The COPO Act brings the UK into alignment with the regime in the United States. In 2018, the U.S. Clarifying Lawful Overseas Use of Data (“CLOUD”) Act came into force[1]. The CLOUD Act increased the scope of U.S. companies’ obligations to disclose electronic data stored outside the United States. The CLOUD Act also created a framework by which foreign countries (such as the UK) could seek disclosure of data held by U.S. cloud service providers (“CSPs”), without U.S. co-operation or oversight.
The COPO Act allows UK authorities to side-step the notoriously slow process of mutual legal assistance (“MLA”) in favour of obtaining an Overseas Production Order (“OPO”), which can be served directly on the person storing the electronic data. OPOs could make it much easier for UK authorities to obtain electronic data stored outside the UK, and will particularly affect CSPs in the United States.
These two laws – the COPO Act and the CLOUD Act – reinforce the trend we have seen in recent years of increased international cooperation in cross-border investigations, particularly between the U.S. and the UK. It is highly likely that the U.S. is the first place we will see OPOs in action.
In this On Point we explain how OPOs will work in practice, and examine what impact OPOs will have on U.S. (and other) CSPs which store or process electronic data outside of the UK.
Last year, U.S. Congress passed the CLOUD Act. The CLOUD Act empowers federal and state law enforcement authorities to compel U.S. CSPs to provide electronic data regardless of where in the world the data is stored[3]. The CLOUD Act also created a framework by which other countries could obtain electronic data from U.S. electronic data companies without U.S. oversight or cooperation[4].
Fast-forward to February 2019, and the UK government has gone one step further by creating Overseas Production Orders (“OPOs”). Much like the CLOUD Act – which was passed to address issues raised in the case of U.S. v Microsoft[5] – the COPO Act addresses the legal lacuna highlighted in the case of KBR Inc. v Serious Fraud Office (“SFO”)[6]. In KBR Inc., the UK High Court held that the SFO can only serve section 2 notices (to compel the provision of documents) on non-UK parties if there is a sufficient UK nexus. Even in those circumstances, the notice must be served within the UK.
In contrast to the CLOUD Act (which only applies to U.S. companies), OPOs can be served on any individual or company operating or based in a country outside the UK. OPOs cannot be challenged in the country in which the OPO is served; they can only be challenged in the court in which the OPO was made (i.e. in the UK). For that reason, OPOs will only be available where a “designated international co-operation agreement” (“DICA”) exists between the UK and the country in which the OPO will be served. The UK has been negotiating such an agreement with the U.S. since 2015[7]. The UK government hopes that a DICA with the U.S. will serve as a template for similar treaties with other countries[8].
Assuming a DICA is in place, in order to grant an OPO a UK court must be satisfied that there are reasonable grounds to believe that:
Failure to comply with an OPO will be dealt with as contempt of court, which could result in a fine or up to two years in prison. Any material disclosed pursuant to an OPO will be admissible in any subsequent prosecution. Courts can also include a non-disclosure requirement as part of the OPO, which prevents the person served with the OPO from disclosing the existence of the OPO to another party (such as is often the case with production orders against banks in the UK).
OPOs will be available in the UK to the police, HM Revenue & Customs, the Serious Fraud Office, the National Crime Agency, the Financial Conduct Authority, and anyone else to be named in regulations.
Perhaps most significantly, the default time period for responding to an OPO will be seven days from service of the OPO. Depending on the scope of the request and the volume of data to be disclosed, this will exert serious administrative pressure on CSPs to identify, separate and prepare the data for disclosure within the requisite time-frame, unless they apply for an extension.
The CLOUD Act and the COPO Act provide powerful tools to authorities on both sides of the pond to request and receive electronic data stored overseas. But while the CLOUD Act will be easily enforceable in U.S. domestic courts, it is difficult to see how the UK will enforce compliance with OPOs in other countries. Presumably, any DICA will include provisions to address this issue, but it is hard to see how an OPO, which cannot be challenged or overturned in the locality in which it is served, could nonetheless be enforced there. As currently drafted, the COPO Act does not confer any punitive powers on UK courts to enforce compliance.
The only option this leaves UK courts is the contempt of court procedure, and that is unlikely to hold much sway with some of the U.S. giants. Mark Zuckerberg, for example, famously declined to travel to the UK to give evidence to the UK Digital, Culture, Media and Sport Select Committee (“the Select Committee”)[9]. While the Select Committee does not enjoy the same judicial authority as a court order, Zuckerberg’s refusal to travel to the UK to give evidence to the Select Committee perhaps offers an insight into the approach U.S. CSPs (and other foreign companies) might take when responding to OPOs.
This will be an area to monitor, once the terms of any DICA are agreed. That is, assuming the terms of any DICA are made public.
Refreshingly, this is one issue which will be largely unaffected by Brexit. A DICA is a precondition of any OPO, and a DICA has to be specifically designated as such by the Secretary of State in regulations. This means that the UK will have to negotiate any DICAs with other countries and have them properly designated (which will include laying them before the UK Parliament) before they can be relied on for the purpose of an OPO. The UK government has already indicated that it intends to use the U.S. DICA as a precedent for DICAs with other countries. Accordingly, any DICA with European countries (or the EU as a collective) would have to be negotiated separately to the MLA frameworks currently in place.
The fact that a DICA is a precondition of an OPO means we are unlikely to see many OPOs in practice in the immediate future. The UK government has acknowledged that currently it is negotiating only with the U.S., and those negotiations have been ongoing since 2015. Reaching similar agreements with other countries will take time, and many may simply refuse.
However, where available, OPOs could substantially increase the administrative burden on CSPs operating or based in any country which enters into a DICA with the UK. Given the relatively advanced stages of negotiations between the UK and the U.S., U.S. CSPs in particular would be wise to start preparing now for the increased pace and volume of disclosure requests that they could face, if a DICA between the U.S. and the UK is finalized. As we move towards an environment of global enforcement which is increasingly reliant on cross-border cooperation, it is more likely than not that OPOs will be a reality for U.S. companies in the future.
In last year’s white paper, Dechert proposed a number of practical tips for data companies preparing for the CLOUD Act. Those tips apply equally to any company seeking to prepare for the introduction of OPOs: