
The U.K.-U.S. Data Access Agreement

Robert Deedman, Kenneth Propp
Friday, June 20, 2025, 10:00 AM
Although the CLOUD Act-enabled agreement faces challenges, it offers valuable lessons for other U.S. e-evidence agreements under negotiation.
"System Lock." (Yuri Samoilov, https://tinyurl.com/yc2263uj; CC BY 2.0 DEED, https://creativecommons.org/licenses/by/2.0/)

Published by The Lawfare Institute in Cooperation With Brookings

After more than two years in operation, the initial results are in: The U.K.-U.S. Data Access Agreement (an “e-evidence agreement” enabled by the Clarifying Lawful Overseas Use of Data, or CLOUD, Act) has proved a game-changer. It is quietly serving its purpose, enabling evidence collection, easing conflicts of law over evidence-gathering methods, and offering a promising precedent for other U.S. agreements under negotiation, including with the European Union. As anticipated, however, the U.K. is utilizing the agreement much more than the United States. The U.S. Department of Justice has expressed muted disappointment—which some British observers consider unjustified—with aspects of U.K. implementation.

Meanwhile, controversy erupted at a June 5 House Judiciary subcommittee hearing over an alleged U.K. technical capability notice (TCN) directed at Apple, which purportedly compels the company to be capable of producing data in the clear, that is, a “data decryption order.” This has raised fears that CLOUD Act agreements, which enable the production of data, don’t go far enough in protecting U.S. cybersecurity or privacy interests. The Justice Department may feel compelled, pursuant to the e-evidence agreement, to request that the U.K. government withdraw the alleged order to Apple and refrain from making similar requests to other U.S. providers. Such a step would underscore the U.S.’s determination to maintain influence in matters that might undermine the security of global technology.

Background

Today a criminal investigator building a case confronts a major challenge: Evidence often takes electronic form, and it is often in the hands of a service provider that may be located in a foreign jurisdiction. A European Commission study found that e-evidence is relevant in “around 85% of total (criminal) investigations,” and, in two-thirds of such cases, a request to service providers outside the jurisdiction is needed to obtain the evidence relevant to the investigation.

Investigators outside the United States seeking e-evidence confront a U.S. law barrier, however. The Stored Communications Act (SCA) prohibits U.S.-based service providers from disclosing communications content to a foreign government. Until recently, a principal way for a foreign government law enforcement authority to overcome this blocking statute was formally to seek mutual legal assistance from the U.S. government pursuant to a mutual legal assistance treaty (MLAT), even if the case was purely a foreign criminal matter involving a foreign suspect and victim. As the volume of data requests exploded in recent years, the U.S. Department of Justice struggled to keep up, with responses often requiring many months. As a result, foreign law enforcement investigations dependent on e-evidence in the hands of U.S. providers languished.

Seven years ago, the United States created an alternative route, passing a law allowing a foreign law enforcement authority to directly request communications content from a U.S.-based service provider, provided that a new type of international agreement has been put in place between the United States and the relevant foreign country. As described in Part II of the CLOUD Act, the international agreement must safeguard human rights, rule of law, and privacy, in return for lifting the effect of any blocking statute that would prevent reciprocal access. One requirement is that the subject of the foreign request cannot be a U.S. person.

In the years since, two e-evidence agreements authorized by the CLOUD Act have been reached—the first with the United Kingdom, signed in 2019 and entering into force in 2022, and the second with Australia, signed in 2021 and taking effect in 2024. Negotiations are underway with Canada and the European Union, but both have proved lengthy.

Every five years after signature, the Justice Department must make a renewed determination regarding the implementation of an agreement; it submitted a report to Congress on the U.K.-U.S. agreement in late 2024. Since the Justice Department report on the U.K.-U.S. agreement became public earlier this year, U.S. legal scholars have begun to assess its value for the United States. Its effectiveness for the U.K., however, has not been similarly explored. The United Kingdom has provided only periodic, brief public statements on the effectiveness of the agreement.

