A new step in cross-border access to data – Overseas Production Orders to come online in October
Following ratification by the US Congress, the Data Access Agreement between the US and the UK under the Clarifying Lawful Overseas Use of Data (CLOUD) Act will enter into force on 3 October 2022, three years after it was originally signed. Under the agreement, investigators in each country will be able to obtain electronic data directly from service providers in the other jurisdiction without the need for a mutual legal assistance request, provided certain minimum conditions are met.
In a joint statement the countries announced that this will be “the first agreement of its kind, allowing each country’s investigators to gain better access to vital data to combat serious crime in a way that is consistent with our shared values and mission of protecting our citizens and safeguarding our national security.”
A new tool for investigators
The agreement enables UK police forces and investigators such as the Serious Fraud Office to apply to a UK judge for an Overseas Production Order (OPO) for both metadata and content held in the US, which will then be served directly on the relevant US service provider. The service provider must provide the documents within 10 days with no further legal processes.
The scope of these orders has been described in terms of emails or other electronic communications, however the definition used in the Crime (Overseas Production Orders) Act 2019 (which is the UK’s enabling legislation) refers, at s3, to any “data stored electronically” with exceptions only for “an item subject to legal privilege” or “a personal record which is a confidential personal record”, which roughly correlates with sensitive personal data under the GDPR.
This appears to mean that OPOs could be made for any documents, images or other files held, for example, by a cloud storage provider. Furthermore, the OPO can be made against the data controller, such as Google, Meta or Apple, thereby gaining access to documents held by these service providers on behalf of other companies without the input, or even knowledge of the individuals whose data is being collected. Given the ubiquity of companies hosting their data, or at least backups, in the cloud, the reach of an OPO potentially is vast.
The purpose of the agreement is described in terms of helping “law enforcement agencies gain more effective access to the evidence they need to bring offenders to justice, including terrorists and child abuse offenders”. However, the definition of Serious Crime, as set out in Article 1, s14 of the Data Access Agreement includes any “offense that is punishable by a maximum term of imprisonment of at least three years”. Therefore, the ramifications of the regime due to begin in October are significantly wider both in terms of the data that can be collected and the scope of criminal investigations to which it can be applied than the initial statements suggest.
The agreement is due to run for five years, until 3 October 2027, when the parties may “agree in writing, through an exchange of diplomatic notes, to extend the Agreement for a further five years”.
Welcome tool for the SFO?
One individual who may want to take full advantage of the new regime is the head of the SFO, former US federal prosecutor, Lisa Osofsky as she approaches the final year of her current term as Director. Ms Osofsky has previously discussed the challenges the SFO faces due to the international nature of the crimes it investigates and has urged greater cross-border co-operation between national agencies. The new regime is an important development in the powers such investigative forces have and there will be many in the UK and US looking forward to the 3 October this year. In due course, it is hoped that the UK and US authorities will publish data showing the types of offences and categories of data for which OPOs have been issued.