On Feb. 5, 2021, the United Kingdom (U.K.) Supreme Court issued its judgment in R (on the application of KBR, Inc) v. Director of the Serious Fraud Office, holding that the U.K. Serious Fraud Office (SFO) lacked statutory authority to compel a U.S. company to disclose overseas data under threat of criminal sanction. This judgment has obvious similarities with the so-called Microsoft Ireland decision of the U.S. Second Circuit Court of Appeals, which held that using U.S. Stored Communication Act (SCA) warrants to reach overseas data was an impermissible extraterritorial application of that legislation. Microsoft Ireland was viewed by many as hugely controversial, hindering U.S. law enforcement’s access to overseas data, leading to a Supreme Court appeal and, ultimately, legislative amendments. This new U.K. judgment promises to have an equally significant impact across the Atlantic on equivalent U.K. law enforcement powers.
SFO’s KBR Investigation
The SFO is the U.K. government agency tasked with investigating and prosecuting serious and complex fraud. In February 2017, it opened an investigation into the U.K. company Kellogg Brown and Root Ltd (KBR U.K.), a subsidiary of the U.S. company KBR, Inc. The SFO’s investigation into KBR U.K. arose from “suspected corrupt” consultancy payments, totaling over US$23 million, from KBR U.K. to a foreign business partner, the Unaoil Group.
As part of that investigation, the SFO issued a notice to KBR U.K. in April 2017 requesting various information under section 2(3) of the U.K. Criminal Justice Act 1987 (CJA 1987). Section 2(3) states in relevant part:
The [SFO] Director may by notice in writing require the person under investigation or any other person to produce … any specified documents which appear to the Director to relate to any matter relevant to the investigation or any documents of a specified class description which appear to so relate …
KBR U.K. provided some of the requested information but made clear that other information was only held, if it all, by its U.S parent company, KBR, Inc. While KBR U.K. has extensive UK operations, its ultimate U.S. parent, KBR, Inc, had no fixed place of business in the U.K. and had never carried on business there.
The SFO then requested that officers of KBR, Inc, attend a meeting in the U.K. This meeting took place in July 2017, attended by both the General Counsel and Chief Compliance Officer of KBR, Inc, who flew in from the United States specifically. During this meeting, when these officers refused to confirm that KBR, Inc, would provide the outstanding information, the SFO immediately served a fresh section 2(3) notice, this time addressed to KBR, Inc, itself rather than to KBR U.K.
2018 Divisional Court Judgment
KBR, Inc, challenged the July 2017 notice in the Divisional Court in England. Its main argument was that the new notice went beyond the proper scope of section 2(3), which KBR, Inc, claimed could not be used to compel disclosure extraterritorially from a foreign company overseas.
In April 2018, the Divisional Court rejected KBR, Inc’s challenge, upholding the July 2017 notice. Although U.K. law, like U.S. law, applies a “presumption against extraterritoriality”, the court largely dismissed the relevance of the presumption here. It held that section 2(3) “must have an element of extraterritorial application,” because it would be “scarcely credible” that a U.K. company could refuse a section 2(3) notice on the basis the requested information was held overseas. It therefore focused on “the extent rather than the existence of [section 2(3)’s] extraterritorial reach.”
The Divisional Court ruled that section 2(3) could be used to compel information from foreign companies, so long as those companies had a “sufficient connection” with the U.K. The fact that the SFO could instead have used mutual legal assistance (MLA) – the now-traditional method enabling law enforcement to obtain overseas evidence through requests to their foreign counterparts – did not matter. MLA provided a “separate and distinct” route alongside section 2(3), the court held.
The Divisional Court was “amply satisfied” that KBR, Inc, had a sufficient U.K. connection on the facts. It considered that the mere fact KBR, Inc, had a U.K. subsidiary would not suffice to establish its U.K. connection. However, a sufficient connection was apparent from the SFO’s evidence of the corrupt payments, which indicated that, from at least 2005 onwards, the consultancy payments from KBR U.K. to Unaoil were actually paid and approved by KBR, Inc, in the United States. It was therefore “impossible to distance” KBR, Inc, from KBR U.K. for the purposes of determining the parent company’s U.K. connections, the court determined.
