New privacy challenges: easier access to cross-border electronic evidence

in Advisory, 03.05.2019

Two mandates for international negotiations

According to the EU Commission, electronic evidence is needed in around 85% of criminal investigations. In two-thirds of these investigations, evidence must be obtained from online service providers in other jurisdictions. Between 2013 and 2018, the number of requests for electronic evidence made to major online service providers grew by 84%.

As a result, in February 2019, the European Commission requested two mandates to negotiate the facilitation of cross-border access to electronic evidence.

Mandate 1: EU – US Agreement on cross-border access to electronic evidence

The first mandate requested by the EU Commission is about opening negotiations for an agreement between the EU and the US on cross-border access to electronic evidence for judicial cooperation in criminal matters (COM/2019/70 final).

The motivation for focusing on the US is that access requests for electronic evidence made by EU Member States based on Mutual Legal Assistance are mainly addressed to the US because the major online service providers are headquartered there. The current cooperation between US online service providers and law enforcement authorities in the EU is on a voluntary basis, which makes for many pitfalls. US law restricts giving EU authorities direct access to electronic evidence. The US Cloud Act, adopted in March 2018, allows the conclusion of executive agreements with foreign governments. This then is the basis on which US online service providers will be able to provide content data and non-content data directly to law enforcement authorities in the EU.

The negotiation between the EU and the US hopes to find an agreement focusing on the following:

  • Ensuring timely access to electronic evidence for law enforcement authorities in the EU and the US by greatly speeding up the process. At present, the provision of the requested data takes on average 10 months. This period is to be reduced to 10 days.
  • Preventing legal conflicts by agreeing on definitions and types of data to be collected, clarifying legal obligations and ensuring reciprocal rights for the contracting parties.
  • Guaranteeing strict safeguards regarding data protection, privacy and procedural rights.

Mandate 2: Additional Protocol to the Budapest Convention on Cybercrime

The second mandate requested by the EU Commission is about participating in negotiations on a second Additional Protocol to the Council of Europe Convention on Cybercrime (COM(2019) 71 final).

The Convention on Cybercrime of the Council of Europe from 2001 (CETS No. 185, also known as the “Budapest Convention on Cybercrime”) is a multilateral treaty. It contains guidelines for the development of national legislation and creates a legal framework for an international cooperation for the fight against crimes committed over the Internet or over other computer networks. It deals in particular with computer-related fraud, child pornography, violations of network security and infringements of copyrights. At present 62 countries are parties to the Convention, including the 26 EU Members States, Switzerland, the US, Canada, Japan and Australia. In June 2017, negotiations started on the Second Additional Protocol to the Convention, which should be concluded by December 2019. The negotiations focus on improving:

  • International cooperation between law enforcement and judicial authorities (Mutual Legal Assistance) and direct cooperation between authorities and service providers.
  • Conditions and safeguards for access to information by authorities, including stronger data protection requirements.

So why negotiate two mandates simultaneously?

The EU Commission thinks that both the negotiations with the US and the Second Additional Protocol to the Budapest Convention on Cybercrime cover areas relevant to existing and future rules of the EU. This is particularly true for cross-border access to electronic evidence. Already in April 2018, the EU Commission proposed the following new rules:

  • Directive laying down harmonized rules on the appointment of legal representatives to gather evidence in criminal proceedings (COM/2018/226 final – 2018/0107 (COD)).
  • All providers offering services in the EU will be required to designate a legal representative in the EU to receive, comply with and enforce decisions and orders, even if their headquarters are in a non-EU country.
  • Regulation on European Production and Preservation Orders for electronic evidence in criminal matters (COM/2018/225 final – 2018/0108 (COD)).
  • A European Production Order will allow a judicial authority in one EU Member State to obtain electronic evidence directly from a service provider or its legal representative in another EU Member State within 10 days, and within 6 hours if it is an emergency. At present up to 120 days are required for European Investigation Orders or an average of 10 months for a Mutual Legal Assistance procedure. Service providers subject to the Regulation include providers of electronic communications services, internet domain name and IP numbering services, and so-called “information society services”, which include social networks, online marketplaces and other hosting services. Categories of data that can be obtained with a European Production Order will include both content data (such as e-mails and photos) and non-content data (such as subscriber and access data or traffic information).
  • A European Preservation Order will allow a judicial authority in one EU Member State to request that a service provider or its legal representative in another EU Member State prevent the deletion of electronic evidence before their production request is completed.

Will this cause additional financial and administrative burdens?

There are concerns that especially the EU Regulation on European Production and Preservation Orders for electronic evidence in criminal matters will create additional financial and administrative burdens. Service providers in the scope of the regulation will require additional resources to comply with an order to deliver electronic evidence within 10 days or even 6 hours. Beyond that, service providers must develop subject matter expertise to assess whether they have to comply with orders and whether compliance with the orders could conflict with local laws prohibiting disclosure of the data concerned, such as local data protection laws.

So what’s next?

The EU Council must now adopt a decision to authorize the EU Commission to start negotiations as set out in the requested mandates. As soon as the mandates are adopted, the EU Commission will be able to start negotiations

And what does it mean for you?

Service providers should vigilantly watch the development of these initiatives and assess in time the necessary technical and organizational measures to comply with the upcoming requirements. In order to mitigate possible fines, they should also investigate from whom they could obtain the necessary subject matter expertise for upcoming cases that might entail raising an objection and triggering a judicial review.

 

 

Our services and further information:

 


Leave a Reply

Your email address will not be published.