Draft Communications Data Bill - Draft Communications Data Bill Joint Committee Contents

6  Jurisdictional issues

Requests addressed to overseas CSPs

230.  Legislation passed by the United Kingdom Parliament does not have direct effect outside the jurisdiction. This raises particular issues where, as here, the legislation relates to communications with a global reach. Many CSPs, whether based in the United Kingdom or overseas, operate within and outside the jurisdiction.

231.  The terms in which RIPA is drafted appear to impose no limits on the telecommunications operators which may be required to disclose communications data, as long as they operate in the United Kingdom is does not matter where they may be based. The reality is rather different. If the CSP is based outside the jurisdiction only two courses are available to UK authorities requesting the data. The first is to rely on the goodwill of the CSP, bolstered by the fact that because they are doing business in the United Kingdom they have an incentive to cooperate. The second is to rely on Mutual Legal Assistance Treaties, the avenue by which the judicial authorities of one State can request the assistance of those in another State. We look at this more fully at later in this chapter.

232.  The goodwill is not lacking, as was demonstrated by the evidence we received from a number of overseas operators, including Hotmail, Yahoo!, Facebook and Twitter. All offer services to customers in the United Kingdom through overseas operations. A number of them referred to their existing relationship with the UK law enforcement authorities and the Home Office and to the way in which they presently deal with RIPA requests. Stephen Collins, head of EU Policy, Microsoft when representing Hotmail, referred to the "extremely cooperative professional relationship" which presently exists between Hotmail and UK law enforcement agencies. He explained that in dealing with RIPA requests, Hotmail relies "a lot on so-called voluntary compliance with RIPA as it stands at the moment, in accordance with US, Irish and Luxembourg law".[150] Sarah Hunter, head of UK Public Policy at Google, explained that Google presently has a number of ways to enable law enforcement agencies to access data, including a 24 hour emergency procedure where there is an immediate risk to life. Google (like Microsoft) voluntarily complies with RIPA where possible[151] and encourages use of MLAT procedures in other instances.[152] Colin Crowell, head of Global Public Policy at Twitter, stated that Twitter's policy is, once law enforcement agencies inform Twitter that they are seeking evidence, to preserve it until the agencies go through the legal process to obtain it.[153] Simon Milner explained that Facebook has a Dublin based team handling standard requests from the United Kingdom authorities with a dedicated team in California handling emergency requests, and that United Kingdom law enforcement agencies have apparently indicated to Facebook that they are very happy with the relationship and turnaround times.[154]

233.  These comments are indicative of a generally cooperative working relationship between overseas CSPs and United Kingdom law enforcement agencies, with CSPs trying to respond to RIPA requests while not recognising them as imposing legally enforceable obligations on them. But we stress that cooperation has to come from both sides. The relationship was well summed up by Stephen Collins:

"We are operating in good faith with the UK authorities, but we have no obligation to do so. We are doing this because we think it is the right thing to do. If that good faith is abused, we would have to think much more carefully about that co-operation." [155]

234.  Nevertheless there are problems. Overseas CSPs will not always disclose communications data even when UK law enforcement judge it to be important. On our visit to the Metropolitan Police we were told of a case of serious online harassment which could not be pursued because the overseas provider who held the necessary data would not release it. The Met told us that there is an increasing problem of harassment on social media which they cannot properly investigate.[156] Another problem is that operators based outside the European Union have no obligation to retain data, nor will they normally do so if they have no business purpose for it. Overseas CSPs are not always prepared to disclose any communications data which they hold. Charles Farr emphasised that there is a dialogue with overseas CSPs and co-operative and collaborative relationships[157] and a "consistent theme of discussion, coordination and cooperation",[158] which leads to the provision of considerable amounts of communications data—up to 75% of what is requested.[159] However, he also explained that there are CSPs based in hostile States which have no interest in creating a co-operative working relationship.[160] In these circumstances data is difficult to obtain.

235.  Two elements of the draft Bill are designed to address these problems. First, it would enable the Home Secretary to request a communications provider to retain data, even when the provider has no business reason to do so and where it may be offering services in the United Kingdom from overseas.[161] Secondly, it would enable the Home Secretary to require United Kingdom CSPs to access and retain third party data crossing their networks with a view to communications data being accessible where an overseas CSP does not comply with any notice served on it to retain or disclose data. The third party data provisions are addressed in Chapter 4.

