The Serious Fraud Office is facing another judicial review of its actions—this time by US engineering and construction company, KBR Inc. [i]
KBR Limited, a UK subsidiary of KBR Inc, is the subject of an on-going SFO investigation.
The issue in dispute is the SFO’s power to compel KBR Inc to produce data held in the US.
Under section 2 of the Criminal Justice Act 1987, the SFO has the power to serve a notice on any person requiring them to produce documents relevant to the subject matter of an SFO investigation. Such notices may be served on suspects or on any other third party (eg the suspect’s bank). Failure to comply, without reasonable excuse, is an offence.
The SFO often seeks to use these section 2 powers to compel the production of documents held overseas, although the territorial scope of these powers has not been determined by the Courts.
The use of section 2 notices to obtain documents held overseas can pose significant challenges to recipients. For example, financial institutions often have to grapple with legal requirements in the country where the data is held restricting its export or otherwise limiting disclosure (for example data privacy or bank secrecy laws).
In the present case, the SFO served a section 2 notice on a representative of KBR Inc whilst she was attending a meeting in the UK. The notice seeks to compel KBR Inc to provide data held on its US servers—some of which was previously held by KBR Limited but sent to KBR Inc for routine archiving before the investigation.
Noting they had not yet reached any decision, the Judges asked the parties to assume they will not accept an ‘open-ended jurisdictional scope of section 2’ that relies solely on a ‘fleeting’ presence of a representative of an overseas company in the UK. With that assumption in mind, the parties have been invited to submit post-hearing representations on the factors that would provide sufficient connection between the UK and an overseas company for the company to be caught by a section 2 notice requesting overseas data.
With this latest judicial review of the SFO’s actions pending, we may be about to get some welcome clarity on the jurisdictional scope of these powers—at least as they relate to overseas entities.
Further, without pre-judging the decision, it appears unlikely this case will assist UK companies seeking to resist section 2 notices requesting their own data held abroad. The judges gave a strong indication they believed documents held abroad belonging to KBR Limited should be brought back within the jurisdiction, if so requested by the SFO. However, the parties’ submissions did not address the question of data privacy or other laws restricting the export of data from overseas. The impact this factor would have on an English Court considering the scope of section 2 may therefore remain unclear.
The English Courts are not alone in grappling with these issues. The Court was referred to the United States v. Microsoft case, argued recently before the US Supreme Court, which addressed the question of whether US law enforcement could compel a US entity to produce data held in Ireland. That case has since been dismissed, without a judgment, in light of the fact US lawmakers, in the intervening period, passed the Clarifying Lawful Overseas Use of Data Act (known as the Cloud Act) which rendered the issue between the parties moot. You can read our blog post on the Cloud Act here.
We will continue to monitor this and report on developments on the risk blog.
[i] Judicial review proceedings allow companies or individuals to challenge the legality of a public body’s decision or actions. The SFO has faced (and won) several such challenges in recent years.