Initial Observations on the European Commission’s E-Evidence Proposals

On April 17, the European Commission (EC) published its long-awaited draft legislation on E-Evidence (“E-Evidence”) to facilitate cross-border demands for internet users’ communications content and metadata. Commissioners Jourova (Justice), Avramopoulos (Home Affairs), and King (Security) proposed two separate pieces of legislation: (i) a Regulation (“Regulation”) that enables law enforcement authorities in European Union (EU) Member States to issue production orders on communications and cloud providers based in other Member States or based outside of the European Union, regardless of where the data is located; and (ii) a Directive (“Directive”) that would require Member States to enact legislation compelling providers that offer services in an EU Member State to establish a legal representative in an EU Member State for the receipt of cross-border demands.  

EU Member States and the European Parliament will now begin their review of the proposed legislation. CDT will contribute to this debate. We recognise the concerns about difficulties in obtaining electronic data relevant for criminal investigations that motivate the EC’s initiative. We also recognise that cooperation with communications providers may be enhanced, and that existing MLAT processes may not always be able to scale with the volume of requests. We have participated in a series of stakeholder meetings and a public consultation leading up to these proposals. During this process, we have argued that enhanced access to electronic data by law enforcement authorities cannot come at the expense of fundamental privacy and procedural rights protections. This is the core principle we will base our advocacy on as the legislative process moves forward.

If enacted and implemented, the Regulation and Directive will effectively give each EU Member State access for law enforcement purposes to the data of internet users worldwide. This is because each provider in the scope of the Regulation can be compelled to disclose its users’ data no matter where the user is located and no matter the country of citizenship of the user. This can create an enormous risk to privacy worldwide. Because EU Member States have different national laws that can provide different levels of protection, it is necessary to build strong human rights standards into the E-Evidence proposals.

CDT set out ten human rights standards the EC’s proposals must meet, and has now shown how they match up to these criteria. These are our initial observations. We will develop more detailed positions and suggestions once we have analysed the proposals more comprehensively.

Directive

The preamble to the 10-page proposed Directive paints a picture of inconsistent practices among Member States that the Directive is intended to address partially. Some already require providers to have local legal representatives for the service of process; others take the position that their process works extraterritorially. Member States apply different “connecting factors” to determine whether they have jurisdiction over a provider: some base jurisdiction on the location of the provider’s main office; others base jurisdiction on location of data sought; others base jurisdiction on whether services are offered in the territory of the country. Member States are also inconsistent with respect to whether the demands they issue to providers are obligatory or voluntary.  

The Directive requires certain providers to establish in an EU Member State a legal representative for the receipt of law enforcement demands, including the European Production Orders established in the Regulation described below. The Directive chooses the most minimal of connecting factors as the one that obligates a company to establish a local legal representative: the offer of services in a Member State.  Thus, a start-up in the U.S. that successfully offers its service on global basis would have to have a legal representative in an EU Member State. To partially offset the burden this will create, the EC notes that the legal representative can be a third party shared by multiple providers and could be the same representative the company chose for purposes of compliance with the GDPR. The Directive’s recital 13 indicates that mere accessibility of services in a Member State is not sufficient: there must also be a significant number of users in one or more Member States, or targeting of activities or advertising to one or more Member States. 

The Directive describes very broadly the entities that would have to designate a legal representative to include: providers of electronic communications services, providers of information society services that store data for users — including social networks, online marketplaces and other hosting service providers, and providers of internet names and number services. Entities that offer services for which storage of data is not a defining component are not required to designate a representative, but domain name registrars and registries, and privacy and proxy service providers, are required to do so. Additional clarity is needed to delineate the entities that must appoint a representative. The provider can choose to designate a representative only in a Member State in which the provider has an office or provides services, and particular Member States cannot obligate providers to designate a legal representative on their territory.  

Missing from the Directive is a requirement that disclosure orders issued to a provider’s representative come through a central authority in each Member State.  Such a requirement would promote uniformity and quality in such demands. The absence of a Single Point of Contact (SPOC) is among the features of E-Evidence that drew fire from EuroISPA, the leading trade association among Europe-based ISPs.  

