UK law enforcement can now obtain an order against a person in or operating in the US for the production of or access to electronic data under a new ‘landmark’ US-UK data sharing agreement.
The agreement has been heralded a step towards removing the barriers that can prevent the speedy disclosure of electronic data, potentially impeding the progress of criminal investigations and proceedings. The US-UK agreement is expected to be the template for similar bilateral agreements in the future. But should we be concerned about how easily the authorities can access this data, and are there sufficient checks and balances in place to ensure it is used judiciously?
A ‘landmark’ data access agreement
On 28 February 2020, the agreement between the UK and the US ‘on Access to Electronic Data for the Purpose of Countering Serious Crime’ (the Agreement) came into force. It is a designated international co-operation arrangement under the Crime (Overseas Production Orders) Act 2019 (the 2019 Act). This means UK law enforcement can obtain an overseas production order (OPO) against a person who operates in or is based in the US, demanding the production of, or access to, electronic data, wherever it is stored.
Under the 2019 Act, ‘electronic data’ is defined as data stored electronically. The US Cloud Act creates a similar framework for US law enforcement, although in reality, the data is located primarily in the US, and it is UK law enforcement who will be the principal beneficiaries under the Agreement.
Previously, in order to obtain material held overseas, the authorities would have to make a request for mutual legal assistance (MLA). As acknowledged in the Explanatory Memorandum to the Agreement (the Memorandum), the MLA process requires considerable resources and it can often be several months or even years before the material sought is produced, which can impede a criminal investigation or prosecution1. Under the Agreement, an OPO must be served within three months and the material produced within seven days, although this may be made longer or shorter by the issuing judge.
It is important to note that nothing in the Agreement or the 2019 Act compels the recipient of an OPO to comply with an OPO. It merely places obligations on the UK and US to remove barriers in domestic law that would otherwise prevent disclosure of the data. Instead, failure to comply with an OPO is to be treated in the same way as a failure to comply with a domestic production order: as a civil contempt of court. For a recipient of an OPO, this may provide some comfort because, as confirmed by the Supreme Court,2 a civil court is not an extraditable offence. However, it should be borne in mind that the MLA process is still available to UK/US authorities and as such would ultimately involve an order of a domestic court.
The 2019 Act is designed to provide the one-size fits all framework for OPOs, but the substance of how any particular agreement should operate is to be found in the bilateral treaties that may be agreed between States. As a result, it is possible that the OPO regime may operate slightly differently depending on the terms of the applicable designated international co-operation agreement. As such, it is interesting to see that the 2019 Act and the Agreement are not perfectly aligned. For example, under the Agreement, an OPO may be made in relation to any ‘serious crime’, which is defined as an offence with a maximum penalty of at least three years’ imprisonment. Under the 2019 Act, an OPO may be made in relation to any indictable offence.3
An interesting feature is the status of encrypted material. The Agreement makes no mention of the format in which the material is to be provided. The 2019 Act, requires that the electronic data is produced or accessible in a visible and legible form, which suggests material must be decrypted. However, in English law, accessing encrypted data is governed by Part III of the Regulation of Investigatory Powers Act 2000 (RIPA). The DOJ has addressed the question of decryption under the US Cloud Act, which it described as ‘encryption neutral’ and not creating ‘…any new authority for law enforcement to compel service providers to decrypt communications. Neither does it prevent service providers from assisting in such decryption, or prevent countries from addressing decryption requirements in their own domestic laws.’4 In short, despite the wording of the 2019 Act, if encrypted material is provided, the UK authorities must turn to the provisions of RIPA.
What safeguards exist?
Sewn into the Agreement are a number of safeguards that limit the scope of this new regime. For example, there are targeting restrictions, which include a prohibition on OPOs that may be used to infringe freedom of speech or to disadvantage certain groups, and prohibition on the sharing of any data received with a third country (or issuing an OPO on behalf of a third country).
The OPO must be targeted at specific accounts and identify its objective. OPOs must also be subject to review or oversight by a judicial body or independent authority.
The Agreement also envisages the designation of an authority designated by the Home Secretary, which will transmit the OPOs.5 The Agreement requires that the designated authority review an OPO to ensure it complies with the Agreement. This requirement is satisfied by section 9 of the 2019 Act, which, by its inclusion, should ensure that any variation between the Agreement, or other designated co-operation arrangement, is reconciled. In addition, the remedy of judicial review against the Secretary of State’s decision to transmit the OPO remains available.
Notwithstanding the availability of judicial review, one of the criticisms of the 2019 Act and the US Cloud Act is that an application for an OPO may be made without notice, and the tight timetable for the production of material sought does not allow much time for a legal challenge. The 2019 Act allows an issuing judge to include a non-disclosure requirement in an OPO, which prevents the recipient from disclosing the existence of the order or its contents to any person without the leave of a judge or written permission from the law enforcement officer who obtained it. The service provider who is likely to be a recipient is a neutral party in any criminal investigation or prosecution, and there does not appear to be any good reason for the absence of a notice requirement in order to allow a challenge to be made prior to the OPO being issued. As currently drafted, a recipient of an OPO may receive – but is not entitled to – notice, and is likely to first become aware of the OPO when it is served.
