Category Archives: Actors

The European Production Order – Tackling the Problem of Enforcement Jurisdiction and Extraterritoriality in Cyberspace

On April 17th, 2018, the European Commission proposed new legislation to facilitate and accelerate access to digital evidence across borders in criminal investigations. The proposal aims at providing enforcement authorities with new tools for cross-border investigations in the digital era. European Production and Preservation Orders (the Orders) would allow law-enforcement authorities of a Member State to compel service providers – both domestic and foreign – offering services in the European Union to disclose or preserve user data, regardless of the data’s location. With this proposal, the European Commission moves away from territoriality as the determinative factor for enforcement jurisdiction in cyberspace. Thereby it could possibly set an international precedent to modernize international law in the area of transborder access to e-evidence.

With the proposal, the Commission is reacting to a particular challenge which the digitalized world has posed to law-enforcement. People nowadays make use of online services, such as Gmail, Facebook and Dropbox, that allow them to access their data, such as emails and photos, from different devices and different locations at all times. The service providers work with cloud computing, storing data on servers in several different jurisdictions to minimize data transmission and processing times. Facebook, for example, which is based in the US, uses servers not only in the US but also in Ireland, Sweden and Singapore. What is convenient for users, is problematic for law-enforcement authorities, however. If French law-enforcement authorities seek the contents of a Facebook message sent by a French suspect in the context of a crime committed on French soil against a French victim, they have to make use of mutual legal assistance treaties to access this data, as it is stored in foreign territory. Having to rely on this complex and slow mechanism (requests under such treaties take an average of ten months to be processed in the US!), has understandably led to frustration among law-enforcement agencies. This is not only because data can easily be moved, altered or deleted, but also because the data location in a foreign state (the ‘residual state’) is often the only international dimension of the case – making it hard for law enforcement agencies to understand why they should work through international cooperation channels.

How does the proposed EU regulation tackle the problem?

The European Production Order would allow law-enforcement agencies in an EU Member State to request service providers to disclose user data (not only information about the user, but also contents of e-emails, online storage accounts, etc.) within ten days or, in case of emergency, within six hours. The European Preservation Order would allow law-enforcement agencies to compel service providers to preserve data up to 60 days to allow time for requesting assistance from the data’s residual state.

The orders would be binding on all service providers established or offering services in the EU, regardless of the location of their offices. A provider is “offering services” if its service is accessible in a Member State and a sufficient connection between the provider and the territory of that state is established. Such a connection would inter alia exist when the provider offers and advertises the service in a Member State language, or when there are a considerable number of users within a member state’s territory. Facebook, for example, has such a connection with the EU: it offers its services under domestic domain names (;;, it offers and advertises them in Member State languages (e.g.German, Italian and Polish), and it counts 370 million users per month in the EU.  It is recalled that, in the field of data protection, the Court of Justice of the EU, in the Google Spain case (2014), had, somewhat similarly, considered the EU Data Protection Directive applicable to a foreign operator of a search engine when it ‘sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State’.

Pursuant to the proposed instruments, the orders can pertain to all data at the disposition of the service provider, regardless of its storage location. Taking the example of Facebook, this would mean that Facebook would also have to disclose to French law-enforcement authorities data that is stored on servers in Singapore, the US or any other non-EU state. This can obviously lead to a conflict between the provider’s obligations under the European Production Order and the residual state’s law. Therefore, the legislation allows service providers headquartered in third states to refuse compliance with the European Production (although not Preservation) Order when facing such a conflict of obligations (Article 16). The US Electronic Communications Privacy Act, for instance, forbids service providers in § 2702 to disclose content data without a U.S. warrant. However, if the issuing authority intends to uphold the order, it has to request a review by the competent court in its own state. If that court finds a conflict with laws that protect fundamental rights or interests of national defense and security, it has to consult the competent authorities in the respective third state through official channels, which then have 15 (with an extension possibility to 30) days to object to the order. If the third state’s authorities do not reply in time, the court can release the order for execution after sending a reminder with a five-day deadline. If the conflicting norms do not serve the protection of fundamental interests, the court can make its decision whether to quash the order by balancing the interests of the states in the disclosure of the data and in preventing the disclosure of the data. For this balance of interests, the court has to consider factors such as the degree of connection of the criminal case to either one of the jurisdictions.

What does the new legislation mean for enforcement jurisdiction in cyberspace?

