Overseas Production Orders: How the Law Is Changing in Data Privacy
When Ministers describe a draft bill as “important but essentially boring”, one can safely assume that lawyers, not widely celebrated for their ability to distinguish the interesting from the boring, are the only people who sit up and take notice.
On the back of the Crime (Overseas Production Orders) Act 2019, which recently received Royal Assent, Lawyer Monthly hears from Andrew Smith, Partner at leading criminal defence law firm Corker Binning.
The Crime (Overseas Production Orders) Act 2019 received Royal Assent on 12 February 2019. To this lawyer at least, the Act is far from boring. It represents a dramatic step-change in cross-border criminal law enforcement.
The Act provides a new way of answering the following question: if electronic data is stored overseas, how can a UK investigator compel its disclosure in the UK? Without the Act, there are currently four possibilities. First, if the overseas data is “accessible” from premises situated in the UK, the occupier must produce it in response to a search warrant executed at the premises. Secondly, if a UK company holds the overseas data, the company must produce it in response to a domestic production order. Thirdly, if a foreign company holds the overseas data, the company must produce it in response to a domestic production order, but only if the company has a “sufficient connection” to the UK and the company is served with the order in the UK. Fourthly, overseas data is compellable pursuant to a letter of request issued to, and granted by, the authorities of the state where the data is stored.
This last possibility is known as mutual legal assistance (MLA). MLA is frequently used but notoriously slow. It can take months and sometimes years for letters of request to be processed. This is plainly inadequate when investigating fast-moving conspiracies, particularly those involving an imminent risk of further harm. Ministers have hailed the Overseas Production Order (or OPO for short) as the speedy solution to the sluggishness of MLA.
How do OPOs achieve their speed?
A judge of country A can, on the ex parte application of a law enforcement officer of country A, make an OPO against a person in country B to produce specified electronic data. Unlike mutual legal assistance, which is a state-to-state request, the person holding the data in country B, for example a communications provider, is served with the OPO direct. This person has a default period of seven days in which to produce the data. The authorities of country B have no power to review the judge’s decision to grant the OPO. By imposing strict time limits on the recipient of the OPO and by removing the supervisory role of country B’s authorities, it is intended that country A’s law enforcement officers receive the data quickly, and far more quickly than they would have received it had they relied on MLA.
The power to apply for an OPO is available to all major investigating agencies, including the SFO, NCA, police, HMRC and FCA. To grant the OPO, the judge must be satisfied, amongst other things, that there are reasonable grounds for believing that:
- an indictable offence has been committed and proceedings in respect of the offence have been instituted (or the offence is being investigated);
- the person against whom the OPO is sought has possession or control of all or part of the data;
- all or part of the data is likely to be of substantial value to the proceedings or investigation;
- all or part of the data is likely to be relevant evidence in respect of the offence; and
- it is in the public interest for all or part of the data to be produced.
The usual carve-outs exist for data protected by legal privilege and confidential personal records. The recipient of the OPO (or any other person affected by the OPO) can apply to a judge in country A to vary or revoke it. Unlike evidence obtained through an interception warrant, evidence obtained through an OPO is admissible in criminal proceedings. The OPO is thus a dangerous as well as a speedy new weapon in the prosecutor’s armoury.
When the Act comes into force, it will only apply to requests between the UK and the US. This is because a designated international cooperation arrangement is a precondition of granting an OPO. To date the only such arrangement being negotiated is with the US. This is unsurprising. The US is home to Facebook, Google and many other major tech companies holding potentially probative electronic data. The text of the UK/US cooperation arrangement is not yet finalised and is not publicly available, but Parliament has already declared that it will serve as a “framework for other reciprocal treaties all around the world.”
Objections to the Act have focused on three main issues.
