The European Commission has released a proposal to enable EU member states’ law enforcement authorities to access digital information regardless of where that data is stored. It shares several of the practical and human rights problems of the similar piece of U.S. legislation known as the CLOUD Act, and raises fresh concerns of its own.

The proposal, labelled “E-evidence – cross-border access to electronic evidence” is now heading to the European Parliament and Council for debate. The EU institutions should review this measure closely before amplifying the errors of the CLOUD Act and raising new problems for cross-border access to electronic evidence. Left unchanged, the Commission proposal will make a difficult situation worse.

What Does the Proposal Mean for Digital Rights?

There will be a lot to debate in the Commission’s proposal as it winds through the EU legislative process. However, two initial areas of concern should be addressed swiftly by the EU institutions. The first is that the proposal could usher in a paradigm shift in the system of cross-border access to data in criminal investigations, risking a digital free-for-all and eliminating critical junctures for judicial review of law enforcement requests for data. The second concern centers on the proposal’s failure to adequately safeguard human rights. We at EPIC pointed to precisely these risks in our amicus brief in the now moot United States v. Microsoft case concerning U.S. law enforcement access to data stored in Ireland.

A Paradigm Shift: Borderless Law Enforcement Access to Data

Like the CLOUD Act before it, the European Commission’s proposal bypasses the procedures for international cooperation on criminal law enforcement access to data stored in a foreign jurisdiction. Instead, under a new “Production Order”, providers would be required to produce data regardless of where it is stored, even where the provider has only a slim connection to the requesting member state: providers that merely “offer services” in the EU are covered by the proposal, a test that can be satisfied by having a significant number of EU users or by targeting activities toward a member state (for instance, by advertising there or using the language of a particular state). The country where the data is stored may never even learn that the data was transferred outside its borders, as no further review by that nation’s authorities is required.

This is a dramatic shift away from the established mechanism for coordinating international access to data, the Mutual Legal Assistance Treaty (MLAT). MLATs add a layer of domestic review and reduce the conflicts created by accessing data in another jurisdiction. Yet rather than solving the inefficiencies of the MLAT system by properly resourcing it and training staff, the Commission’s decision seems to endorse a growing trend of states accessing foreign data based only on their own national law enforcement regimes. This is despite the fact that the soon-to-be-applicable Article 48 of the GDPR indicates a preference for MLATs. That provision, which becomes applicable on May 25, states simply:

 “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”

If legislation like this becomes a global trend, it will pose human rights concerns that have yet to be fully addressed. While we may be comfortable with foreign orders for domestically stored data coming from a nation with strong substantive and procedural protections, the picture is less sunny if the trend leads countries without an independent judiciary or a strong rule of law tradition to seize data in other jurisdictions with little oversight or accountability.

Under the Commission’s proposal, no judicial or other authority in the country where the data is located will have the opportunity to review the foreign order. Instead, a digital service provider would receive the order directly from the issuing authority and must decide whether or not to comply. (This is similar to the provisions of the CLOUD Act.) The defense of individual rights would turn on the will of service providers, whose incentives are not necessarily aligned with those of the individual. And given the proposal’s threat of sanctions and the ten-day default deadline of the Production Order – which can be set even shorter by requesting authorities and pared back to six hours in an emergency – it is unlikely that a provider’s review can provide adequate protection to individual rights. Provider objections are also strictly limited. Under the proposal, Production Orders are to be reviewed for necessity and proportionality before being issued. In theory, providers can object where the order “manifestly violates” the European Charter of Fundamental Rights, is “manifestly abusive”, or where production would violate certain types of laws of the foreign jurisdiction. However, providers are not given the basis for the necessity and proportionality determination, so such a challenge would seem impossible in practice.

