11/20/2020 | Press release | Distributed by Public on 11/20/2020 11:53
In February 2020 the Secretary of State designated the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime (the 'Agreement') as a DICA.[3] The Agreement came into force on 8 July 2020 having completed both the UK and U.S. ratification processes.[4] In September 2020, the Investigatory Powers Commissioner ('IPCO') (currently Sir Brian Leveson) was appointed to monitor the compliance by UK authorities with the terms of the Agreement.[5] In England and Wales, the COPO Act is now fully in force and court rules have been enacted governing the process of applying for OPOs in English and Welsh criminal courts.[6]
This means that UK authorities including the Serious Fraud Office ('SFO'); the Financial Conduct Authority; HM Revenue & Customs; and the police can now apply for an order requiring CSPs in the U.S. to provide them with electronic data in cross-border criminal investigations into serious crimes including terrorism, fraud, bribery and child exploitation, provided the target of the investigation is not a U.S. citizen, someone who is lawfully admitted to the U.S. for permanent residence, or someone physically located in the U.S.[7]
There is some protection for U.S. CSPs within the provisions of the COPO Act and the Agreement.
Firstly, the COPO Act requires that any OPO is served by the Secretary of State, which means all orders will have to be processed and served through the UK Home Office.[8] This adds an additional layer of Executive oversight to the process and could lead to administrative and even diplomatic delays, although the COPO Act states that any OPO which is not served within three months of the date it is made will be treated as quashed.[9]
Secondly, the Agreement stipulates that if a CSP believes that an OPO has wrongfully been served outside of the terms of the Agreement it may raise objections, first with the IPCO as the UK's Designated Authority, and then, if the CSP is dissatisfied with the IPCO's response, with the U.S. Department of Justice ('DOJ') as the U.S.' Designated Authority.[10] If the DOJ concludes that the Agreement may not properly be invoked with respect to the OPO, the Agreement ceases to apply to that OPO with the effect that the OPO ceases to be valid.[11]
Thirdly, the UK has given assurances to the U.S. that it will seek permission before relying on any evidence in UK criminal proceedings which may raise freedom of speech concerns in the U.S. under the First Amendment.[12] Those assurances cover offences listed in the agreement letter and include, for example, offences relating to the wearing of articles of clothing associated with proscribed organisations under the Terrorism Act 2000; and offences for acts intended or likely to stir up racial hatred under the Public Order Act 1986, such as hate speech.
Finally, there are additional restrictions and protections within the COPO Act to protect the confidentiality of certain categories of data including data subject to Legal Professional Privilege; and personal data relating to a person's health, religion or welfare where that data was created in circumstances giving rise to an obligation of confidentiality, or it is held subject to a statutory restriction on disclosure or obligation of secrecy.[13]
The COPO Act is a piece of UK domestic legislation which, pursuant to the terms of the Agreement, allows UK authorities to obtain OPOs against U.S. CSPs. The Agreement creates a reciprocal framework which also allows for the transfer of data from the UK to the U.S. As yet, the U.S. has not passed domestic legislation which would create reciprocal rights for U.S. authorities to obtain data from UK CSPs under the Agreement.
If and when that legislation is passed, we anticipate that the Agreement will come under further scrutiny as UK CSPs seek to balance their obligation to comply with U.S. requests for data against their domestic obligations, in particular in relation to the General Data Protection Regulation ('GDPR').
UK domestic privacy law includes provisions empowering the Secretary of State to make regulations governing the transfer of data by UK CSPs to countries outside the European Union such as the U.S.[14] but, as yet, no such regulations have been passed. Currently therefore, any UK CSP seeking to transfer data to the U.S. in response to a U.S. court order would have to ensure that the transfer complied with one or more of the conditions set out in Chapter 5 of the GDPR, and recent case-law shows just how restrictively the UK and European courts will apply those conditions when it comes to transferring data to the U.S.
Firstly, in the recent Schrems II litigation the Court of Justice of the European Union ('CJEU') determined that U.S. law does not offer an adequate level of protection to data subjects, because data transferred to the U.S. is subject to interference by U.S. authorities through the interception and use of such data through domestic surveillance programmes such as PRISM and UPSTREAM under Section 702 of the FISA and E.O. 12333.[15] As a result, the CJEU determined the EU-U.S. Privacy Shield (which had been the basis for a large number of commercial data transfers between the U.S. and the EU) is no longer valid. Although that case dealt with commercial data transfers pursuant to standard contractual terms, the CJEU's opinion that the U.S. legislative framework does not currently afford adequate protection or redress to data subjects would be a factor which influences its decision in any case involving the transfer of data by a UK CSP to a U.S. enforcement authority.
