A recent piece of unheralded legislation, the Crime (Overseas Production Orders) Act 2019 (COPOA), has provided UK law enforcement with significantly extended powers to compel the production of electronic data stored overseas.
- COPOA came into force on 12 February 2019 – it gives UK law enforcement agencies the means to apply for a UK court order to compel production of stored electronic data directly from a company or person based outside the UK.
- It overhauls the system previously known as Mutual Legal Assistance (MLA).
- To date, the only cooperation agreement (which is currently still in draft) is between the UK and USA so COPOA will only apply to requests between these countries…BUTit is expected that other countries will sign up to similar reciprocal arrangements (based on these terms) in the near future.
- The power to apply for an Overseas Production Order (OPO) is available to all major investigating agencies, including the Serious Fraud Office, National Crime Agency, police, HMRC and FCA.
- The recipient of an OPO has, as a default, just seven daysto produce the data stipulated in the order, but can apply to the English court to vary or set aside the order.
- There are carve-outs for legal privilege and data protection considerations.
Under the old regime, if a UK law enforcement agency wanted to obtain electronic documents or data from a party based outside the UK, it would make an MLA request to the relevant law enforcement agency in the country where the recipient of the request was based, which would then need to be sanctioned by the judicial authorities in that jurisdiction. This process takes on average 10 months to complete.
The introduction of COPOA is a significant departure from this process. It gives UK law enforcement the right to apply to the English court for an OPO. If this is granted, the UK law enforcement agency can serve the OPO directly on a party based in another jurisdiction and order them to produce data, provided that the host country has signed an international agreement. At the moment, the only country with an advanced agreement is the US, but a similar EU instrument is planned.
The are several criteria which must be satisfied before the Court will make the order including that the data is likely to be of value to the proceedings or investigation by law enforcement and that the OPO is in the public interest. Importantly, COPOA also contains carve outs for legally privileged information and confidential personal information (which would result in a breach of data protection legislation, such as the GDPR).
The introduction of COPOA has attracted significant criticism due to the potential access it grants to individuals’ emails and social media messages, given much of this communication is stored on overseas servers, for example in the USA. It is expected those most likely to receive OPOs will be communications providers. It is a concern that these companies (often with no “skin in the game” as the data is not theirs) will be the ones determining whether the request is appropriate and whether legal privilege applies.
If a company or individual is served with an OPO, they have seven days in which to produce the data stipulated in it; alternatively they may apply to a judge in the English court to vary or revoke it. Failure to comply with an OPO renders the recipient in contempt of court. While this is not an offence for which an individual/director could be extradited, it may lead to significant reputational damage for not doing the ‘right thing’ and could mean the relevant individual is arrested if they travelled to the UK. Some critics have suggested this is the principal shortcoming of the COPOA, as it lacks teeth in enforcement.
Overall, this legislation provides a powerful tool to UK investigating agencies in their efforts to gather data from abroad. While at present its scope is limited by a lack of reciprocal agreements, it is expected that this will change over years to come. Any parties served with an OPO should seek legal advice as soon as possible.