Pursuant to the Lotus principle (established by the Permanent Court of International Justice as early as 1927), the exercise of enforcement jurisdiction, as an expression of a sovereign state’s power, is strictly limited to a state’s territory. As investigations are measures to enforce the criminal law, states are normally barred from conducting investigations on foreign states’ territory, unless the state has consented to the foreign investigation measures on its soil. However, applying this principle to the challenge posed by cyberspace seems to be contradictory, as cyberspace was designed to be borderless. Moreover, the location of data is just the result of a service provider’s business considerations. Therefore, the European Commission saw the need to move away from data locationto data connectionas the determinative factor for enforcement jurisdiction in cyberspace.

From an international law perspective, for European Production Orders that only have an internal EU dimension (the data is located on a server in an EU Member State), this move is not particularly problematic, as long as there is a valid EU legal basis. Such a basis appears to be present, as the proposed regulation is based on Article 82(1) of the Treaty on the Functioning of the EU, which provides that judicial cooperation in criminal matters is based on the principle of mutualrecognition of judgments and judicial decisions.Thisincludesthe approximation of the laws andregulations of the Member Statesin a number of areas, including computer crime.

In contrast, Production Orders pertaining to data located on a server in a non-EU state, are –from an international law perspective – more questionable. States outside the EU have not, at least not in a general sense, allowed EU-based law-enforcement authorities to carry out investigatory measures on their territory. Accordingly, such European Production Orders risk being in breach of the Lotus principle. Still, these orders respect foreign states’ sovereign interests insofar as they leave room for the affected states to protect their fundamental interests by requiring law-enforcement agencies to go through mutual legal assistance channels. Only when non-fundamental interests are at stake can the investigating state, on the basis of a Production Order, unilaterally access the data. This approach balances the notion of territoriality with the reality of the modern digitalized world.

Concluding observations

Vera Jourová, EU Commissioner for Justice, Consumers and Gender Equality recently said: While law-enforcement authorities still work with cumbersome methods, criminals use fast and cutting-edge technology to operate. We need to equip law-enforcement authorities with 21stcentury methods to tackle crime, just as criminals use 21stcentury methods to commit crime.” The new proposals on EU Production and Preservation Orders hand law-enforcement authorities important tools in the fight against crime that exploit the opportunities offered by de-territorialized cyberspace. In the United States a similar legislative initiative, mooting the Microsoft Ireland Case which was pending before the US Supreme Court, has been taken to tackle such crime: the 2018 US CLOUD Act allows US law-enforcement agencies to compel domestic service providers to disclose data, regardless of its storage location.

At first sight, these initiatives push the boundaries of international law, as they allow for the taking of unilateral enforcement action on the territory of a non-consenting state. However, it must be kept in mind that public international law has been shaped and reshaped by states overstepping boundaries, thereby moulding customary international law (see, e.g., M Hakimi, ‘Unfriendly Unilateralism’, Harvard International Law Journal 2014). These proposals, if they become law, could trigger emerging custom on the permissibility of unilateral production orders.

Esther Vehling and Cedric Ryngaert

The external effects of the EU’s regulation of sulfur dioxide (SOx) emissions

On 10 November 2017, I had the honor to be the sole opponent for the (successful) public defense of Philip Linné’s doctoral thesis on ‘Regulating vessel-source air pollution: standard-setting in the regulation of SOx emissions’, at Gothenburg University (Sweden). The thesis concerns the regulatory response, at different scales, including notably the EU scale, to tackle the environmental and human health impacts caused by sulfur oxide (SOx) emissions from the exhausts of seagoing ships. In this post, I reflect on the international legality and especially the external effects of relevant ‘unilateral’ EU action to tackle SOx emissions, i.e., action that goes beyond what is required by international law. Building on, but also adding to Philip Linné’s insights, I argue that by taking unilateral action, the EU has accelerated the calendar for strengthening global environmental standards in respect of SOx emissions. Continue reading

‘EU Agencies’ label: to what extent should we treat them all as ‘one’?

Twenty years ago, Alexander Kreher wrote one of the first articles on EU agencies arguing for the growing importance of this ‘institutional phenomenon’, which was almost completely ignored within the academic literature of that time. Judging from the countless number of academic articles and the tremendous growth of the cumulative budget (via-s-via the Commission, see Figure 1), it seems that the importance of EU agencies has only grown. The development in researching and governing EU Agencies has gone from gathering the somewhat scattered creations of agencies in different policy areas, under different treaty provisions, with different powers and for different purposes, etc. to bringing them under one ‘EU agencies’ umbrella as part of the EU executive machinery distinct from the EU Commission. Indeed, EU agencies have been treated as an ensemble for the budgetary purposes, also at the European Parliament, where the practice of three agencies’ directors would defend budgetary proposals on behalf of all ‘EU agencies’. We have seen the creation of the ‘Common Approach’ and later a roadmap with a view of streamlining the creation and revision of the founding acts of EU agencies. Furthermore, EU agencies’ directors have organized themselves in a network of agencies’ directors to discuss common challenges. To what extent, however, should we treat them as one? Continue reading