In this article, we offer a reaction to the Justice Department report from a U.K. expert perspective. In addition, we aim to illuminate the linkage between the U.K.-U.S. agreement and a recent alleged U.K. government technical capability notice, requiring Apple to produce decrypted communications data. Apple is currently litigating against the power of the U.K. to issue a TCN before the U.K.’s Investigatory Powers Tribunal. Finally, we identify lessons that experience under the U.K.-U.S. agreement may hold for an EU-U.S. e-evidence agreement.

U.S. Legal Considerations Relating to E-Evidence

Congress’s authorization for e-evidence agreements cited multiple goals, as one close observer has noted. As mentioned above, it sought to enable foreign countries to more effectively investigate serious crime when the e-evidence trail led to U.S. providers, to reduce conflicts of law for U.S. providers, and to commensurately reduce the strain on the U.S. MLAT system by permitting U.S. providers to disclose user content directly to jurisdictions with which the United States has an e-evidence agreement. The CLOUD Act also sought to deter foreign countries from unilaterally imposing surveillance-related extraterritorial laws on U.S. companies by offering them a consensual solution based on a rights-respecting legal framework.

An e-evidence international agreement is the obvious and graceful way out of the conflicts of law that providers face that arise from the interaction of unilateral extraterritorial evidence-gathering authorities and corresponding foreign blocking statutes. Such e-evidence agreements are considered executive agreements rather than treaties from the perspective of U.S. foreign relations law, since they are concluded by the executive branch on the basis of a congressional authorization. Senate advice and consent to ratification by a two-thirds majority—as is the case for international agreements considered to be treaties—is not needed for executive agreements. E-evidence agreements are subject to mandatory congressional review, however, before taking effect. Like treaties, CLOUD Act agreements are binding under international law.

Unfortunately, such agreements have been slow to materialize, due to their legal complexity, including Congress’s clear stipulations about scrutinizing foreign partners’ legal safeguards. The experience of the United States with the United Kingdom has shown that e-evidence agreements are painstaking to negotiate and complex to implement.

The Department of Justice would need to accelerate the pace of negotiations with foreign partners to meet the level of demand for e-evidence agreements. These challenges have led close observers to suggest that the United States seek scaled-down, simpler versions of CLOUD Act agreements. Still, the coverage of full-scale agreements across Europe could be substantially expanded through an EU-U.S. agreement. We therefore turn to a consideration of the U.K.-U.S. agreement with an eye to its implications for a more expansive U.S. negotiating program.

U.K. Legal Considerations Relating to E-Evidence

The United Kingdom was an ideal candidate for the initial U.S. foray into negotiating an e-evidence agreement. The countries share a common legal ethos. They have similar approaches to investigatory powers, including insistence upon the principles of independent authorization and oversight. Certain features of U.K. and U.S. legal processes governing investigatory powers are not identical, however. For example, the U.K. legal standard of “necessity and proportionality” differs from the U.S. standard of “probable cause,” although they aim to achieve the same effect.

Part of the Justice Department’s initial certification process was to assess how relevant U.K. law satisfied the general CLOUD Act requirements relating to rule of law. The CLOUD Act also contains specific requirements for the foreign government’s powers that are to be used in implementation. The Justice Department’s certification for the United Kingdom therefore applies only to specific types of U.K. investigative powers: targeted interception warrants and targeted communications data requests, both pursuant to the Investigatory Powers Act 2016 (IPA), and overseas production orders pursuant to the Crime (Overseas Production Orders) Act 2019 (COPOA).

The U.K. began readying its investigatory powers legislation for a U.K.-U.S. e-evidence agreement as far back as 2013. Early preparation included ensuring the explicit extraterritoriality of U.K. interception orders (see the Data Retention and Investigatory Powers Act of 2014) and, via the IPA, requiring independent judicial approval of certain orders. For inbound overseas requests, the IPA introduced explicit provisions for authorizing “interception in accordance with overseas requests made in accordance with a relevant international agreement.” The U.K. duly designated the U.K.-U.S. e-evidence agreement as a relevant international agreement in 2019, just prior to its signing.