Another concern is the lack of clarity about the oversight mechanism. The 2019 Act provides for an application to be made to vary or revoke an OPO. The recipient of an OPO, as a ‘person affected by the order’ can make the application, which must be based on one of the specified grounds. In short, it must be demonstrated that the requirements for making an OPO under the 2019 Act have not been met.
The Agreement provides for an additional process for raising an objection that is not mentioned in the 2019 Act. It provides that an objection in the first instance should generally be made with the designated authority in the issuing state, in the UK, the Secretary of State, in a reasonable time after receipt of the OPO. The Secretary of State is required to respond to those objections and, if not resolved, the objections may be raised with the designated authority in the receiving state. The two designated authorities can then confer ‘in an effort to resolve’ the objections. Whether the recipient of the OPO will be privy this process of decision making is unclear.
Another significant safeguard is that an OPO must not conflict with domestic data privacy laws. This means that a recipient of an OPO must also comply with GDPR obligations. In addition, the UK will not provide data where it is to be used in relation to an offence attracting the death penalty, and the US will not provide data in relation to targeted US persons or, in relation to specific offences that may raise freedom of speech concerns.6
How will the data access agreement work in practice in the UK?
Under the 2019 Act, the Serious Fraud Office, the Financial Conduct Authority, Her Majesty’s Revenue and Customs, the police or any other “appropriate officer”7 can apply to the court for an OPO.
To be successful, the enforcement authorities will need to satisfy a UK judge that, among other things, the entity has possession or control of the data – that the data is likely to be of “substantial value” to the investigation or proceedings and that accessing or producing the data is in the public interest.
If the application is successful and the order is granted by the UK court, the Secretary of State will serve it directly on the service provider.
Failure to comply with the OPO would constitute a civil contempt of court, resulting in a potential fine or up to two years in prison for company directors.8 As mentioned, this is not an extraditable offence, despite the punitive element.
It is worth noting that safeguards for personal confidential data and material protected by legal professional privilege ‘excepted electronic data’.
In practice, UK-based law enforcement authorities should be able to get access to data held abroad more quickly and more easily than ever before, but this depends on a willingness to comply with the OPO where there is no real consequence for non-compliance, and where the encrypted format in which it may be provided will be of no use.
Where the recipient, the data holding entity, chooses not to comply, the seven-day deadline for producing the data is likely to exert significant pressure, particularly as the burden will fall on them to identify and exclude data that may be privileged, confidential or subject to GDPR concerns. All of this has the potential to be overly burdensome for companies that possess and control vast amounts of electronic data.
A new reality for criminal investigations?
The Agreement will remain in place for five years and whether it proves to be as useful as it was proclaimed will be proven by how many OPOs are issued, how prolific they are and the success of any challenge. As it currently stands, no OPOs have been made, and the absence of any ‘teeth’ may mean that law enforcement may have to resort to the previously used and cumbersome MLA process. The OPO is novel and perhaps imperfect, but it is part of the drive to ensure swifter and less bureaucratic access to data relevant to criminal investigations. Although not yet concluded, the EU is in the process of negotiating a similar agreement with the US to create a European Production Order (EPO), in recognition of the fact that more than half of all criminal investigations include a cross-border request to access electronic evidence. Imperfect or not, OPOs or similar powers are here to stay in one form or another. Although in the US, data access agreements are made under the US Cloud Act, the OPO regime and any future EPO framework may differ, so companies with operations in different jurisdictions will have to become familiar with both.
If OPOs do become the favoured process, companies that store vast amounts of electronic data would do well to prepare now. Communications service providers and companies that store or process data must be ready to respond at short notice. Mapping out cloud data, knowing and documenting where data is stored and being sure that people in the business are keeping this information up to date will be essential. A good understanding of legal privilege and data protection legislation will be necessary, too.
No company, or its shareholders, wants its directors or officers held in contempt of court, but it would be wise to decide upon the strategy to be adopted, as very little time will be permitted to ‘take stock’ once an OPO has been served. There is a balance to be struck between the reputational damage caused by a finding of contempt and being seen as obstructive to investigations involving what may be very serious crimes, including terrorism and child sex abuse, and undermining consumer confidence.
Should an OPO be challenged, complied with or ignored? This is the question many service providers will have to grapple with. Responding will require flexibility and a framework for action that ensures the most suitable response, whilst also taking into account that in the background is the lingering presence of a more toothy MLA process.
1 ‘Explanatory Memorandum to the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime’.
2 R v O’ Brien [2014] UKSC 23.
An indictable offence in English law is any offence which may be tried on indictment in the Crown Court includes offences with a maximum penalty of less than three years’ imprisonment.
4 White Paper ‘Promoting Public Safety, Privacy and the Rule of Law Around the World: The Purpose and Impact of the Cloud Act, April 2019.
5 Under the 2019 Act, the Home Secretary has designated herself as such an authority and OPOs may only be transmitted by her office.
6 ‘Understanding in relation to the Death Penalty under the Agreement between the Government of the United
Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime’
7 Section 2 of the 2019 Act.
8 Section 15 of the 2019 Act.
[View source.]