6 Jurisdictional issues
Requests addressed to overseas CSPs
230. Legislation passed by the United Kingdom
Parliament does not have direct effect outside the jurisdiction.
This raises particular issues where, as here, the legislation
relates to communications with a global reach. Many CSPs, whether
based in the United Kingdom or overseas, operate within and outside
the jurisdiction.
231. The terms in which RIPA is drafted appear
to impose no limits on the telecommunications operators which
may be required to disclose communications data, as long as they
operate in the United Kingdom it does not matter where they may
be based. The reality is rather different. If the CSP is based
outside the jurisdiction only two courses are available to UK
authorities requesting the data. The first is to rely on the goodwill
of the CSP, bolstered by the fact that because they are doing
business in the United Kingdom they have an incentive to cooperate.
The second is to rely on Mutual Legal Assistance Treaties, the
avenue by which the judicial authorities of one State can request
the assistance of those in another State. We look at this more
fully later in this chapter.
232. The goodwill is not lacking, as was demonstrated
by the evidence we received from a number of overseas operators,
including Hotmail, Yahoo!, Facebook and Twitter. All offer services
to customers in the United Kingdom through overseas operations.
A number of them referred to their existing relationship with
the UK law enforcement authorities and the Home Office and to
the way in which they presently deal with RIPA requests. Stephen
Collins, head of EU Policy at Microsoft, representing Hotmail,
referred to the "extremely cooperative professional relationship"
which presently exists between Hotmail and UK law enforcement
agencies. He explained that in dealing with RIPA requests, Hotmail
relies "a lot on so-called voluntary compliance with RIPA
as it stands at the moment, in accordance with US, Irish and Luxembourg
law".[150]
Sarah Hunter, head of UK Public Policy at Google, explained that
Google presently has a number of ways to enable law enforcement
agencies to access data, including a 24 hour emergency procedure
where there is an immediate risk to life. Google (like Microsoft)
voluntarily complies with RIPA where possible[151]
and encourages use of MLAT procedures in other instances.[152]
Colin Crowell, head of Global Public Policy at Twitter, stated
that Twitter's policy is, once law enforcement agencies inform
Twitter that they are seeking evidence, to preserve it until the
agencies go through the legal process to obtain it.[153]
Simon Milner explained that Facebook has a Dublin based team handling
standard requests from the United Kingdom authorities with a dedicated
team in California handling emergency requests, and that United
Kingdom law enforcement agencies have apparently indicated to
Facebook that they are very happy with the relationship and turnaround
times.[154]
233. These comments are indicative of a generally
cooperative working relationship between overseas CSPs and United
Kingdom law enforcement agencies, with CSPs trying to respond
to RIPA requests while not recognising them as imposing legally
enforceable obligations on them. But we stress that cooperation
has to come from both sides. The relationship was well summed
up by Stephen Collins:
"We are operating in good faith with the UK
authorities, but we have no obligation to do so. We are doing
this because we think it is the right thing to do. If that good
faith is abused, we would have to think much more carefully about
that co-operation." [155]
234. Nevertheless there are problems. Overseas
CSPs will not always disclose communications data even when UK
law enforcement judge it to be important. On our visit to the
Metropolitan Police we were told of a case of serious online harassment
which could not be pursued because the overseas provider who held
the necessary data would not release it. The Met told us that
there is an increasing problem of harassment on social media which
they cannot properly investigate.[156]
Another problem is that operators based outside the European Union
have no obligation to retain data, nor will they normally do so
if they have no business purpose for it. Overseas CSPs are not
always prepared to disclose any communications data which they
hold. Charles Farr emphasised that there is a dialogue with overseas
CSPs and co-operative and collaborative relationships[157]
and a "consistent theme of discussion, coordination and cooperation",[158]
which leads to the provision of considerable amounts of communications
data, up to 75% of what is requested.[159]
However, he also explained that there are CSPs based in hostile
States which have no interest in creating a co-operative working
relationship.[160]
In these circumstances data is difficult to obtain.
235. Two elements of the draft Bill are designed
to address these problems. First, it would enable the Home Secretary
to request a communications provider to retain data, even when
the provider has no business reason to do so and where it may
be offering services in the United Kingdom from overseas.[161]
Secondly, it would enable the Home Secretary to require United
Kingdom CSPs to access and retain third party data crossing their
networks with a view to communications data being accessible where
an overseas CSP does not comply with any notice served on it to
retain or disclose data. The third party data provisions are addressed
in Chapter 4.
236. We asked Home Office officials how they
envisaged the draft Bill would impact on CSPs based overseas.