This judgment had significant implications. It “provide[d] a significant boost to the SFO’s investigatory powers,” one author noted. Another commentator emphasized that the decision “caused much concern” generally, warning it could be seized on as a precedent by other U.K. law enforcement agencies seeking to use their powers extraterritorially. Building on this, a third suggested that the judgment “may well signal the slow demise of [MLA] in criminal investigations” as U.K. law enforcement shifted towards unilaterally using statutory information-gathering powers to obtain overseas information, in preference to the cooperative MLA process.
KBR, Inc, gained permission to appeal directly to the U.K. Supreme Court on the question of the extraterritorial scope of section 2(3), “exceptionally” bypassing the Court of Appeal through a special “leapfrog” procedure. Its appeal was heard on Oct. 13, 2020, and the court’s judgment was issued three and a half months later, on Feb. 5, 2021.
Supreme Court Judgment
The Supreme Court overturned the Divisional Court’s decision, ruling that section 2(3) of the CJA 1987 did not “confer on the SFO power to [unilaterally] compel a foreign company to produce documents held abroad, on pain of a criminal penalty in this jurisdiction.”
The “starting point,” the court explained, was the presumption in U.K. law “that legislation is generally not intended to have extra-territorial effect.” The court explained that this presumption could be overcome in two scenarios. First, a statute may make “express provision” for extraterritoriality. Alternatively, extraterritorial scope may be implied “from the scheme, context and subject matter of the legislation.”
It was undisputed that the CJA 1987 did not expressly extend section 2(3) extraterritorially. The court therefore considered whether such extraterritorial scope should be implied, focusing on the SFO’s argument that “the purpose of the legislation could not effectually be achieved without” its extraterritorial application over foreign companies. The court declined to adopt the Divisional Court’s reasoning – that the CJA 1987 “must have an element of extraterritorial application” so U.K. companies could not escape its reach by holding data abroad. It expressly left open how section 2(3) would apply in the “very different circumstances” of a U.K. company attempting to skirt enforcement by holding data abroad.
To determine the scope of section 2(3) in this case, the court instead analyzed in detail how the U.K. regulates law enforcement cross-border information requests, tracking developments all the way from the genesis of the CJA 1987 – a 1986 review of fraud trials – through to the present day. That 1986 report, far from recommending the creation of unilateral extraterritorial compulsion powers of the type the SFO now claimed, “emphasize[d] the importance of establishing reciprocal arrangements for obtaining evidence from abroad,” the court noted. And, since then, successive legislation has suggested that the U.K. Parliament’s consistent intention was that “evidence should be secured from abroad by international co-operation”, i.e. MLA, “subject to various protections and safeguards”. The court therefore concluded:
It is to my mind inherently improbable that Parliament should have refined this [MLA] machinery as it did, while intending to leave in place a parallel system for obtaining evidence from abroad which could operate on the unilateral demand of the SFO, without any recourse to the courts or authorities of the State where the evidence was located and without the protection of any of the safeguards put in place under the scheme of mutual legal assistance.
The court’s analysis of U.K. case law provided further support for this conclusion. It described its own 2012 judgment Perry v. Serious Organised Crime Agency as “strikingly similar.” Perry had declined to give extraterritorial scope to similar powers claimed by a related U.K. law enforcement agency, concluding that “[t]o confer such authority in respect of persons outside the jurisdiction would be a particularly startling breach of international law” – language KBR quoted approvingly. In contrast, the tax and insolvency cases relied on by the SFO – in which extraterritorial schemes had been implied into other statutes – were distinguishable, the court held, due to “important differences in the word, purpose and context” of their legislation.
Finally, the court rejected using the Divisional Court’s “sufficient connection” test to regulate section 2(3)’s claimed extraterritorial scope. That test “would be inherently uncertain,” particularly as its application would be left to the SFO itself. In any event, to read in that test “would exceed the appropriate bounds of interpretation,” thus “illegitimately re-writing the statute” beyond what Parliament had intended.
