A new EU proposal will force tech companies to share their users’ personal data with law enforcement authorities from different member states upon request.
One European Commission official close to the file called the legal overhaul “revolutionary” because it will give police and prosecutors the power to demand data directly from companies that operate messaging apps, social media platforms and other digital services even if they are headquartered in another country.
Currently, law enforcement authorities go through judicial officials in other countries to request access to data that they need for investigations, which is known as e-evidence. National governments have complained that the process is too slow to be useful for criminal investigations, especially since criminals can communicate quickly online.
EU Justice Commissioner Věra Jourová said on Tuesday (17 April), “We need to equip law enforcement authorities with 21st century methods to tackle crime, just as criminals use 21st century methods to commit crime”.
She described law enforcement authorities’ investigative methods as “cumbersome”, while “criminals use fast and cutting-edge technology to operate”.
The EU proposal will force tech companies to hand over data including the content of emails and messages, as well as metadata and browser history. They will need to share the information within 10 days, or six hours in emergency cases. EURACTIV previously reported on the details of a leaked draft of the regulation at the end of March.
Commission officials in charge of drafting the legislation argue that it has a number of features to make sure police cannot misuse the quicker system to request huge amounts of personal data. Judges will have to approve orders to obtain data showing the more detailed content of communication. For metadata and less detailed information, prosecutors will also be able to sign off on orders.
Authorities can only demand data for serious crimes that carry prison sentences of at least three years, for example, terrorism and murder.
Currently, American tech giants often receive police forces’ data requests. They do not need to hand over information without a warrant, but this proposal will require them to comply with new forms of official orders for e-evidence, as long as they are required to investigate crimes.
Privacy rights groups have criticised the Commission’s plan, arguing that it will encourage companies to share too much of their users’ personal data.
Maryant Fernández Pérez, senior policy advisor at the NGO European Digital Rights, said the proposal creates “dangerous shortcuts”.
“If companies are coerced into handing over citizens’ data, our existing rights are put at risk,” she said.
To the best of my knowledge, the forthcoming EU proposals on cross-border access to data (or "e-evidence") relate to criminal investigations and can cover the data of innocent people. Presenting these proposals as targeted to "terrorists" is misleading. https://t.co/URWuLE1Pl1
— (((Maryant))) (@maryantfp) April 17, 2018
Between 2013 and 2016, European law enforcement authorities’ requests for data from Google, Twitter, Facebook, Microsoft and Apple rose by 70%, according to Commission figures. Today, more than half of criminal investigations in the EU involve such cross-border requests for electronic data.
Under the new proposal, companies will be able to appeal authorities’ demands if they think they are unjustified. But if firms refuse to comply, they can face sanctions.
The bill creates two new legal procedures that are designed to make sure authorities can access data more quickly than they currently can using mutual legal assistance treaties or MLATs, the agreements between countries to allow investigative data sharing.
Legal battles have been raging in recent years over law enforcement authorities’ access to data located in different countries, and especially outside the EU.
Last month, that tension exploded into a political tug of war between Europe and the United States when a bombshell legislative overhaul in the US sent the Commission scrambling to present its own e-evidence bill.
The EU executive wants the proposal approved quickly – possibly even before the current administration’s term ends next year. All EU legislation must be approved by the European Parliament and national governments before it can go into effect.
“It’s very important for the EU to take a position on this and to lead on this,” one Commission official said.
The US Congress passed legislation known as the CLOUD Act in a fast-track vote in March, giving authorities the right to demand data even if it stored in another country.
That frustrated the Commission – Brussels has been trying to negotiate a bilateral arrangement for law enforcement data sharing with the US since last year.
Jourová expressed her disapproval of the CLOUD Act after it was passed and vowed to continue pushing for a deal with the EU.
A Commission official criticised the US legislation as “not a fully fledged solution to a broader problem”, which should be negotiated with the EU.
The source accused US lawmakers of passing through a law that was “stitched up” to “get rid of the Microsoft case”. Hearings started earlier this year in a high-profile case at the Supreme Court over Microsoft’s refusal to share data with US authorities because it is stored in Ireland. Under the CLOUD Act, Microsoft could now be required to hand over that data.
Shortly after the Commission announced its proposal on Tuesday afternoon, the Supreme Court dismissed the case.
The Commission has cited the huge number of data requests that European prosecutors send to American authorities as proof that an EU-US deal is needed. US authorities are slow to respond to European prosecutors’ demands for data under the current MLAT treaty system, according to the official.
Now that the US has its own legislation in place to force companies abroad to hand over data, the Commission is worried that individual EU member states may jump ahead of a broader arrangement between the US and the entire bloc, which could take a longer time to negotiate.
But any agreement with single member states could lead to fragmentation and give a handful of European countries privileged access to criminal data, Commission officials argue.
One Commission source suggested that the US government might pressure member states to agree to such a one-on-one deal.
In an effort to avoid that kind of fragmented system, the Commission is starting to accelerate its efforts to negotiate an agreement with the US.
Jourová will meet US Attorney General Jeff Sessions next month. A Commission official said negotiations over an EU-US e-evidence deal will “for sure” be on the agenda.