Supercharged criminal disclosure orders to obtain overseas data will soon be available

United Kingdom

The Crime (Overseas Production Orders) Act 2019 received Royal Assent in February 2019. Its operative provisions are not yet in force, but when they are, it will enable UK authorities, without having to go through the cumbersome mutual legal assistance processes currently in place when seeking evidence overseas, to obtain orders for the disclosure of electronic data from anyone anywhere in the world, to support investigations or prosecutions.

Background

The judgment in R (on the application of KBR Inc.) v Director of the Serious Fraud Office [2018] EWHC 2368 (Admin) highlighted the difficulties faced by the authorities when seeking evidence overseas. The processes available when investigating increasingly complex and borderless activities have not evolved to reflect the means by which documents and data (i.e. evidence) can now be created, communicated, moved and stored anywhere in the world almost immediately. KBR was the first time an English court determined the extraterritorial application of any of the compulsory document production powers available to law enforcement agencies in the UK. The judgment has come under heavy criticism as an example of judicial interference in law-making, and it is understood that KBR are seeking to appeal the decision.

That appeal, even if successful, may have limited application, however, as the Crime (Overseas Production Orders) Act 2019 (the “Act”) may soon amplify the powers of UK authorities to obtain swift disclosure of electronic data held outside the UK by persons outside the UK.

The overseas production order

The Act will allow authorities to sidestep the much slower route of applying for the help of local courts through mutual legal assistance (MLA) requests, which is currently necessary in many cases. It can take months or even years for letters of request to be processed. This is plainly inadequate when investigating fast-moving conspiracies and ongoing criminal offending, particularly those involving an imminent risk of further harm. In announcing the passage of the Act, the Government expressed a hope that overseas production orders may speed up the process to days or weeks.

Under the Act, an appropriate officer (which includes the police, NCA, SFO, HMRC and FCA) can apply to a Crown Court judge for an “overseas production order” (“OPO”) to obtain specified electronic data from someone (“R”) outside the jurisdiction if there is a “designated international co-operation arrangement” (“DICA”) in place with the jurisdiction where R is based or operating. The OPO will be made so long as certain requirements and conditions are fulfilled. If made, the OPO can be served directly on R and will require the production of, or access to, the specified electronic data.

DICAs

A DICA is a treaty providing for mutual assistance in connection with the investigation or prosecution of offences and which has been designated by the Secretary of State as such a treaty. At present, the UK is seeking to conclude such an agreement with the United States. As noted during the debates on the Bill, 90% of the data likely to be sought using powers under the Act is held in the US, as that is where the world’s largest communication and social media providers are based or operating. However, that treaty is not yet finalised and is not publicly available, and so there is presently no DICA under which an OPO can be made.

The requirements

In order to obtain an OPO, a Crown Court judge must be satisfied, amongst other things, that there are reasonable grounds for believing that:

  1. R is based in or operates in a country that is party to the relevant DICA
  2. An indictable offence has been committed and is being investigated or prosecuted
  3. R has possession or control of all or part of the electronic data sought
  4. All or part of the electronic data is likely to be of substantial value (whether or not by itself) to the proceedings or investigation
  5. All or part of the data is likely to be relevant (i.e. admissible) evidence in respect of the offence and
  6. It is in the public interest to grant the order in relation to all or part of the electronic data, having regard to (a) the likely benefit to the investigation or prosecution obtained from the data and (b) the circumstances under which R has control of the data.

Any regulations made in connection with the Act can provide for additional requirements.

If only part of the data requested meets the above requirements, then the OPO will only be made in respect of that data. Exemptions are also in place for data protected by legal privilege and confidential personal records. Unlike evidence obtained through an interception warrant, evidence obtained through an OPO is admissible in criminal proceedings.

The data will have to be produced within 7 days of service of the OPO, unless a different period is specified as being appropriate in the circumstances. While any order made will not require R to do anything that would result in the person contravening the data protection legislation (as defined in section 3 of the Data Protection Act 2018), it otherwise has effect in spite of any restriction on the disclosure of information (however imposed).

Once served with the OPO, R can apply to vary or revoke it, but the Act contains little information about the circumstances and grounds on which R can do so.

R cannot disclose the fact of the application or OPO

Large parts of the Act are concerned with preventing R disclosing that an application or OPO has been made. Save where there are reasonable grounds for believing that journalistic data (i.e. data created or acquired for the purposes of journalism and stored by or for the person who created or acquired it) is included in the data sought, there is no requirement to give notice of the application for an OPO. Essentially, the application is without notice. (Although s.13 of the Act refers to the possibility of other circumstances when notice of the application must be given to R, there are no such circumstances identified in the Act.)

