a hard place.
On the UK side of the equation, changes were made in UK law to permit this under the Crime (Overseas Production Orders) Act 2019, which received Royal Assent in February 2019. The Agreement will enter into force following a six-month Congressional review period mandated by the CLOUD Act, and the related review by UK’s Parliament.
Australia has already announced that it is seeking its own CLOUD Act executive agreement, and Canada is rumoured to be in similar discussions.
It should be noted that initial reporting on this was conflated with recent declarations regarding encryption and access to cleartext of communications, so that some outlets reported that this agreement would require access to unencrypted communications, which is specifically excluded from the CLOUD Act.