By Michael Drury and Julian Hayes
Hailed as a major breakthrough in the battle against organised crime, terrorism and child abuse, in early October the UK signed a ground-breaking bilateral agreement with the US government to obtain data faster from tech companies such as Facebook and Google. Michael Drury & Julian Hayes, partners in the Privacy & Data Protection Group at BCL Solicitors LLP, analyse the impact of the agreement.
On 3 October 2019, in a landmark step for crime-fighting co-operation, Home Secretary Priti Patel and US Attorney General William Barr signed a bilateral agreement paving the way for UK and US law enforcement agencies to obtain data more quickly from electronic service providers operating in each jurisdiction. Given where most tech power lies, this will inevitably be one-way traffic, expediting the UK’s acquisition of evidence from US tech giants such as Facebook, Google and Twitter in the fight against serious crime, including terrorism and child abuse.
Until now, such international data requests were made via the seemingly impossible-to-reform Mutual Legal Assistance (MLA) arrangements, taking up to two years for authorities to obtain e-evidence, leaving investigations and prosecutions mired in international red tape. Under the new arrangements, a UK Judge can issue the police, SFO and other specified agencies with an Overseas Production Order (OPO), bypassing cumbersome MLA procedures and, in principle, obtaining electronically stored data from the US within just seven days.
The legislative framework for the treaty – the US CLOUD Act, effective from March 2018, and the UK’s Crime (Overseas Production Orders) Act 2019 – anticipates an agreement that has taken a substantial time to negotiate. The agreement itself, whose details were published by the UK for the first time on Monday 7th October, must still be ratified by the US Congress and laid before Parliament.
An order is available where it is in the public interest to make an OPO and a Judge is satisfied that an order is sought for the purpose of a terrorist investigation, or there are reasonable grounds for suspecting an indictable offence has been committed and an investigation or proceedings are underway. The new arrangements have been welcomed on behalf of crime victims by organisations like the NSPCC, which described them as a hugely important step forward.
Anticipating potential concern from campaign groups, the agreement expressly notes the “substantial safeguards for protecting privacy and civil liberties” in the UK and US. It asserts that the processing and transfer of data in execution of an OPO are compatible with each country’s privacy and data protection laws. Data received pursuant to an OPO must not be transferred to a third country without permission from the issuing state unless it is already in the public domain.
Despite the drafter’s efforts to forestall criticism, the new arrangements have nevertheless been attacked on the basis that they potentially erode key rights. Lawyers have questioned how the baked-in protections for legally privileged material and confidential personal records (known as “excepted electronic data”) can work in practice when the legislation also enables the Court to impose a non-disclosure order preventing electronic service providers from revealing the content or even the fact of an OPO to anyone else. How would a tech company know whether someone else’s material was excepted? The risk is that, in the rush to comply within tight time frames, tech companies might be required to hand over data to which law enforcement authorities have no right.
Similarly, while the legislation and the agreement allow for challenges to OPOs, where the subject of the investigation is unlikely to be aware of the order, it will effectively fall to the service provider to scrutinise the order to ensure that legal and procedural requirements have been adhered to. If service providers are, in essence, to become the guardians of a suspect’s rights, who will bear the financial cost of them doing so?
This problem will become acute when it becomes apparent that jurisdictional disputes, which must be brought “in a reasonable time” after receipt of an order, must take place in the unfamiliar setting of the issuing country’s courts rather than in the country where the service provider is based. When service providers must comply within just seven days, will the clock stop while lawyers are instructed, proceedings are issued and disputes argued?
Questions also remain about how the legislation could practically be enforced. The Explanatory Notes to the UK legislation suggest non-compliance could give rise to contempt proceedings. This may prove effective against service providers with UK-based assets but otherwise the enforceability of the legislation may prove more difficult.
Most crucially of all, how will the requirements of the new arrangements – which expressly include the content of an electronic or wire communication – be reconcilable with the service providers’ desire to provide encrypted services (to which providers themselves have no access), and thus ensure the confidentiality and security of their customers’ data and communications?
These uncertainties augur future challenges in the courts, particularly given the frequent inability of law enforcement to get the basics right. Nevertheless, the treaty marks a significant development in tackling serious crime which increasingly pays no regard to national boundaries. The new arrangements will initially last for five years with the option to extend and will be subject to periodic review of compliance. During that time, the UK and US have agreed to inform each other of material changes in domestic laws that would frustrate the operation of the agreement. Having taken over three years to negotiate with the US – almost beyond measure the UK’s most important potential source of e-evidence – it remains to be seen whether and how quickly such treaties can be replicated with other countries to ensure no electronic evidence is beyond the reach of law enforcement.
About the authors
Michael Drury joined BCL in September 2010 from GCHQ where he was Director for Legal Affairs. He is one of the UK’s leading experts on surveillance and investigatory powers as well as information law and cybercrime, and given his unique background, he was invited to give public evidence in April 2016 to the Parliamentary Joint Committee on Human Rights in respect of the human rights compatibility of the Investigatory Powers Act 2016. His practice also ranges from extradition, where he has been involved in many of the highest-profile cases, to representing individuals in regulatory proceedings brought by the FCA and acting in criminal investigations by the SFO, advising both corporates and individuals in bribery and corruption cases including LIBOR.
Julian Hayes is a partner specialising in corporate and financial crime, computer misuse offences, surveillance and data protection law. He advises individuals and corporates on fraud and corruption investigations by the SFO and enforcement actions by the FCA and HMRC. In addition to cybercrime, he also specialises in advising on the provisions of the Data Protection Act 2018 and GDPR, and in advising Communication Service Providers on the Investigatory Powers Act 2016 and its associated Codes of Conduct.