Secondly, the U.S. has given the UK government assurances pursuant to two ancillary agreements regarding the use by U.S. authorities of evidence obtained under the Agreement in U.S. proceedings which might engage issues relating to prisoners held (or nominated for detention) at Guantanamo Bay[16] or in proceedings in which the death penalty is being contemplated.[17] The recent UK Supreme Court decision in the case of Elgizouli v Secretary of State for the Home Department ('Elgizouli') suggests that those assurances might not go far enough.[18] In Elgizouli, Lord Carnwath considered whether the UK Home Department had ensured that appropriate safeguards were in place to justify the transfer of data to U.S. enforcement authorities in an investigation in which the death penalty was being contemplated. Lord Carnwath concluded that 'appropriate safeguards' ought to be read as amounting to safeguards ensuring that the data 'will not be used' to justify or execute a death penalty.[19] The assurances given to the UK by the U.S. in the Understanding in relation to the Death Penalty do not go that far.
In the event that the U.S. does enact legislation empowering U.S. authorities to request electronic data from UK CSPs, these two decisions highlight how important it will be for UK CSPs to carefully consider their obligations under GDPR before responding. The financial penalties for breaching the GDPR can be severe.
Although the COPO Act is now in force, the complex and often confidential nature of cross-border investigations will usually require applications for OPOs to be heard in private.[20] Respondents may be subject to strict non-disclosure obligations,[21] meaning that OPOs are unlikely to make headlines in the near future. However, the recent court battle between the SFO and U.S. company KBR Inc. over the extent of the SFO's extra-territorial jurisdiction clearly demonstrates the UK authority's appetite for exercising its investigatory powers over non-UK entities. The case was heard by the Supreme Court in October this year.[22] We anticipate that the SFO and other investigatory authorities in the UK will seek to use these powers quickly.
Consequently, U.S. CSPs should not underestimate the importance of preparing to respond promptly to an OPO. This is particularly important given the COPO Act sets the default period for responding to an OPO at just seven days.[23] In particular, the General Counsels of UK subsidiaries should be prepared to respond at short notice to enquiries and requests for support from their U.S. parent companies, as any litigation arising from the COPO Act would be conducted in UK courts.[24]
With significant expertise in cross-border investigations and compliance in both the UK and U.S., Dechert can offer multi-jurisdictional expertise from a cross-disciplinary team of advisors to advise U.S. CSPs (and their UK affiliates) on how to take a proactive approach to ensuring compliance with their obligations under the COPO Act and the CLOUD Act, as well as representing U.S. CSPs in any application brought by the UK authorities for an OPO.
1) The Long Arm of The Law Gets Longer - UK Introduces Overseas Production Orders, March 07, 2019.
2) The Long Arm of UK Law Enforcement Reaches a Handshake Deal with U.S. DOJ on UK-U.S. Electronic Data, October 09, 2019.
3) The Overseas Production Orders and Requests for Interception (Designation of Agreement) Regulations 2020, regulation 2(a).
4) 16 January 2020 letter from Assistant Attorney General Stephen E. Boyd to the Committee on Foreign Affairs and Committee on the Judiciary; CP 178.
5) The Functions of the Investigatory Powers Commissioner (Oversight of the Data Access Agreement between the United Kingdom and the United States of America and of functions exercisable under the Crime (Overseas Production Orders) Act 2019) Regulations 2020, regulation 2.
6) The Criminal Procedure Rules 2020, S.I. 2020 No. 759 ('CrPR'), Part 47, Section 11.
7) Agreement done at Washington on 3rd October 2019, between the Government of the United Kingdom of Great Britain and Northern Ireland and the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime, CP 178, Articles 1(12) and 4(3) and (4).
8) The COPO Act, section 9(2).
9) The COPO Act, section 9(1).
10) AG Order No. 4876-2020.
11) The Agreement, Articles 5(11) and (12).
12) Understanding in relation to Freedom of Speech under the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime, 3 October 2019.
13) The COPO Act, sections 1(7), 3, 5(2).
14) Data Protection Act 2018 section 18.
15) Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems and intervening parties, Case C-311/18 ('Schrems II'), paras 164 - 165; 180.
16) Understanding in relation to GTMO under the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime, 3 October 2019.
17) Understanding in relation to the Death Penalty under the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime, 3 October 2019.
18)  UKSC 10, para 220.
19)  UKSC 10, para 220.
20) CrPR, Part 47.67(1)(a).
21) Section 8 of the COPO Act and CrPR, Part 47.68(3)(l).
22) R on the Application of KBR Inc. v the SFO  EWHC 2368 (Admin);
23) The COPO Act, section 5(5).
24) The Agreement, Article 3(2).