My Lords, the aim of this Bill is to provide the framework to address the problem of obtaining electronic evidence when it is stored outside the UK. Too often, criminals—including terrorists—are using global communications services to facilitate their criminal activities, and in many cases the companies providing the services being used are located outside the UK. UK law enforcement officers consider this information as a vital source of evidence in the investigation and prosecution of serious crime and we need to make sure that they have timely access to it.
Our existing powers for obtaining stored electronic data are effective when the company or person holding the data is located in the UK. In those circumstances, a law enforcement officer or a prosecutor can apply to a court for a production order to obtain the data. If the judge agrees that the material is required to support the investigation or prosecution, he or she will issue the production order, and the UK-based target will be required to comply.
However, as Members of this House will know, advances in technology, and the increasing globalisation of communications services, mean that it is not always the case that it is a UK-based entity that holds this data, which can be vital evidence. Where evidence is held outside the UK, we must rely on our international partners to help. We must use mutual legal assistance channels—a form of judicial co-operation between states that allows law enforcement officers and prosecutors to obtain evidence from a foreign jurisdiction via the authorities in that jurisdiction. However, the mutual legal assistance process can be slow, and in some cases it may not be timely enough to support an investigation or a prosecution. It requires a formal request to be made to another country, which then assesses it to consider whether it can comply. That country may require a court order or warrant from its own courts to obtain the evidence. This is usually the case for stored electronic data. It would then serve that order or warrant on the service provider in its territory. This process takes time and in some cases might result in delayed or abandoned investigations or prosecutions. It can also delay people being eliminated from a criminal investigation.
The Bill will create an overseas production order. It will provide law enforcement officers and prosecutors with the power to apply here in the UK for an overseas production order, which would allow them to seek stored electronic data directly from service providers based outside the UK in certain circumstances. They would be able to apply for an overseas production order for the purposes of investigating and prosecuting serious crime, including terrorist offences. They would be able to apply for an overseas production order only where a relevant international co-operation agreement is in place between the UK and the territory in which the overseas data holder is based.
This will mean that UK law enforcement officers and prosecutors will need to deal only with domestic UK courts and will have much quicker access to this data to support investigations and prosecutions of serious crime. The Bill will put on an equal footing the way in which a UK law enforcement officer or prosecutor can apply to the court for access to electronic evidence when the data is held by an entity based in the UK with circumstances when they are based in another territory with which the UK has a relevant international co-operation agreement.
The process of applying for an overseas production order will be similar to the existing domestic process for applying for a production order. The Bill’s provisions reflect our existing high levels of privacy protection, respect for freedom of speech and international human rights law. An overseas production order can be sought only for serious criminal offences. The court will, as it does currently, apply robust scrutiny to any application, and stringent tests will need to be satisfied before an order can be granted. These include that the information is reasonably believed to be of substantial value to the investigation or proceedings and that it is in the public interest for the electronic data to be provided.
The Bill also makes it clear what data cannot be sought, such as that which is legally privileged, or the circumstances in which additional protections might apply, such as when confidential journalistic material is sought. Critically, the Bill makes it clear that an overseas production order can be approved by a court only where it is clear that a relevant international arrangement exists. UK law enforcement officers and prosecutors will be obliged to deal with any data they receive under an overseas production order in accordance with existing protections under the Data Protection Act 2018, as is the case with material received under an existing production order or through mutual legal assistance.
I am sure that noble Lords will agree that the increasingly global nature of crime means that we need a global solution to tackle this problem. This means working with international partners to find ways to maximise our efforts in evidence gathering for the safe and effective investigation and prosecution of serious crime. This Bill will provide another avenue—an expedient means for law enforcement officers to seek stored electronic data. Mutual legal assistance will still exist and will remain critical for other types of evidence that are not within the scope of the Bill, and for electronic evidence outside the scope of relevant international arrangements. This Bill seeks to give those agencies that we rely on to investigate and prosecute serious crimes an additional tool to allow them to get timely access to electronic evidence in tightly defined circumstances.
