This paper sets out CDT’s views on the European Commission’s E-Evidence proposals. Immediately after the proposals were published, we posted a set of blogs about the proposals, and this paper builds on the views expressed in these blogs by incorporating additional ideas and analysis.
CDT recognises the validity of the concerns that motivated the drafting of the proposals. There is evidence that law enforcement authorities have difficulty accessing electronic information that can be useful for criminal investigations, and that more and more investigations require access to electronic data. Further, the Commission’s proposals attempt to address the fact that there are no EU-wide rules governing the processes and conditions for law enforcement authorities to obtain data from communications providers. It is in the interest of law enforcement authorities, citizens and users, and communications providers to have predictable and stable EU-wide legislation in this area.
For several years CDT has engaged in discussions about policy solutions in the EU, the U.S. and around the world that could help address this question. Our starting point was to consider a criminal investigation that is “wholly domestic”, by which we mean a crime committed in one country, against a victim located in that country, with an investigation focused on suspects also located in that country. In such a case, electronic evidence, such as communications data, could be relevant and could be held by communications providers in other countries. Given the domestic nature of such an investigation, it would be sensible to consider exceptions to the principle that law enforcement data requests should be made through Mutual Legal Assistance Treaty (MLAT) procedures, given the time and efficiency constraints associated with them, and provided that the exceptional process had strong human rights protections built in.
However, the E-Evidence proposals take a much broader approach than this. The proposals give European law enforcement unprecedented and almost unlimited access to data, regardless of the nationality and location of the people whose data is sought, and regardless of the location of the provider holding the data. The approach is broader with regard to jurisdiction and connecting factors than the primary international legal instrument in this field: the Council of Europe Budapest Convention. Developing countries could well take inspiration from this very broad assertion of jurisdiction, which could expose European companies to similar demands from countries with lower rule of law and human rights standards for data they hold about Europeans or people in other countries. This could create new and serious risks to privacy.
The Regulation and Directive will effectively give each EU Member State access for law enforcement purposes to the data of internet users worldwide. Each provider in the scope of the proposals can be compelled to disclose its users’ data no matter where those users are located and regardless of their country of citizenship. The definition of providers is broad. It encompasses not only electronic communications providers but a wide range of hosting services, online marketplaces and domain and numbering providers. Further, the range of crimes and investigations the European Production Orders (EPO) and Preservation Orders can be used for is also broad. The EPO can be used in a much broader set of criminal investigations than existing criminal justice instruments enabling cross-border cooperation, such as the European Investigation Order (EIO) and the European Arrest Warrant.
An instrument that gives authorities such extensive possibilities to access data must be accompanied by very strong privacy and procedural safeguards. Although EU Member States are committed to upholding the European Convention on Human Rights and the EU Charter of Fundamental Rights, it is a fact that States have different national laws that provide different levels of protection. Yet, the proposals assume a very high level of confidence that courts and authorities (which can issue EPOs) meet European standards, with very limited possibilities for authorities in other countries or providers to whom EPOs are addressed.
In conclusion, CDT acknowledges that legislative and policy solutions are required to update existing MLAT-based frameworks. We also recognise several constructive and positive elements in the E-Evidence proposals. However, we believe they must strike a better balance between the legitimate interests of law enforcement authorities, users and citizens, and international communications providers. The suggestions in this paper are intended to help create a solution that strikes such a balance. Primarily, we suggest ways to enhance the review and oversight of EPOs, both by authorities in executing Member States and by providers. Further, we suggest that EPOs should replace the existing, informal and voluntary cooperation schemes that law enforcement authorities currently use to obtain data from providers. We also propose limiting the use of EPOs to a more restricted set of criminal investigations, consistent with the approach taken in existing EU instruments for judicial cooperation. In addition, we propose stronger rules on notification and transparency, more realistic deadlines for compliance with EPOs, harmonised reimbursement, and a requirement to use a central portal for channeling EPOs, or alternatively single points of contact.