The Crime (Overseas Production Orders) Act 2019 (“Act”) received Royal Assent on 12 February 2019. The Act allows UK law enforcement agencies including the Serious Fraud Office (“SFO”), HMRC and the Financial Conduct Authority to apply for a court order with extra-territorial effect (an Overseas Production Order or “OPO”) to obtain data stored electronically, directly from communications service providers (“CSPs”) based outside the UK, in order to assist with domestic investigations and prosecutions of serious crime.
Before the Act was passed, UK legislation allowing law enforcement and prosecuting authorities to access electronic data was not explicitly extra-territorial and so only effective when the company or individual possessing or controlling the information was based in the UK. Accordingly, prior to the Act, law enforcement agencies had to primarily rely on Mutual Legal Assistance (“MLA”) channels when the required electronic data was held by a company based outside the UK. However, the MLA process can take between six months and two years, resulting in delayed or abandoned investigations or prosecutions. The Act provides an alternative, expedited procedure.
The OPO can be served in a foreign jurisdiction where a designated international cooperation agreement exists between that country and the UK. The UK is in the process of negotiating a data access agreement with the United States, where the world’s largest CSPs are based. Draft terms of the agreement are not yet publically available.
The judge considering the application for an OPO from a representative of a relevant law enforcement agency or prosecutor must be satisfied that there are reasonable grounds for believing that:
- the person against whom the OPO is sought is based in or operates in a territory outside the UK which is a party to, or participates in, the designated international cooperation agreement specified in the application;
- an indictable offence has been committed and that proceedings in respect of that offence have been instituted or the offence is being investigated, or alternatively, that the OPO is sought for the purposes of a terrorist investigation;
- the person against whom the OPO is sought has possession or control of all or part of the data;
- the data is likely to be of substantial value to the criminal proceedings or investigation in relation to which it is requested;
- all or part of the data is likely to be relevant evidence in respect of the offence (this is not a requirement in respect of terrorist investigations); and
- production of the data would be in the public interest.
If the OPO is granted, the CSP has seven days in which to produce the data, beginning with the day on which the OPO is served. This is unless the judge deems that a shorter or longer time period would be appropriate. Any person affected by the OPO may apply to vary or revoke the OPO. However, the OPO may include a non-disclosure requirement preventing the CSP from disclosing the fact or content of the OPO, except with leave of the judge or the relevant law enforcement authority or prosecutor that applied for the order. Even if an OPO is later revoked, the non-disclosure requirement could be maintained. This means that the underlying subject of the OPO – the person, for example, whose email mailbox will be accessed or produced as the result of an OPO – may never know that the OPO has been made and that their data has been made available to a law enforcement agency.
Neither legally privileged information nor confidential personal records (e.g. medical records) would have to be provided by CSPs (though confidential personal records are not excepted in the context of terrorism investigations). However, it appears that, at least initially, the person who decides what data falls into these categories, is the CSP, who may have just seven days to make that determination. How CSPs will navigate the evaluation of issues of legal professional privilege and identify confidential personal information in such a short period, remains to be seen.
What does the new development mean for companies?
The key practical impact of the Act is that UK law enforcement agencies, including the SFO, could have much quicker access to data generated and/or stored abroad by CSPs. Where enforcement agencies need access to data held outside the UK by other foreign companies, e.g. one that might be the subject of an investigation, the SFO’s powers under section 2(3) of the Criminal Justice Act 1987 to compel foreign companies to produce documents held outside the UK provided that there is a “sufficient connection” between the company and the jurisdiction – as opposed to MLAs – will most likely be the fallback.
What should companies do?
Companies with data stored outside the UK need to be conscious that such data will in principle now be far easier to access by the UK authorities, as well as the related impact this may have on expectations when seeking to cooperate with such authorities. Likewise CSPs holding data outside the UK should be alert to the possibility that the UK authorities could serve a binding order on them, which could require compliance within seven days. Appropriate processes and procedures will need to be put into place to deal with such a possibility.