Crime (Overseas Production Orders) Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for International Development
Lord Paddick
Main Page: Lord Paddick (Non-affiliated - Life peer)Department Debates - View all Lord Paddick's debates with the Department for International Development
Crime (Overseas Production Orders) Bill [HL]
Lord Paddick ExcerptsWednesday 11th July 2018
(5 years, 9 months ago)
Lords ChamberRead Full debate Crime (Overseas Production Orders) Act 2019 View all Crime (Overseas Production Orders) Act 2019 Debates Read Hansard Text Read Debate Ministerial Extracts
Lord Paddick (LD)
My Lords, this has been a very short debate; in fact, there has been an absence of debate. However, I am grateful to the Minister for meeting us prior to today to discuss the Bill; speaking with officials was very helpful. I offer the apologies of my noble friend Lady Hamwee, who has an important committee meeting this afternoon and is unable to speak in this debate, but the House can be reassured that she will submit amendments to which she will speak in Committee.
I am grateful to techUK for its advice on this matter. The Bill looks very much like the equivalent of the United States Clarifying Lawful Overseas Use of Data, or CLOUD, Act, which sets out how the US Government can access overseas data for law enforcement where an international agreement is in place. When the United States passed the Act, the British Prime Minister, Theresa May, was the first leader to indicate that the United Kingdom would be willing to establish an agreement with the US on the basis of its Act, which I presume is why we are bringing forward equivalent legislation here.
My briefing on the CLOUD Act is that it clarifies how and when the US and other countries can gain access to data stored in different jurisdictions, allowing bilateral deals with foreign countries on data sharing for law enforcement purposes. The legal clarity which that Act provides, which I presume this Bill will also provide, has been welcomed by tech giants such as Microsoft, Google, Apple and Facebook.
Noble Lords will know that we are part of the Five Eyes group of countries that share intelligence on terrorism issues, along with the United States, Canada, Australia and New Zealand, so it is no surprise that we are looking through the mechanisms of this Bill to establish a reciprocal arrangement with the USA and presumably with the other Five Eyes countries in due course, in addition to other countries as we are able to strike arrangements with them.
It makes sense, rather than relying on mutual legal assistance treaties, to allow law enforcement agencies to apply to the British courts to access data directly from an overseas service provider rather than going through government channels, provided an international agreement is in place with the country concerned. Bearing in mind the vast volume of data handled by service providers based in the United States of America, America will obviously be a priority for the mechanisms in this Bill. I am grateful for the House of Lords briefing on this issue, which outlines the tortuous process of MLAT, which can take up to 10 months to complete, so the need for this Bill is clear.
There are issues of privacy here and therefore of compliance with the GDPR—the general data protection regulation that has recently been introduced—and the UK’s ability to secure a certificate of adequacy from the European Union if we were to become a third-party country after Brexit. Noble Lords will recall that the EU allows data exchange only with third-party countries whose data regulations and privacy laws are considered by the EU to meet EU standards. If the UK enters a bilateral arrangement with a non-EU country whereby it can apply directly to UK service providers to hand over sensitive personal information, presumably the EU will have to be satisfied that the safeguards in the Bill are sufficient for the EU not to withdraw any adequacy certificate for the UK. Perhaps the Minister can explain.
For example, in Clause 3 “excepted electronic data” goes beyond legal professional privilege to include confidential records such as medical records, evidence from the confessional—“spiritual counselling”—and welfare counselling, but in Clause 3(5) these exceptions do not apply to terrorist investigations. Noble Lords will recall that as a member of the European Union we have carte blanche to make whatever arrangements we want as far as terrorist investigations are concerned, but once we become a third-party country the EU will scrutinise those arrangements and take them into consideration in deciding whether an adequacy certificate should be issued: the devil will be in the detail of the Bill.
The European Commission in April 2018 published its own e-evidence proposals for European production orders, which is the EU version of the CLOUD Act. It sets out when law enforcement officers can request data and what the response times from the tech companies should be. These proposals will apply across all EU countries, whereas the US arrangements, which President Trump is said to prefer, deal only with individual countries—they are bilateral arrangements. How do these proposals fit with the EU e-evidence proposals?
As with all UK law that has extraterritorial effect, there are issues of enforcement. The Minister and her officials were good enough to explain to us that, clearly, if the international service provider has offices in the UK, sanctions could be applied, but it would be more difficult if the overseas company had no assets in the UK. One has to ask whether contempt of court is an effective enforcement process if that overseas service provider has no assets in the UK.
I shall very briefly outline some other areas where we may need to explore further. Clauses 4(5) and 4(6) say that the judge must be satisfied that some or all of the data will be of “substantial value” to the investigation or proceedings and that it is “in the public interest”. The judge will have to weigh the benefit to the proceedings and the circumstances under which the person came into possession or control of the data. This appears to be vague. How high a threshold is this for the applicant investigator to surmount?
In Clause 8, the order may forbid the person against whom it is made to disclose the existence or contents of the order without the permission of the judge or the applicant. This appears to have consequences for open justice.
In Clause 10, is the use of the data as evidence restricted to the offence for which the order is made? What happens if other offences are disclosed? Would a further application be necessary?
Overall, we welcome the Bill, but we will be probing to ensure that the rights of UK citizens are not infringed and that securing an adequacy certificate from the EU if we leave the European Union will not be jeopardised by these proposals.
