Overseas Production Orders

Zulfi Meerza and Francesca Cassidy-Taylor of Rahman Ravelli detail the UK overseas production order regime, including the main considerations when using it and the issues for corporates.

The Crime (Overseas Production Orders) Act 2019 (the Act) received Royal Assent on 12 February 2019, with its provisions coming into force on 9 October 2019. The Act grants law enforcement agencies and prosecutors the power to apply for and obtain electronic data, via overseas production orders (OPOs), directly from service providers based outside the UK for the purposes of criminal investigations.

OPOs can be served on a huge variety of technology and communications firms, including cloud storage companies, social media providers and messaging platforms. While the agreement is reciprocal, it is anticipated that the bulk of OPOs will flow from UK law enforcement to US communication service providers.

The use of this new wide-reaching power has, however, been tempered by the requirement that an international cooperation arrangement must be in place between respective countries before an OPO can be issued to obtain data in one or the other. The only such data access agreement currently in existence is between the US and UK (the Agreement) which came into force on 3 October 2022. As such, it is unknown which (if any) law enforcement agency has been the first to utilise this new power.

The ratification of the Agreement will be welcomed with open arms by investigators who will be able to circumvent the protracted and overly bureaucratic mutual legal assistance (MLA) channels to obtain electronic data. In contrast to the traditional MLA route, OPOs offer efficiency and expediency as they are served directly on the relevant data controller and impose a seven-day deadline for compliance. In essence, OPOs represent the US government shifting responsibility for electronic data disclosure onto its technology giants to ease the burden on the US taxpayer.

Despite the evident positives, there are a number of factors - that are detailed below – that have to be considered when dealing with OPOs. Companies that are in receipt of an OPO should also be alive to certain practical considerations as regards their obligations under the OPO regime.

Application Conditions

An application for an OPO must be made to a Crown Court judge by an appropriate officer, as defined in section 2 of the Act¹. The application must specify the international co-operation arrangement by reference to which the application is made and must specify or describe the electronic data in respect of which the order is sought.

In order to grant an OPO, a Crown Court judge must be satisfied that there are reasonable grounds for believing the following:

1. The person against whom the order is sought (i.e., the communication service provider which holds or controls the data) operates or is based in a country outside the UK, which is party to, or participates in, a designated international co-operation arrangement.
2. An investigation has commenced or proceedings have been instituted in respect of an indictable offence, or the order is sought for the purposes of a terrorist investigation.
3. The person against whom the order is sought has possession or control of all or part of the electronic data.
4. All or part of the electronic data is likely to be of substantial value (whether or not by itself) to the investigation or proceedings.
5. All or part of the electronic data is likely to be relevant evidence in respect of the offence².
6. It is in the public interest for all or part of the electronic data to be produced or accessed.

If an OPO is granted, it must specify the person to whom the electronic data must be produced - or to whom access must be given - and the period by the end of which the data must be produced or access must be given.

Section 5(5) of the Act specifies that an OPO must be complied with within seven days, beginning on the day on which the order is served, unless it appears to the judge that a longer or shorter period is appropriate in the circumstances. The OPO must be served within three months of issue and can be accompanied by a non-disclosure requirement³. The OPO must be targeted at specific accounts and identify its objective.

Once served, the OPO requires the person named in the order either to produce the data specified or described in the order in a form in which it can be taken away, or to give access to it in a form in which it is visible and legible.

Safeguards

It has been observed that the removal of the supervisory role of the courts in the receiving state removes an important safeguard in the ability to stop abusive or politically-motivated requests for data. However, legal commentators highlight the mutual trust between states that has long been the cornerstone of MLA. Moreover, a person affected by an OPO has a remedy, in that they can apply to vary or discharge the OPO in the requesting state by demonstrating that the requirements for making an OPO under the Act have not been met.

Furthermore, both the Act and the Agreement provide a number of safeguards that limit the operational scope of the new regime. For example, there are targeting restrictions, which include a prohibition on OPOs that may be used to infringe freedom of speech or to disadvantage certain groups, and a prohibition on issuing an OPO on behalf of a third country. Furthermore, provision is made in respect of requests from the US to obtain data from UK companies for use as evidence in prosecutions for offences which attract the death penalty. In such cases, the designated authority of the United States is required to obtain permission from the UK Secretary of State prior to using the data as stipulated (Article 8, paragraph 4 of the Agreement).

Significantly, the Agreement prohibits OPOs that seek to obtain data or information about US corporations, US citizens, national or permanent residents, or any person located in US territory. Conversely, US authorities can obtain data relating to a British citizen where they are located outside the UK.