1. First, it is claimed that removing the supervisory role of the authorities in the receiving state entails losing a valuable safeguard against abusive requests. This objection is ill-founded. Mutual trust has long been the cornerstone of MLA; the authorities in the receiving state have extremely limited grounds on which to refuse a letter of request. Moreover, a person affected by an OPO has a remedy. They can apply to vary or discharge the OPO in the requesting state, and can therefore argue that the investigator’s ex parte application lacked the requisite candour or that handing over the data would breach data protection or privacy rights enshrined in the European Convention on Human Rights or similar instruments.
2. Secondly, it is claimed that the aforementioned remedy may be unavailable to a suspect in a criminal investigation, in that the suspect may be unaware that his or her data has been sought under an OPO. Indeed, the Act provides that a judge making an OPO may include a non-disclosure requirement which prevents the person against whom the OPO is made from disclosing its existence. This objection is also ill-founded. The criminal law routinely operates so that evidence is gathered from innocent third parties (such as banks) who hold data about suspects, in circumstances where the suspects may not know, or are prevented from knowing, that their data has been disclosed.
3. Thirdly, concerns have been raised as to whether the UK will hand over data which may be used in US prosecutions carrying the death penalty. It is true that the Act does not require the US authorities to provide assurances against the death penalty before serving an OPO on a UK person. This may seem surprising given that, absent such assurances, the UK refuses to extradite persons to the US in relation to capital crimes. However, in the Parliamentary debates, not one case was identified from the past 20 years where data was provided to the US authorities pursuant to a letter of request and subsequently used in a prosecution for which the defendant was sentenced to death. Moreover, only last month the Lord Chief Justice confirmed that the Secretary of State had been entitled to authorise MLA to the US which could lead to the prosecution of a British suspected terrorist for offences carrying the death penalty, without assurances that the death penalty would not be sought. Death penalty assurances are mandatory for the cross-border transfer of persons, but not for the cross-border transfer of evidence.
These three objections are outweighed by the public interest in expediting investigations which involve an examination of overseas data. The OPO recognises not only that evidence which proves or disproves a crime is increasingly electronic, but that it is increasingly meaningless to suggest that electronic data has a fixed location – or that it somehow belongs to the country in which it happens to be stored. Take an example. Let us suppose that two terrorists, two members of a child abuse ring, or two white-collar criminals are leaving evidence of their crimes on a US-based end-to-end encrypted communications app. The duo is based in the UK and their crime is committed here. Currently the encryption may prevent UK law enforcement from accessing the messages, which are, in any event, stored on a US platform. Given that those breaking the law can send, receive and act upon the messages whilst they are in the UK, it is difficult to argue that UK law enforcement should be prevented – or should have to wait many months pending the outcome of MLA – before being able to access the same messages. Further crimes could be committed in the intervening period.
The principal shortcoming of the Act is that it fails, albeit understandably, to impose an effective penalty on a person who refuses to comply with an OPO. The directors of a communications provider that refuses to disclose data sought under an OPO may be found to be in contempt of court in the country where the OPO was made. However, contempt of court has limited practical consequences; it is not an offence for which the directors can be extradited. Set against that, most companies would not want to incur the reputational harm that refusing to comply with an OPO may engender, and would instead want to do the “right thing” by assisting criminal investigations. Governments have struggled in recent years to make Facebook and its ilk police themselves for extremist content, or to ensure that vulnerable users are not abused. The OPO is part of the same trend. Contrary to the views expressed in the House of Commons, the OPO is an important – but also an interesting – new mechanism for compelling powerful tech giants to become more responsible global citizens.
- Section 20 Police and Criminal Evidence Act 1984.
- Such as that available to the SFO under section 2(3) Criminal Justice Act 1987. See para 64 of R (on the application of KBR Inc.) v Director of the Serious Fraud Office EWHC 2368 (Admin).
- See para 71 of R (on the application of KBR Inc.) v Director of the Serious Fraud Office EWHC 2368 (Admin).
- Section 7 Crime (International Cooperation) Act 2003.
- R (on the application of El Gizouli) v Secretary of State for the Home Department EWHC 60 (Admin).
- R v O’Brien UKSC 23.