On Aug. 4, the European Commission opened a public consultation to “help Europe’s law enforcement agencies combat crime in the digital age” — that’s code for getting access to more information more easily.
Currently, authorities rely on judicial cooperation mechanisms, like mutual legal assistance treaties, the recently introduced European Investigation Order within the EU, the direct cooperation of service providers, or, last but not least, on “direct access to obtain electronic information” — aka hacking.
But the Commission is convinced this isn’t enough and is stepping up plans that have been on the table since 2015 to address the so-called e-evidence issue.
European Commissioner for Justice Věra Jourová raised the issue back in April: “Our traditional investigation tools are not always fit for the fast pace of the digital world [and] are often considered to be outdated, slow and burdensome. The cloud is the paradigm shift in today's data economy.”
“When member states submit direct requests to service providers for access to data, they all do it in their own way. And the same applies to service providers. In short, there are as many policies on granting access to e-evidence as there are service providers. This situation is undesirable, as it causes problems in practice for both law enforcement authorities and the service providers,” Jourová said.
She presented three legislative options to the European national ministers back in June. Naturally, many of them see an opportunity for a serious land-grab in terms of access to information stored in other countries, with big implications for companies’ ability to guarantee 100 percent data protection. That’s why the consultation is so important right now: although Jourová has come up with ideas, there is, as yet, no formal draft proposal (that is likely in early 2018), so anyone in the industry should get their thoughts in now.
Option A: Allow authorities to copy data directly from the cloud. Although Jourová says there would be safeguards and that it should only be used in emergency situations, this is by far the most intrusive proposal we’ve heard from the Commission.
Option B: Require companies to turn over data if requested by law enforcement authorities from other member countries.
Option C: Companies could be asked to turn over data by law enforcement from other member countries — removing the niceties of consulting the country hosting the data — but would not be obliged by law to hand it over.
Although Option C may sound like the least intrusive, companies will ultimately likely feel pressured into handing over data to foreign authorities. Whatever way you slice it, these proposals are MLATs on steroids.
Lucie Krahulcova, EU policy analyst at Access Now, said that “the technical paper the Commission released before the summer lays out a worryingly deficient approach to ‘direct access’ — which is the Commission’s term for government hacking. We have urged the Commission to review member state hacking practices and have put forward concrete suggestions in order to safeguard human rights.”
Some of those are reflected in the consultation. For example, one question asks under what circumstances direct cross-border requests to service providers should be allowed: only for a specific type of offense; on condition that the act is punishable in both countries; if there are specific safeguards to ensure fundamental rights; provided there's notification of another member state affected by this measure; provided there's a possibility for the notified member state to object to the measure; given the targeted person is notified; or that there are legal remedies for the person affected.
Another question asks which types of service providers should be subject to it: electronic communication service providers; information society service providers — including online services, cloud services, social networks, platforms, etcetera; or “other digital services providers relevant for investigation measures.”
“None of these” is not an option in the 70-question questionnaire, made up mostly of a selection of multiple-choice questions.
Part V addresses international scope, something that has been in the spotlight in recent years thanks to the Microsoft case, in which U.S. law enforcement agencies tried to gain access to emails stored in Ireland without going through the proper MLAT process.
“In your opinion, what could improve criminal investigations with a third country dimension?” the Commission asks. Jourová suggested that for “providers with headquarters in non-EU countries, we could 'domesticate' the problem, for instance, by obliging service providers to appoint a legal representative in the EU.”
She added that the Commission was already speaking to the U.S. Department of Justice on the matter.
But tech companies, particularly cloud service providers, are alarmed at the idea, fearing it could erode trust if consumers thought their data could be seized by foreign authorities, despite contracts specifying the location of the data storage center.
European countries, Ireland in particular, are not likely to sympathize. The Irish Justice MLAT guide hasn’t been updated since 2008, meaning it is likely open to “alternative solutions.”
TJ McIntyre, law lecturer at University College Dublin and chair of Digital Rights Ireland, explained: “Freedom of information indicates that [the Irish Department of] Justice is afraid of being swamped by inbound MLAT requests. It’s unlikely they’re adequately resourced to deal with any increase. This is a problem partly of Ireland’s own making — if Ireland were taking part in the European Investigation Order the issue wouldn’t arise to the same extent.”
“Mutual recognition is increasingly going to be challenged by authoritarian tendencies, especially in Poland and Hungary,” he added, highlighting the concerns around fundamental rights.
Bearing in mind recent court cases, not least that data retention has been struck down twice by European courts, the final e-evidence proposal, whatever it is, will likely face legal challenges.
“This will prove to be another test for the Commission to get the balance right between the ability to fight cybercrime and the respect for privacy as a fundamental right,” said Eduardo Ustaran, CIPP/E, partner in the global Privacy and Cybersecurity practice of Hogan Lovells. “We have seen how robust the ECJ is in this objective, and no doubt the Commission will want to nail it. Ultimately the trick is going to be to ensure that whatever privacy controls are in place — and there will need to be some — they cannot be blamed for being an unreasonable obstacle.”
The consultation is available here and will be open until Oct. 27.