After the European Commission published two new legislative proposals for law enforcement authorities to be able to reach across EU borders to have access to data directly from service providers, the EU Member States started working on this new “e-evidence” package. The proposal has so far become the object of wide-spread criticism from service providers, and civil society organizations, including EDRi, because it raises serious questions concerning privacy, data protection and basic principles such as the right to defence and access to effective remedies. At the request of very few Member States, the EU Council had a discussion about including two new elements to the already broad scope of the proposals, direct access to data and real-time interception of data. These new proposals add yet more concerns regarding individuals’ rights.
While the objective of this legislationis to improve criminal investigations by facilitating law enforcement authorities’ cross-border access to data in another EU Member State, the proposal creates a shortcut giving private companies a role previously carried out by judicial authorities. According to the existing proposal, companies that store individual’s data – including big companies such as Facebook, Google and Microsoft, but more crucially, small companies without the resources or expertise of the internet giants – will be obliged to give access to individuals’ data if demanded by law enforcement authorities, in some cases without the intermediation of a court.
The new proposal of some EU Member States to have direct access to data takes this practice a step further. It would mean that authorities could access data stored on private companies’ servers at any time. In combination with real-time interception of data, the proposed law could enable mass surveillance of individuals across Europe without appropriate safeguards. On 4 June the EU Council decided to postpone the discussions on whether to include direct access to and real time interception of data in the Regulation to October 2018.
In addition to working on its own legislation, the EU is considering an executive agreement with the US Government based on the flawed US CLOUD Act, which would enable the US to directly access data from European companies and viceversa, and potentially include real time surveillance like in the US CLOUD Act. The agreement would grant the EU and the US mutual access to data.
In conclusion, some EU Member States more making these proposals even more extreme than they already are by pushing for real time interception and direct access to citizens’ data without appropriate safeguards and an agreement with the US that could have even further implications on mass surveillance and individuals’ rights such as data protection and privacy. EDRi warned against these proposals even before the drafts were published and will keep working with other stakeholders and policy-makers to change this worrisome situation.
Council Presidency Note on “E-evidence” (28.05.2018)
Outcome of Council of meeting on Justice and Home Affairs (04-05.06.2018)
EU “e-evidence” proposals turn service providers into judicial authorities (17.04.2018)
EDRi’s response and annex to the European Commission’s consultation on cross-border access to e-evidence (16-27.10.2017)
(Contribution by Anamarija Tomicic, EDRi Communications and Community Officer)