EU member states have approved a mandate for the European Commission to launch international negotiations with the U.S. to speed and streamline cross-border access to electronic evidence in criminal investigations. 

The EU has yet to finalize its own internal rules on cross-border e-evidence and has said that it will do this before it finalizes any agreement with the U.S. Nevertheless, that is not standing in the way of the talks getting underway already, and these two processes are running in parallel.

EU Commission Spokesperson Christian Wigand said the new legislation and getting agreement with the U.S. is incredibly important because e-evidence "is needed in around 85% of criminal investigations, and in two-thirds of these investigations there is a need to obtain evidence from online service providers based in another jurisdiction.”

The fact that most service providers in possession of content or data are headquartered in the U.S. means that there is a “clear interest” for the EU to reach a joint agreement with U.S. authorities, Wigand points out.

In addition, Wigand said, “U.S. law often prevents these service providers from sharing content data with member states’ authorities.”

European Commissioner for Justice, Consumers and Gender Equality Věra Jourová has stressed in public that any agreement with the U.S. will have to guarantee the strong privacy and data protection rights and safeguards that already exist within the EU.

But at the national level, there are different priorities, reflecting important differences in national histories and experiences.

Terrorist attacks on Brussels airport and metro stations in March 2016 acted as a catalyst for action, and EU justice and home affairs ministers have since then prioritized passing measures to secure and obtain digital evidence.

But while MEPs from countries that have suffered terror attacks, such as Spain and France being among the biggest supporters of the negotiations, there are serious concerns in Germany over the potential threat to privacy and civil liberties that the legislation might pose.

EU civil rights groups also share those concerns.

“There is an assumption underlying the proposal that criminal law is essentially similar in all of the member states of the EU. In reality this isn’t the case,” says Jan Penfrat, senior policy advisor at digital rights group EDRi. “Criminal law is one of the least harmonized areas of policy in the EU. Some actions are illegal in some member states but totally lawful in others."

EU officials agree that it was the U.S. Clarifying Lawful Overseas Use of Data Act that provided a clear opportunity and a trigger for the latest EU moves.

Under the U.S. CLOUD Act of 2018, the U.S. can issue warrants for information from U.S. companies even if they are based abroad.

The core innovation of the CLOUD Act, and the focus will be in the EU-U.S. talks over the e-evidence proposal, is that data can be taken directly by a foreign law enforcement agency from the service provider. This potentially radical element of the negotiating mandate and could reduce the average time for obtaining e-evidence from over a year to a matter of days.

For Wojciech Wiewiórowski, assistant supervisor at the European Data Protection Supervisor, it was “the CLOUD Act that changed everything.”

The latest EU-US talks are just “one more slip in the same direction.”

But Wiewiórowski pointed out that the issues at stake in the talks do not impinge directly on privacy.

“Most of the doubts that have been raised are connected with judicial oversight (of the cross-border access to e-evidence) rather than privacy issues.”

But he reckons that “some kind of fix is possible” to this problem. Indeed, one proposed solution would impose informational requirements on law enforcers seeking e-evidence from foreign-based service providers.

The danger, for Wiewiórowski, is more that a “backdoor” could be inadvertently opened in the course of new legislation or in negotiations with the U.S. that might be exploited in the future.

“When one is trying to create something constitutionally new and trying to fix what doesn’t work … you create back doors,” Wiewiórowski said.

Importantly, however, law enforcement agencies will still have to abide by the principles of the EU General Data Protection Regulation as transposed into the EU’s Law Enforcement Directive, he added.   

The EDPS will be providing ongoing advice to the commission while it negotiates with the U.S., although it will not be actually participating in the talks.

As far as the timeline for the negotiations goes, officials and lawyers are not holding their collective breath. The mandate of the current commission expires at the end of October this year, and the talks will be nowhere near conclusion by then.

EU representatives maintain it is possible and practical to achieve progress on the internal EU legislation and in the EU-U.S. negotiations in parallel rather than having to wait for the EU to agree internally on the legislation.

“It goes without saying that negotiations would only be concluded on the basis of a final agreement on legislation within the EU. Negotiations will take some time, and progress can already be made on issues that do not depend on the outcome of the internal legislative process,” Wigand said.

This way of doing things is not uncontroversial, however.

Penfrat described the launch of the talks with the U.S. as “scandalous” given that the legislation has not even been approved by the EU yet. He worries it is an attempt to try and sideline the European Parliament’s role in the legislation.

That is not to say the EU-U.S. talks will themselves be a cake walk.

Difficult topics will include, for instance, how to determine if an EU state meets the independent judiciary criteria of domestic U.S. legislation to qualify for access to e-evidence held by U.S. providers. There will also need to be a discussion of what kind of safeguards should be built in. The judicial process involved will also have to be outlined, as will ways in which requests may be legally challenged. Getting the U.S. Congress to accept that all EU member states should be recognized under the CLOUD Act will also likely be a big debate.

And there are other major obstacles, too. "Hate speech," for instance, is not actually recognized as a crime in the U.S. Another concern is how EU authorities would feel about U.S. requests for e-evidence in crimes that could be punished by a potential death or life sentence in the U.S.

Officials concede the talks will be complex and difficult but note that this is to be expected in any international negotiation on judicial cooperation.

For service providers, there will clearly be a lot in the mandate that they themselves will not like, but lawyers are welcoming the legal certainty the legislation will bring, ostensibly helping them out of a situation where they are often "caught in the middle."

Service providers want to be able to assure their customers that they don’t lightly hand over their data, but at the same time, they don’t want to refuse compliance with an official request. An official order from an official authority might make life simpler for them.

Officials believe the legislation will also help them address the shift in public attitudes toward online platforms that has followed incidents like the Christchurch mosque massacres in New Zealand and the role of platforms in spreading harmful content in general.

That said, the EU has a new Parliament to deal with and the new European Commission has yet to be named even. Insiders say it's not likely we'll see a conclusion on an e-evidence agreement by the end of 2019, so it's anyone's guess as to which European presidency will be the one to claim it got it done.

Photo by Bill Oxford on Unsplash