Greetings from Brussels!
If you’ll recall, in March of this year, a new EU proposal was put forward by the European Commission that would oblige tech companies to share their users’ personal data — wherever stored — with law enforcement authorities from different member states upon request.
The current arrangements are deemed cumbersome and lengthy in their process, with national law enforcement authorities having to rely on the efficiency of foreign judicial channels to request access to "e-evidence" that they require for criminal investigations and prosecutions. Moreover, as criminal enterprise becomes increasingly international, online media is increasingly favored by criminality for quick and efficient communications across jurisdictions. Věra Jourová said in April, “We need to equip law enforcement authorities with 21st century methods to tackle crime, just as criminals use 21st century methods to commit crime.”
The EU proposal itself is relatively ambitious when you consider the general (usual) pace of enforcement and judicial reform one can expect at national levels. The proposal would force tech companies to hand over data, including the content of emails and messages, as well as metadata and browser history, and the provisions of the proposal foresee a sharing of targeted data within 10 days, or six hours in emergency cases.
I noted in EURACTIV this week that, in a meeting of EU justice ministers this last Monday in Luxembourg, several ministers inferred that they will be pushing for major changes to the proposal that would allow law enforcement agencies to immediately monitor communication data from emails and messages on digital apps. In other words, "real-time" access to communications. For the record, the more vocal member states were Belgium, Portugal, Cyprus, France, Greece, Italy and Estonia. Notably, ministers were divided, with the counter-argument being that such powers would be intrusive and run contrary to the European ethos of individual privacy. Notably, it raises additional legal questions and to what extent those powers will be limited, proportionate, and monitored (independently).
As with all EU proposals, a compromise will need to be stuck with national governments and the European Parliament before the proposed legislation can see the light of day. Not an easy task, given the sensitivity of the proposed powers, current (e)privacy debates, and how such a mechanism would work in transcending sovereign jurisdictions. The commission is all the same, eager and determined, to push the proposal through the current EU Parliament, ahead of Parliamentary elections next year.
There are more tangents to this story: There is also the question of the U.S. CLOUD Act, which, similarly to the EU GDPR, is moving data access requests beyond mere geography. Importantly, the GDPR does come into play here, where Article 48 specifically treats transfers ordered by courts in third countries like the U.S. The GDPR provides that “such orders may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State.”
There are still much complex negotiations to be had in the EU arena, and the priority for the European Commission will be to garner member state support for the idea that a collective agreement is in the interests of the EU above national (sovereign) agreements with the U.S. The U.K. is already in bilateral talks with the U.S. to come to an arrangement, perhaps unsurprisingly given the advent of a Brexit reality. Member states will be following those talks closely.
If you want to comment on this post, you need to login.