The stage is set for a legal battle between multinational technology companies and US criminal law enforcement. In July 2016, the Court of Appeals for the Second Circuit agreed with Microsoft that a search warrant did not authorise the Department of Justice (“DOJ”) to seize emails stored on servers outside the US. In October 2017, the Supreme Court granted the DOJ’s petition to review that decision. Apple, Amazon, Google and Facebook have all issued public statements in support of Microsoft.
Microsoft argues that the relevant law under which the search warrant was granted (the Stored Communications Act) does not displace the presumption against extraterritoriality; that interpreting the law extraterritorially creates conflicts with the privacy laws of foreign states where the data is stored; and that the DOJ should apply for mutual legal assistance from those foreign states instead. In addition to these questions of statutory interpretation, Microsoft argues that if the US Government can unilaterally use a warrant to seize emails outside the US, other Governments – including those of authoritarian regimes – will be empowered unilaterally to seize emails inside the US. This argument has added piquancy given the ongoing FBI investigations into state-sponsored email hacking during the last US election.
The case is listed for argument in the Supreme Court in February 2018. The Court’s findings are likely to have profound implications for the conduct of cross-border criminal investigations – and for how multinational technology companies store and maintain electronic data.
How would the same case be decided under English law? This article considers whether search warrants available to UK law enforcement operate extraterritorially in respect of data stored in a virtual location outside the UK.
The accessibility of electronic data
Search warrants available to the police have their statutory basis in s8 and para 13 of Schedule 1 to the Police and Criminal Evidence Act 1984 (“PACE”). Other law enforcement agencies can be granted search warrants specific to their investigations. For example, the SFO under s2(4) Criminal Justice Act 1987; the FCA under s176 Financial Services and Markets Act 2000; the NCA and HMRC under s66 Serious Organised Crime and Police Act 2005; and the CMA under s194 Enterprise Act 2002.
All of these powers must be construed in accordance with s20 PACE, which provides that:
“[…] a constable who has entered premises in the exercise of a power conferred by an enactment shall be construed as including a power to require any information stored in any electronic form and accessible from the premises to be produced in a form in which it can be taken away […]”
Thus if electronic data is “accessible” from the premises being searched, it can lawfully be seized. But this merely begs the question: what does “accessible” mean? Perhaps surprisingly, there is no case law on the subject. The leading textbook on search warrants states that:
“The electronic files need not be stored on a device in the premises entered, but must simply be accessible from them. With the growth in electronic communication systems, this might mean that the file is actually located on a server situated on the other side of the world.”
In positing the theory that s20 PACE might operate extraterritorially, the authors are right to be cautious. English criminal jurisdiction is territorial. Reflecting this is a principle of statutory construction that, in the absence of clear words to the contrary, conduct occurring overseas is incapable of being tried as an offence by an English court. This presumption against extraterritoriality also applies to court orders made in English criminal proceedings.
Is the word “accessible” in s20 PACE sufficiently clear so as to displace the presumption against extraterritoriality, such that the occupier of the premises is obliged to access electronic data stored overseas if that data is described in the search warrant?
Common sense might dictate that the geographic location of the data makes no difference; the data is likely to be accessible with equal ease, whether it is stored in the UK or overseas. It could also be suggested that it is impractical to require law enforcement officers to determine where the data is stored before requiring access to it (and many occupiers may simply be unaware where the data is stored).
Set against these arguments, there is no evidence that Parliament intended s20 PACE to operate extraterritorially. In none of the debates preceding either the introduction of s20 PACE (in 1984) or the only occasion on which s20 PACE has been amended (in 2003) was it asserted that the purpose of the word “accessible” was to empower law enforcement to seize data stored overseas. The debates focused on ensuring that data could be seized from a place in the UK other than the premises being searched. Had Parliament intended s20 PACE to operate extraterritorially, it could have drafted language which made its ambit explicit. For example, restraint orders, which are acknowledged to create a worldwide in personam jurisdiction, apply to “any realisable property […] wherever situated”. The same clear language is absent from s20 PACE.
Ultimately, the ambiguity of the word “accessible” and the absence of any case law make it impossible to reach a definitive view on the extraterritorial effect of search warrants. A company that wishes to cooperate fully with an investigation may regard this legal debate as wholly academic. But other companies, during the heat of a search, may simply be unaware that there is a debate to be had. It is certainly an area ripe for challenge by an intrepid company.
Even if one assumes that search warrants operate extraterritorially, are there degrees of accessibility? When does data become inaccessible? Again, there is no case law on the subject. Absent judicial guidance, it is submitted that resolving whether electronic data is “accessible from the premises” is a question of fact. Data is likely to be deemed “accessible” if the occupier of the premises can, of his own volition, retrieve it via an electronic device. That is, if the data can be retrieved at the push of a button, it is accessible, even if the server or cloud on which the data is stored is outside the UK. Likewise, if the data is encrypted, so that the occupier of the premises needs to enter a password in order to retrieve the data, it is still accessible. The process of accessing the data takes place entirely domestically.
