EU justice ministers are set to approve a regulation this Friday (7 December) that will require EU-based tech companies to turn over electronic evidence within hours of a court order. The regulation, however, could pose a threat to people’s fundamental rights.
In April this year, the Commission had proposed new rules that would allow police and judicial authorities’ to access more quickly electronic evidence such as e-mail or cloud-stored documents they need to conduct investigations and prosecute criminals and terrorists across borders.
According to Commission estimates, almost two-thirds of crimes where e-evidence is held in another member state cannot be properly investigated or prosecuted.
The information held on a service provider in another EU member state has to be handed over by the service provider within 10 days of receiving the warrant through a transnational European production order (EPO), or – in urgent cases – six hours within a request made by judges in one of the EU’s member state.
The powers would further cover the seizure of data held outside the EU by a tech company “offering services in the union and established or represented” in an EU member state, according to the draft text.
After a successful meeting of ambassadors last week on the file, which broke the stalemate in the e-evidence talks, a general approach could be adopted when the Justice and Home Affairs Council meets in Brussels on Friday, says Renate Nikolay, head of Cabinet to Commissioner Jourová.
However, European Digital Rights, a campaigning group, has issued concerns whether the new rules should ensure that human rights and freedoms of all parties involved are respected, an area in which Theodore Christakis, a professor at the Grenoble Alpes Data Institute and member of the French Digital Council, has also highlighted.
“This is a major challenge for law enforcement authorities which are stored abroad,” he said.
“There is the urgent need to think about a legal regime which will enable law enforcement agents to protect us while having sufficient guarantees in terms of human rights and respecting sovereignties of other states.”
The main issue for policymakers will be to consider the privacy rights of tech companies and SMEs and if they will be able to face the requests for evidence.
“There is no legal basis for the proposal in the treaties. Telco operators are not those who should be judges of legal requests,” said Iain Mitchell, Chair of the Surveillance Working Group.
“People trust their own legal system and that there is also accountability when there is political abuse,” said John Frank, Vice-President EU Government Affairs of Microsoft.
“It is in 7% of cases where the requests are cross-border and it gets more challenging, because you are asking people to have confidence in the legal system of other EU countries.”
“When we have different legal systems, different maturities of legal systems and people were more reluctant to put confidence in countries systems they do not know.”
The discussion over the new rules takes place at a time when some of the EU member states have backtracked on the rule of law.
“We have put this proposal out at a moment where we in Europe are discussing rule of law issues in some of our member states,” said Nikolay.
“But as the requests to IT service providers have increased, most of them are still responding to them without any legal guarantees or legal clarifications, because it is voluntary. What kind of protection does that give to our fundamental right system in Europe?”
“That is why we are trying to establish an EU quality standard for e-evidence,” Nikolay concluded.