Where the information sought may include journalistic data, R (and, if different, the relevant journalist) must be served with the application (unless the judge directs otherwise in respect of service on the journalist). Once served with the application, R or the journalist cannot disclose that fact pending the outcome of the application – even to an employer or to a lawyer. R also cannot conceal, destroy, alter or dispose of any of the electronic data specified or described in the application. These restrictions can be softened with leave of the judge or agreement of the appropriate officer.

These requirements could be very onerous as immediate steps would need to be taken to preserve the specific data referred to in the application pending its outcome and the recipient of the application is not even, as of right, able to seek legal advice as to their options. Given that the purpose of the Act is to enable these orders to be made against people or companies who may have almost no connection to the UK, it is unlikely that they will have much, if any, awareness of this Act or their legal rights under UK law, and so the failure to incorporate a protection to enable legal advice to be taken is difficult to understand. It is almost inevitable that R will have to contact the appropriate officer or, failing that, apply to the judge, to be allowed to seek legal advice, but they may not even appreciate that they are allowed to do that.

The judge can also include a non-disclosure requirement in the OPO, which would prevent R from disclosing the fact that the order has been made, except with leave of a judge or the written permission of the appropriate officer. If such a provision is included, it must specify or describe when that restriction will expire.

Service

The OPO must be served within 3 months or else it lapses. It can only be served by the Secretary of State, by any means allowed by the rules of court, including electronically. It can also be served at any place of business that R has in the UK or in accordance with any specific arrangements made for service by the Secretary of State. Exceptionally, it can be served by making it available for inspection in the UK so long as (i) it is not reasonably practicable to serve it by any other means and (ii) appropriate steps are taken to bring its contents and availability for inspection to R’s attention.

Comment

Improvements are obviously needed to the means by which law enforcement authorities are able to obtain electronic data that is relevant to their investigations, whether in the UK or overseas. The Act marks a potentially dramatic shift in the approach to obtaining such evidence, subject to DICAs being put in place and subject to the approach of judges to applications they receive. Unlike the current mutual legal assistance process, an overseas production order can be served directly on the relevant respondent, rather than having to go through the overseas country’s courts and central authority. However, that may place these powers into conflict with the laws in the relevant countries that prevent the provision of data overseas or prevent foreign authorities or others from conducting investigations in their territory. At the moment, this remains theoretical, as the main provisions of the Act will only come into force when regulations to that effect are made by statutory instrument. This is unlikely to happen until at least one DICA is available – presumably the prospective treaty with the United States.

Of particular note are the wide territorial parameters of the Act, which allow orders to be made against persons based in or operating in a DICA jurisdiction. Under the Act, a person is based in a country if it is his habitual place of residence or, in the case of a body corporate, if it is incorporated in, or has its principal place of business in, that country or territory. On the other hand, a person “operates” in a country or territory if he or she creates, processes, communicates or stores data by electronic means in that country or territory (whether or not the person also creates, processes, communicates or stores data by electronic means in the United Kingdom). This is obviously very wide and is likely to mean that the UK will focus on putting in place DICAs with some key jurisdictions initially (such as the US), which will then give them game-changing levels of potential access to data.

One notable omission from the Act is that it fails to impose any penalty on a person who fails to comply with an order made under it. A refusal by a company to disclose the relevant material could result in its directors being in contempt of court. However, that is not an offence for which the directors can be extradited to the UK. Although many companies may not want to risk damage to their reputations by refusing to comply with such an order, and may instead want to be seen to be assisting criminal investigations, there are limited teeth to provide for effective enforcement of such orders.

At the same time, the requirements preventing any alteration or destruction of data once an application has been served on a respondent, while understandable, create potentially significant practical difficulties, depending on the nature of the data sought. There are safeguards in that the application for an OPO must relate to specific data (and so should not be capable of applying to bulk data for example). However, OPOs could be particularly problematic for larger tech businesses holding data in cloud storage in multiple locations where segregating specific data against potential breach of such restrictions may be difficult.

Similarly, the requirement that any data specified in the order must be provided within seven days of effective service is potentially onerous and no provision is made to compensate innocent third parties who hold potentially relevant data for the cost of complying with such an order. If these orders become commonplace and replicated around the world to provide similar powers to authorities overseas, large tech businesses and communications providers may face significant costs in having to comply with large numbers of orders of this kind. Time will tell how onerous such an approach may become for such businesses.