The day after the European Commission’s presentation of its legislative proposals on electronic evidence (see EUROPE 12003) on Wednesday 18 April, several stakeholders described it as a hasty response to the US CLOUD Act and have raised a number of concerns in this connection.
In a press release on Tuesday, the European Digital Rights (EDRi) organisation stated, “Before any proper assessment [of the existing framework: Ed] has been possible, the EU now seems to be rushing into making these new proposals, following in the steps of the United States”
The Business Software Alliance (BSA), which brings together major software manufacturers such as Microsoft expressed the same concern. It would have preferred the Commission to focus, first of all, on resolving the problems of access to electronic evidence in the EU, before shifting towards an extra-territorial application.
It should be recalled that the US CLOUD Act was adopted during fast track procedure at the end of March but without a joint solution being found with the EU. It stipulates that US service providers will be obliged to comply with US data disclosure orders irrespective of where this data is stored (see EUROPE 11990).
In her response to EUROPE, Maryant Fernández Pérez, the EDRi’s policy adviser explained that the existing tool in the EU in this field, the European Investigation Order was still relatively new and the member states had had until 22 May 2017 to apply it, which therefore made for a hasty introduction of the new system.
This is even more the case, she explains, because there had been some examples of effective international cooperation, particularly after the terrorist attacks in January 2015 at the Charlie Hebdo offices where the French authorities obtained access to the emails of the two accounts held by Microsoft in 45 minutes.
The organisation effectively considers that these texts are in danger of transforming businesses into judicial authorities by conferring them, in certain cases, with the onerous task of deciding whether the request of the authorities complies with fundamental rights. The BSA is also concerned by the “short deadline” (10 days or six hours in urgent cases), which businesses have to respect in response to requests for cross-border data.
Going a little more into detail, the organisation also considers that the legal basis chosen by the European Commission, Art. 82 of the TFEU political cooperation in criminal matters, is in doubt.
The EDRi has serious doubts about the Commission’s “creative interpretation”, which believes that this legal basis can be extended to direct cooperation between a legal authority and service providers - doubts that the Article 29 working party, which brings together EU member states' data protection authorities, had already expressed in an opinion in November 2017.
In communication terms, the EDRi is surprised with the presentation of these texts as initiatives to tackle terrorism because this could lead to confusion, given that these texts also apply to crime in general.
At a broader level, Maryant Fernández Pérez, is concerned by a kind of European schizophrenic approach to data protection and stated, “In the EU there is a certain contradiction because we will soon have the general regulation on data protection introducing strict personal data protection and at another level, in criminal matters, the Commission is putting texts on the table that compel businesses to provide access to this data”. (Original version in French by Marion Fontana)