This is a short and straightforward Bill. The safeguards it contains and the tests that must be satisfied before an overseas production order can be granted will be familiar to many who have law enforcement experience. It will help provide more timely access to vital evidence for our operational partners. I beg to move.
My Lords, this has been a very short debate; in fact, there has been an absence of debate. However, I am grateful to the Minister for meeting us prior to today to discuss the Bill; speaking with officials was very helpful. I offer the apologies of my noble friend Lady Hamwee, who has an important committee meeting this afternoon and is unable to speak in this debate, but the House can be reassured that she will submit amendments to which she will speak in Committee.
I am grateful to techUK for its advice on this matter. The Bill looks very much like the equivalent of the United States Clarifying Lawful Overseas Use of Data, or CLOUD, Act, which sets out how the US Government can access overseas data for law enforcement where an international agreement is in place. When the United States passed the Act, the British Prime Minister, Theresa May, was the first leader to indicate that the United Kingdom would be willing to establish an agreement with the US on the basis of its Act, which I presume is why we are bringing forward equivalent legislation here.
My briefing on the CLOUD Act is that it clarifies how and when the US and other countries can gain access to data stored in different jurisdictions, allowing bilateral deals with foreign countries on data sharing for law enforcement purposes. The legal clarity which that Act provides, which I presume this Bill will also provide, has been welcomed by tech giants such as Microsoft, Google, Apple and Facebook.
Noble Lords will know that we are part of the Five Eyes group of countries that share intelligence on terrorism issues, along with the United States, Canada, Australia and New Zealand, so it is no surprise that we are looking through the mechanisms of this Bill to establish a reciprocal arrangement with the USA and presumably with the other Five Eyes countries in due course, in addition to other countries as we are able to strike arrangements with them.
It makes sense, rather than relying on mutual legal assistance treaties, to allow law enforcement agencies to apply to the British courts to access data directly from an overseas service provider rather than going through government channels, provided an international agreement is in place with the country concerned. Bearing in mind the vast volume of data handled by service providers based in the United States of America, America will obviously be a priority for the mechanisms in this Bill. I am grateful for the House of Lords briefing on this issue, which outlines the tortuous process of MLAT, which can take up to 10 months to complete, so the need for this Bill is clear.
There are issues of privacy here and therefore of compliance with the GDPR—the general data protection regulation that has recently been introduced—and the UK’s ability to secure a certificate of adequacy from the European Union if we were to become a third-party country after Brexit. Noble Lords will recall that the EU allows data exchange only with third-party countries whose data regulations and privacy laws are considered by the EU to meet EU standards. If the UK enters a bilateral arrangement with a non-EU country whereby it can apply directly to UK service providers to hand over sensitive personal information, presumably the EU will have to be satisfied that the safeguards in the Bill are sufficient for the EU not to withdraw any adequacy certificate for the UK. Perhaps the Minister can explain.
For example, in Clause 3 “excepted electronic data” goes beyond legal professional privilege to include confidential records such as medical records, evidence from the confessional—“spiritual counselling”—and welfare counselling, but in Clause 3(5) these exceptions do not apply to terrorist investigations. Noble Lords will recall that as a member of the European Union we have carte blanche to make whatever arrangements we want as far as terrorist investigations are concerned, but once we become a third-party country the EU will scrutinise those arrangements and take them into consideration in deciding whether an adequacy certificate should be issued: the devil will be in the detail of the Bill.
The European Commission in April 2018 published its own e-evidence proposals for European production orders, which is the EU version of the CLOUD Act. It sets out when law enforcement officers can request data and what the response times from the tech companies should be. These proposals will apply across all EU countries, whereas the US arrangements, which President Trump is said to prefer, deal only with individual countries—they are bilateral arrangements. How do these proposals fit with the EU e-evidence proposals?
As with all UK law that has extraterritorial effect, there are issues of enforcement. The Minister and her officials were good enough to explain to us that, clearly, if the international service provider has offices in the UK, sanctions could be applied, but it would be more difficult if the overseas company had no assets in the UK. One has to ask whether contempt of court is an effective enforcement process if that overseas service provider has no assets in the UK.
