UK – US Electronic Evidence Treaty – One step forward, two steps back?

Written by Julian Hayes and Michael Drury. Published by The Times, Euronews and PrivSec Report.

On 3 October, in a landmark step for crime-fighting co-operation, Home Secretary Priti Patel and US Attorney General William Barr signed a bilateral agreement paving the way for UK and US law enforcement agencies to obtain data more quickly from electronic service providers operating in each jurisdiction. Given where most tech power lies, this will inevitably be one-way traffic, expediting the UK’s acquisition of evidence from US tech giants such as Facebook, Google and Twitter in the fight against serious crime, including terrorism and child abuse.

Until now, such international data requests were made via the seemingly impossible-to-reform Mutual Legal Assistance (MLA) arrangements, with authorities taking up to two years to obtain e-evidence, leaving investigations and prosecutions mired in international red tape. Under the new arrangements, a UK Judge can issue the police, SFO and other specified agencies with an Overseas Production Order (OPO), bypassing cumbersome MLA procedures and, in principle, obtaining electronically stored data from the US within just seven days.

The legislative framework for the treaty – the US CLOUD Act, effective from March 2018, and the UK’s Crime (Overseas Production Orders) Act 2019 – anticipates an agreement that has taken a substantial time to negotiate. The agreement itself, whose details were published by the UK for the first time on Monday, must still be ratified by the US Congress and laid before Parliament.

The new arrangements are available where it is in the public interest to make an OPO and a Judge is satisfied that an order is sought for the purpose of a terrorist investigation, or that there are reasonable grounds for suspecting an indictable offence has been committed and an investigation or proceedings are underway. They have been welcomed on behalf of crime victims by organisations like the NSPCC, which described them as a hugely important step forward.

Anticipating potential concern from campaign groups, the agreement expressly notes the “substantial safeguards for protecting privacy and civil liberties” in the UK and US. It asserts that the processing and transfer of data in execution of an OPO are compatible with each country’s privacy and data protection laws. Data received pursuant to an OPO must not be transferred to a third country without permission from the issuing state unless it is already in the public domain.

Despite the drafter’s efforts to forestall criticism, the new arrangements have nevertheless been attacked on the basis that they potentially erode key rights. Lawyers have questioned how the baked-in protections for legally privileged material and confidential personal records (known as “excepted electronic data”) can work in practice when the legislation also enables the Court to impose a non-disclosure order preventing electronic service providers from revealing the content or even the fact of an OPO to anyone else. How would a tech company know whether someone else’s material was excepted? The risk is that, in the rush to comply within tight time frames, tech companies might be required to hand over data to which law enforcement authorities have no right.

Similarly, while the legislation and the agreement allow for challenges to OPOs, where the subject of the investigation is unlikely to be aware of the order, it will effectively fall to the service provider to scrutinise the order to ensure that legal and procedural requirements have been adhered to. If service providers are, in essence, to become the guardians of a suspect’s rights, who will bear the financial cost of them doing so? This problem will become acute when it becomes apparent that jurisdictional disputes, which must be brought “in a reasonable time” after receipt of an order, must take place in the unfamiliar setting of the issuing country’s courts rather than in the country where the service provider is based. When service providers must comply within just seven days, will the clock stop while lawyers are instructed, proceedings are issued and disputes argued?

Questions also remain about how the legislation could practically be enforced. The Explanatory Notes to the UK legislation suggest non-compliance could give rise to contempt proceedings. This may prove effective against service providers with UK-based assets but otherwise the enforceability of the legislation may prove more difficult.

Most crucially of all, how will the requirements of the new arrangements – which expressly include the content of an electronic or wire communication – be reconcilable with the service providers’ desire to provide encrypted services (to which providers themselves have no access), and thus ensure the confidentiality and security of their customers’ data and communications?

These uncertainties augur future challenges in the courts, particularly given the frequent inability of law enforcement to get the basics right. Nevertheless, the treaty marks a significant development in tackling serious crime which increasingly pays no regard to national boundaries. The new arrangements will initially last for five years with the option to extend, and will be subject to periodic review of compliance. During that time, the UK and US have agreed to inform each other of material changes in domestic laws that would frustrate the operation of the agreement. Having taken over three years to negotiate with the US – almost beyond measure the UK’s most important potential source of e-evidence – it remains to be seen whether and how quickly such treaties can be replicated with other countries to ensure no electronic evidence is beyond the reach of law enforcement.

About the authors:

Julian Hayes is a Partner specialising in all aspects of corporate crime and regulatory work. As well as dealing with high profile fraud and corruption matters, including investigations with an international dimension, he has considerable experience of advising corporates on data protection and cybercrime issues.

Michael Drury is a Partner at BCL with a diverse practice, ranging from extradition to representing individuals in regulatory proceedings brought by the FCA and acting in criminal investigations by the SFO. He is a leading expert on surveillance and investigatory powers as well as information law and cybercrime.