236.  We asked Home Office officials how they envisaged the draft Bill would impact on CSPs based overseas. Charles Farr explained:

"...the obligations do apply to overseas providers and in the event, which I regard as unlikely, that co­operation was not possible, an enforcement route would be open to Ministers, if they chose to exercise it, through civil action. This would apply as much to overseas providers as to domestic providers. I emphasise that is not the purpose of this legislation. The purpose is to facilitate a collaborative, co­operative relationship, building on the relationships that we have already." [162]

237.  Mr Farr also referred to the need for a mandate to require the retention of data not needed for business purposes, and a corresponding power to pay CSPs (including those overseas) for the extra costs incurred.[163] In relation to the collection of third party data from United Kingdom based networks, Mr Farr said that he would not want to "go down the route of collecting third party data from a network here without the collaboration of the service provider," and that he had described it to United Kingdom CSPs as an "in extremis power". He went on to explain:

"I would draw a distinction between our dealings with major UK CSPs and our dealings with smaller niche companies from potentially hostile States. I can imagine that any government may wish to have in its back pocket a power to draw data off a UK network, where a CSP in a hostile State is unwilling to provide it and is not even interested in establishing a cooperative relationship. I think that it is in that sort of context that we envisage using DPI probes, and certainly not, if we can possibly avoid it, in the context of the major CSPs." [164]

238.  We referred in paragraph 231to the cooperative attitude of the overseas operators who gave evidence to us. Some of them did have concerns about the developments proposed in the draft Bill. For Hotmail, Stephen Collins found it "perplexing" to be faced with a Bill with "such broad ramifications" and not to be told by any of the agencies with which Hotmail works that there is a problem, and what that problem is.[165] There is a risk that if they are not treated openly and frankly, that cooperation may be jeopardised.

239.  All the overseas CSPs which gave evidence to us had major concerns about the jurisdictional issues, and in particular about overlapping jurisdiction. Stephen Collins from Hotmail said that the Home Office had not explained how it would address the possibility of obligations in the draft Bill putting Microsoft in a position of legal conflict with its home state laws in the USA, Ireland and Luxembourg.[166] Emma Ashcroft from Yahoo! was concerned that extending jurisdiction would set a "global precedent" with the United Kingdom being the first State to adopt provisions of this type.[167] She believed that other States would follow, using legislation to limit free expression and infringe privacy rights. She felt that the draft Bill "would create a bewilderingly complex patchwork of overlapping and potentially conflicting laws, and put companies like ours in a very difficult position where we have to make difficult decisions about how to be consistent in our approach to law enforcement and protecting our users." [168]

240.  Colin Crowell from Twitter said that there were questions about the assertion of authority over a company subject to US laws,[169] and referred to the "conundrum" of how to deal with use data that might be related to non-UK citizens and that might be part of a communication with a United Kingdom citizen.[170] Simon Milner told us that Facebook would "strongly oppose" a measure requiring it to violate the law of another State. It would want the Government to frame any notice so as to require the retention of data only in respect of United Kingdom users, since otherwise Facebook might be violating the law in the USA or in EU Member States. Facebook would therefore store data only in respect of United Kingdom users, and might resort to the courts in the event of measures requiring the retention of data relating to other users. But this was not a step Facebook would want to take.[171]

241.  We believe that these are significant and valid concerns, and that the Government have not fully considered the jurisdictional issues raised by their proposals or discussed them in detail with the overseas CSPs. It would be wrong to use an United Kingdom statute to seek to impose on the CSPs requirements which conflict with the laws of the countries where they are based, and if this was to happen it would risk jeopardising the good relations which currently exist and on which much depends.

242.  We have heard from the Home Office and some of the overseas CSPs that relations between them are generally good, and that data is routinely provided on request without the need for legislation. The Bill should not jeopardise these good relations.

243.  The Government has no legal authority to ask overseas providers to generate or retain information for which they have no business purpose. If, following proper consultation with overseas providers, it is thought necessary to have a legal basis for the Government to require overseas providers to retain more data, and a legal basis to allow the Government to help with the costs of doing so, it may be sensible to retain the extra-territorial provisions of the legislation, even if they are of doubtful effectiveness. But this should not be done unless consultation demonstrates that it will not jeopardise cooperation with overseas CSPs.

Mutual Legal Assistance Treaties (MLAT)

244.  Where they are unable to access data in any other way, United Kingdom law enforcement authorities can use the arrangements for international mutual legal assistance which allow the judicial and prosecuting authorities of one State to seek from the authorities of another State help in the prevention, detection and prosecution of crime. The procedure is governed by the Crime (International Co-operation) Act 2003. If it appears to a court on an application made by, for example, the Crown Prosecution Service that an offence has been or may be committed, or is being investigated, the court may request assistance from another State which will then pass the request to own its prosecution or law enforcement authorities.

