The controversial practice where law enforcement officers seek access to data stored overseas through use of local criminal law powers has been playing out recently in the US and UK, both in the courts and legislatures. Singapore has now weighed in on the issue by passing a law that allows for Singapore law enforcement officers to use very broad powers to access data stored overseas through a computer located in Singapore.
The new law, included in recent amendments to the Criminal Procedure Code, allows for police to access computers which they have reasonable cause to suspect is or has been used in connection with, or contains or did contain evidence relating to an arrestable offence. Police may use any such computer, which operates in or from Singapore, to search any data contained in or available to such computer, even when it is located outside Singapore. Police may also order people to provide assistance in gaining access to the computer, including by providing any username, password or other authentication information required for access. Anyone who fails to comply shall be guilty of an offence and liable for up to $10,000 for a company, or up to $5000 and/or 6 months imprisonment for an individual.
In the US, Microsoft recently challenged the government’s warrant under the Stored Communications Act (“SCA”) to get emails that its foreign subsidiary held on servers in Ireland. The case made it all the way to the US Supreme Court before becoming apparently moot by the enactment of the Clarifying Lawful Overseas Use of Data Act or “CLOUD Act,” which amended the SCA to make clear that the warrants do indeed cover evidence located abroad so long as the person subject to the warrant has possession, custody or control. Similarly, in the UK, KBR Limited has challenged the Serious Fraud Office’s use of its powers under section 2 of the Criminal Justice Act 1987 to compel production of documents held overseas, in this case on US servers. That case is still pending before the courts.
One of the more challenging issues with this practice are potential conflicts with the laws of the country where the data is stored that restrict its export or limit disclosure (eg data privacy or bank secrecy laws). For example, there is no obvious mechanism in the new Singapore law to challenge police ordering access to data where compliance with the Singapore law would conflict with data privacy laws elsewhere governing the processing of such data. Compare this with the CLOUD Act which does allow for such a mechanism, but only where the target is a non-US person. Multinational companies that come under investigation in Singapore, like the US and UK, may find this a very challenging dilemma.