I shall very briefly outline some other areas where we may need to explore further. Clauses 4(5) and 4(6) say that the judge must be satisfied that some or all of the data will be of “substantial value” to the investigation or proceedings and that it is “in the public interest”. The judge will have to weigh the benefit to the proceedings and the circumstances under which the person came into possession or control of the data. This appears to be vague. How high a threshold is this for the applicant investigator to surmount?
In Clause 8, the order may forbid the person against whom it is made to disclose the existence or contents of the order without the permission of the judge or the applicant. This appears to have consequences for open justice.
In Clause 10, is the use of the data as evidence restricted to the offence for which the order is made? What happens if other offences are disclosed? Would a further application be necessary?
Overall, we welcome the Bill, but we will be probing to ensure that the rights of UK citizens are not infringed and that securing an adequacy certificate from the EU if we leave the European Union will not be jeopardised by these proposals.
My Lords, this is perhaps a fairly unique Second Reading, in that the Minister will be making the same number of speeches as the rest of your Lordships’ House. I apologise in advance for the fact that I will probably speak for longer than either the Minister has so far, or the noble Lord, Lord Paddick.
The primary purpose of the Bill is to permit a court in this country to require a person or company located overseas, such as an overseas service provider, to produce stored electronic information, as such a court could if the information were located or controlled in the UK. This is achieved in the Bill by creating a new overseas production order that has extraterritorial scope. However, this jurisdiction can be exercised only if an international co-operation arrangement or bilateral agreement enabling this to happen, and to which we are a party or in which we participate, has been agreed. UK law enforcement officers would apply to a judge for an order requiring the production of electronic evidence for the purposes of investigating or prosecuting serious crime, including terrorism offences. The effect of the overseas production order, if granted, would be to require an overseas provider to disclose electronic information held by them, provided that this is supported by an international co-operation agreement with the country concerned.
The present position in respect of electronic data that is outside the reach of domestic UK court orders and is needed for evidential purposes is that mutual legal assistance is available where a mutual legal assistance treaty has been signed. In 2016, the UK had bilateral mutual legal assistance treaties with some 40 countries and was also party to multilateral MLATs through bodies such as the EU and the Council of Europe. This present form of judicial co-operation means that a requesting country can seek assistance from an executing authority or country, and that authority or country is then responsible for collating the evidence using its own judicial or other processes and orders.
However, as the Minister said, the MLA process can be slow, requiring as it usually does significant government-to-government liaison, and may not be speedy enough in some cases to enable the evidence being sought to be obtained in the timespan required to contribute meaningfully to an investigation or help to secure a successful prosecution. Indeed, MLAT requests submitted to the United States take an average of approximately 10 months to complete. Sir David Anderson, the then Independent Reviewer of Terrorism Legislation, said in a 2015 report,
“there is little dispute that the MLAT route is currently ineffective”.
With electronic information becoming increasingly important in the investigation and prosecution of criminal offences, this is regarded as an increasingly serious lacuna in the pursuit of those committing serious offences, since the companies providing services that generate or store electronic data or do both are often located outside this country. This means that the data they generate or store is currently outside the reach or range of the orders of our courts, which lack extraterritorial scope and cannot be used to require overseas providers to provide timely information.
The impact assessment for this Bill states:
“The issues with access to electronic data held by overseas providers and the use of MLA has been recognised for a while with discussions taking place between the UK and other countries to explore options to address the issues with the MLA process”.
We know from the impact assessment that one of those other countries is the United States, but which are the other countries with whom we have been discussing this issue?
Apparently our law enforcement and security agencies have indicated that US communication services are used by 90% of their suspects and that, in almost every terrorism investigation, those they investigate use services provided by US communications service providers. As far as the United States is concerned, the impact assessment tells us that a bilateral data access agreement is being finalised with the UK, but that,
“in anticipation and preparation for it, the US passed its Clarifying Lawful Overseas Use of Data (CLOUD) Act in March 2018, enabling the US legislative change required to give effect to this agreement”.
