Search for:

The Crime (Overseas Production Orders) Act 2019 (“Act”) received Royal Assent on 12 February 2019. The Act allows UK law enforcement agencies including the Serious Fraud Office (“SFO”), HMRC and the Financial Conduct Authority to apply for a court order with extra-territorial effect (an Overseas Production Order or “OPO”) to obtain data stored electronically, directly from communications service providers (“CSPs”) based outside the UK, in order to assist with domestic investigations and prosecutions of serious crime.

Before the Act was passed, UK legislation allowing law enforcement and prosecuting authorities to access electronic data was not explicitly extra-territorial and so only effective when the company or individual possessing or controlling the information was based in the UK. Accordingly, prior to the Act, law enforcement agencies had to primarily rely on Mutual Legal Assistance (“MLA”) channels when the required electronic data was held by a company based outside the UK. However, the MLA process can take between six months and two years, resulting in delayed or abandoned investigations or prosecutions. The Act provides an alternative, expedited procedure.

The OPO can be served in a foreign jurisdiction where a designated international cooperation agreement exists between that country and the UK. The UK is in the process of negotiating a data access agreement with the United States, where the world’s largest CSPs are based. Draft terms of the agreement are not yet publically available.

The judge considering the application for an OPO from a representative of a relevant law enforcement agency or prosecutor must be satisfied that there are reasonable grounds for believing that:

  1. the person against whom the OPO is sought is based in or operates in a territory outside the UK which is a party to, or participates in, the designated international cooperation agreement specified in the application;
  2. an indictable offence has been committed and that proceedings in respect of that offence have been instituted or the offence is being investigated, or alternatively, that the OPO is sought for the purposes of a terrorist investigation;
  3. the person against whom the OPO is sought has possession or control of all or part of the data;
  4. the data is likely to be of substantial value to the criminal proceedings or investigation in relation to which it is requested;
  5. all or part of the data is likely to be relevant evidence in respect of the offence (this is not a requirement in respect of terrorist investigations); and
  6. production of the data would be in the public interest.

If the OPO is granted, the CSP has seven days in which to produce the data, beginning with the day on which the OPO is served. This is unless the judge deems that a shorter or longer time period would be appropriate. Any person affected by the OPO may apply to vary or revoke the OPO. However, the OPO may include a non-disclosure requirement preventing the CSP from disclosing the fact or content of the OPO, except with leave of the judge or the relevant law enforcement authority or prosecutor that applied for the order. Even if an OPO is later revoked, the non-disclosure requirement could be maintained. This means that the underlying subject of the OPO – the person, for example, whose email mailbox will be accessed or produced as the result of an OPO – may never know that the OPO has been made and that their data has been made available to a law enforcement agency.

Neither legally privileged information nor confidential personal records (e.g. medical records) would have to be provided by CSPs (though confidential personal records are not excepted in the context of terrorism investigations). However, it appears that, at least initially, the person who decides what data falls into these categories, is the CSP, who may have just seven days to make that determination. How CSPs will navigate the evaluation of issues of legal professional privilege and identify confidential personal information in such a short period, remains to be seen.

What does the new development mean for companies?

The key practical impact of the Act is that UK law enforcement agencies, including the SFO, could have much quicker access to data generated and/or stored abroad by CSPs. Where enforcement agencies need access to data held outside the UK by other foreign companies, e.g. one that might be the subject of an investigation, the SFO’s powers under section 2(3) of the Criminal Justice Act 1987 to compel foreign companies to produce documents held outside the UK provided that there is a “sufficient connection” between the company and the jurisdiction – as opposed to MLAs – will most likely be the fallback.

What should companies do?

Companies with data stored outside the UK need to be conscious that such data will in principle now be far easier to access by the UK authorities, as well as the related impact this may have on expectations when seeking to cooperate with such authorities. Likewise CSPs holding data outside the UK should be alert to the possibility that the UK authorities could serve a binding order on them, which could require compliance within seven days. Appropriate processes and procedures will need to be put into place to deal with such a possibility.

