US, UK reach CLOUD Act agreement

The U.S. government has reached a tentative data-sharing agreement with the United Kingdom that would give law enforcement agencies in both countries access to digital data and evidence stored within each other's borders.

"Only by addressing the problem of timely access to electronic evidence of crime committed in one country that is stored in another, can we hope to keep pace with 21 century threats," Attorney General Bill Barr said in a statement.

The agreement defines "serious crimes" as offenses that rate maximum prison terms of three years or longer, a Justice Department spokesperson told FCW.

According to an announcement from DOJ, the agreement will cover a "broad class" of crimes and investigations, includes a promise not to use the agreement to target each other's residents and "assure[s] providers that disclosures through the Agreement are compatible with data protection laws." It also contains a provision whereby the United States must get permission from U.K. officials before using such evidence in cases where prosecutors are seeking the death penalty.

This the first bilateral agreement reached under the Clarifying Lawful Overseas Use of Data  (CLOUD) Act passed by Congress last year. It will enter into full force six months following a pending review process by the U.S. Congress and U.K. Parliament.

"I am confident, as more countries update their legal processes, more governments will seek … agreements like the one signed today," said CLOUD Act co-sponsor Sen. Susan Collins (R-Maine).

As companies have dispersed their data center and storage operations across the globe, it has created complications for law enforcement agencies in the U.S. and other countries when obtaining digital evidence. A crime that takes place entirely in the U.S. may involve evidence (email, text messages or other digital traces) that is stored in another country. That has created what many companies view as a no-win scenario when the laws of the investigating country conflict with those of the country where the data is stored.

Prior to the CLOUD Act, countries obtained such data through what are known as Mutual Legal Assistance Treaties. That process has been described by some nations as slow, cumbersome and not suited for the modern age.

Perhaps the most high-profile example was a years-long court battle between the U.S. government and Microsoft over data relevant to a U.S. investigation stored in a data center in Ireland. That case was pending before the Supreme Court before passage of the CLOUD Act rendered it moot.

Perhaps the most high-profile example was a years-long court battle between the U.S. government and Microsoft over data relevant to a U.S. investigation stored in a data center in Ireland. That case was pending before the U.S. Supreme Court before passage of the CLOUD Act rendered it moot.

"The reality is, the world we live in today, everything is digital: Your business records are digital, your phone records are digital, often your communications themselves are digital…. So for us to build cases, we need to have access to electronic evidence," said Sujit Raman, associate deputy attorney general at an Oct. 2 discussion hosted by the Washington Post.