The CLOUD Act provides authorisation for a new form of international agreement to be concluded by the United States through which foreign Governments can seek data directly from US companies without such requests having to be reviewed individually by the US authorities. However, the CLOUD Act also requires that when the US concludes an agreement with another country, such as the UK, that country must allow the US reciprocal rights of data access.
Since bilateral agreements with another country or countries will need to be concluded for the provisions of this Bill to be implemented, presumably we shall be required to provide the same access arrangements to electronic data in this country as we are seeking from them—namely, that an order made in their courts will be capable, if necessary, of being enforced here with apparently little or no judicial oversight in this country. The Explanatory Notes say that the electronic data in question may include the “content of private communications” being made available to the state, and that:
“These intrusions into ECHR rights can be justified as necessary in a democratic society for the prevention of disorder and crime and in the interests of national security and public safety, and are proportionate in light of the requirements that must be met before a judge can make an overseas production order, and the other safeguards set out in the Bill. To the extent that the electronic data made available may include journalistic material, the requirement that an order is made by a judge provides prior judicial oversight for the exercise of the power, and accordingly an Article 10 compliant safeguard”.
Those words might not be accepted without question by everyone.
Clause 4 sets out the conditions and restrictions under which an overseas production order may be made. These include that the judge must be satisfied,
“that there are reasonable grounds for believing that an indictable offence has been committed and proceedings in respect of the offence have been instituted or the offence is being investigated”.
Alternatively, the judge must be satisfied that,
“the order is sought for the purposes of a terrorist investigation”.
According to the Explanatory Notes:
“This reflects the criteria under which production orders may already be sought against those in the UK”,
under the Terrorism Act 2000. The judge must also be satisfied,
“that there are reasonable grounds for believing that all or part of the electronic data”,
applied for will be of “substantial value” to the investigation or proceedings, and that it is “in the public interest” that this data is made available to the investigation or proceedings.
In considering whether something is in the public interest, the judge must consider the benefit to the proceedings or investigation that this electronic data is likely to have and,
“the circumstances under which the person against whom the order is sought has possession or control of any of the data”.
Further additional requirements that must be met in order for an overseas production order to be made can be specified by the Secretary of State through regulation under the terms of the Bill. Some of the factors on which the judge has to be satisfied before granting an order are potentially subjective, including whether an order being sought is for the purpose of what could be regarded as a terrorist investigation, whether the data being applied for will be of substantial value to the investigation or proceedings, and that it is in the public interest that the data is made available.
The UK has to be a party to an international co-operation agreement for the terms of the Bill to apply. However, will that arrangement or agreement with another country—and there could be up to 40—have to incorporate the same standards and criteria, and interpretation of those criteria, that would apply in our courts before making an order when a court in that other country makes an overseas production order for a British national or company based here to produce stored electronic data or give access to it? If that is the case—and the Bill has a potential problem if it is not—how will we be able to satisfy ourselves that the other country making such an order will, for example, be interpreting the requirements relating to “substantial value”, “public interest”, “terrorist investigation” and “excepted electronic data” in the same way as we would anticipate our courts interpreting those words in determining whether or not the case has been made for granting an overseas production order?
If we believe that a country with which we have an international co-operation agreement or bilateral agreement has not been applying an appropriate interpretation of the criteria for determining whether to make an overseas production order, can we step in and stop it being enforced against the named person or company in this country? If so, who or what body or authority in the UK can nullify the production order in question? If that cannot be done, is that not a potential concern about the proposed bilateral arrangements set out in the Bill, particularly as they are geared to giving greater speed to the process than the MLA route? Is there any right of appeal in this country against an overseas production order applicable here but made in another country with which we have a bilateral co-operation agreement?