The U.K.-U.S. E-Evidence Agreement in Practice

U.K. E-Evidence Authorities

The U.K. has principally used the agreement to make IPA interception requests, which cover access to both stored content and live interception. This made sense since the IPA had long envisaged such requests being made under international agreements. Material produced in response to an IPA interception authorization cannot, save in exceptional circumstances, be adduced as evidence in U.K. criminal proceedings. Had the U.K. not enacted new legislation, that is, COPOA, requests for evidence to be used at trial would still have needed to be made via the bilateral MLAT.

COPOA provides the U.K. with an evidentiary power by which law enforcement agencies and prosecutors can apply for and obtain electronic data directly from service providers based outside the U.K., pursuant to international agreements such as the U.K.-U.S. e-evidence agreement. It has taken some time for the United Kingdom to operationalize COPOA, and, as a result, the U.K.’s usage of that law under the e-evidence agreement trails well behind its use of the agreement for non-evidentiary purposes.

Data Protection

As part of the CLOUD Act certification process, the U.K. had to demonstrate there were no barriers in its law preventing U.K. providers from responding to U.S. requests. Notably, it examined relevant data protection law. The Justice Department’s report to Congress has highlighted this as an area of contention, however, noting some U.K. providers have been “reluctant to comply” with requests on the basis of U.K. data protection law.

The reported reluctance suggests that not all providers are satisfied with the CLOUD Act construct. While CLOUD Act e-evidence agreements create binding obligations between the parties’ governments, they only ensure there are no legal barriers that prevent a provider from responding to a request from the other government. In other words, the agreement itself does not compel a provider to comply with a foreign government request.

Some U.K. providers argue privately that clear, irrefutable compulsion under U.K. law to respond to requests made pursuant to an international agreement would be preferable, as it would avoid any perception that they might be voluntarily sharing customers’ personal data with another government. Indeed, from a U.K. data protection law perspective, a provider’s processing of data in response to a clear legal obligation laid down in domestic law would present a much more straightforward basis to apply than the other bases they might otherwise rely on, such as legitimate interest.

It’s extremely unlikely, however, that the U.K. government would consider imposing a domestic legal compulsion on U.K. providers to comply with U.S. requests—or that the United States would do likewise with respect to U.K. requests—since doing so would contradict the fundamentals of the CLOUD Act construct. The Justice Department’s report does however note that the U.K. plans to change its U.K. data protection law to put beyond doubt that processing in response to an international agreement is in the U.K. public interest.

The Justice Department also complains that U.K. providers are not properly taking into account the data protection safeguards contained in the Agreement between the United States of America and the European Union on the Protection of Personal Information relating to the Prevention, Investigation, Detection and Prosecution of Criminal Offenses (DPPA), which was incorporated into the U.K.-U.S. agreement. They also observe that the U.K. government is failing to sufficiently apprise U.K. providers of the existence of these safeguards.

To comply with data protection legislation, a U.K. provider assessing a U.S. request must ensure there is a legal basis for both the processing of the data and for its international transfer. Regarding international transfer, the U.K. government has made clear in pending legislation that since the e-evidence agreement creates binding international obligations between public authorities or bodies, its safeguards, including those incorporated from the DPPA, are sufficient to ensure compliance with the transfer requirements contained in the U.K. General Data Protection Regulation (GDPR) Chapter 5, Article 46(2)(a). What the U.K. government cannot do, however, is to assert that the various applicable safeguards (including the DPPA) automatically satisfy a legal basis for processing—since that judgment is to be made exclusively by the provider.

Providers in the United Kingdom are naturally risk averse when processing personal data, given the penalties for noncompliance under U.K. data protection law. As a result, some U.K. providers have sought additional information from the Justice Department beyond what it would normally include in a U.S. domestic order; U.S. providers have made the same request for additional information in respect to U.K. requests. The Justice Department’s frustration at submitting more information than it believes is legally required is understandable, but it is also a necessary compromise to keep providers comfortable with the international process.

Real-Time Intercepts

The U.K. is primarily using the agreement pursuant to IPA targeted interception warrants. However, the IPA’s definition of real-time interception in relation to telecommunication systems (see IPA Part 1, Section 4) includes the content of a communication where it is stored in or by the provider’s system. Indeed, some providers are only capable of providing stored content. In other words, although the lawful authorization in most cases has been an interception warrant, the data obtained is not always real-time “wiretap” data. Moreover, some U.K. agencies authorized to request intercept data—and thus also stored content—are not permitted to request stored content using COPOA, meaning they must use an interception warrant to obtain stored communications content from a U.S. provider.