Author

Charles Thomson is a partner and solicitor advocate in Baker McKenzie’s Dispute Resolution Practice Group in London. He co-manages the Business Crime Unit, and is part of the Financial Institutions Disputes, Contentious Trusts and Compliance and Investigations Groups. Charles joined the Firm as a trainee in 2002, and concurrently spent three months on secondment as a judicial assistant at the Royal Courts of Justice in the Civil Appeals Division. A solicitor advocate since 2007, Charles appears as an advocate in all Higher Courts in England and Wales. Chambers and Legal 500 both commend Charles for his legal practice. Charles is also listed as a Rising Star in Litigation by Legal Week.

Author

Joanna Ludlam is a partner in the Dispute Resolution team in Baker McKenzie's London office, where she leads the market-leading Regulatory, Public & Media law team and also co-leads the office's Compliance & Investigations Practice Group. At an international level, she co-chairs the Firm's Global Compliance & Investigations Steering Committee. In 2016, Joanna was named as one of The Lawyer’s “Hot 100” for her practice, and is recognised by Legal 500 and Chambers & Partners.

Author

Jonathan chairs the firm's Financial Institutions Global Industry Group and is a partner in the London Dispute Resolution practice. Jonathan has deep experience in advising boards, executive teams and individuals dealing with issues of market integrity, ethics, brand and reputation impact, conduct risk, whistleblowing, market misconduct, systems and controls failings and remediation, public statements and investor relations, financial crime, fraud, regulatory investigation and enforcement, public policy, public law and civil and criminal litigation. Jonathan's substantial in-house experience delivers a highly strategic and commercial focus aimed at re-establishing confidence in the brand and individuals. Jonathan joined Baker McKenzie from Barclays Bank PLC. Spanning a decade of unique pressure in the financial sector amidst the global financial crisis, he led the global litigation, investigations and enforcement function and established the bank's financial crime legal team. Jonathan was responsible for a series of high-profile regulatory and criminal investigations in EMEA, the US and Asia Pacific regions and led a significant portfolio of wholesale and retail litigation. Supporting the bank's risk and compliance functions, he implemented and improved systems and controls in respect of money laundering, bribery and corruption, fraud and international sanctions. Jonathan worked with UK and US law enforcement and government intelligence agencies on counter-terrorism, organised crime and other domestic and international security initiatives. Jonathan is the contributing author to a number of leading legal and sector publications, including: Banks and Financial Crime: International Law of Tainted Money (Oxford University Press 2008, 2016); Global Investigations Review - The Evolution of Risk Management in Global Investigations (GIR 2016, 2017, 2018); and Risk.net's annual Top 10 Operational Risks (2018-2022).

Author

Tristan Grimmer is a partner in Baker McKenzie's London office and the UK Head of the International Trade Practice Group. He is also a member of the Compliance & Investigations and the International Trade and Competition practice groups. Tristan joined Baker McKenzie as a trainee in March 2004, qualifying in March 2006. He has advised on parallel investigations by authorities in the United States, Switzerland, Brazil and Japan, and has spent time working in Baker McKenzie's Chicago office. Tristan is named as a "Leading Individual" for EU And Competition: Trade, WTO Anti-Dumping and Customs in the UK Legal 500 2023 directory.

Author

Henry Garfield is a senior associate in Baker McKenzie's Dispute Resolution department based in London. Henry's practice focuses on fraud, asset tracing, internal investigations and business crime. He also undertakes general commercial litigation. Henry has just completed an 11 month secondment to the Serious Fraud Office, during which he was the Case Lawyer on an investigation into a £60 million fraud. The investigation involved unravelling trust and company structures in several offshore jurisdictions and has recently resulted in two individuals being charged with fraud and forgery offences.

Author

Yindi is a partner in the Baker McKenzie Dispute Resolution team based in London, and a member of the Compliance and Investigations group. Yindi’s practice includes a broad spectrum of complex and high-value international and domestic commercial litigation for multinational clients, with specialist expertise in anti-bribery and corruption investigations, compliance and trust disputes.