Overseas Production Orders: The Risks And Benefits

OPOs are a game-changer not just for law enforcement, but for all individuals or companies with possession or control of large volumes of data stored by US-based providers. They carry risks for firms and opportunities for law enforcement. This article takes a closer look.
Investigations of cross-border crime in this digital age
require new powers, and these bring new dangers when considering
due process of law and the protection of privacy. In this age of
social media and expanding data about all of us, certain issues
come into play. The following article examines what are called
overseas production orders, and how they aid law enforcement, but
also create business dangers. The article is by Nick Vamos,
partner, and Eamon McCarthy-Keen, associate at Peters &
Peters.
The editors are delighted to share these detailed insights; the
usual disclaimers about external contributors’ comments apply.
Please, if readers want to jump into debate, email tom.burroughes@wealthbriefing.com
and jackie.bennion@clearviewpublishing.com.
On 3 October 2019, the UK Home Secretary and US Attorney General
signed a UK/US electronic data sharing agreement (“DSA”) aimed at
drastically reducing the time it takes to access emails and other
communications data in the investigation of serious crime. The
agreement is intended as a solution to the ubiquitous use of
US-based email providers by fraudsters, child sex offenders and
terrorists when planning and committing their crimes, but it has
the potential to prove extremely costly for high net worth
individuals.
US market dominance means that a high proportion of UK
investigations require access to data held by Google, Microsoft,
Facebook and others. Previously, UK agencies could obtain
metadata (e.g. the time, date and IP address) directly from the
providers on an ad-hoc, intelligence-only basis, but never the
content, which necessitated a formal, clunky, diplomatic process
via a Mutual Legal Assistance Treaty (MLAT) to obtain a US court
order, taking months if not years.
In hot pursuit along the information superhighway, investigators
simply could not keep pace with their targets. This new agreement
allows police to apply to a UK court for an Overseas Production
Order (“OPO”) under the Crime (Overseas Production Orders) Act
2019 for both metadata and content, which is then served directly
on the US provider who must deliver within 10 days, bypassing any
further legal processes. In making the OPO, the UK judge has to
be satisfied that there are reasonable grounds for believing
that:
1. the person against whom the order is sought
operates in or is based in a country outside the UK which is
party to an international cooperation agreement;
2. an indictable offence has been committed and
proceedings in respect of the offence have been commenced (or the
offence is being investigated);
3. the person against whom the OPO is sought
has possession or control of all or part of the data;
4. all or part of the data is likely to be of
substantial value to the proceedings or investigation;
5. all or part of the data is likely to be
relevant evidence in respect of the offence; and
6. it is in the public interest for all or part
of the data to be produced.
The DSA provides that OPOs can only be used to obtain information about “serious crimes”, which is defined as any offence carrying a maximum sentence of at least three years. This is a very low threshold, and will catch far wider offending (e.g. shoplifting, if not dealt with summarily, carries a maximum custodial sentence of seven years).
Both the UK and US must ratify (or incorporate into domestic law) the DSA before it becomes operational, which is expected to be in the next six months.
Not just emails
Although public discussion has focussed exclusively on speeding
up access to emails, electronic data is defined as any data
“stored electronically” and the agreement extends to “any private
entity… that… provides to the public the ability to… process or
store computer data” – in other words, any data stored by a cloud
storage provider. Although data in the cloud is likely to be
stored across multiple servers and jurisdictions, the legislation
gives primacy to the location of the data controller rather than
the location of the data. Individuals and companies store vast
amounts of data in the cloud, often without knowing it.
This is the minutiae of people’s lives or the entirety of a
company’s corporate, financial and commercial records, although
legally privileged or confidential personal data is excluded.
Companies which store data with US-based providers may find their
data has been accessed without their consent or input. The judge
will know only what the investigators choose to reveal, which, as
Operation Midland demonstrates, is an imperfect system. The
effect on privacy could be huge and unpredictable.
On what grounds can I challenge an OPO?
The DSA places responsibility for compliance squarely with the
service providers. If Google or Facebook thinks that a UK order is
unlawful (i.e. too broad or speculative), it has no remedy under
US law – it just has to hand the data over. Failure to comply
with an OPO will be treated as a contempt of court, which is a UK
offence punishable by imprisonment, although it is not an
extraditable or extra-territorial offence. In the UK, “anyone
affected by the order” - e.g. suspects, defendants, witnesses or
entities in possession/control of the data - can challenge the
OPO, by applying to the issuing UK court to revoke or vary it.
That is assuming that the person applying is aware of the OPO’s
existence, because a police officer can apply for a
non-disclosure order of the OPO itself. Therefore, the
opportunity to challenge the order may only arise once the data
is already in the hands of the police and they have already
started to analyse it.
Grounds to revoke/vary the OPO could include that the application did not satisfy the duty of full and frank disclosure (e.g. important information was omitted, which might have impacted the court’s decision to grant the application) or the OPO breached the data subject’s human rights, such as the right to privacy, correspondence and family life. However, certain human rights can be restricted in the interests of national security, public safety or the economic well-being of the country.
What other safeguards does the DSA provide to companies/individuals?
The DSA provides for oversight and quality control by “designated
authorities”. The agreement provides affected entities with
rights of objection and review procedures and the opportunity to
raise such objections with the designated authorities in both
countries. However, as stated, this does not include judicial
oversight in the country where the data is held. Any challenges
to OPOs will need to be conducted in the jurisdiction of the
issuing court.
The DSA also prohibits the targeting of certain categories of individuals depending on their nationality or location. A UK court cannot issue an OPO to obtain the data of US nationals, wherever in the world they are located. However, the UK offers less protection to its citizens, only excluding UK residents from the scope of US court orders. Therefore, UK nationals living outside the UK could potentially have their data accessed by US law enforcement and could not challenge that order in the UK.
What about encryption?
Facebook and other providers are already looking to gain a
competitive advantage through encryption, effectively neutering
the agreement. Encrypted data would still have to be handed over
but it would be scrambled, useless gibberish. Users concerned
about privacy will swap to email and cloud storage providers
offering full encryption. Ultimately, the expansive scope of the
agreement may lead eventually to its own obsolescence.
Game-changer
OPOs are a game-changer not just for law enforcement, but for all
individuals or companies with possession or control of large
volumes of data stored by US-based providers. Companies or HNWIs
handling financial or other data likely to be of interest to
investigators should put in place procedures to respond to or
challenge OPOs, as the case may be, by preparing the relevant
teams (IT, Legal) within their firms, if necessary in
consultation with external lawyers.
With thanks to Katie Jones, Peters & Peters Solicitors LLP,
and James Dawes QC, 2 Harcourt Buildings, for their
contributions.