On February 12, 2019 the UK Parliament passed the Crime (Overseas Production Orders) Act 2019 (the "COPO Act"). This new law gives UK authorities (including the Serious Fraud Office ("SFO") and the Financial Conduct Authority ("FCA")) the power to apply to a UK court to compel a company or individual operating or based outside the UK to provide electronic data stored outside the UK.
The COPO Act brings the UK into alignment with the regime in the United States. In 2018, the U.S. Clarifying Lawful Overseas Use of Data ("CLOUD") Act came into force[1]. The CLOUD Act increased the scope of U.S. companies' obligations to disclose electronic data stored outside the United States. The CLOUD Act also created a framework by which foreign countries (such as the UK) could seek disclosure of data held by U.S. cloud service providers ("CSPs"), without U.S. co-operation or oversight.
The COPO Act allows UK authorities to side-step the notoriously slow process of mutual legal assistance ("MLA") in favour of obtaining an Overseas Production Order ("OPO"), which can be served directly on the person storing the electronic data. OPOs could make it much easier for UK authorities to obtain electronic data stored outside the UK, and will particularly affect CSPs in the United States.
These two laws – the COPO Act and the CLOUD Act – reinforce the trend we have seen in recent years of increased international cooperation in cross-border investigations, particularly between the U.S. and the UK. It is highly likely that the U.S. is the first place we will see OPOs in action.
In this On Point, we explain how OPOs will work in practice and examine what impact OPOs will have on U.S. (and other) CSPs which store or process electronic data outside of the UK.
- OPOs will allow UK authorities (including the SFO and FCA) to obtain electronic data held overseas from anyone (but particularly CSPs) operating or based outside of the UK. OPOs can only be challenged in UK courts.
- The majority of CSPs are based in the U.S.[2], which means that OPOs are likely to be used most widely in the United States.
- OPOs will only be available where the UK has a "designated international co-operation agreement" ("DICA") with the country in which the OPO will be served. The U.S. and the UK have been negotiating such an agreement since 2015. This means that the U.S. is likely to be the first country directly affected by OPOs.
- The fact that a DICA is a precondition of an OPO means we are unlikely to see OPOs in practice in the immediate future.
- A DICA with the U.S. could also grant the U.S. reciprocal rights to serve orders for disclosure on parties in the UK.
A New Year, a New Investigatory Tool
Last year, the U.S. Congress passed the CLOUD Act. The CLOUD Act empowers federal and state law enforcement authorities to compel U.S. CSPs to provide electronic data regardless of where in the world the data is stored[3]. The CLOUD Act also created a framework by which other countries could obtain electronic data from U.S. electronic data companies without U.S. oversight or cooperation[4].
Fast-forward to February 2019, and the UK government has gone one step further by creating Overseas Production Orders ("OPOs"). Much like the CLOUD Act – which was passed to address issues raised in the case of U.S. v Microsoft[5] – the COPO Act addresses the legal lacuna highlighted in the case of KBR Inc. v Serious Fraud Office ("SFO")[6]. In KBR Inc., the UK High Court held that the SFO can only serve section 2 notices (to compel the provision of documents) on non-UK parties if there is a sufficient UK nexus. Even in those circumstances, the notice must be served within the UK.
In contrast to the CLOUD Act (which only applies to U.S. companies), OPOs can be served on any individual or company operating or based in a country outside the UK. OPOs cannot be challenged in the country in which the OPO is served; they can only be challenged in the court in which the OPO was made (i.e. in the UK). For that reason, OPOs will only be available where a "designated international co-operation agreement" ("DICA") exists between the UK and the country in which the OPO will be served. The UK has been negotiating such an agreement with the U.S. since 2015[7]. The UK government hopes that a DICA with the U.S. will serve as a template for similar treaties with other countries[8].
Assuming a DICA is in place, in order to grant an OPO a UK court must be satisfied that there are reasonable grounds to believe that:
- an indictable offence has been committed and proceedings in respect of the offence have been commenced (or the offence is being investigated);
- the person against whom the OPO is sought has possession or control of all or part of the data;
- all or part of the data is likely to be of substantial value to the proceedings or investigation;
- all or part of the data is likely to be relevant evidence in respect of the offence; and
- it is in the public interest for all or part of the data to be produced.
Failure to comply with an OPO will be dealt with as contempt of court, which could result in a fine or up to two years in prison. Any material disclosed pursuant to an OPO will be admissible in any subsequent prosecution. Courts can also include a non-disclosure requirement as part of the OPO, which prevents the person served with the OPO from disclosing the existence of the OPO to another party (such as is often the case with production orders against banks in the UK).
