European Commission Strategy on Criminal Justice in Cyberspace Can Move the Debate Forward
Written by Greg Nojeim, Jens-Henrik Jeppesen
As part of the European Agenda on Security, the European Commission committed to addressing, among many other things, the challenges law enforcement authorities face when obtaining digital evidence for cross-border criminal investigations. The Commission’s strategy is based on the June 2016 Home Affairs Council Conclusions. In December 2016, the Commission’s Directorate-General for Home Affairs (DG HOME) published a ‘Progress Report’ on Improving Criminal Justice in Cyberspace. The strategy includes three main thrusts of action: (1) improving direct cooperation with service providers, (2) enhancing mutual legal assistance with third countries, and (3) enforcement of jurisdiction in cyberspace.
The Commission is expected to publish a Communication before the June 2017 meeting of EU Home Affairs Ministers, putting forward its conclusions and recommendations for further action. The Commission will surely put forward recommendations on practical, short-term changes to administrative practices to address efficiency needs. It may also conclude that longer-term improvements require new legislation. If that is the case, draft legislation could be proposed during 2018 and would then go through EU legislative procedure.
Law enforcement access to data held by communications and cloud service providers raises difficult questions about which country’s law enforcement agencies can claim access to what data, the process they must use and the evidentiary thresholds that would apply. These issues came to the fore in 2014 when Microsoft challenged a warrant issued in the United States for data that it stored in Ireland. The ‘Microsoft Ireland’ case raised knotty questions of jurisdiction over data stored abroad by a service provider whose main seat is within the requesting state. Just yesterday, the 2nd Circuit Court of Appeals denied the government’s petition for rehearing in that case, sending resolution of the issue in the U.S. to the Congress and/or the Supreme Court.
CDT has for some time argued that policy solutions are necessary in this field and that any policy solution must include strong human rights protections for both communications content and for traffic data. A robust debate has been taking place on options for US legislative reform.
In the European and international context, similar questions are being debated, for example in the Council of Europe’s Cybercrime Convention Committee. The European Commission’s progress report provides new and very relevant data that can help inform the efforts towards workable solutions. We believe such solutions should serve three purposes: ensure strong protection of user privacy, enable effective criminal investigations, and afford service providers legal certainty. The report was discussed on 12 January at a meeting in Brussels that included a broad range of industry and civil society stakeholders, including CDT. This post sets out some initial reflections.
The report includes particularly informative insights on differing practices and policies among EU Member States and among service providers. Among other things, it shows differences in provider response time; disagreement among Member States on jurisdictional bases for law enforcement access to user data; an absence of law in some Member States governing law enforcement demands to foreign providers; the use of antiquated means (such as letters) to transmit Mutual Legal Assistance (MLA) requests; that user notice is required in some Member States and prohibited in others; that providers sometimes do not respond to surveillance demands; and that providers have very different policies regarding the supporting documentation they require and the connection they require between the requesting country and the data sought.
The report rightly points to a number of practical short-term improvements that can be made in cooperation between authorities and providers, and between authorities in different countries. Among these ideas are: establishing single points of contact for both providers and for law enforcement in a requesting country, standardisation of request formats, and training for authorities about service provider procedures and policies for voluntary disclosures and the legal requirements for compelled disclosure.
As a general observation, the report reflects primarily views expressed by Member State law enforcement authorities and officials, rather than service providers and public interest groups. Member State representatives tend to view processes and standards for review of requests for data access primarily as obstacles to efficient investigations. However, it is important to recognise that high evidentiary standards (such as ‘probable cause’) and formal procedures for disclosure have human rights benefits. These benefits should not be compromised in the search for more efficiency in meeting law enforcement demands. The procedures in place today exist in part to ensure that rights are protected and that inappropriate requests for data are not met.
For example, the report communicates Member State views that providers should not be assessing whether requests comply with domestic legal requirements. This criticism is misplaced. Providers have a duty to make this assessment in order to protect their users, particularly because the laws of many Member States include no legal framework for making data demands on foreign providers.
Indeed, the members of the Global Network Initiative (GNI), which include many of the large U.S. tech companies — Google, Microsoft, Yahoo, Facebook, and LinkedIn — have all committed themselves specifically to do just that. The GNI Implementation Guidelines, as approved by the companies and leading international human rights organizations, including CDT, require that:
Participating companies will adopt policies and procedures which set out how the company will assess and respond to government demands for disclosure of personal information. When required to provide personal information to governmental authorities, participating companies will:
- Narrowly interpret and implement government demands that compromise privacy.
- Seek clarification or modification from authorized officials when government demands appear overbroad, unlawful, not required by applicable law or inconsistent with international human rights laws and standards on privacy.
Member State experts also call on providers to be more transparent about why particular requests are granted or refused. Enhanced provider transparency should be welcomed, but in particular towards the public, and it should concern the criteria and procedures that providers use to evaluate the demands they receive. There is a need to ensure that those procedures, particularly for voluntary disclosures and emergency disclosures, adequately protect user privacy. There is also a need to establish “best practices” for such disclosures, which, if properly constructed, would be to the benefit of users, law enforcement, and providers.
It is problematic that some Member States consider that a provider is “domestic” if the provider offers services in-state. This is especially the case where a Member State regards its surveillance demands as mandatory, because this subjects providers to conflicting legal obligations to disclose content, or to refrain from disclosing it.
The report briefly flags data localisation mandates as one possible medium-term solution to the problem of cross-border data demands. As we have said on several occasions, we do not consider this to be a good solution overall. It also briefly mentions unmediated law enforcement access to users’ communications – government hacking – without reference to the myriad of trust and privacy issues that such conduct can entail.
The report includes a discussion of the issue of jurisdiction, and the different factors that can be argued to determine it. One idea that is supported by some Member State experts is a ‘multi-factor test’ for establishing jurisdiction. This bases jurisdiction over a provider on a series of factors that include elements such as location of the data, connection between the requesting country and the crime, location and nationality of the alleged perpetrator, etc. This approach has appeal, but it is not a panacea for at least two important reasons. First, the difficulties in establishing one factor as a basis for jurisdiction may be exacerbated by the requirement of establishing many. For example, the report identifies the inability to determine the location of data as a problem that complicates jurisdictional tests based on data location, but location of data could be one of the factors in the multi-factor test of jurisdiction. Likewise, establishing location and nationality of alleged perpetrators can sometimes be difficult as well. Second, the entity that decides whether the factors weigh in favor of jurisdiction may not be entirely objective. No international, representative body would make that determination. Instead, the law enforcement entity making the surveillance demand or the court issuing the surveillance order will make the determination and both may routinely find that the multi-factor test has been met since this result is in their interest. This could exacerbate the problem of competing jurisdictional claims.
These are some initial reflections. Overall, the report brings out valuable information that will help move the debate forward. We agree with the underlying assumption that today’s legal framework and administrative processes are not well suited for an environment where investigations involve multiple countries and jurisdictions. It is also very positive that the Commission consults widely with civil society. This should include U.S. civil society groups. Their reaction to the Commission’s initiatives in this area is crucial, especially to the extent the recommendations vis-a-vis U.S. providers will require a change in U.S. law. CDT looks forward to contributing actively to this discussion going forward, and working towards solutions that balance the need for effective cross-border investigations with the need to maintain user trust and privacy, and legal certainty for service providers.