If the Government’s view is that, under the new overseas production orders, there will be no change, in either direction, in the interpretation of the criteria or basis for making or declining overseas production orders for electronic data compared with the current mutual legal assistance arrangements, surely that cannot definitely be the case in the future, because at present it is the court in the country in which the order for electronic data has to be executed that makes the order, whereas under the new arrangements in the Bill it will be the court in the country where the order is being sought that will make the order and determine whether or not the case for the overseas production order has been established. What would be the position if the overseas production order for the electronic data in question was being sought in respect of a case or investigation where the outcome for a defendant, if found guilty, could be the death penalty, as might apply in the United States? Would we allow the electronic data to be handed over or accessed in such circumstances, as we would apparently be required to under the terms of the Bill and any bilateral agreement?
Can the Minister say within what timescale it is expected that overseas production orders will produce the required electronic data or access to it, compared with the time taken through the present mutual legal assistance process? While I appreciate that many service providers and technology companies in other countries, including the US, are likely to provide the electronic data being sought once the overseas production order has been made by a UK court—and, no doubt, vice versa as well—can she confirm what will happen if they decline to do so, since neither the US CLOUD Act nor any international agreement made under it would create a legal obligation for US service providers to comply with a data request from a foreign Government, including that of the UK?
The Explanatory Notes suggest that non-compliance with an overseas production order made by a UK judge could give rise to contempt of court proceedings but, if I am correct, some further detail from the Government as to how this course of action would in practice work and be effective in this situation would be helpful. Likewise, can the Government explain what action could or would be taken if a person or company in this country named in a production order from a country with which we have a bilateral agreement declined to hand over or give access to the electronic data sought under that order?
The Bill, as we know, seeks to provide a speedier alternative to the mutual legal assistance route in respect of electronic data by enabling UK domestic courts to issue a production order rather than, as now, requesting a foreign court to do so following an MLA request. Under the required international agreement with the country concerned, this would almost certainly be a two-way process. Under the current MLA process, first, how many orders have we been seeking per year in respect of electronic data which have required the assistance of another country under MLA in making and executing those orders, and from which countries have we required such assistance? Secondly, how many orders per year sought by other countries have we been asked to make and execute under MLA arrangements in respect of electronic data, and by which other countries? What percentage of overseas orders in both directions under MLA are currently in respect of electronic data per year? What is the anticipated increase in each direction for orders for electronic data under the new arrangements for overseas production orders set out in the Bill, since the Explanatory Notes suggest that applications for overseas production orders for electronic data have been suppressed because of the time delay in executing such orders under the MLA process?
As the noble Lord, Lord Paddick, said, in April this year the European Commission published proposals for EU legislation to create a European production order as part of a package of measures on electronic evidence. The proposed European production order would allow a judicial authority in one EU member state to request electronic evidence directly from a service provider offering services in the EU and established or represented in another member state, regardless of the location of data. Where does the proposed European production order fit in relation to the new overseas production order process set out in the Bill? Do the Government intend to opt into the European production order measure or regulation? Finally, I say simply that while we support the objectives of the Bill, we want responses to the potential concerns we have raised about the possible application of its provisions.
My Lords, there have been so few speakers this afternoon that anyone would think there might be a football match on tonight. However, I thank both noble Lords for their very constructive comments and questions. I have been furiously writing everything down and I hope I also have the answers but if I have not, I will follow them up in writing.
The noble Lord, Lord Paddick, asked whether this could allow for an agreement with the EU. Obviously, we are going through negotiations with the EU on Brexit, but it is absolutely possible that we could eventually make an agreement either with specific countries or with multiple states in the EU. That is almost certainly a possibility. He also quite sensibly asked whether this will affect the adequacy judgment in the context of Brexit. It is about getting data from outside the UK into the UK, but UK providers responding to requests under any agreement would need to comply with data protection law, which is of course aligned with EU standards, as we saw when we were going through the Data Protection Bill recently.
The noble Lord also asked how the Bill affects the evidence proposal published by the Commission. EU member states and wider international partners are considering this very question of cross-border access to electronic data. The European Commission has published proposals on this issue which we are currently considering. The UK’s opt-in applies to the regulation and the Government are committed to taking all opt-in decisions on a case-by-case basis, putting the national interest at the heart of the decision-making process. We are currently scrutinising the regulation, and we will make a decision on whether to participate in due course. The proposed evidence directive could be implemented before the end of the envisaged implementation period.