How Failing Aggregates Brought About a Landmark Decision of the CJEU

by Kilian Klinger & Linda Senden

Copyright: Tablexxnx

The Court’s recent ruling in the Elliott case can be seen as a landmark decision as it was the first time the Court had to decide upon the normative value of European harmonised technical standards (HTSs). This took its starting point in the mere question brought before the Court, whether or not such acts, adopted by private European standardisation bodies (ESBs), are subject to the Court’s jurisdiction to give a preliminary ruling on their interpretation pursuant to Art. 267 TFEU. Before substantiating on the central argumentative underpinnings of the Court’s judgment, let us first briefly summarize the facts of the case. Continue reading

Ripples from across the pond: Extraterritorial Effects of the Microsoft Ireland Case


One of the big internet cases of this year, the Microsoft Ireland case, has come to an end about a month ago as the 2nd Circuit Court has handed down its ruling in favour of Microsoft. The case made quite a splash and has been covered  before at the RENFORCE blog. With the verdict in, the time is ripe to revisit it and look at it again, this time from a different angle. Continue reading

(R)evolution in the EU System of Political Accountability: Joint Parliamentary Scrutiny mechanism


Source: Lex van Lieshout

Source: Lex van Lieshout

On 11 May 2016, the European Parliament adopted a new regulation for Europol, which will enter into force on 1 May 2017. This Regulation establishes the – so far unprecedented political accountability mechanism in the EU – Joint Parliamentary Scrutiny. The introduction of a mechanism, which links political accountability fora of the EU and the national levels, is a revolutionary development for the evolving multi-level accountability system (of EU agencies). To enhance democratic legitimacy of the EU structures and decisions, the legislative and accountability roles of the European Parliament have grown significantly in the last decennia (Scholten 2014). Yet, never before did national parliaments become involved in holding EU entities to account, too. Continue reading

Going it alone – the EU adopts its own maritime emissions monitoring scheme as the IMO lags behind

9507368339_93b407a9be_mWhile the consequences of climate change have activists up in arms, the international community’s response has been fraught with stagnation, and remains somewhat disillusioning. After a series of disappointing Conferences of the Parties to the United Nations Framework Convention on Climate Change (UNFCCC), all hopes are set on the Paris summit to be held later this year. In the midst of this stalemate, the EU has been profiling itself as a protagonist of the global climate, with an ambitious Climate and Energy Package. In its latest move, the EU has adopted Regulation (EU) No. 2015/757 (‘the Regulation’), which came into force on 01 July 2015, and lays out a monitoring, reporting and verification scheme (MRV) for ships. The MRV requires ships to monitor their CO2 emissions according to a verified monitoring plan, and report the results to the Commission. This step has been on the EU’s agenda for over five years, and forms the first concrete phase of the inclusion of maritime emissions in the Union’s own reduction commitment. While according to the EU, the scheme would bring ‘momentum for international agreement’, the shipping industry reacted coolly, warning that the EU initiative risked putting multilateral negotiations ‘in jeopardy’.

Continue reading

Facebook, the NSA and Data Protection: not so ‘frivolous and vexatious’ anymore? [i]

A look at the Advocate General’s opinion in Maximillian Schrems v Data Protection Commissioner.

UntitledYour average Facebook-using EU resident, whilst often being blissfully unaware of the laws that apply to his or her personal data acquired by Facebook, has probably shown some concern about privacy rights, especially since the 2013 Snowden revelations. Then a young Austrian law student, Maximillian Schrems decided to take this concern further and in 2013 lodged a complaint with the Irish Data Protection Commissioner about Facebook transferring EU residents’ personal data to the US, where, he asserted, it was insufficiently protected. The complaint was rejected, and the case went before the Irish High Court and eventually the Court of Justice of the European Union (CJEU). CJEU Advocate General Yves Bot (AG) issued an opinion on 23 September, advising the Court in how to decide upon the case. Privacy activists, including Schrems, have welcomed this opinion and commentators are now rushing to speculate what the consequences will be. Whatever the eventual outcome, the AG’s opinion is in line with recent CJEU decisions that emphasise the importance of the fundamental right to data protection over other rights, freedoms, concerns and/or interests. Continue reading