U.S. provider concerns about the high volume of U.K. requests are understandable, particularly given the likely upward trajectory. As noted by the Justice Department, the United Kingdom made 20,104 requests in the two years between entry into force and October 2024, with less than 1 percent of those being evidentiary COPOA requests. Given the number of U.K. public officials authorized to use COPOA, the U.K. expects the number of requests based on this law to increase significantly as investigators, prosecutors, and judges become more familiar with the process, potentially eventually surpassing the number of IPA-based requests.

This projected growth in e-evidence requests emphasizes the imperative for standardization of request and handover mechanisms that both are secure and can operate at scale. Providers cannot afford to implement and operate separate systems for each e-evidence agreement. To that end, the United Kingdom has worked hard to align its technical request and handover mechanisms with those used by the United States.

Apple Decryption Order

The U.K.’s technical capability notice regime—and in particular the recent allegation that a TCN served on Apple included a request for access to unencrypted data—has created an international stir, with Apple formally raising its objections to the U.K.’s Investigatory Powers Tribunal (IPT). Although the U.K. Home Office position will neither confirm nor deny the TCN’s existence, the IPT’s recent ruling that certain facts regarding Apple’s appeal should be made public supports that the U.K. has so acted.

TCNs have been available under the IPA since its inception, with a similar power available within its predecessor, the Regulation of Investigatory Powers Act 2000. The U.K. government regards TCNs as helping to ensure that providers utilize consistent and sustainable means to give effect to IPA authorizations, including interception warrants. They are typically meant for larger providers, such as those expected to be served with high numbers of interception warrants (see Section 7 of the IPA Notices Regime Code of Practice).

The so-called decryption obligation can be found within the IPA technical capability regulations where it refers to the “removal by a relevant operator of electronic protection applied by or on behalf of that operator to any communications or data.” The recipient would be expected to determine the most appropriate technical response—which in the case of Apple would appear to be through their preventing U.K. subscribers from enabling its Advanced Data Protection encryption.

Both Democratic and Republican members of the U.S. Congress have called for the U.S. administration to review and/or renegotiate the e-evidence agreement with the United Kingdom in light of this disclosure. A June 5 hearing held by the House Judiciary Subcommittee on Crime and Federal Government Surveillance highlighted bipartisan concern that U.K. decryption orders directed at U.S. providers create cybersecurity and privacy risks for the United States. The U.S. director of national intelligence also commissioned an internal review of whether the rights of U.S. citizens have been affected. In particular, U.S. critics have asked whether a U.K. decryption obligation in a TCN directed at a U.S. provider conflicts with the CLOUD Act and the U.K.-U.S. e-evidence agreement—particularly since the CLOUD Act states that international agreements created under its authority “shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data.”

The Justice Department addressed this criticism in its report to Congress, noting that the effect from a TCN arises exclusively from U.K. law, and not from the U.K.-U.S. e-evidence agreement itself. The U.K. doubtless will argue to the IPT in the Apple proceeding that the decryption obligation is necessary to preserve public safety and must remain a law enforcement tool potentially applicable to any provider offering services in its territory.

Moreover, even if a U.S. provider (subject to a TCN or otherwise) has responded to a U.K. request under the e-evidence agreement, Article 4(3) of the agreement precludes the United Kingdom from targeting U.S. persons, or any person located within U.S. territory. In addition, the U.K., as required under the agreement, has adopted minimization procedures closely aligned with Section 101 of the U.S. Foreign Intelligence Surveillance Act (FISA).

The June 5 hearing nonetheless revealed deep disquiet about the U.K.-U.S. agreement, and the CLOUD Act more generally, in relation to decryption demands. Members of Congress objected to the secrecy requirement that shrouds U.K. TCNs from disclosure, and the lack of any counterbalancing transparency measures in the U.K.-U.S. agreement. They also expressed concern about the possibility of U.K. authorities incidentally collecting information on Americans, similar to a worry expressed about FISA Section 702.