The noble Lord also asked whether contempt of court is enough if the CSP has no assets in the UK, which slightly goes to the point the noble Lord, Lord Rosser, made about seizing assets. Both are a possibility, but we anticipate working closely with overseas providers to create a high compliance environment. Given the general support for this, we hope that is the case. It is possible that some providers may have no UK assets, but those firms are unlikely to be within reach of any enforcement mechanism. We can always resort to MLA in the case of non-compliance.
The noble Lord, Lord Paddick, asked about what happens if you get more evidence than you asked for. The data received will be subject to the usual data protection laws and existing laws on data handling and retention. Law enforcement will be provided with guidance on how to handle data when using an overseas production order. I think he also asked about what happens if you need multiple different requests.
My view would be that, yes, you would because it would be a new request, but I will confirm that in writing. I would not wish to give the noble Lord misinformation at the Dispatch Box.
The noble Lord, Lord Rosser, asked how the US or other countries will be able to get information from the UK. The proposed agreement will be reciprocal and we would expect any country with which we have an international co-operation arrangement also to benefit from this more streamlined process for data and evidence gathering. The condition for any international arrangement or future arrangement is that each country recognises the other’s rule of law—that is an important concept for the Bill—due process and judicial oversight for obtaining and dealing with information and evidence with regard to serious crime. Each agreement will be specific in scope in respect of the circumstances in which it can be used. Section 52 of the IP Act 2016 will be used to designate international agreements, and that will be the basis for another country to request information from UK service providers. The Secretary of State has the power to impose additional conditions when designating an agreement under that section.
The noble Lord, Lord Rosser, asked what would happen if the other country had a lower threshold for what is regarded as reasonable belief. What do we do if this arrangement is all about the mutual recognition of legal systems? The UK would not agree to any arrangement where the threshold for obtaining data did not provide similarly protective standards to those in the UK. The agreements will recognise a shared acceptance of the laws in another country with which we are entering into an agreement. It will recognise the other’s rule of law, due process and judicial oversight for obtaining and dealing with information and evidence with regard to serious crime.
Under any proposed agreement the UK would require the other country to set out the powers it intended to use in pursuance of requests made under the agreement. The UK would also ask the other country to commit that it would not rely on another power unless agreed by both parties. In addition, it would specify the evidential standard required before requests were made and ensure that the UK was satisfied with those standards before designating an agreement for incoming requests.
The noble Lord asked which countries we are negotiating agreements with. We expect the first relevant international arrangement to be with the US, unlocking the potential for streamlined access by UK law enforcement, but any future international arrangements would, like the agreement with the US that we have been discussing, be based on the recognition that robust protections for privacy are present in each country. Of course, not every country would meet those high standards, and any agreement that we reached with another jurisdiction would be subject to parliamentary scrutiny in the usual way. As discussed, that usually involves laying the agreement in Parliament for 21 sitting days without either House having resolved that it should not be ratified.
The noble Lord asked what powers exist to nullify incoming requests. The Bill is about requests from the UK rather than to the UK, but UK-based providers will not be compelled to comply with overseas orders and, if they do, must comply with data protection law. The agreement itself will be subject to the usual scrutiny by Parliament, as I have said.
The noble Lord also asked about the timescales for production orders versus MLA. Under an overseas production order, the standard time for compliance is seven days. However, the judge may shorten or extend this time depending on the circumstances of the case. Therefore we expect this to be a much quicker process compared with MLA, which can take up to 10 months unless there is a particular urgency. The noble Lord asked how many we were anticipating. We anticipate approximately 40 to 50 outgoing requests for electronic data. I will write on the other point regarding MLA numbers. I am guessing that there are more because it has a broader scope, but I will write to the noble Lord.
I have tried to cover every point; I am not sure that I have but I will of course follow up in writing any that I have not. In the meantime, I beg to move.
Bill read a second time and committed to a Grand Committee.