Crime is a cross-border and now highly digitalised phenomenon, but law enforcement agencies around the EU have long complained that they lack the tools to access evidence stored in other countries. In April 2018, the European Commission set out to correct this by proposing the e-evidence package.
The package sets out new rules that would allow police and judicial authorities in an EU member state to access electronic evidence stored in another EU member state — or, adding global ramifications, evidence stored in a third country by a company established and offering services in the EU.
Under the Commission’s proposal, authorities will gain the power to order the preservation of evidence for later use and require that service providers hand over evidence in as little as 6 hours if there is an urgent threat to life. Codifying these requirements will reduce uncertainty and introduce a universal procedure across the EU, but the rapid responses required will test providers — especially if the Parliament or Council introduces further responsibilities when they respond to the proposal.
The Commission’s proposal introduces two new instruments for authorities. The first is the European Production Order: an authority would issue one to a service provider or its representative in an EU state to obtain electronic evidence, in most cases giving the service provider 10 days to respond. In urgent cases, however, they would be obliged to react within 6 hours.
This is much faster than the existing methods for gathering electronic evidence. The European Investigation Order, currently used to share evidence between EU law enforcement agencies, takes an average of 120 days and is much easier to refuse than the proposed Order, since it relies on member state law. Mutual Legal Assistance procedures, used for example between the EU and the US, take 10 months before evidence is handed over.
The second instrument is the European Preservation Order, which would oblige service providers to hold on to electronic evidence for agencies to request the information at a later date.
A judicial authority must either issue or validate both types of Order, but the data subject does not need to be informed. Indeed, in most cases, service providers are obliged not to tell the data subject.
While the proposal reduces legal uncertainty and streamlines the processes for service providers, the proposal introduces new burdens. For example, the Commission draft suggests that it is the responsibility of the provider to assess whether the Production or Preservation Order respects fundamental rights. Given the tight time frames to respond to the Orders, service providers will struggle to complete a full assessment. In most cases, they will also not receive reimbursement for the costs of processing these Orders.
One already visible stumbling block is its US cousin, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which obliges US-based service providers to turn over electronic data to federal law enforcement regardless of the nationality of the data subject or the location of the data.
The CLOUD Act also creates a framework for agreements between the US and foreign governments so that foreign law enforcement agencies can request data from US service providers. Without an agreement, US providers are prevented from sharing evidence with foreign authorities.
The Commission’s problem is in the wording. The CLOUD Act suggests that such agreements must be “bilateral” – that is, agreements must be conducted with individual member states, putting the idea of a single European process in jeopardy. Despite this, on 5 February, the Commission announced it would begin negotiations with the US to agree on mutual access to electronic evidence. The Commission claims its negotiating position would create a reciprocal, equal basis for transferring electronic evidence, smooth out potential legal conflicts, and provide strong safeguards.
Problems in Parliament…
Closer to home, the European Commission has struggled to convince lawmakers in the European Parliament that the legislation is necessary. The MEP responsible for the file, Birgit Sippel, has also warned that the Commission draft could create legal uncertainty for providers and threaten fundamental rights.
Other MEPs working closely on the file, like Sophie in ‘t Veld, oppose the idea that foreign governments would hold power over local evidence gathering and are demanding stronger safeguards for citizens’ rights. Many MEPs and digital rights groups are questioning the logic of creating a new system rather than improving the existing European Investigative Order.
…And at Council
Although the member states have now come to a negotiating position, several EU countries had major concerns. While some, like France, wanted to expand law enforcement powers further, a major issue for many member states was the responsibility of service providers to assess the legality of requests, with no judicial intervention planned. The Netherlands, Germany, the Czech Republic, Finland, Latvia, Sweden, Hungary and Greece wrote to Commissioner for Justice Věra Jourová asking for more stringent judicial oversight and suggesting including a “notification procedure” to inform the member state hosting the content or the service provider.
Both the Parliament and Council will try to shoehorn further safeguards and steps into the e-evidence proposal. We can expect Parliament to introduce new requirements for informing data subjects, while the Council has already inserted a “notification procedure” to involve other affected member states.
While this would remove some of the burdens and could create more legal certainty if the judicial process is strengthened, it would also lose the efficiency that the proposal initially promised. Meanwhile, legal uncertainty will only grow if the Commission fails to come to an agreement with the US. Service providers need a clear framework for processing requests for e-evidence with sufficient judicial review and legal clarity on their responsibilities.
MEPs will try to finalise their own position on the proposal before the European elections in May. If they are able to do so, the EU institutions will begin final deliberations on the text. With so many diverging opinions, it seems unlikely that the final version will closely resemble the Commission’s proposal.
Author: Kirsten Williams, Policy Analyst, Access Partnership
You may also find interesting:
- US CLOUD Act Now Law
- Trends to Watch 2019: EU Digital Policy Up in the Air
- Trends to Watch 2019: Finding the “Right” Regulation for Online Platforms
- Trends to Watch 2019: Digital Tax in the EU Gets Real
- Trends to Watch 2019: GDPR Goes Global
- ‘The GDPR on steroids’: The ePrivacy Regulation
- Introducing the new European Electronic Communications Code (EECC)