United Kingdom given right to directly request data from American companies

The British government has this week been given the right to directly request data from American technology companies under a new Data Access Agreement (DAA) between the two nations.

According to the U.K.’s Home Office, the DAA "will fundamentally transform" how investigators in the U.K. collect digital evidence from U.S. platforms. British law enforcement agencies have repeatedly complained of delays and miscommunications under the existing regime.

A large proportion of modern crimes committed in Britain have a digital element in the U.S. even if the crime itself was not committed there, but American law prohibits social media platforms and communications service providers from being able to share data in response to legal requests from a foreign government.

Instead, police and other investigators are forced to navigate the slow process of Mutual Legal Assistance Treaties (MLATs) to collect evidentiary data stored on the servers of American companies. The process often takes many months to complete and these delays potentially allow suspects to continue to offend.

In the U.K., during the prosecution of a man called Stephen Nicholson — a care worker who was ultimately found guilty of raping and murdering 13-year-old Lucy McHugh — a request to Facebook for online messages between the pair was only returned on the first day of his trial.

Delays, miscommunications and the fear of acting too slowly to catch offenders in other cases have led to transposition errors — often involving IP resolution requests — which have caused police to enter the wrong homes and detain innocent people when executing warrants for child abusers.

Graeme Biggar, the Director General of the U.K.’s National Crime Agency, said he was “extremely proud” to have supported the “historic agreement” coming into force and hailed it as “a major milestone which will greatly enhance our response to serious and organized crime – one of the most significant threats to our national security.”

“This represents a huge step forward for U.K. law enforcement, bolstering our ability to disrupt criminals in quicker time and prevent vulnerable people from being targeted. It is the difference between stopping a dangerous channel crossing before it happens and safeguarding a child before they become a pedophile’s next victim.”

The agreement will now allow technology companies based in either the U.S. (or Britain, although this is less common) to “respond to qualifying, lawful orders for electronic data issued by the other country, without fear of running afoul of restrictions on cross-border disclosures,” according to the Department of Justice.

The DAA “fosters more timely and efficient access to electronic data required in fast-moving investigations” for the purposes of preventing, detecting, investigating, and prosecuting serious crime “including terrorism, transnational organized crime, and child exploitation, among others,” added the DoJ.

Police officers in the United Kingdom won't have direct access to file legal requests to American technology companies but will send them through the Investigatory Powers Unit at the Home Office as the designated authority. The Department of Justice's Office of International Affairs will provide the same service to federal, state, local and territorial authorities in the United States.

The agreement is the first of its kind in the United States authorized by the Clarifying Lawful Overseas Use of Data (CLOUD) Act. It prohibits British investigators from targeting "U.S. persons or persons located in the United States" and American authorities from targeting "persons located in the UK."