The hearing delivered a clear message to the Justice Department that key congressional figures regard as unacceptable any use of the U.K.-U.S. agreement to obtain e-evidence from a U.S. provider pursuant to a U.K. TCN that contains a decryption order. The Justice Department will need to consider engaging with the Home Office to mitigate the effect of the alleged order on Apple, including the potential for future such orders to be served on other providers. One option could be to draw upon Article 12(3), which allows a party to disapply the agreement to a category of legal process, thus opening an avenue for resolving the controversy without formally reopening the text of the agreement.

Lessons for Europe From the U.K.-U.S. E-Evidence Agreement

Initial experience in implementing the U.K.-U.S. e-evidence agreement offers valuable lessons for the ongoing negotiation between the United States and the European Union. The benefits that U.K. authorities have seen—arrests of serious criminals, narcotics and firearms seizures, progress against child exploitation and organized crime, and prevention of crime—could readily be enjoyed by Europe as well.

The EU’s goals, as delineated in its negotiating mandate, are broadly similar to those the United Kingdom sought in its agreement with the United States. Both entail mechanisms for obtaining evidence for serious crime purposes, and both would apply similar safeguards. For example, the EU, similar to the United Kingdom, would exclude the possibility of data being supplied from its territory for U.S. criminal proceedings that could lead to the death penalty (Article 8 of the U.K.-U.S. agreement).

However, there are important differences in ambition as well. Notably, the EU, unlike the United Kingdom, does not envisage member-state law enforcement authorities making requests for real-time intercept data. The total volume of requests under an EU agreement could therefore be less, on a member state basis, than is the case under the U.K.-U.S. agreement. However, some major EU member states, such as Germany and France, would likely use the agreement extensively for stored content requests, as providers’ transparency reports document.

One particularly instructive area of comparison relates to data protection. The EU, like the United Kingdom, seeks to incorporate the safeguards contained in the EU-U.S. DPPA. But, as practice under the U.K.-U.S. agreement has shown, simple incorporation of the DPPA by reference is not enough to settle all the important data protection issues. The EU’s negotiating mandate for an agreement with the United States expressly recognizes that DPPA protections will require supplementation.

Providers operating in the EU, for example, will still need to determine the appropriate legal basis for processing data sought pursuant to a U.S. request. Governmental negotiators should ease providers’ decisions by settling between themselves the questions arising under the processing articles of the GDPR, identifying for providers a clear, unambiguous legal basis by which they can evaluate each request.

Building on the U.K. experience, the EU and the United States need to devise solutions to manage the potentially large volume of requests that an e-evidence agreement would generate. The U.K.’s initiative in standardizing request and response mechanisms could be generalized to the EU level. A single EU-wide body should guide this effort, as well as unify the technical solutions associated with sending requests to, and receiving data from, providers. There is also a looming need to develop and formalize a standard mechanism for reimbursing providers for their compliance costs.

Finally, an eventual EU-U.S. agreement will need to take account of the solidification of sentiment in the Trump administration and Congress against data decryption demands. The EU’s e-evidence regulation does not address technical capability measures, but the United States will need to clarify during negotiations whether any EU member state has such a capacity under its own criminal procedure laws. To avoid situations like the one following the alleged U.K. TCN on Apple, it would be advisable to include tailored transparency requirements in an EU-U.S. agreement, compelling notification to the Justice Department and the U.S. Congress if any EU member state adopts a technical capability measure. The EU would doubtless insist that such a provision be reciprocal in nature. Avoiding any possibility that an agreement could serve as a backdoor for any member state to obtain decrypted e-evidence seems essential to satisfy the current concerns of the U.S. administration.


Rob Deedman is a UK-based management consultant with over 20 years’ experience, specialising in government’s lawful access to data and the development and sustainment of investigatory powers’ capabilities.
Kenneth Propp is senior fellow at the Europe Center of the Atlantic Council, senior fellow at the Cross-Border Data Forum, and adjunct professor of European Union Law at Georgetown Law. He also advises companies on transatlantic digital policy. From 2011-2015 he served as Legal Counselor at the U.S. Mission to the European Union in Brussels, Belgium.