
U.S. attorney general William Barr and U.K. home secretary Priti Patel earlier this month signed the first bilateral data access agreement, a new mechanism created after last year's CLOUD Act was implemented.

However, the agreement signed on October 3 isn't likely to assuage law firms' privacy concerns about storing sensitive client data in the cloud, as it only requires government agencies to notify service providers, and not the person whose data is accessed, when data is requested. But observers note that the agreement allows government authorities data access similar to that granted prior to the CLOUD Act's implementation.

The agreement was made possible because of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which amended the Stored Communications Act (SCA) in 2018. The bill included language that would compel U.S. providers of "electronic communication service or remote computing" to comply with government authorities' requests for information belonging to U.S. citizens but stored outside the U.S. The measure also compels U.S. providers to comply with similar requests from other nations seeking information belonging to their citizens.

The law also allows the U.S. attorney general to negotiate data transfer agreements between nations, with a six-month timeframe for Congress to review. To be sure, U.S. and foreign law enforcement agencies have previously requested and accessed citizens' data held in foreign jurisdictions through Mutual Legal Assistance Treaties (MLATs), which had to be approved by two-thirds of the U.S. Senate.

But in the press release announcing the U.S.-U.K. agreement, the U.S. Department of Justice said: "The current legal assistance process can take up to two years, but the agreement will reduce this time period considerably, while protecting privacy and enhancing civil liberties."

At the time of the bill's passage, Gregory Nojeim, senior counsel at the Center for Democracy & Technology, said the new approval process granted the DOJ "enormous discretion to choose which countries will be able to make these direct demands on U.S. providers and, in essence, gain access to their worldwide user base."

A year after the CLOUD Act, the first data-sharing agreement is most relevant to U.K. law enforcement agencies having access to the vast data held by U.S.-based tech companies, said Trisha Anderson, a Covington & Burling partner and former DOJ associate deputy attorney general.

"The most significant impact is the access it affords to U.S.-based data providers," she said. "But it doesn't expand access beyond [that] which was already available."

For law firms concerned about truly safeguarding their encrypted client data, even when they own the encryption keys, Anderson noted the CLOUD Act prohibits any agreement from allowing legal authorities to mandate the decryption of encrypted data.

"What this agreement does is it provides a privacy framework that imposes certain restrictions on the circumstances for which the U.K. government can access that data, and the matter with which they access and maintain that data once it is obtained," she said.

Likewise, because the CLOUD Act provides the agreement's framework, Anderson said the U.S.-U.K. agreement could serve as a model for other nations' data-sharing agreements with the U.S.

Indeed, other nations are already in discussion with the U.S. to set up an agreement under the CLOUD Act, according to the DOJ's press office. A few days after signing the U.S.-U.K. agreement, the DOJ announced it was in formal negotiations with Australia to strike a CLOUD Act agreement. Meanwhile, in late September, the European Commission and the U.S. Department of Justice said they had started formal negotiations on an agreement to "facilitate access" to electronic evidence in criminal investigations.