Today, 17 April, the European Commission unveiled two proposals: a Regulation on cross-border access to and preservation of electronic data held by service providers and a Directive to require service providers to appoint a legal representative within the EU.
The core of the Commission’s “e-evidence” initiative is that national judicial or administrative bodies can ask a service provider, such as Facebook, based in another EU Member State, to produce and to preserve data for the investigation or prosecution of a crime. Currently, national judicial authorities receive and authorise foreign requests, in order to ensure that fundamental rights are protected. The European Union very recently adopted the European Investigation Order to improve the efficiency and speed of cross-border criminal investigations within the EU. Member States had until 22 May 2017 to implement it. Before any proper assessment of this measure has been possible, the EU now seems to be rushing into making these new proposals, following in the steps of the United States.
“The Commission is proposing dangerous shortcuts to allow national authorities to obtain people’s data directly from companies, basically turning them into judicial authorities”, said Maryant Fernández Pérez, Senior Policy Advisor at European Digital Rights (EDRi). “States have legal obligations to respect and defend people’s fundamental rights. Companies do not have such legal obligations. If companies are coerced into handing over citizens’ data, our existing rights are put at risk.”
EDRi is concerned that, if adopted, this Regulation would be putting companies at the same level as a court or a state. In fact, companies would be exempted from liability if they hand over data in response to an illegal or incorrect order. This means that if there is an invalid order which the company complies with (due to fear of sanctions for non-compliance), and if an exception to user-notification is used to keep this order secret, it will be very difficult for the user to defend her/his rights.
The only way to credibly propose any legislation in the area of cross-border access to data would have been to comprehensively improve and enhance the existing judicial cooperation framework. The current framework is based on “mutual legal assistance treaties” (MLATs) for cooperation with countries outside the EU. Inside the EU, the recently adopted European Investigation Order (EIO) facilitates efficient cross-border access to data. The European Commission chose to propose a new legal shortcut to bypass existing measures, maximising risks for fundamental rights violations. The proposals will now be subject to the scrutiny of the European Parliament and Member States gathered in the Council of the European Union.
EDRi’s response and annex to the European Commission’s consultation on cross-border access to e-evidence (16-27.10.2017)
Statement of the ART 29 WP on e-Evidence (07.12.2017)
CLOUD Act: Civil society urges US Congress to consider global implications (19.03.2018)
The U.S. CLOUD Act and the EU: A Privacy Protection Race to the Bottom (10.04.2018)
European Commission proposals on cross-border access to data (17.04.2018)