Baroness Williams of Trafford
My Lords, there have been so few speakers this afternoon that anyone would think there might be a football match on tonight. However, I thank both noble Lords for their very constructive comments and questions. I have been furiously writing everything down and I hope I also have the answers but if I have not, I will follow them up in writing.
The noble Lord, Lord Paddick, asked whether this could allow for an agreement with the EU. Obviously, we are going through negotiations with the EU on Brexit, but it is absolutely possible that we could eventually make an agreement either with specific countries or with multiple states in the EU. That is almost certainly a possibility. He also quite sensibly asked whether this will affect the adequacy judgment in the context of Brexit. It is about getting data from outside the UK into the UK, but UK providers responding to requests under any agreement would need to comply with data protection law, which is of course aligned with EU standards, as we saw when we were going through the Data Protection Bill recently.
The noble Lord also asked how the Bill affects the evidence proposal published by the Commission. EU member states and wider international partners are considering this very question of cross-border access to electronic data. The European Commission has published proposals on this issue which we are currently considering. The UK’s opt-in applies to the regulation and the Government are committed to taking all opt-in decisions on a case-by-case basis, putting the national interest at the heart of the decision-making process. We are currently scrutinising the regulation, and we will make a decision on whether to participate in due course. The proposed evidence directive could be implemented before the end of the envisaged implementation period.
The noble Lord also asked whether contempt of court is enough if the CSP has no assets in the UK, which slightly goes to the point the noble Lord, Lord Rosser, made about seizing assets. Both are a possibility, but we anticipate working closely with overseas providers to create a high compliance environment. Given the general support for this, we hope that is the case. It is possible that some providers may have no UK assets, but those firms are unlikely to be within reach of any enforcement mechanism. We can always resort to MLA in the case of non-compliance.
The noble Lord, Lord Paddick, asked about what happens if you get more evidence than you asked for. The data received will be subject to the usual data protection laws and existing laws on data handling and retention. Law enforcement will be provided with guidance on how to handle data when using an overseas production order. I think he also asked about what happens if you need multiple different requests.
Lord Paddick
The question was: if you identify further offences from the information that you have requested, would you then need to go back to a judge to enable that evidence to be used?
Baroness Williams of Trafford
My view would be that, yes, you would because it would be a new request, but I will confirm that in writing. I would not wish to give the noble Lord misinformation at the Dispatch Box.
The noble Lord, Lord Rosser, asked how the US or other countries will be able to get information from the UK. The proposed agreement will be reciprocal and we would expect any country with which we have an international co-operation arrangement also to benefit from this more streamlined process for data and evidence gathering. The condition for any international arrangement or future arrangement is that each country recognises the other’s rule of law—that is an important concept for the Bill—due process and judicial oversight for obtaining and dealing with information and evidence with regard to serious crime. Each agreement will be specific in scope in respect of the circumstances in which it can be used. Section 52 of the IP Act 2016 will be used to designate international agreements, and that will be the basis for another country to request information from UK service providers. The Secretary of State has the power to impose additional conditions when designating an agreement under that section.
The noble Lord, Lord Rosser, asked what would happen if the other country had a lower threshold for what is regarded as reasonable belief. What do we do if this arrangement is all about the mutual recognition of legal systems? The UK would not agree to any arrangement where the threshold for obtaining data did not provide similarly protective standards to those in the UK. The agreements will recognise a shared acceptance of the laws in another country with which we are entering into an agreement. It will recognise the other’s rule of law, due process and judicial oversight for obtaining and dealing with information and evidence with regard to serious crime.
Under any proposed agreement the UK would require the other country to set out the powers it intended to use in pursuance of requests made under the agreement. The UK would also ask the other country to commit that it would not rely on another power unless agreed by both parties. In addition, it would specify the evidential standard required before requests were made and ensure that the UK was satisfied with those standards before designating an agreement for incoming requests.
The noble Lord asked which countries we are negotiating agreements with. We expect the first relevant international arrangement to be with the US, unlocking the potential for streamlined access by UK law enforcement, but any future international arrangements would, like the agreement with the US that we have been discussing, be based on the recognition that robust protections for privacy are present in each country. Of course, not every country would meet those high standards, and any agreement that we reached with another jurisdiction would be subject to parliamentary scrutiny in the usual way. As discussed, that usually involves laying the agreement in Parliament for 21 sitting days without either House having resolved that it should not be ratified.
The noble Lord asked what powers exist to nullify incoming requests. The Bill is about requests from the UK rather than to the UK, but UK-based providers will not be compelled to comply with overseas orders and, if they do, must comply with data protection law. The agreement itself will be subject to the usual scrutiny by Parliament, as I have said.
The noble Lord also asked about the timescales for production orders versus MLA. Under an overseas production order, the standard time for compliance is seven days. However, the judge may shorten or extend this time depending on the circumstances of the case. Therefore we expect this to be a much quicker process compared with MLA, which can take up to 10 months unless there is a particular urgency. The noble Lord asked how many we were anticipating. We anticipate approximately 40 to 50 outgoing requests for electronic data. I will write on the other point regarding MLA numbers. I am guessing that there are more because it has a broader scope, but I will write to the noble Lord.
I have tried to cover every point; I am not sure that I have but I will of course follow up in writing any that I have not. In the meantime, I beg to move.