UK-US Bilateral Agreement on Data Access

This is a proposed agreement that would essentially allow UK interception warrants and content demands to be valid in the USA in relation to UK or non-US persons, on the basis of recognition of each others’ legal systems.

The UK government argues that changes to UK law made in the Investigatory Powers Act 2016 should make it much easier for the USA to accept the UK legal framework as sufficiently robust.

US legislative change needed

Our Governments have been working with US technology companies on a proposed UK-US Bilateral Agreement on Data Access. This would be about reciprocal targeted access to data, enabling companies based in one country to comply with lawful orders from the other. US nationals and persons in the US would be excluded. Such an Agreement would recognise the high standards of authorisation and oversight that the UK and US have in place. The UK’s Parliament passed legislation in 2016 that strengthened its already robust investigatory powers framework by introducing judicial authorisation, and making such international agreements possible in UK law. However, for the UK and US Governments to progress and sign a Bilateral Agreement, legislative change is required in the US to make provision for such Agreements.^[1]

It would include strong safeguards and maintain rigorous privacy protections for US persons. The UK could only use the Agreement to request data on non-US persons located outside the US.

For an Agreement to be possible, Congress would need to amend US law to remove the legal bar preventing US companies from complying with lawful UK requests for data.^[2]

Suggested approach

Solution: Bilateral Data Access Agreement

To address this problem, our Governments have been working with the companies on a proposed UK-US Bilateral Agreement on cross-border access to data. The Agreement would recognise the high standards of authorisation and oversight that the UK and US have in place and allow companies based in one country to comply with lawful orders for the contents of electronic communications from the other. The Agreement is specifically intended to permit access to data to combat serious crimes, including terrorism.^[3]

Key principles, including “real time” access

Key Principles of an Agreement

The Department of Justice published a White Paper in March 2016 outlining the key principles for US legislation to resolve these issues, and any Bilateral Agreement. This was followed by a legislative proposal that was sent to Congress in July 2016. Her Majesty’s Government is in full agreement with the principles outlined in these documents. In particular we agree that the agreement should:

i. Not allow the UK to get data on US nationals or anyone in the US.

ii. Limit access to targeted orders for data (i.e. a specific individual, phone number, email address or other identifier), and not bulk access to data.

iii. Be limited to prevention, detection, investigation or prosecution of serious crime, including terrorist activity or the proliferation of chemical, biological, radiological or nuclear weapons.

iv. Permit orders for “surveillance” or “real-time” access in order to prevent attacks and crimes before they occur.

v. Be “encryption neutral”. Any Agreement should not include terms on encryption which should continue to be discussed by Governments and companies as a separate issue.^[4]

MLAT “not suitable”

Mutual Legal Assistance Treaties are important, but they are not the answer to the cross border data problem. They are designed for obtaining evidence after a crime has been committed. Even in those cases, it can sometimes take too long to receive the necessary evidence in order to progress an investigation and secure convictions. It is widely acknowledged that MLAT processes are too slow for rapidly developing counter terrorism and serious crime investigations. The UK’s highly respected former Independent Reviewer of Terrorism Legislation, David Anderson QC, in his 2014 Report “A Question of Trust” said:

“There is little dispute that the MLAT route is currently ineffective. Principally this is because it is too slow to meet the needs of an investigation, particularly in relation to a dynamic conspiracy. For example a request to the United States might typically take nine months to produce what is sought.”^[5]

Metadata “insufficient”

Others have proposed relying on metadata, rather than content, to meet law enforcement’s investigative requirements. This is not feasible. Although it is currently an important investigative and prosecutorial tool, metadata can never replace content. It can provide the “who, where, when and how” of a communication, but not the “what”. The content of communications, including its “live” interception, is essential to ascertaining intent, location and imminence of a threat.^[6]

“High UK standards” mean mutual recognition is a reasonable approach

Privacy is at the heart of the UK’s investigatory powers regime. The Investigatory Powers Act strictly limits which authorities can use investigatory powers, imposes high thresholds for the most intrusive powers and sets out in unprecedented detail the safeguards that apply to material obtained under the Act.

It contains an over-arching privacy clause which makes clear that warrants or other authorisations should not be granted where information could be reasonably obtained by less intrusive means. It also requires persons exercising functions under the Act – including Government Ministers and the new Judicial Commissioners – to have regard to the public interest in the protection of privacy, the public interest in the integrity and security of telecommunication systems, as well as other principles that underpin the legislation.

The UK does not believe the type of Bilateral Agreement sought here should require countries to have identical legal frameworks. What is important is that there are shared high standards of authorisation, transparency, privacy protection and oversight. The UK’s laws reflect the view of the British people and Parliament. These will, like all countries, reflect our history, values and political system. The Act recognises both the importance of independent judicial authorisation and that Ministers are also accountable to Parliament for the actions of the Executive. This is important to the UK as a parliamentary democracy.^[7]

Call for Congress to legislate in 2017

Conclusion

Amended US legislation and a UK/US Bilateral Agreement on Data Access will demonstrate that countries can work constructively with industry to overcome jurisdictional conflicts and that practical steps to improve public safety can be taken with due regard for transparency, online freedoms and the rule of law.

Congress now has the opportunity to set new global standards for cross-border data access, improve UK and US ability to protect each others’ citizens and tackle global threats, through introducing and advancing this ground breaking legislation. The UK Government stands ready to assist in this important work and hopes that Congress can pass relevant legislation as a priority in 2017.^[8]

External links

• See Written Statement of Mr Paddy McGuinness, Deputy National Security Adviser, United Kingdom Before the Committee on the Judiciary House of Representatives June 15, 2017
• See also: Oral hearing, Paddy McGuinness

References