OPOs will be available in the UK to the police, HM Revenue & Customs, the Serious Fraud Office, the National Crime Agency, the Financial Conduct Authority, and anyone else to be named in regulations.
Perhaps most significantly, the default time period for responding to an OPO will be seven days from service of the OPO. Depending on the scope of the request and the volume of data to be disclosed, this will exert serious administrative pressure on CSPs to identify, separate and prepare the data for disclosure within the requisite time-frame, unless they apply for an extension.
All Bark and no Bite?
The CLOUD Act and the COPO Act provide powerful tools to authorities on both sides of the pond to request and receive electronic data stored overseas. But while the CLOUD Act will be easily enforceable in U.S. domestic courts, it is difficult to see how the UK will enforce compliance with OPOs in other countries. Presumably, any DICA will include provisions to address this issue, but it is hard to see how an OPO, which cannot be challenged or overturned in the locality in which it is served, could nonetheless be enforced there. As currently drafted, the COPO Act does not confer any punitive powers on UK courts to enforce compliance.
The only option this leaves UK courts is the contempt of court procedure, and that is unlikely to hold much sway with some of the U.S. giants. Mark Zuckerberg, for example, famously declined to travel to the UK to give evidence to the UK Digital, Culture, Media and Sport Select Committee ("the Select Committee")[9]. While the Select Committee does not enjoy the same judicial authority as a court order, Zuckerberg's refusal to travel to the UK to give evidence to the Select Committee perhaps offers an insight into the approach U.S. CSPs (and other foreign companies) might take when responding to OPOs.
This will be an area to monitor, once the terms of any DICA are agreed. That is, assuming the terms of any DICA are made public.
Refreshingly, this is one issue which will be largely unaffected by Brexit. A DICA is a precondition of any OPO, and a DICA has to be specifically designated as such by the Secretary of State in regulations. This means that the UK will have to negotiate any DICAs with other countries and have them properly designated (which will include laying them before the UK Parliament) before they can be relied on for the purpose of an OPO. The UK government has already indicated that it intends to use the U.S. DICA as a precedent for DICAs with other countries. Accordingly, any DICA with European countries (or the EU as a collective) would have to be negotiated separately to the MLA frameworks currently in place.
In the Distance but Gaining Ground...
The fact that a DICA is a precondition of an OPO means we are unlikely to see many OPOs in practice in the immediate future. The UK government has acknowledged that currently it is negotiating only with the U.S., and those negotiations have been ongoing since 2015. Reaching similar agreements with other countries will take time, and many may simply refuse.
However, where available, OPOs could substantially increase the administrative burden on CSPs operating or based in any country which enters into a DICA with the UK. Given the relatively advanced stages of negotiations between the UK and the U.S., U.S. CSPs in particular would be wise to start preparing now for the increased pace and volume of disclosure requests that they could face, if a DICA between the U.S. and the UK is finalized. As we move towards an environment of global enforcement which is increasingly reliant on cross-border cooperation, it is more likely than not that OPOs will be a reality for U.S. companies in the future.
Practical Guidance Tips
In last year's white paper, Dechert proposed a number of practical tips for data companies preparing for the CLOUD Act. Those tips apply equally to any company seeking to prepare for the introduction of OPOs:
- Consult with key members of your Legal and IT teams to assess the potential impact of the COPO Act on current and future operations.
- If you have not already done so, map your cloud data so you know where your data is stored.
- Review your current contracts with CSPs to see what notification provisions are currently in place.
- Designate a point person to monitor this area so critical developments can be shared in real time with key stakeholders or decision makers.
- Dechert published a white paper on the CLOUD Act in 2018, which can be accessed here.
- Home Office Impact Assessment, Title: Crime (Overseas Production Order) Bill, 11 May 2018, p. 4. See also the House of Lords Library Briefing: Crime (Overseas Production Orders) Bill [HL], 5 July 2018, p. 1.
- Forecasting the Impact of the New US CLOUD Act, Dechert LLP, 2018, p. 3.
- 584 U.S. _ 2018.
-  EWHC 2368.
- House of Lords Library Briefing: Crime (Overseas Production Orders) Bill [HL], 5 July 2018, p. 5.
- Home Office Impact Assessment, Op. Cit., p. 5.
- "Mark Zuckerberg has 'no plans' to go to UK to give evidence to MPs", The Guardian, 15 May 2018.