In a bid to keep English law up to date with technological advances, the Crime (Overseas Production Orders) Bill 2018 has passed the committee stage at the House of Lords. The proposed legislation is intended to allow enhanced judicial cooperation to tackle serious crime. However, it adds an additional layer of complexity to the compliance regulations to be followed by each business; it’s also lacking in adequate protections for individual rights, in particular in relation to data protection. In this alert, we will discuss the proposed mechanics of the overseas production order and analyse the implications it may have on companies’ data retention policies and reporting obligations. This alert will be of particular interest to technology and communications companies.
What Is an Overseas Production Order (OPO)?
An OPO will be a Crown Court order requiring companies in cooperating foreign countries to produce electronic data, as needed by UK law enforcement, within seven days. It is expected that OPOs will be deployed under bilateral agreements with reciprocal cooperation extended to foreign-country regulators. After a three-year negotiation, the U.S. is likely to be the first partner to the UK for such requests.
The Bill represents a response to frustrations that law enforcement authorities have voiced in relation to securing electronic evidence overseas. Under the current mutual legal assistance (“MLA”) process, the UK can request another state to take action. However, decisions regarding whether and how to execute the request, and who should be involved, are for that state to make. This can therefore lead to a long process of gathering evidence through searches, production orders, and testimonies. As a result, it takes an average of 10 months for UK law enforcement to secure the data it needs. By contrast, OPOs would provide a direct route to the information holder, who must then produce the target data within just seven days. As a further advantage over MLA, that data can then be used without restriction.
When Will an OPO Be Granted?
Due to their wide scope, OPOs will only be granted if a judge is satisfied that there are reasonable grounds in relation to five key criteria:
If only some of the data meets these criteria, the judge can grant a partial order, i.e., an order that only the portion of the requested data that fits within the criteria above be provided.
Once granted, an order can be altered or revoked at the request of any person who originally sought the order, or any person affected by it.
Limitations on Grant
There are two kinds of “excepted electronic data” for which a judge cannot grant an order. These include information (i) protected by legal professional privilege; and (ii) constituting confidential personal records. These aim to further limit the potentially expansive reach of an OPO.
However, these limitations may not be sufficient in safeguarding individuals’ rights. For example, the current Bill allows law enforcement to prevent people whose data is accessed from discovering that an order has even been made — a powerful form of nondisclosure resembling a “super injunction.” This is a concern, as the only requirement is reasonable grounds for believing an indictable offense has been committed. Arguably, from a privacy standpoint, not all indictable offenses are so serious as to warrant nondisclosure (e.g., public nuisance).
Further, the assessment of whether either of these limitations applies to any of the information requested will fall to the information holders themselves; such assessments may be time-consuming and/or expensive for businesses.
Ultimately, concern about the Bill is focused on the reciprocal arrangements that will subsequently be entered into pursuant to it. UK service providers should not have to be exposed to unbridled requests from countries where there may be questions about the adequacy of the data protection regime (e.g., the U.S.), or even the independence of the judiciary (e.g., Poland at the moment). There is a clear tension for UK service providers between compliance with such requests on the one hand, and ensuring compliance with the UK’s data protection laws on the other. For example, UK data protection law requires minimum standards to be met before personal data can be transferred to non-EU countries. Data importers are often asked to sign “standard contractual clauses” to guarantee a data protection standard at EU levels. It is unlikely that U.S. law enforcement agencies would be prepared to sign such agreements, putting UK service providers at risk of breaching UK data protection law.
The proposed OPO regime may also have wider repercussions on data flows to the UK post-Brexit. Once the UK ceases to be a Member State, the EU will need to make a decision whether the UK still complies with the EU’s own data protection standards in order to facilitate unhindered transfers of personal data from the EU to the UK. It seems that the UK government will need to tread cautiously, such that these reciprocal information-sharing arrangements do not adversely affect the outcome of the EU’s decision.
“Confidential personal records” are not the same as “personal data” as defined by the GDPR. They constitute any information concerning any individual, living or dead, that could identify the individual and that relates to his or her physical or mental health (e.g., his or her medical records), spiritual counseling or assistance given to him or her, and/or counseling or assistance given to him or her for the purposes of his or her welfare. Such records are confidential if created in circumstances giving rise to an obligation of confidentiality to the person to whom they relate, e.g., medical records, and if this obligation has been maintained.