245.  The procedure is governed by bilateral mutual legal assistance treaties (MLAT). The United Kingdom has MLATs with most other states with which it has good relations. The invariable pattern of these agreements is for each State party to designate a central authority through which all incoming and outgoing requests are channelled. In the United Kingdom the Home Office is the central authority through which requests for communications data held overseas will be sent to the central authority of the State where the communications data is held. That authority will seek the requested information through its own procedures and forward it back to the central authority of the requesting State which will transmit it back to the original requesting authority.

246.  There are a number of problems:

  • the time involved;
  • the fact that the request must be seen to have been initiated by a prosecuting authority such as the CPS, rather than the police;
  • the premature involvement of the CPS (who have limited resources) in an investigation or operation that is at a formative stage;
  • the detail and amount of information required to satisfy the standards of the various treaties (for example full summary of evidence, witness statements, transcripts of interviews etc).

247.  A number of our witnesses criticised the system. Charles Farr explained:

"MLATs have not been designed, either by us or by the Department of Justice, to facilitate ongoing investigations on a day to day basis. They never have been, and it would be very difficult to turn them into that. ... Neither we nor the Department of Justice can easily see how an MLAT can be transformed into an almost real-time tool for the exchange of data." [172]

248.  In the case of child exploitation time is often crucial, and Peter Davies, the Chief Executive of CEOP, was also critical:

"I think it works slowly. It certainly does not work in operational fast time … It works with those countries with which we have a mutual legal assistance treaty, but not with those with which we do not, and my centre is quite often in the position of having to ask for help in the absence of any such treaty. Generally, we do quite well at getting it, but it is pretty random. I would not see the MLAT process as an alternative to the legislation as proposed." [173]

249.  Just as there is nothing to stop the authorities requesting data from CSPs, so there is, as Mr Davies said, nothing to stop them seeking help informally from authorities in other countries, whether or not the United Kingdom has MLATs with them. United Kingdom police forces often seek information in this way from colleagues in other countries with which they have good relations. But the MLAT system has the advantage that the legality of obtaining the information, and its admissibility in evidence, is not in doubt since it is based on an agreement with the State from which the information is sought.

250.  Not surprisingly, a number of overseas CSPs supported the MLAT system as a means of resolving jurisdictional issues. For Yahoo! Emma Ashcroft explained:

"The mutual legal assistance treaty recognises that jurisdiction has limits. Regardless of what is written in this Bill, the UK jurisdiction has limits somewhere, and the mutual legal assistance treaty structure is designed specifically to address that issue. UK law enforcement uses that framework frequently, and there may be room to improve it, but for us it is a framework that gives us legal clarity and gives some order to this very complex international legal framework under which we have to operate."[174]

251.  Sarah Hunter agreed, and said that where Google cannot voluntarily comply with a RIPA request it encourages use of MLAT. But she and Stephen Collins from Microsoft both suggested that the system should be speeded up, and that the Government had a part to play.[175]

252.  We understand that the slowness of the system can be particularly frustrating when data is required at the investigatory stage. To some extent the remedy is in the hands of the Government. The Home Office is the United Kingdom central authority; it could speed up internal United Kingdom procedures, and attempt to influence foreign States to do the same. The MLAT system will never be as fast as direct approaches to overseas CSPs but, as our witnesses emphasised, it has the advantage of legal certainty.

253.  It does not require legislation for the United Kingdom, when it is the requesting State, to minimise the bureaucratic delays in this country in the operation of the MLAT process, and to prioritise its own requests. This is something the Home Office, as the United Kingdom central authority, should address forthwith. Given that many of the overseas CSPs are based in the United States, the Government should take advantage of the special relationship with the United States to ensure that bilateral arrangements with them are expedited.

150   Q 557 Back

151   Q 568 Back

152   Q 558 Back

153   Q 656 Back

154   Q 627 Back

155   Q 594 Back

156   See appendix 4 Back

157   Q 48 Back

158   Q 930 Back

159   Ibid. Back

160   Ibid. Back

161   "Overseas" in this context means from outside the EU; CSPs in the EU already have an obligation to retain data under the various laws of the Member States implementing the Data Retention Directive. Back

162   Q 48 Back

163   Q 926 Back

164   Q 930 Back

165   Q 557 Back

166   Q 550 Back

167   Q 554 Back

168   Q 582 Back

169   Q 610 Back

170   Q 617 Back

171   Ibid. Back

172   Q 931 Back

173   Q 1077 Back

174   Q 556 Back

175   QQ 558, 563 Back

previous page contents next page

© Parliamentary copyright 2012
Prepared 11 December 2012