Ministers from across the EU backed plans on Friday (7 December) that will allow law enforcement authorities to bypass EU member states when making judicial orders for electronic evidence in criminal matters abroad. Germany, the Netherlands, Hungary, Sweden, Finland, Greece, Latvia, and the Czech Republic all voted down the plans.
EU justice ministers are set to approve a regulation this Friday (5 December) that will require EU-based tech companies to turn over electronic evidence within hours of a court order. The regulation, however, could pose a threat to people’s fundamental rights.
European businesses are rightfully concerned about keeping control of their data in the cloud. The proposed European regulation on access to electronic evidence by law enforcement (e-Evidence regulation) is an important step in the right direction, writes Kim Gagné.
EU justice chief Vera Jourova will push for a new data access agreement with the United States when she meets next week with her American counterpart, amid growing transatlantic tensions over issues including the Iran nuclear agreement and trade.
A new EU proposal will force tech companies to share their users’ personal data with law enforcement authorities from different member states upon request.
EXCLUSIVE / Messaging apps and other digital services will be forced to give their users’ data to law enforcement authorities within ten days of receiving requests, or six hours in emergencies, according to a leaked draft of an upcoming EU legal overhaul.
Tech giants should share the technology they develop to detect hate speech with smaller companies, EU Justice Commissioner Vera Jourova said in an interview.
The European Commission hopes to set an international standard with its upcoming proposal to give police easier access to data from tech companies, and has already asked the United States to cooperate. A senior Commission official said that the EU executive offered US Attorney General Jeff Sessions to consider an EU-US arrangement that would allow police to ask for data even if companies are located in other jurisdictions. EU officials made that proposal in June, during a joint EU-US justice ministerial meeting in Malta, but have not yet received a response from Sessions’ office. The Commission will propose new rules on the access to so-called e-evidence at the end of January 2018 that will apply within the EU, and make it faster and easier for law enforcement authorities to obtain data from other member states. That proposal is still being drafted, but the Commission is already eyeing a similar arrangement that would extend beyond the EU. “I can’t imagine that we would find something that would be limited to the EU space because that would be not efficient,” Renate Nikolay, the head of cabinet to EU Justice Commissioner Vera Jourova, said on Thursday (9 November). Nikolay was speaking in Brussels at a conference organised by the International Association of Privacy Professionals. She said the January proposal will be a first step within the EU as part of the bloc’s security union. Nikolay called the EU’s tough safeguards on data protection a model for how the Commission might have enough leverage to eventually seal such an agreement with the US. Strict new data protection rules will go into effect next year in the EU, and will also apply to companies that could be based in other countries but operate inside the bloc. As a result, the law has raised pressure on firms outside the EU. Several other countries have even taken on parts of Europe’s regulation in their national rules. “We have to set a pace here, very much also building on what we have done in the GDPR [the new data protection law]. We are well equipped in Europe to actually set standards and we will do that also on electronic evidence,” she said. The Commission has argued that the upcoming proposal on e-evidence is needed because police often struggle to quickly receive data from other member states. Many big technology companies are based in the US, but Nikolay said the EU law will remove barriers that already exist within the bloc. “Sometimes time matters,” she said. “We are talking about the new phenomenon of electronic evidence becoming more relevant in criminal proceedings, regardless of whether they are purely national criminal proceedings. Just because the data might be elsewhere. It can be just a local case in a village somewhere in Slovakia and, nevertheless, the cross-border element can be there.” Nikolay told the conference that there are hurdles slowing down police access to e-evidence that are “not addressed at all with the tools we have at our disposal at the moment”. The Commission is still weighing how police will obtain access to data. One option that the EU executive outlined included direct access between law enforcement authorities in one member state and tech firms. In addition, the Commission is also considering whether the content of communications or, for example, metadata, which includes when an electronic message might be sent and to whom, will fall under the new law. Nikolay said the rules should be “as broad as possible” regarding data. The proposal will also specify the kinds of services that must comply with the rules, which could mean regular phone calls and text messages, or data from digital services and communications apps. Nikolay said the law will include sanctions if companies do not hand over data to police. Some tech firms have argued the new proposal could clarify rules and replace more cumbersome legal methods for police to request data. John Frank, Microsoft’s head of EU affairs, said an e-evidence law within the EU would be helpful. He favours an international agreement to deal with police requests from outside the bloc. “The best way for the EU and the US to get an agreement is for the US to realise it needs an agreement because it doesn’t have access to data in Europe,” Frank said, speaking on the panel with Nikolay. Microsoft has been at the centre of a drawn-out fight over police access to data. The firm won a case against the US federal government, which tried to use a search warrant to obtain data from a Microsoft server in Ireland. The government has appealed to the Supreme Court. But the Commission’s planned proposal has also sparked concerns among privacy advocates. Campaigners have warned against any new rules that could allow police to request data directly from companies. Instead, they want the EU executive to reform existing mutual legal assistance treaties so law enforcement authorities in different countries can transfer data more quickly. Those MLAT agreements are often criticised for being too slow. "The only way to credibly propose any legislation in this area is to address MLAT reform first; not to find ways to bypass them,” Maryant Fernández Pérez, a policy advisor at the NGO European Digital Rights, told EURACTIV.com.
MEPs are pressuring the European Commission to propose new cyber crime rules on hacking vulnerabilities, encryption and information sharing between EU countries, ahead of a legal overhaul planned for September.