Contrasting KBR with Microsoft Ireland
As may be familiar to Just Security readers, the 2016 case of Microsoft Corp v. United States (commonly known as Microsoft Ireland) addressed a similar question: whether U.S. law enforcement could use the SCA to obtain data held by Microsoft in an overseas data server in Ireland. In July 2016, the Second Circuit ruled that the SCA’s use to compel data stored overseas would be an “extraterritorial application” inconsistent with the SCA’s “privacy focus.” Although leave to appeal was granted by the U.S. Supreme Court, which heard oral argument in February 2018, the case was famously mooted by the enactment of the U.S. CLOUD Act the following month.
KBR and the Second Circuit’s decision in Microsoft Ireland have obvious similarities: each relied on the presumption against exterritoriality of legislation to curb the use of statutory law enforcement powers extraterritorially. However, they in fact address different, albeit overlapping, questions. Microsoft Ireland considered whether compulsory U.S. statutory powers could be used to compel a U.S. company – i.e. Microsoft – to disclose data held by that company overseas. KBR was one step removed, considering whether equivalent U.K. statutory powers could extend to entirely foreign companies holding overseas data. Although it is commonly assumed that the SCA does not apply extraterritorially to such foreign companies, Judge Raggi, dissenting from the Second Circuit’s denial of an en banc rehearing in Jan. 2017, considered this an open question.
The U.K. Supreme Court did not rule on the question addressed in Microsoft Ireland. Its judgment does, however, provide support for the idea that section 2(3) and similar powers could be used to compel overseas data from U.K. companies. Indeed, this assumption was “common ground” between the parties. The court itself considered it “questionable” whether using section 2(3) that way required giving the CJA 1987 “any material extra-territorial effect.” It commented that “the presumption against extra-territorial effect, if it applies at all, applies with much less force to legislation governing” U.K. companies abroad. This chimes with similar analysis in the 2020 Search Warrants report (at paras 16.28–16.60) of the Law Commission of England and Wales.
KBR’s significance
The initial reaction to KBR should be sighs of relief from corporate counsel across the globe. The fear of a sudden ‘knock at the door’ by U.K. law enforcement demanding disclosure of data under section 2(3) or equivalent legislation, even where those corporations have no U.K. operations, can dissipate – at least for now. But the issue is far from settled. There are already predications that the U.K. may try partly to “reverse” KBR through new legislation, as happened following Perry. Nonetheless, while each statute must be considered on its own terms, KBR provides clear guidance to U.K. law enforcement that the extraterritorial scope of statutory law enforcement powers has firm limits.
KBR should also be welcomed by those, such as Professor Jennifer Daskal – the newly appointed Deputy General Counsel (Cyber and Technology) at the U.S. Department of Homeland Security – who have criticized (at pp 477–478) the U.K. for enacting legislation like the Investigatory Powers Act 2016, purporting to unilaterally provide broad extraterritorial data gathering powers. In emphasizing “the importance of establishing reciprocal arrangements for obtaining evidence from abroad,” KBR may ultimately be seen as a strong rebuke against such unilateral extraterritorial conduct.
Much, however, remains unresolved. As noted, the court has cautiously supported, but not expressly ruled on, using section 2(3) powers to compel overseas data from purely U.K. companies. It also expressly left open whether section 2(3) could be used to compel information from foreign companies with a U.K. registered office or where those companies otherwise carried on business in the U.K.
Finally, it is unclear how the U.K. Supreme Court would view the new generation of ‘direct access’ law enforcement data sharing mechanisms, such as the CLOUD Act executive agreement between the U.S. and U.K., shortly due to come into force. These retain MLA’s reciprocity, but purport to significantly speed up access to overseas information, in part by stripping out many of MLA’s safeguards, which the U.K. Supreme Court referred to approvingly. Ultimately, the compliance of these new mechanisms with U.K. law, particularly with rights protected by the Human Rights Act 1998, remains to be seen.