A few straightforward revisions could be made to temper these risks. To the extent that the EU grants member states access to foreign-stored data, the EU could include data minimization and transfer limitations for the non-EU persons whose data they collect. For instance, in a sensible albeit too limited step, the CLOUD Act requires minimization and transfer limitations for any data of U.S. persons that a foreign country may incidentally collect. However, the Act did not include reciprocal protections for non-U.S. persons when U.S. law enforcement accesses foreign-stored data. If the Commission’s proposal enshrined minimization and transfer limits for both EU and non-EU persons, it would represent a step toward reasonable data protection in this new regime of borderless access to data. This approach is consistent with the EU standard contained in the General Data Protection Regulation. If such protections are already provided to foreigners elsewhere in EU law (for instance in the Law Enforcement Data Protection Directive), this should be clarified and consolidated in the Commission’s proposal.

The EU should also expand the basis on which providers can challenge Production Orders for data stored abroad. Under the current proposal, providers are not allowed to see the grounds on which issuing authorities base their necessity and proportionality assessments, something that is essential to challenging an order on rights-based grounds. If providers are to replace national authorities as the point of review in a foreign jurisdiction, they should not also be excluded from reviewing the grounds for the necessity and proportionality assessment and objecting to them.

Missing Individual Rights Protections

The European Commission’s Proposal also still has a way to go to adequately protect individual rights. The Proposal lacks appropriate safeguards for a system of cross-border law enforcement access to data in criminal investigations. To start, there are essentially no individual rights safeguards for the new “Preservation Orders” that the Proposal would create. Using a Preservation Order, providers can be ordered to prevent the removal, deletion or alteration of data. These Orders may be issued by prosecutors alone, for all types of data, for any crime, under gag order, and are not subject to challenge by providers or individuals. This must change. The Court of Justice of the European Union held in Digital Rights Ireland and Tele2/Watson that data retention must be subject to a range of safeguards.

It is equally eyebrow-raising that prosecutors are entitled to issue Production Orders for subscriber and access data stored in another jurisdiction without judicial review and for low-level crimes. Production Orders for transactional and content data require prior review by a judge or court, while those for subscriber or access data can be issued by a prosecutor alone. Similarly, subscriber data and access data can be obtained for any criminal offense, while orders for transactional and content data can only be issued for more serious offenses. Yet the CJEU also made clear in Digital Rights Ireland and Tele2/Watson that metadata can be just as sensitive as the contents of communications. In the same vein, the European Court of Human Rights recently found a violation of the Article 8 privacy rights of the European Convention on Human Rights in Benedik v. Slovenia, a case involving law enforcement access to the subscriber information associated with a dynamic IP address.

Similarly, the proposal’s provisions concerning notice fall short. Providers may be gagged from disclosing either a Production or a Preservation Order if it is deemed “necessary and proportionate to avoid obstructing the relevant criminal proceedings.” If a gag is used, the issuing authority must only inform individuals about a Production Order against them after the risk to the proceedings has passed. Beyond this requirement, there is no independent obligation in the Commission’s proposal to provide the individual with notice of the Order to produce their data, even after the matter is concluded. Notice may be supplemented by the requirements of Article 13 of the Law Enforcement Data Protection Directive to provide information to data subjects. However, especially for foreigners whose data is affected, the relationship between the two instruments should be clarified if notice is not made an explicit requirement in the Commission’s proposal.

Another key area of concern is the failure to provide specific limitations on Production Orders for data in another jurisdiction. The strongest limitation in the proposal is the requirement that a Production Order be reviewed for necessity and proportionality and conform with the issuing state’s own national laws. The proposal contains no baseline standards that the issuing state’s own laws must meet, nor does the proposal layer on any additional protections of its own. This simply provides too much deference to national laws and procedures. The European institutions would do well, for instance, to protect human rights by expressly requiring member states to issue only orders that comply with the baseline standards for law enforcement surveillance of communications data established by the European Court of Human Rights in cases such as Zakharov v. Russia and by the Court of Justice of the European Union in Tele2/Watson.

The CLOUD Act in the U.S. and the Commission proposal for cross-border access to electronic evidence both raise concerns about the protection of fundamental rights. Both frameworks extend the authority of law enforcement agencies to seize personal data stored abroad and fail to provide the necessary safeguards and oversight. While the CLOUD Act has already been signed into law, the European Parliament and the Council still have the opportunity to establish a better solution to the challenge of accessing electronic evidence across national borders.