Before Brexit…….

With Parliament focussed on Brexit – you may have missed the Conservative Chief Whip’s letter confirming the second reading of the Crime (Overseas Production Orders) Bill on Monday 3 December 2018.

The Bill applies to production of stored electronic data by an overseas service provider, once an International Agreement is in place between the U.K. and the State where the relevant service provider is based. As the House of Lords Briefing Paper outlines, this Bill paves the way for service of U.K. production orders on U.S. service providers once a CLOUD Act Executive Agreement between the U.K. and U.S. is finalised.[1]

With almost 90% of e-evidence for U.K. investigations stored by U.S. service providers,[2] this could be a game changer to replace the slow-paced mutual legal assistance process. With such a revolutionary change it is essential to have appropriate procedural safeguards to protect persons affected by overseas production orders.

Searching online, there is little commentary on the Bill. The two articles I have read rightly refer to the lack of proper safeguards and the impact of reciprocal arrangements if overseas production orders are served on U.K. service providers by a Requesting State.

Labour Peers, raising human rights concerns, proposed an amendment in the House of Lords to the Bill, so e-evidence produced from U.K. service providers cannot be used in death penalty cases in a Requesting State.

Clause 1 of the Bill has accordingly been amended as follows:

Clause 1(5): The Secretary of State may not make regulations designating an international agreement under section 52 of the Investigatory Powers Act 2016 (interception in accordance with overseas requests) where that agreement provides for requests to be made by the competent authorities of a country or territory, or of more than one country or territory, in which a person found guilty of a criminal offence may be sentenced to death for the offence under the general criminal law of the country or territory concerned.

Clause 1(6): Subsection (5) does not apply if the country or territory has, within the international agreement, given assurances that the death penalty will not be imposed in any case in which or in whose preparation electronic data obtained under this Act has been used.

The clause appears to address the Labour Peers’ concern for intercept product, although does it explicitly address stored electronic data?

It will be interesting to see any impact assessments of how the amended clause will work in practice. For example, a Requesting State may at an investigation stage be considering an offence that doesn’t carry the death penalty when it serves an overseas production order on a U.K. service provider, only for it then to charge such an offence with the evidence already in its possession. How does the U.K. prevent the evidence being used? Or will a death penalty assurance be provided with every overseas production order served on a U.K. service provider from a Requesting State?

Further, can a U.K. service provider served with an overseas production order from another State have an option to challenge it on the basis it is excepted electronic data[3] or breaches U.K. data protection obligations?

In contrast the proposed European Production Order, which it appears the U.K. will not be opting into with the passage of this Bill, confirms, “that rights under the law of the enforcing State are fully respected by ensuring that immunities and privileges which protect the data sought in the Member State of the service provider are taken into account in the issuing State.”[4] Additionally, the EU Regulation for the Production Order has a specific judicial procedure for situations where the obligation to provide data conflicts with a competing obligation arising from a third country law.[5]

Another issue of concern is the non-disclosure provision in Clause 8 of the Bill, confirming an overseas service provider must not notify a person whose data is requested, to prevent disclosure of the U.K. criminal investigation. Clause 8(3) adds that an overseas production order that includes a non-disclosure requirement “must specify or describe when the requirement is to expire.” However, section 44 of the Data Protection Act 2018, implementing Article 13 of the EU Data Protection Directive 2016/680 (Law Enforcement Directive), confirms that a person affected must be informed of the request for data to enable them to review and seek judicial redress where there is no risk of jeopardising an ongoing investigation. The Bill’s provision to “specify or describe when the requirement is to expire” does not appear to be consistent with the Data Protection Act and the obligation to protect the “fundamental rights and legitimate interests”[6] of the person affected. It goes without saying that a person affected should not be notified when an investigation could be prejudiced, but, for example, when a suspect is arrested, the non-disclosure obligation should not apply unless it is a “necessary and proportionate measure to:

(a) avoid obstructing an official or legal inquiry, investigation or procedure;

(b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

(c) protect public security;

(d) protect national security;

(e) protect the rights and freedoms of others”[7]

The Crime (Overseas Production Orders) Bill only sets out the procedure for U.K. production orders being sent to another State where there is an International Agreement. With any International Agreement there will be reciprocal obligations and this Bill was an opportunity to transparently implement a procedure for production orders being received by U.K. service providers from a Requesting State. Does this mean there will be further legislation once any CLOUD Act Executive Agreement is concluded between the U.S. and U.K.? A good model to refer to, providing appropriate safeguards for persons affected and coherent procedures, is the EU Regulation for a Production Order.

For all these reasons I will be a keen observer of Parliament the day before MPs debate our new tomorrow….

Dan Suter is the former U.K. Liaison Prosecutor to the United States and a Consultant for the UNODC Project “Access to E-Evidence Across Borders”

Footnotes:

[1] House of Lords Library Briefing, 5 July 2018, page 10

[2] House of Lords Library Briefing, 5 July 2018, page 2, Paddy McGuinness, the UK’s Deputy National Security Adviser on Intelligence, Security and Resilience from 2014 to 2018 explained in an interview: “[…] our law enforcement and security agencies tell me that US communication services are used by 90 percent of their suspects and that reflects the broader penetration by the British market by these services. So we can read across from that into the figures for serious and organised crime and terrorism […] In almost every [terrorism] investigation we conduct, those we investigate use services provided by US CSPs [communications service providers].”

[3] See definition at clause 3(3) – data subject to legal privilege or a confidential personal record

[4] Explanatory Memorandum, Proposal for Regulation on European Production Order and Preservation Orders for Electronic Evidence in Criminal Matters, summary of the proposed regulation

[5] Articles 15 and 16, Regulation on European Production Order and Preservation Orders for Electronic Evidence in Criminal Matters, 2018/0108 (COD)

[6] Section 44(4) Data Protection Act 2018

[7] Section 44(4) Data Protection Act 2018
