Direct access: a sea change in data gathering in U.S./UK criminal investigations
02 September 2020
A new UK/U.S. bilateral agreement for accessing electronic data in cases of serious crime (the Agreement), which was negotiated and released in autumn 2019, has entered into force.
The Agreement represents a sea change in cross-border investigations. The Agreement envisages criminal authorities in each country being able to obtain electronic data directly from a range of telecommunications companies (so-called Covered Providers) in the other country – without any need to go through the domestic authorities in the recipient country, a mutual legal assistance treaty (MLAT) or any of the other cumbersome routes currently used. The agreement has already been implemented in the UK via the Crime (Overseas Production Orders) Act 2019 (COPO).
This could have a major impact on any U.S. company whose business satisfies the definition of Covered Provider: social media platforms; data hosting, storage and processing; cloud storage; or potentially any other company to the extent it provides clients with an ability to communicate, process or store data. Here is a summary of the key features of the Agreement and thoughts on some of the thorny issues that are likely to emerge.
U.S./UK Data Access Agreement: scope and direct requests from foreign authorities
As international agreements go, the Agreement has a relatively narrow scope:
- Only Covered Providers can be served with an Order for production; Covered Providers are defined as “any private entity to the extent that it (i) provides to the public the ability to communicate, or to process or store computer data, by means of a Computer System or a telecommunications system; or (ii) processes or stores Covered Data on behalf of an entity defined in subsection (i)”. (Art. 1(7)) As noted above, this could encompass a wide range of social media and tech companies, as well as other companies that may provide communication or data services incidentally to their businesses.
- Orders can only be sought under the Agreement if they relate to the “prevention, detection, investigation or prosecution” of a Covered Offence, meaning conduct that, under the law of the party issuing the request, constitutes a crime punishable by a maximum term of imprisonment of at least three years. (Art. 4(1))
The UK government can issue an Order directly to a Covered Provider in the U.S. once it has obtained a court order. So, for example, the UK Serious Fraud Office (SFO) could obtain an order from the English court which would be served directly on a U.S. Covered Provider. (Art. 5(5))
Typically in a cross-border investigation, vast amounts of time are spent grappling with the various restrictions and risks caused by the incompatibility of differing systems of laws when it comes to production of information. In that sense, this Agreement is a welcome change and helps to resolve the intractable conflicts of law issues faced by businesses involved in such matters. However, as discussed below, this efficiency raises a range of concerns.
Mum’s the word – confidentiality orders
One of the most interesting features about the Agreement is its clear focus on telecommunications firms. They are the electronic equivalent of witnesses, dragged into an investigation simply because they hold relevant information. In some cases at least, they will also be subject to confidentiality orders that prevent them from informing their clients – i.e., the parties on whose behalf they are holding data – that they are required to produce that data. For orders emanating from the UK, COPO provides for the possibility of a judge adding a non-disclosure requirement that would prevent the U.S.-based recipient of the order from saying anything about it. That creates risk for the recipient Covered Provider when its clients are also expecting it to safeguard their data and alert them to any issues.
The U.S. and UK governments plan to use the Agreement primarily to target those who use telecommunications systems as an essential means to commit a range of crimes, including terrorism. As such, at first glance it may seem that the Agreement will not be deployed much with respect to potential business crime. However, given that gathering evidence under the Agreement will take a fraction of the time required under an MLAT, it will be very tempting for law enforcement authorities to rely on the Agreement when investigating a range of issues, including business and financial crime. Indeed, the SFO and the Financial Conduct Authority are both able to use this new regime.1
If that happens, one of the more difficult issues will be how a Covered Provider deals with material it holds on behalf of a client which may be legally privileged. Dealing with privilege is never quick or easy. It is always significantly more difficult when the material being reviewed implicates the privilege of another party, as that party may take a different (but still reasonable) view of what is and is not privileged. However, the Covered Providers under the Agreement, particularly if they are subject to the gag order provision described above, may have to make calls regarding another party’s privilege without the benefit of that party’s input. The Agreement does not mention privilege (although COPO specifies that an order cannot call for privileged material) and it is unclear how best a Covered Provider should deal with this issue. Those potentially subject to a COPO order should also take note that the default time period for production of the required data following service is just seven days – barely time to get a significant document review exercise initiated, let alone completed.