Charles Farr explained:
"...the obligations do apply to overseas providers
and in the event, which I regard as unlikely, that cooperation
was not possible, an enforcement route would be open to Ministers,
if they chose to exercise it, through civil action. This would
apply as much to overseas providers as to domestic providers.
I emphasise that is not the purpose of this legislation. The purpose
is to facilitate a collaborative, cooperative relationship,
building on the relationships that we have already."
[162]
237. Mr Farr also referred to the need for a
mandate to require the retention of data not needed for business
purposes, and a corresponding power to pay CSPs (including those
overseas) for the extra costs incurred.[163]
In relation to the collection of third party data from United
Kingdom based networks, Mr Farr said that he would not want to
"go down the route of collecting third party data from a
network here without the collaboration of the service provider,"
and that he had described it to United Kingdom CSPs as an "in
extremis power". He went on to explain:
"I would draw a distinction between our dealings
with major UK CSPs and our dealings with smaller niche companies
from potentially hostile States. I can imagine that any government
may wish to have in its back pocket a power to draw data off a
UK network, where a CSP in a hostile State is unwilling to provide
it and is not even interested in establishing a cooperative relationship.
I think that it is in that sort of context that we envisage using
DPI probes, and certainly not, if we can possibly avoid it, in
the context of the major CSPs." [164]
238. We referred in paragraph 231 to the cooperative
attitude of the overseas operators who gave evidence to us. Some
of them did have concerns about the developments proposed in the
draft Bill. For Hotmail, Stephen Collins found it "perplexing"
to be faced with a Bill with "such broad ramifications"
and not to be told by any of the agencies with which Hotmail works
that there is a problem, and what that problem is.[165]
There is a risk that if they are not treated openly and
frankly, that cooperation may be jeopardised.
239. All the overseas CSPs which gave evidence
to us had major concerns about the jurisdictional issues, and
in particular about overlapping jurisdiction. Stephen Collins
from Hotmail said that the Home Office had not explained how it
would address the possibility of obligations in the draft Bill
putting Microsoft in a position of legal conflict with its home
state laws in the USA, Ireland and Luxembourg.[166]
Emma Ashcroft from Yahoo! was concerned that extending jurisdiction
would set a "global precedent" with the United Kingdom
being the first State to adopt provisions of this type.[167]
She believed that other States would follow, using legislation
to limit free expression and infringe privacy rights. She felt
that the draft Bill "would create a bewilderingly complex
patchwork of overlapping and potentially conflicting laws, and
put companies like ours in a very difficult position where we
have to make difficult decisions about how to be consistent in
our approach to law enforcement and protecting our users."
[168]
240. Colin Crowell from Twitter said that there
were questions about the assertion of authority over a company
subject to US laws,[169]
and referred to the "conundrum" of how to deal with
use data that might be related to non-UK citizens and that might
be part of a communication with a United Kingdom citizen.[170]
Simon Milner told us that Facebook would "strongly oppose"
a measure requiring it to violate the law of another State. It
would want the Government to frame any notice so as to require
the retention of data only in respect of United Kingdom users,
since otherwise Facebook might be violating the law in the USA
or in EU Member States. Facebook would therefore store data only
in respect of United Kingdom users, and might resort to the courts
in the event of measures requiring the retention of data relating
to other users. But this was not a step Facebook would want to
take.[171]
241. We believe that these are significant and
valid concerns, and that the Government have not fully considered
the jurisdictional issues raised by their proposals or discussed
them in detail with the overseas CSPs. It would be wrong to use
a United Kingdom statute to seek to impose on the CSPs requirements
which conflict with the laws of the countries where they are based,
and if this was to happen it would risk jeopardising the good
relations which currently exist and on which much depends.
242. We have heard from the
Home Office and some of the overseas CSPs that relations between
them are generally good, and that data is routinely provided on
request without the need for legislation. The Bill should not
jeopardise these good relations.
243. The Government has no
legal authority to ask overseas providers to generate or retain
information for which they have no business purpose. If, following
proper consultation with overseas providers, it is thought necessary
to have a legal basis for the Government to require overseas providers
to retain more data, and a legal basis to allow the Government
to help with the costs of doing so, it may be sensible to retain
the extra-territorial provisions of the legislation, even if they
are of doubtful effectiveness. But this should not be done unless
consultation demonstrates that it will not jeopardise cooperation
with overseas CSPs.
Mutual Legal Assistance Treaties (MLAT)
244. Where they are unable to access data in
any other way, United Kingdom law enforcement authorities can
use the arrangements for international mutual legal assistance
which allow the judicial and prosecuting authorities of one State
to seek from the authorities of another State help in the prevention,
detection and prosecution of crime. The procedure is governed
by the Crime (International Co-operation) Act 2003. If it appears
to a court on an application made by, for example, the Crown Prosecution
Service that an offence has been or may be committed, or is being
investigated, the court may request assistance from another State
which will then pass the request to its own prosecution or law
enforcement authorities.