Regulation

The 29-page proposed Regulation would authorise judicial authorities in one Member State to issue “European Production Orders” (“Production Orders”) that compel a provider or a provider’s representative in another Member State to disclose stored communications content and transactional records in a criminal investigation.  Production Orders for subscriber information and a new category of information called “access data” do not require judicial authorisation or approval. “Access data” is data related to the commencement and termination of a user access session to a service that is used, with IP address, by an access service provider to identify the user. The Regulation would also authorize prosecuting authorities in one Member State to issue “European Preservation Orders” (“Preservation Orders”) that compel a provider in another Member State to preserve content, transactional records, access information, and subscriber information until a Production Order or a request under a Mutual Legal Assistance Treaty or similar instrument can be obtained. Preservation Orders, including those for content, do not require judicial authorisation or approval and can be issued in investigations of petty crimes.  

The Regulation will effectively operate against providers that offer services in a Member State which have no physical presence in a Member State, other than the representative that must be designated under the proposed Directive. Like the Directive, the Regulation broadly describes the providers on whom such orders can be served to include all of the entities covered by the proposed Directive.  

Production Orders for subscriber information and access data can be issued in investigations of petty crimes and without judicial authorisation. This creates a risk that providers will be inundated with such demands. Production Orders for content and transactional records can only be issued in criminal investigations of cyber crimes, fraud and counterfeiting of non-cash means of payment, child pornography and child sexual abuse and exploitation, and terrorism, as well as in investigations of any other crime for which the maximum penalty is at least three years in custody.  Limiting Production Orders for content and transactional records to serious crimes is a sensible step, and the European Parliament and Council should consider further limitations for Production Orders for subscriber and access information.

The Regulation states that, as a general matter, when data being sought is held by an entity which is not in the scope of the Regulation, but the entity uses an infrastructure service of a provider covered by the Regulation, a data request should be addressed to the entity, not the service provider. This is a sensible principle.

The Regulation does not require that Member States reimburse providers for costs incurred in reviewing and executing orders. Article 12 says that if a Member State reimburses domestic service providers for their costs, it must reimburse providers elsewhere for their compliance costs. Instead, reimbursement of costs should be mandatory. This would serve a dual purpose of protecting small providers against excessive costs, and more importantly, it would have a privacy-protective effect by making it less likely that Production Orders are issued unless there is a clear need and justification, particularly with respect to orders for access data and subscriber data, which can be sought in investigation of petty crimes.

The provider does not see the information in a Production or Preservation Order that shows the grounds upon which the order was determined to be necessary and proportionate. Instead, they see a Certificate that the order has been issued, and the Certificate provides in a standardised format the information necessary to identify the account from which data are sought. Articles 9 and 15 indicate that a provider can challenge a Production Order that, if complied with, would violate the rights of the individual concerned. Such challenges may be brought in the jurisdiction in which the order is served. However, the Regulation and Annex 1 make it clear that the provider will generally not receive the information that would be necessary to bring such a challenge, particularly in the case of a Production Order that would violate fundamental rights.

In addition, the Regulation does not require dual criminality — that is, that the conduct alleged to be criminal is a crime in both the issuing Member State and the Member State in which the provider’s representative is present, or the Member State in which the person to whom the data pertains resides or is a national of. This presumes a high level of confidence in the adherence to fundamental rights in all Member States because all Member States can issue Production Orders.  

The Regulation imposes tight deadlines for provider response: 10 days normally, and six hours in an emergency when there is an imminent threat to life or physical integrity of a person, or to critical infrastructure. This creates a risk that providers will comply with requests that are improper just because the deadline for compliance is approaching. The 10-day limitation creates a risk that providers will prioritize less important demands (including demands in petty criminal cases) as the clock on them runs out instead of responding promptly in just a few days to more important, non-emergency demands. Annex 1, which contains the form for the European Production Order Certificate that the provider receives, is not faithful to these deadlines. It permits issuing authorities to specify other deadlines in non-emergency situations and does not contain any parameters for the duration of those deadlines.  

The confidentiality provisions of the Regulation in Article 11 may deprive persons whose data is being sought of notice of a Production Order in many circumstances.  The Regulation authorises issuing authorities to gag a provider receiving a Production Order when notice to the person to whom the data pertains would obstruct the criminal proceedings. It does not require issuing authorities to provide notice to such person, except in the case where the provider is gagged. Notice can be delayed to avoid obstructing the criminal proceedings. The question is whether the Law Enforcement Data Protection Directive’s (2016/680) Article 13 ensures that individuals are notified in such cases.