Data access and data protection
One of the most interesting provisions of the Agreement is its treatment of data protection requirements. Some provisions clearly derive from data protection legislation, for example provisions in Article 7 that require the UK to minimise the amount of data it holds.
But Article 9, entitled “Privacy and Data Protection Safeguards”, simply makes the bald assertion that “The processing and transfer of data in the execution of Orders subject to this Agreement are compatible with the Parties’ respective applicable laws regarding privacy and data protection”.
It is an eye-catching statement, inasmuch as interpretation of the laws has always been the province of the judiciary, rather than the executive branch (which has negotiated and signed the Agreement). It would seem to have been included at least in part to address s6(4)(c) COPO, which states that a person subject to an overseas production order is not required to do anything that contravenes data protection legislation.
But we are not sure that saying a thing actually makes it true, and the Chair of the European Data Protection Board (EDPB) has raised concerns on multiple occasions, including recently stating in a letter to the European Parliament that “the EDPB has doubts as to whether the safeguards in the agreement for access to personal data in the UK would apply in case of disclosure obligations applicable to providers of electronic communication service or remote computing service under the jurisdiction of the United States, regardless of whether the data requested is located within or outside of the United States”.2
In what may be an attempt to address these concerns, the UK Home Office announced that the Investigatory Powers Commissioner (IPC), Sir Brian Leveson, will be responsible for providing independent oversight of the UK’s use of the Agreement: “the Agreement requires UK and US agencies using the Agreement to maintain high standards of data protection and privacy safeguards, and the IPC will be reviewing compliance of UK agencies with the Agreement…”.
A party in receipt of a production order will need to consider data protection issues very carefully and may still find itself in a conflict of laws position despite the hope that the Agreement would avoid such a conflict.
Challenging an Order
There is bound to be a spate of challenges from Covered Providers in receipt of early orders under this new regime. We predict challenges around the issues above, plus notice, timing extensions, encryption, whether the data is really needed for the stated purpose, and public interest. The Agreement provides in Article 5(11) that a Covered Provider that wishes to dispute an Order must first raise its objections with the foreign government issuing the Order and, if they are not resolved, may then raise them with its own domestic government agency that serves as the designated authority under the Agreement. Ultimately, a domestic designated authority has the ability to conclude that an Order issued by the other country is invalid.
If that process is unsatisfactory, judicial challenge may follow. In the UK, any challenge to the UK government could, of course, be followed by an application for judicial review. In the U.S., we may see challenges on the basis that Orders issued in the UK violate rights under U.S. law, including that they seek material that is privileged under U.S. law but not under English law (given the former’s broader scope).
We can expect the UK authorities to request Orders under the Agreement with frequency, given the game-changing efficiency it gives them. No doubt that efficiency will be tested by the issues above (and others), and there are likely to be numerous challenges, especially in the early days of use. The U.S. has yet to implement domestic legislation which allows it to use the Agreement, in the same way that the UK currently can, to obtain data from a Covered Provider which has no connection with the U.S.
It is reported that both Australia and the EU are in negotiations with the U.S. to conclude similar agreements, though one can imagine that the EU-U.S. agreement may not be simple to achieve, given the issues noted above.
Companies that may be Covered Providers should be considering how they will respond to a request under the Agreement, including whether their current processes are sufficient to provide data within what may be very short time frames, such as the seven-day default period set out under COPO. Both Covered Providers and their clients should also be considering whether their commercial agreements require any amendments to take account of this; standard agreements already make exceptions to confidentiality obligations where disclosure is legally compelled, but it may be worth considering, for example, whether provision needs to be made for legally privileged material that a Covered Provider may be required to review.
2 See also concerns raised by the EDPB in July 2019 at https://edps.europa.eu/sites/edp/files/publication/19-07-10_edpb_edps_cloudact_annex_en.pdf.