But what if the process of accessing the data requires the consent of persons located outside the UK? In this scenario, the occupier of the premises is unable ultimately to control whether the data can be retrieved; s20 PACE does not explicitly compel a person situated overseas to assist in rendering the data accessible in the premises being searched. A line has been crossed because the process of accessing the data does not take place entirely domestically. Accordingly, it is submitted that the data would likely be deemed inaccessible for the purposes of s20 PACE.
There are good policy reasons for rendering certain types of foreign-stored data inaccessible. For example, producing certain data in the UK may create criminal liability in the foreign state under banking secrecy, data protection or other laws. Moreover, it is difficult to see how – as a matter of practice – a person situated overseas could be compelled to assist in the execution of a domestic search warrant absent a request for mutual legal assistance. But in fact, that is precisely what other areas of English criminal law have sought to do.
Interception warrants and communications data
Over the past two decades, Parliament has legislated for a succession of statutes – the Regulation of Investigatory Powers Act 2000 (“RIPA”), the Data Retention and Investigatory Powers Act 2014 (“DRIPA”) and the Investigatory Powers Act 2016 (“IPA”) – all of which are stated to apply extraterritorially in respect of overseas data, and which purportedly compel people outside the UK to assist in the retrieval of overseas data.
ss11, 12 and 22 RIPA impose controls on the circumstances in which UK law enforcement can intercept communications (such as emails, voicemails or social media messages) or obtain communications data (such as data on service users, electronic devices and communications locations). The Government’s position during Parliamentary debates was that each of these sections of RIPA had extraterritorial effect. In 2014 the Government amended ss11, 12 and 22 RIPA through s4 DRIPA so as to spell out their extraterritorial effect in explicit terms.
s4 DRIPA did this in three ways. First, the amended s11 RIPA specified that an interception warrant may be served on a person located overseas, and that a person providing telecommunications services to customers within the United Kingdom, but who is located overseas, has a duty to provide assistance when served with that warrant. Secondly, the amended s12 RIPA specified that where a notice is served under that section, the person on whom it is served must put in place the necessary infrastructure to give effect to an interception warrant, regardless of whether that person is situated in the UK. Thirdly, a notice under the amended s22 RIPA for the provision of communications data may be served on a person outside the UK (albeit the law in the country where the person is located must be taken into account when determining whether it is reasonably practicable for that person to give effect to the notice).
In December 2016, all of these amendments were repealed through a sunset clause, found in s8 DRIPA, which anticipated the repeal of RIPA and the coming into force of replacement provisions under IPA, all of which were also stated to apply extraterritorially. At the time of writing, however, these provisions of IPA have not been brought into force. The result is a legal limbo: ss11, 12 and 22 RIPA remain in force, but without the amendments made by s4 DRIPA, and with no date appointed for the coming into force of the replacement IPA provisions.
This limbo arguably reflects the legal uncertainty of the provisions themselves. The unilateral assertion of extraterritoriality (under RIPA or IPA) would in some circumstances be met by foreign blocking statutes. Moreover, it remains wholly unclear how the provisions could be enforced in practice. If the targets of interception warrants and requests for communications data are technology companies, then as the DOJ/Microsoft case shows, they would likely refuse to comply in all but the most serious cases, citing a libertarian ethos which foregrounds privacy rights at the expense of orders made by foreign investigators.
But the practical solution proposed by Microsoft – that mutual legal assistance should be used instead of asserting extraterritoriality – has inherent problems. Principally this is because mutual legal assistance is often too slow to meet the needs of certain criminal investigations, particularly investigations into dynamic conspiracies such as terrorist plots involving the imminent risk of death or serious injury.
In drafting legislation regulating access to foreign-stored data, the challenge is to achieve legal certainty and enforceability without compromising the effectiveness of an investigation into serious cross-border crime. Rather than asserting extraterritoriality through statutes which purportedly compel overseas persons to comply with a domestic order, thereby bypassing mutual legal assistance, the more desirable solution is to improve mutual legal assistance so as to secure faster and better access to foreign-stored data. An improved system of mutual legal assistance would be legally enforceable, avoid extraterritoriality concerns and reduce the risk of the data being held to be inadmissible in a criminal trial.
Such improvements are already afoot. Within the EU, the European Investigation Order (“EIO”) is a judicial order made by a recognised judicial authority (including prosecutors) within one Member State for the execution of one or more investigative measures in another Member State – including requests for electronic and communications data. Because the EIO is an EU instrument based upon the principle of mutual recognition, there is a strong and explicitly stated expectation that EIOs will be recognised and given effect to by receiving Member States. The grounds for challenging EIOs are therefore deliberately limited, and more limited than the grounds on which conventional mutual legal assistance can be challenged. The EIO has been in force since May 2017.
Measures such as the EIO strike the right balance between the competing demands of the cross-border digital age and the territorial nature of English criminal jurisdiction. It is a better solution than both the older generation of statutes (such as s20 PACE, which was not drafted with overseas data in mind) and the new generation of statutes (such as RIPA and IPA, which are much clearer in their assertions of extraterritoriality, but which are likely to be legally unenforceable). Whether the Government amends s20 PACE to bring it into line with these newer statutes, and whether IPA is ultimately brought into force, will depend in part on how foreign agencies regard the extraterritorial ambit of their own search warrants – and how the US Supreme Court resolves the forthcoming battle between Microsoft and the DOJ.