Non-UK company with non-UK data: Serious Fraud Office’s information powers can still bite

Not holding any data in the UK? Not incorporated in the UK? Not even doing any business in the UK? 

You may still be within immediate reach of the UK SFO’s information powers and, the London High Court finds, this shouldn’t ‘raise an eyebrow’.

The High Court ruled yesterday inR (KBR Inc.) v The SFO that the scope of the SFO’s power to compel the production of data extends to:

• data of a UK company held abroad; and
• data of a non-UK company held abroad, provided there is a ‘sufficient connection’ between that company and the UK.

The background to this decision was summarised in our recent blog post. The Court’s findings are of interest to any potential recipient of an SFO notice to produce information and/or documents - whether as suspect or witness.

Why does data held abroad by a UK company fall within the scope of the SFO’s information powers? Well, because it must…

The Court’s starting point in answering this question was that the SFO’s information powers ‘must have an element of extraterritorial application’. It would otherwise be all too easy for UK individuals and companies, including those ‘intent on frustrating corporate or criminal investigations’, to place their data beyond the reach of the SFO by storing that data on overseas servers.

Extraterritorial application confirmed, but how far can this stretch in respect of non-UK companies? 

Once the Court had concluded that the SFO’s information powers reach beyond the UK, the remaining question was the extent of this reach in the context of non-UK companies. Mindful of public interest factors, the Court identified a need to strike a balance between ‘facilitating the SFO’s investigation of serious fraud’ and making sure that the SFO’s powers are not exercised oppressively or unreasonably in respect of non-UK foreign companies. The Court said the appropriate touchstone was whether compelling non-UK companies to produce data to the SFO would mean that ‘eyebrows might be raised’.

Its solution was to find that the SFO's information powers only bite on foreign companies ‘with a sufficient connection’ to the UK. This test is ‘necessarily fact-specific’, and the Court refused to confine itself to a fixed list of relevant factors. It did indicate (by reference to case law dealing with questions of extraterritoriality) that a sufficient connection might be shown where:

• a non-UK company carries on business in the UK; and/or
• where (as was the case on the facts at hand) there is evidence that a non-UK company was actively involved in the matters being investigated by the SFO, including where the company had a UK-based employee at the time of the matters being investigated.

Merely being parent of a UK company, or having already voluntarily assisted the SFO with its investigation, would not in itself, constitute a sufficient connection with the UK.

Doesn’t the non-UK company need to have some form of presence in the UK to receive an information notice? Yes, but a single (business-)trip can suffice.

As well as being required to establish a sufficient connection to the UK, the SFO must also give notice in the UK to a company before ordering it to produce information and/or documents. On the facts at hand, the SFO had presented the notice to the non-UK company’s General Counsel at a meeting in London. The SFO had specifically requested that the General Counsel (or an alternative officer of the company) attend this meeting.

While commenting that this approach had ‘unappealing features…which might impact on the willingness of others to attend such meetings’, the Court found this put beyond doubt that the General Counsel had been present in the UK as a representative of her employer.

Should the SFO instead avail of Mutual Legal Assistance Treaties (MLAT) when seeking data from non-UK companies? That is a decision for the SFO. 

The Court ruled that the MLAT route, whereby the SFO makes a request for information and/or documents through non-UK authorities, provides an additional option to the SFO when seeking data from outside the UK. However, this option does not preclude the SFO from directly exercising its information powers where those powers, as interpreted yesterday by the High Court, allow it to do so.

SFO notices requiring the production of data held overseas can be problematic for recipients. For example, financial institutions often have to grapple with legal requirements in the country where the data is held, restricting its export or otherwise limiting disclosure (for example data privacy or banking secrecy laws). The Court noted that the use of MLAT powers may be a more appropriate route where compliance with a notice might give rise to ‘complexity, difficulty or conflict of duties’ under the law of the country where the data is held. However these arguments did not arise on the facts at hand.

This is the latest in a series of unsuccessful challenges against decisions of the SFO and prospective judicial review claimants should take heed of the Court’s sensitivity in this case to the public interest in the SFO’s mission.