On April 17, the European Commission is slated to announce an initiative to facilitate cross-border demands for internet users’ communications content. Reportedly, the E-Evidence initiative will include a regulation (which has the force of law upon adoption by the European Parliament and Council of Ministers) meant to compel social networks, cloud providers, companies that offer apps available in an EU Member State, and others – including those without offices or servers anywhere in an EU Member State – to turn over their users’ data within 10 days of receiving a law enforcement demand for that data. It will also reportedly include a directive that will requires EU Member States to enact legislation that will compel foreign providers such as those located in the U.S. to have EU-based legal representatives who can receive and respond to these demands. These requirements will no doubt be welcomed by law enforcement entities in the EU and cause headaches for U.S. companies, especially small companies with a worldwide user base.
But will the E-Evidence proposals protect the rights of Europeans and others whose data will be made available to law enforcement if the proposals become law? Keep one thing in mind: a law enforcement entity that can compel disclosure from a company with a worldwide user base can gain access to data on anyone, anywhere. It is critically important that the E-Evidence initiative guarantees that human rights are protected in the cross-border mechanisms that it proposes.
Accordingly, CDT has prepared this list of human rights protections that should be built into any mechanism designed to facilitate cross-border law enforcement demands. After the E-Evidence proposal is unveiled, we intend to grade it against this list. Since some Member States do not include all of these criteria in national laws, the E-Evidence initiative must provide these protections. The criteria below are derived from the applicable Necessary & Proportionate Principles to which CDT and over 400 other civil society organizations around the world have subscribed. Those principles are in turn derived from treaties, court decisions interpreting human rights protections, and national laws. Since they also include elements of the necessity and proportionality inquiries under European law, we’ve also prepared a supportive memorandum. Here’s a checklist of human rights protections that should be built into the E-Evidence proposal:
____ Legality: Data demands must be connected to a crime published in a statute that gives sufficient detail to give an accused person notice that her actions are unlawful. In the U.S., this is considered a “due process” right.
____ Judicial Authorization: Data demands must be authorized by an independent entity – preferably judicial in nature – that is independent from the prosecutorial function.
____ High Probability: There must be a high degree of probability: (i) that a crime has been, is being, or will be committed; and (ii) that evidence of the crime would be revealed by the compelled disclosure.
____ Particularity: Demands should be limited to seeking only data relevant to the crime and should specify the device, account, or person to whom the data demanded relates. This is an element of the “proportionality” requirement in Europe.
____ Least Intrusive Means: If less intrusive mechanisms could readily be used to obtain the information necessary to prosecute the case, they should be used instead.
____ Seriousness: Demands should be limited to serious crimes only, which can be articulated by type of crime (e.g., terrorism) and maximum sentence. This is an element of the “legitimate aim” requirement in Europe.
____ Notice: Users must be notified that their information has been sought or obtained. Notice can be delayed in limited circumstances to protect the integrity of an investigation. Provider notice should be permitted, but is no substitute for required notice from the government.
____ Minimization: Only information necessary to the investigation can be retained, and excess information must be destroyed or returned.
____ Transparency: Publication of numbers of data demands made and granted, and types of offenses specified.
____ Redress: There must be a process through which a person whose rights are interfered with because these criteria were not met can obtain redress.
We are looking forward to grading the E-Evidence proposal against this list and issuing a “Report Card” of sorts. Call it an “adequacy test” of whether the E-Evidence proposal measures up to human rights standards.