245. The procedure is governed by bilateral mutual
legal assistance treaties (MLAT). The United Kingdom has MLATs
with most other states with which it has good relations. The invariable
pattern of these agreements is for each State party to designate
a central authority through which all incoming and outgoing requests
are channelled. In the United Kingdom the Home Office is the central
authority through which requests for communications data held
overseas will be sent to the central authority of the State where
the communications data is held. That authority will seek the
requested information through its own procedures and forward it
back to the central authority of the requesting State which will
transmit it back to the original requesting authority.
246. There are a number of problems:
- the time involved;
- the fact that the request must be seen to have
been initiated by a prosecuting authority such as the CPS, rather
than the police;
- the premature involvement of the CPS (who have
limited resources) in an investigation or operation that is at
a formative stage;
- the detail and amount of information required
to satisfy the standards of the various treaties (for example
full summary of evidence, witness statements, transcripts of interviews
etc).
247. A number of our witnesses criticised the
system. Charles Farr explained:
"MLATs have not been designed, either by us
or by the Department of Justice, to facilitate ongoing investigations
on a day to day basis. They never have been, and it would be very
difficult to turn them into that. ... Neither we nor the Department
of Justice can easily see how an MLAT can be transformed into
an almost real-time tool for the exchange of data."
[172]
248. In the case of child exploitation time is
often crucial, and Peter Davies, the Chief Executive of CEOP,
was also critical:
"I think it works slowly. It certainly does
not work in operational fast time. It works with those countries
with which we have a mutual legal assistance treaty, but not with
those with which we do not, and my centre is quite often in the
position of having to ask for help in the absence of any such
treaty. Generally, we do quite well at getting it, but it is pretty
random. I would not see the MLAT process as an alternative to
the legislation as proposed." [173]
249. Just as there is nothing to stop the authorities
requesting data from CSPs, so there is, as Mr Davies said, nothing
to stop them seeking help informally from authorities in other
countries, whether or not the United Kingdom has MLATs with them.
United Kingdom police forces often seek information in this way
from colleagues in other countries with which they have good relations.
But the MLAT system has the advantage that the legality of obtaining
the information, and its admissibility in evidence, is not in
doubt since it is based on an agreement with the State from which
the information is sought.
250. Not surprisingly, a number of overseas CSPs
supported the MLAT system as a means of resolving jurisdictional
issues. For Yahoo! Emma Ashcroft explained:
"The mutual legal assistance treaty recognises
that jurisdiction has limits. Regardless of what is written in
this Bill, the UK jurisdiction has limits somewhere, and the mutual
legal assistance treaty structure is designed specifically to
address that issue. UK law enforcement uses that framework frequently,
and there may be room to improve it, but for us it is a framework
that gives us legal clarity and gives some order to this very
complex international legal framework under which we have to operate."[174]
251. Sarah Hunter agreed, and said that where
Google cannot voluntarily comply with a RIPA request it encourages
use of MLAT. But she and Stephen Collins from Microsoft both suggested
that the system should be speeded up, and that the Government
had a part to play.[175]
252. We understand that the slowness of the system
can be particularly frustrating when data is required at the investigatory
stage. To some extent the remedy is in the hands of the Government.
The Home Office is the United Kingdom central authority; it could
speed up internal United Kingdom procedures, and attempt to influence
foreign States to do the same. The MLAT system will never be as
fast as direct approaches to overseas CSPs but, as our witnesses
emphasised, it has the advantage of legal certainty.
253. It does not require
legislation for the United Kingdom, when it is the requesting
State, to minimise the bureaucratic delays in this country in
the operation of the MLAT process, and to prioritise its own requests.
This is something the Home Office, as the United Kingdom central
authority, should address forthwith. Given that many of the overseas
CSPs are based in the United States, the Government should take
advantage of the special relationship with the United States to
ensure that bilateral arrangements with them are expedited.
150 Q 557
151 Q 568
152 Q 558
153 Q 656
154 Q 627
155 Q 594
156 See appendix 4
157 Q 48
158 Q 930
159 Ibid.
160 Ibid.
161 "Overseas" in this context means from outside the EU; CSPs in the EU already have an obligation to retain data under the various laws of the Member States implementing the Data Retention Directive.
162 Q 48
163 Q 926
164 Q 930
165 Q 557
166 Q 550
167 Q 554
168 Q 582
169 Q 610
170 Q 617
171 Ibid.
172 Q 931
173 Q 1077
174 Q 556
175 QQ 558, 563