EU Council & Commission plan to give law enforcement authorities access to data of foreign IT companies

By EDRi · May 25, 2016

EU Commissioner Věra Jourová revealed plans to increase the competences of criminal law enforcement authorities in a speech at the European Criminal Law Academic Network. She announced that the Council of the European Union is currently drafting Conclusions. This draft document calls for law enforcement agencies to have direct cross-border access to personal data held by foreign service providers, without a mutual legal assistance procedure. This is more than worrisome for the privacy of European citizens.

Initially Jourová pointed out that it is important to “accelerate and streamline” mutual legal assistance (MLA) requests between national authorities, in order to collect digital evidence easier. However, “where mutual legal assistance is not suitable or available” (what this means is not explained – the Data Retention Directive was proposed in part because MLATs are time-consuming but, in the last 8 years were not seen as a priority for reform) it is important that certain types of data, including personal data, can be requested from IT companies directly.

Intransparent Council discussions

Jourová says that the new data protection rules allow for a smoother cooperation and exchange of information between police and justice authorities, as they provide common standards of data protection. Those rules “will ensure that personal data, for instance of victims or witnesses of crime, is properly protected”. The Council draft goes by the name “Conclusions on improving criminal justice in cyberspace”, however, there is no document number assigned yet.

Commissioner Jourová did not release further details about the draft. However, EDRi received a copy of a document by the German government (only in German, pdf) which provides more information regarding the content and goals of the draft Conclusions. In order to improve “criminal justice in cyberspace”, the draft wants to introduce measures that help securing electronic evidence, which otherwise would have to be deleted. This is being described especially problematic in cross-border cases (echoing the analysis from ten years ago in relation to the Data Retention Directive). The aim is to set up rules that allow a short-term access to certain data categories of information, in particular personal data. One way to achieve that, is to improve the direct cooperation of law enforcement agencies with foreign service providers.

The Council Conclusions were also discussed controversially in the Committee on Internal Security (COSI), with Member States expressing their concerns over the proposal. It was considered especially problematic that a mere “business link” of a provider to a state will constitute a sufficient legal basis for data requests by foreign law enforcement authorities. According to the proposal it would not even require a business establishment in the concerned Member States to enable direct information claims. Some EU countries were pointing out that their sovereignty must not be undermined by such measures. France allegedly expressed concern that it was not legal under national law for providers to provide foreign law enforcement agencies with data.

In the end, there was wide-ranging agreement that future discussions must include other stakeholders, such as law enforcement authorities and IT businesses.

The Conclusions will be presented at the meeting of the Justice and Home Affairs Council on 9 June. The European Commission was asked to present analysis and, where appropriate, proposals before the summer 2017.

................................................................. Support our work - make a recurrent donation! .................................................................

Mutual Legal Assistance Agreement between the US and the EU

In parallel to the draft Conclusions, the Council is also working on an Agreement with the United States regarding mutual legal assistance (pdf). This Agreement aims to modify and refine the old MLA Agreement, which entered into force in 2010. It aims to ensure an effective cooperation between participating Members States of the EU and the US in the field of criminal justice and combating organised crime and terrorism. At the moment, the Council is waiting for the Committee of Article 36 (CATS) to approve the draft text, to allow the text to be formally agreed in June 2016.

The Agreement plans to make available “the ability to obtain information on bank accounts, form Joint Investigation Teams (JITS), transmit requests using faster means of communications, obtain witness evidence by video conferencing, and secure evidence for use by administrative bodies where subsequent criminal proceedings are envisaged.”

In contrast to the Conclusions discussed above, this US-EU Agreement does not plan to bypass the current MLA system. Despite the fact that the Agreement mentions the possibility of “direct access of EU-Member States to data held by Internet Service Providers”, it wants to ensure that this conduct still requires so-called “probable clause”. To meet this criterion, the government must present specific, detailed and reliable facts to a court to demonstrate that a criminal offence has been committed. Without “probable clause” it would not be possible to request data.

(Article written by Claudius Determann, EDRi intern)