This new law will undoubtedly be heralded as a necessary power to law enforcement in the fight against serious crime and terrorism in this digital age.
Yet this new law has seemingly as drifted onto the statue books without much commentary. This is probably due to our preoccupation with the 'B'* word that we can't seem to get off our lips. But now Overseas Production Orders [OPO's] are here, is it too late for them to be an issue of concern?
In short OPO's provide a legal mechanism for law enforcement agencies to make an application ex parte to the Crown Court for an Order to approach foreign companies to obtain data about UK citizens for use in criminal investigations and proceedings.
Since the 2015 WikiLeaks and Ed Snowden scandal, we have been aware of authorities gaining access to our data without our knowledge through the process of covertly gathering this data. Now OPO's provide the legitimacy of gathering data from companies such as Google, Facebook and Twitter and unlike before, this obtained data is now admissible in court which has not previously been the case.
The previous admissible mechanism for law enforcement authorities to gather internationally held data for use in legal proceedings was a cumbersome exercise. It involved submitting data requests to companies like Google and having to file a request to authorities in California, which then had to be sanctioned in both the UK and the USA. The previous regime took on average of 12 months. Now OPO's could reduce this process down to just weeks, or even days.
On hearing an application from say a Police or NCA Officer, a Crown Court judge must be satisfied that the data is likely to be of substantial value to the criminal proceedings or the investigation in relation to which it is requested, and that production of the data would be in the public interest.
In order to be able to serve the OPO from the UK on a company in another jurisdiction, it is likely there will have to be a reciprocal agreement in place and in keeping the same example as above, this means that law enforcement agencies in the US are also going to be able to access UK data. This seems to have avoided media or public scrutiny in the passing of this new law.
In addition, OPO's can be backed up with a non-disclosure agreement [NDA] so a data subject may not know for the life of the NDA that their data has been obtained.
When companies are asked to comply with an OPO, trust will now be placed in their hands to recognise what material remains protected and not appropriate to hand over. This includes information such as medical data or material that is covered by Legal Professional Privilege. In order to reduce the complexity and burden of this exercise, providers such as Google or Facebook are likely to just hand over all the material they hold on the requesting agency so that they are seen to be complying with the OPO.
It will then be left to the already under resourced law enforcement agencies and lawyers to sift through the material and the mass of information which has been obtained. This will almost certainly lead to further problematic issues relating to disclosure of electronic material in criminal proceedings.
*Brexit, for anyone who is unsure!