In complex international criminal investigations it is invariably true that relevant – often electronic – evidence is held overseas. There is often no effective way for law enforcement authorities to obtain such evidence other than by mutual legal assistance (“MLA”). The MLA process is, however, cumbersome and can take months or even years to produce results. It is therefore unsurprising that law enforcement authorities are increasingly seeking new domestic powers to bypass the traditional MLA process.
In the UK, a recent example is the decision in R (on the application of KBR Inc.) v Director of the Serious Fraud Office, which established that, in certain circumstances, the Serious Fraud Office (“SFO”) can compel the production of documents held overseas by a company with no presence in the UK. In that case, a representative of KBR Inc. (the US parent company of a UK suspect, KBR Ltd.) was issued with a notice under section 2(3) CJA 1987 whilst attending a meeting with the SFO in London. The notice required the production of certain material held by the company in the US. KBR Inc. challenged the notice on jurisdictional grounds, but the High Court dismissed the challenge on the basis that there was, in the circumstances of that case, a ‘sufficient connection’ between KBR Inc. and the UK.
Similarly, in the US, the Supreme Court granted a petition in 2017 to resolve the issue of whether the Department of Justice (“DOJ”) had the power to compel Microsoft to disclose customer data that was held on the company’s servers in Ireland. Microsoft had sought to challenge the DOJ’s warrant on the basis of territorial jurisdiction, but ultimately the appeal was dismissed as moot following the introduction of the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) on 23 March 2018.
What is the CLOUD Act?
The CLOUD Act provides that a relevant warrant may require the production of data regardless of whether that data is located outside the US. To give effect to this power, the CLOUD Act also permits the making of bilateral agreements that enable ‘qualifying foreign governments’ to request electronic data from the US in exchange for reciprocal arrangements that allow the US to request electronic data from that country.
When the CLOUD Act was signed into law by President Trump last year, some commentators queried whether any ‘foreign qualifying governments’ would want to enter into such agreements. However, with the introduction of the Crime (Overseas Production Orders) Act 2019 (“the Act”), which received royal assent on 12 February 2019, it is clear that the UK is one country that is keen to take advantage of the new provisions. Whilst the introduction of the Act in the UK has not received as much attention as the judgment in KBR, it potentially has far wider implications.
What are overseas production orders?
The Act enables an ‘appropriate officer’ to apply to the Crown Court for an overseas production order (“OPO”) requiring a person based overseas to produce or give access to ‘electronic data’ regardless of where it is stored. The ‘appropriate officers’ specified in the Act include: a constable; an officer of Revenue and Customs; a member of the SFO; and a person appointed by the Financial Conduct Authority. ‘Electronic data’ is broadly defined as ‘any data stored electronically’, although OPOs cannot require the production of material that is protected by legal professional privilege, or personal confidential records relating, for example, to an individual’s physical or mental health.
In order to make an OPO, a Crown Court judge must be satisfied that there are reasonable grounds for believing that:
- the person against whom the order is sought operates or is based in a country outside the UK which is party to, or participates in, a ‘designated international co-operation arrangement’;
- an investigation has been instituted or proceedings commenced in respect of an indictable offence, or the order is sought for the purposes of a terrorist investigation;
- the person against whom the order is sought has possession or control of all or part of the electronic data;
- all or part of the electronic data is likely to be of substantial value to the investigation or proceedings;
- all or part of the electronic data is likely to be relevant evidence in respect of the offence; and
- it is in the interests of justice for all or part of the electronic data to be produced.
The Act defines a ‘designated international co-operation agreement’ as a relevant treaty, designated by the Secretary of State by regulation, which relates (in whole or in part) to the provision of mutual assistance in connection with the investigation or prosecution of offences. At present, there are no designated agreements in place and therefore certain operative parts of the Act are not in force. Whilst the UK is currently in the process of negotiating a designated agreement with the US (and apparently has been for a number of years), the draft terms are not publicly available. It is, however, difficult to envisage how an OPO could be enforced without specific provisions contained in that agreement.
When fully operational, OPOs will inevitably be used to circumvent the traditional MLA process. This should, in theory, help to expedite cross-border investigations, since the default period for complying with an OPO is a mere seven days from the date of service. In an age when individuals and companies are increasingly storing electronic information in ‘the cloud’ (often on servers hosted by companies based overseas) the potential ramifications of the Act for suspects in UK criminal investigations are profound. In the future, OPOs may prove to be a far more effective tool for the SFO than relying on the case of KBR.
If you’d like to discuss any of the issues raised in this article with one of our solicitors then please get in touch in the strictest confidence.