The European Commission hopes to set an international standard with its upcoming proposal to give police easier access to data from tech companies, and has already asked the United States to cooperate.
A senior Commission official said on Thursday (9 November) that the EU executive suggested creating a new EU-US arrangement that would allow police to access data from companies that may be located in other jurisdictions. EU officials made that proposal to US Attorney General Jeff Sessions in June, during a joint EU-US justice ministerial meeting in Malta last June, but have not yet received a response from Sessions’ office.
At the end of January 2018, the Commission will propose new rules that will apply within the EU on the access to so-called e-evidence, which will make it faster and easier for law enforcement authorities to obtain data from other member states.
That proposal is still being drafted, but the Commission is already eyeing a similar arrangement that would extend beyond the EU.
“I can’t imagine that we would find something that would be limited to the EU space because that would be not efficient,” Renate Nikolay, the head of cabinet to EU Justice Commissioner Vera Jourova, said on Thursday (9 November). Nikolay was speaking in Brussels at a conference organised by the International Association of Privacy Professionals.
She said the January proposal will be a first step within the EU as part of the bloc’s security union.
Nikolay called the EU’s tough safeguards on data protection a model for how the Commission might have enough leverage to eventually seal such a law enforcement agreement with the US.
Strict new data protection rules will go into effect next year in the EU, and will also apply to companies that could be based in other countries but operate inside the bloc. As a result, the law has raised pressure on firms outside the EU. Several other countries have even taken on parts of Europe’s regulation in their national rules.
“We have to set a pace here, very much also building on what we have done in the GDPR [the new data protection law]. We are well equipped in Europe to actually set standards and we will do that also on electronic evidence,” she said.
The Commission has argued that the upcoming proposal on e-evidence is needed because police often struggle to quickly receive data from other member states when they investigate crimes. Many big technology companies are based in the US, but Nikolay said the EU law will remove barriers that already exist within the bloc.
“Sometimes time matters,” she said.
“We are talking about the new phenomenon of electronic evidence becoming more relevant in criminal proceedings, regardless of whether they are purely national criminal proceedings. Just because the data might be elsewhere. It can be just a local case in a village somewhere in Slovakia and, nevertheless, the cross-border element can be there.”
Nikolay told the conference that there are hurdles slowing down police access to e-evidence that are “not addressed at all with the tools we have at our disposal at the moment”.
“We are talking about efficient law enforcement in general here, not only the big terrorist cases that make the headlines,” she added.
The Commission is still weighing how police will obtain access to data. One option that the EU executive outlined earlier this year included the ability for law enforcement authorities to directly access data from tech firms that could be in another member state.
In addition, the Commission is also considering whether the full content of communications, or metadata, which includes the time an electronic message is sent and to whom, will fall under the new law. Nikolay said the rules should be “as broad as possible” regarding data.
The proposal will also specify the kinds of services that must comply with the rules, which could mean traditional phone calls and text messages, or data from digital services and communications apps. Nikolay said the law will include sanctions if companies do not hand over data to police.
Some tech firms have argued the new proposal could clarify rules and replace more cumbersome legal methods for police to request data.
John Frank, Microsoft’s head of EU affairs, said he favours an e-evidence law within the EU, and wants an international agreement to deal with police requests from outside the bloc.
“The best way for the EU and the US to get an agreement is for the US to realise it needs an agreement because it doesn’t have access to data in Europe,” Frank said, speaking on the panel with Nikolay.
Microsoft has been at the centre of a drawn-out fight over police access to data. Last year, the firm won a legal case against the US federal government, which tried to use a search warrant to obtain data from a Microsoft server in Ireland. The government has appealed to the US Supreme Court.
But the Commission’s planned proposal has also sparked concern among privacy advocates.
Campaigners have warned against any new rules that could allow police to request data directly from companies. Instead, they want the EU executive to reform existing mutual legal assistance treaties so law enforcement authorities in different countries can transfer data to each other more quickly. Those so-called MLAT agreements are often criticised for being too slow.
“The only way to credibly propose any legislation in this area is to address MLAT reform first; not to find ways to bypass them,” Maryant Fernández Pérez, a policy advisor at the NGO European Digital Rights, told EURACTIV.com.