The digital age has brought with it not only cybercrime but also new sources of evidence, which are increasingly important in criminal investigations and prosecutions. However, in our globalised world, much of this evidence is stored overseas, hampering law enforcement agencies’ efforts to tackle “borderless” crime.
Until now, states have generally used Mutual Legal Assistance Treaties (MLATs) to obtain electronic evidence from overseas communication service providers. Under an MLAT, a national law enforcement agency obtains assistance from an overseas counterpart through Central Authority intermediaries. Response times under MLATs can be slow though. For example, MLAT requests to the US take an average of 10 months to complete, meaning electronic evidence can arrive too late to be useful.
To overcome such difficulties, governments around the world have been considering measures to expedite the acquisition of overseas-held electronic evidence. The US CLOUD Act, introduced following the FBI’s well-publicised difficulty obtaining material from Microsoft servers in Ireland, was one of the first national measures to grapple with the issue. In force since March 2018, the US CLOUD Act requires US data and communications companies to provide electronic data on US citizens wherever it is located in response to a US warrant, but provides a mechanism for challenge where the target is not a US citizen in the US, or where providing the data would violate the privacy laws of the foreign country hosting the data and it is in the interests of justice to quash or modify the warrant. The US CLOUD Act allows for reciprocal agreements between the US and foreign governments permitting law enforcement agencies to seek data from providers in each other’s country, subject to specific safeguards.
In April 2018 came the European Commission’s proposal for European Production Orders (EPOs). EPOs would allow a judicial authority in one member state to request electronic evidence directly from a service provider offering services in the EU and established or represented in another member state, regardless of the data’s location. As currently envisaged, EPO compliance would be obligatory within 10 days and in emergencies within just 6 hours. A European Preservation Order would oblige a service provider to retain specific data pending a request for its provision pursuant to an EPO, European Investigation Order or an MLAT. With Brexit on the horizon, the UK Government must decide whether it opts into the EU’s EPO scheme.
The UK’s own proposal, issued in anticipation of a bi-lateral agreement with the US, is set out in the Crime (Overseas Production Orders) Bill, introduced to Parliament in June 2018. Under it, specific law enforcement agencies would be empowered to apply to the UK courts for an order (OPO) requiring overseas service providers to produce or grant access to electronic data for the purposes of investigating and prosecuting serious crimes. An OPO could only be granted if a judge is satisfied that:
- an indictable offence has been committed and an investigation has begun or a prosecution is underway;
- the data is likely to be of substantial value to the criminal proceedings or investigation for which it is being requested;
- the person against whom the OPO is sought has some or all of the data covered by the application;
- it is in the public interest for the data to be made available; and
- an international agreement is in place between the UK and the territory where the relevant provider is based.
Issues with Overseas Production Orders
Although the Bill may well streamline the process for securing overseas-based electronic evidence, questions remain regarding how the legislation would work in practice. For example, it is unclear how OPOs would be enforced in the event of non-compliance. The Bill’s Explanatory Notes suggest non-compliance could give rise to contempt proceedings; this may prove effective against service providers with UK-based assets but otherwise the enforceability of the legislation would depend on the vagaries of the judicial system of the state hosting the relevant provider. Parliamentary debates on this issue suggest that, in cases of non-compliance, it would still be necessary to resort to the existing MLAT procedure.
Although the Bill seeks to protect legal privilege and confidential personal records (Excepted Electronic Data), in practice, the identification of such material by providers will not always be straightforward, particularly where a Judge grants a non-disclosure order preventing disclosure of the fact and content of the order. Given the time which may be involved in responding to OPOs, and with every possibility that they will proliferate, the Bill is unclear about financial compensation to service providers for the cost of dealing with them.
While in Parliamentary debates it was confirmed that the GDPR and Data Protection Act 2018 would prevail in the event of any conflict with the OPO legislation, the Government has declined to include this in the Bill, potentially jeopardising the UK’s future ability to obtain a data protection “adequacy decision” from the EU for post-Brexit data transfers.
It has taken the UK almost three years to negotiate a bi-lateral agreement with the US to obtain electronic evidence and final agreement has not yet been reached. The negotiation of similar bi-lateral agreements with other states, whose legal systems may differ more markedly from that of the UK, is unlikely to be swift. This is of particular relevance given Brexit is fast approaching and with it, the possibility that the UK may have to negotiate bi-lateral agreements with each EU member state.
The key question, however, is whether the proposals are sufficiently robust to protect against abuse. For example, while the Bill allows for challenges to OPOs issued by a UK Court, until bi-lateral treaties are agreed between the UK and other states, there will be no such clarity about how UK service providers could challenge a request received from overseas. This will be particularly important where requests are received from nations where judicial independence is under attack and where requests might be made for political rather than law enforcement reasons.
The Bill is still under Parliamentary consideration but pressure for greater international law enforcement cooperation seems likely to ensure its eventual enactment, adding to the growing list of data considerations for companies dealing with electronic information.
BCL Partner Julian Hayes specialises in corporate and financial crime, surveillance and data protection law. He advises individuals and corporates in relation to fraud and corruption investigations by the SFO, enforcement actions by the FCA (insider dealing and market abuse) and offences under the customs and excise legislation prosecuted by HMRC. As well as expertise in relation to computer misuse offences, Julian also specialises in providing advice to Communication Service Providers and others in relation to their obligations under the Regulation of Investigatory Powers Act 2000, the Investigatory Powers Act 2016, the Data Protection Act 1998 and associated Codes of Conduct.
Greta Barkle is a New Zealand qualified lawyer specialising in business crime, regulatory investigations, extradition and cybercrime. Prior to joining BCL Solicitors LLP, Greta worked on a range of complex disputes, including claims against the New Zealand Police and Government Communications Security Bureau in relation to dawn raids and unlawful surveillance of communications. Greta also assisted counsel in New Zealand’s leading white collar crime and extradition case and is an experienced criminal and regulatory prosecutor.