European businesses are rightfully concerned about keeping control of their data in the cloud. The proposed European regulation on access to electronic evidence by law enforcement (e-Evidence regulation) is an important step in the right direction, writes Kim Gagné.
Kim Gagné is the executive director of the European Cloud Alliance.
The proposed European e-Evidence regulation is meant to provide consistent rules governing law enforcement access to data in the cloud. For European companies which use or provide cloud computing services, one provision of the draft law is of particular importance: the requirement that governments should direct data requests to the customers themselves, rather than to their cloud service providers.
The European Cloud Alliance calls on EU lawmakers to ensure this provision remains in the regulation as it moves toward adoption.
European businesses have found that use of the cloud has resulted in cost savings and improved productivity. They have realized these benefits by locating their digital assets within the shared resource facilities of cloud service providers.
Critically, while the data “resides” in the service providers’ facilities, it remains in the control of the businesses themselves. The service providers are properly viewed as “trustees” rather than owners of the data. Each business remains in control of its own data and must determine who can have access to it.
This is only right. If a business is managing its data in its own premises, law enforcement has always had to request data access from the business itself, and the business could examine any warrant before disclosing the data.
Businesses moving to the cloud should not be in a worse position regarding the protection of their data from government seizure, as they would be if law enforcement could first approach a cloud provider to seek data access.
Otherwise, European businesses would be reluctant to take advantage of cloud services, and society would not realize the substantial gains that result from the use of new technologies.
Practically speaking, this means that the e-Evidence regulation should require that data requests go directly to the cloud customer.
While this principle is not yet embedded into European law, the proposed regulation embraces this approach, stipulating in Article 5.6 that data requests should always be addressed to the customer unless “investigatory measures addressed to the company or the entity are not appropriate, in particular, because they might jeopardize the investigation.”
Moreover, in instances where the request is not directed to the cloud customer, the customer should be notified so that the organization’s legal rights and obligations can be assessed, and, where possible, challenged before any data is seized.
Absent extraordinary circumstances, which are anticipated by the proposal, seeking data directly from cloud customers will not compromise a law enforcement investigation or result in a danger to public safety.
Neither businesses using cloud services nor cloud service providers want to prevent law enforcement authorities from protecting public safety. But all have an interest in a rule of law that clarifies the extent of the governmental power to seize data.
This proposal is in line with the approach taken by the US Department of Justice in its recommended practices on “Seeking Enterprise Customer Data Held by Cloud Service Providers” issued last December.
When conducting criminal investigations, law enforcement’s first reflex should be to seek data directly from the cloud customer, rather than from the service provider. European businesses need to be in full control of their data so that they can confidently take advantage of cloud services.
The proposed e-Evidence regulation, in Article 5.6, embraces this approach. It is crucial that it stays like that, for citizens, businesses and law enforcement alike.