Excepted and Journalistic Data

Section 3 of the Act provides for the protection of ‘Excepted Electronic Data’ i.e., material which cannot be disclosed pursuant to an OPO. Defined in section 3 of the Act, excepted electronic data is data that is either protected by legal professional privilege or a personal record which is a confidential personal record.

Criticism has been levelled at the ex parte nature of the OPO application, which deprives the data subject of an opportunity to make representations regarding the presence of excepted electronic data. There is also no incentive for a communications service provider to assume the burden and expense of that filtering task on the data subject’s behalf. Despite concerns, requesting authorities are likely to be reluctant to obtain excepted material due to the requirement to establish a procedure for preserving such material and to consult independent counsel to determine the privileged status. Journalistic material is also protected from disclosure under an OPO by virtue of section 12 of the Act. In cases where it is anticipated that the disclosure sought may include journalistic material, applications must be made on notice so that the data subject has an opportunity to object.

Failure to comply with the order may render the recipient (and in certain circumstances, a director or officer of the recipient) liable to contempt of court proceedings in the country where the OPO was made. Note, however, that contempt of court has limited practical consequences; it is not a criminal offence for which an individual can be extradited to the UK. Despite the Act’s lack of teeth in relation to this, most companies are likely to be keen to avoid the reputational harm that refusing to comply with an OPO could produce.

Act vs Agreement

Legal commentators have highlighted several discrepancies between the language of the Act and the Agreement. By way of example, the legislation establishes that OPOs can be used to gather evidence where there are reasonable grounds for believing that an indictable offence has been committed, and proceedings in respect of the offence have been instituted or the offence is being investigated. In contrast, the Agreement states that the purpose of data sharing is to combat “serious crime”, which it defines as an offence that is punishable by a maximum term of imprisonment of at least three years (Article 1, paragraph 14). The Agreement is also silent on the timeframe in which a data controller must comply with an OPO, whereas the Act specifies that the data controller has seven days from the date the order is served unless the judge determines otherwise (section 5(5)). The Agreement simply “recognises that timely access to electronic data for authorized law enforcement purposes is an essential component” of the data sharing regime.

The Agreement is also silent on how conflicts of laws should be navigated. For instance, what should happen if an OPO is served on a US company that stores its data on a server located in a European country or another country with a blocking statute? In the absence of guidance, the US company will have to weigh up the potential consequences of breaching domestic law or failing to comply with the OPO in breach of the Agreement and Act. In such situations, companies would be best served opening a channel of communication with the relevant authority in the jurisdiction in which the data is held / stored.

The Agreement requires that the designated authority review an OPO to ensure it complies with the Agreement. This requirement is satisfied by section 9 of the 2019 Act which designates the UK Home Secretary as the relevant authority. This should ensure that any variation between the Agreement or other designated cooperation arrangement is reconciled. However, it is expected that OPOs will be challenged on a number of grounds, including breach of local data protection laws and privilege grounds. The appropriate venue to challenge OPOs sent by UK law enforcement will be the courts of England and Wales. It is, however, likely that challenges will be made concurrently in the US. Given that the UK courts are duty bound to apply the legislation in the event of a conflict, the scene is set for important legal challenges to be made to help determine how the new process should be applied in practice.

Practical Considerations for Companies

Communications service providers in the UK and US should be alert to the possibility that they could be served with a binding order with which they will need to comply within seven days from receipt⁴. Companies should ensure that they have appropriate processes and procedures in place to deal with such requests in a timely manner.

Such processes and procedures should reflect the fact that:

• Companies should give careful consideration to the contents of an OPO before taking any steps to comply. OPOs are only available against the company that physically possesses and controls the data sought and are not available if the data is held by a foreign subsidiary of the company.
• Companies should also be aware of the type of data which can be compelled using an OPO under the current Agreement. As detailed, disclosure which could lead to a breach of data protection legislation and data subject to legal professional privilege cannot be compelled. OPOs also cannot be used to infringe upon freedom of speech and cannot be used to target a US citizen or US incorporated company.
• If a company is not satisfied with the terms of an OPO, the Agreement provides a formal dispute procedure (Article 5, paragraph 11). Any complaints by a US data controller should be lodged with the UK Secretary of State. Failing resolution, if there are grounds to object to the OPO, communication service providers can challenge its terms in the UK courts by way of judicial review.

¹ Which includes officers from the SFO, NCA, police, HMRC and the FCA.

² This condition does not apply in respect of investigations / prosecutions for terrorist offences.

³ A non-disclosure requirement prevents the recipient from disclosing the existence of the Order or its contents to any person without the leave of a judge or written permission from the law enforcement officer who obtained it.

⁴ In practice, where OPOs require disclosure of large quantities of data, it is anticipated that the courts will extend this timeframe.