Tech companies around the globe will be forced to hand over data to European authorities under the European Union version of the U.S. Clarifying Lawful Overseas Use of Data Act, unveiled April 17.

After many months of discussion and a public consultation, the European Commission presented its proposal for a “Regulation on cross-border access to and preservation of electronic data held by service providers,” along with a law requiring all service providers to appoint a legal representative within the EU.

The law would give European police the power to force companies to turn over emails, text messages, photos, videos, etcetera, within 10 days — or as little as six hours when there is “imminent threat to life or physical integrity of a person or to a critical infrastructure” — for investigation of crimes carrying a minimum jail sentence of three years.

The proposed “European Production Order” would apply to data even when it is stored on servers outside the EU, “regardless of whether it is encrypted or not,” and would also apply to cybercrime with no minimum penalty requirement.

In addition, the proposals foresee “Preservation Orders” to prevent any electronic evidence being deleted.

According to the Commission, “these instruments will provide for new rules to make it easier and faster for law enforcement and judicial authorities to obtain the electronic evidence they need in investigations to prosecute and convict criminals and terrorists.” Currently, requests for access to electronic evidence can take up to 10 months, the EU executive body said.

Obviously, this will have a big impact on the likes of Google, Facebook and Microsoft (fresh from their own Ireland warrant case), but it will also cover any company that offers messaging services, even incidentally — for example, cloud providers, domain name registries, online gaming platforms or digital marketplaces that allow peer-to-peer transactions.

The European Internet Service Providers Association raised concerns about the ability of smaller companies to comply with the proposed law.

“Challenges consist of the multitude of legal systems across the EU, as well as security issues and the feasibility of verification of requests from other member states. These are of significant concern for due process, legal clarity and liability for European ISPs, the majority being SMEs without their own legal departments,” it said.

Although companies will be able to appeal legal orders and may be entitled to some reimbursement for costs, they face sanctions if they refuse to respond to demands.

Local appointee

“Given the borderless nature of the internet, such services can be provided from anywhere and do not necessarily require a physical infrastructure, corporate presence, or staff in member states where the services are offered,” the regulation says.

Therefore, any company providing services will be required to appoint a legal representative in the EU to respond to law enforcement requests for data. This includes companies whose services are available only via app stores in the EU, regardless of where the data is stored or processed.

International agreements

The Commission eventually wants to set up the same arrangement with the U.S., but there are concerns that the recently enacted CLOUD Act “narrows the room for the potential compatible solution between EU-US,” according to Justice Commissioner Věra Jourová.

The current system is (supposed to be) based on “mutual legal assistance treaties.” However, the Microsoft warrant case revealed that this doesn’t always work. It is worth noting that the European Commission submitted an amicus brief to the Supreme Court in that case.

CLOUD allows U.S. judges to issue warrants for data stored overseas, but companies can still object if the request conflicts with local law. How this will play out post-GDPR remains to be seen. In many ways, CLOUD raises more questions than it answers.

Likewise, the EU E-Evidence proposal includes the possibility for companies to appeal the seizure request if there is a conflict of jurisdictional laws.

Users’ rights

“The proposed legislation would also improve legal certainty and the protection of fundamental rights for service providers and their users,” the Commission said.

Not so, digital rights group EDRi responded.

“The Commission is proposing dangerous shortcuts to allow national authorities to obtain people’s data directly from companies, basically turning them into judicial authorities. States have legal obligations to respect and defend people’s fundamental rights. Companies do not. If companies are coerced into handing over citizens’ data, our existing rights are put at risk,” said Maryant Fernández Pérez, EDRi senior policy adviser.

Under the proposals, companies would be exempt from liability for handing over data in response to an illegal or incorrect order. EDRi says this will make it very difficult for users to defend their rights.

“The only way to credibly propose any legislation in the area of cross-border access to data would have been to comprehensively improve and enhance the existing MLATs framework,” said the organization.

As it stands, it looks as though MLATs’ days are numbered.