On April 17th, 2018, the European Commission proposed new legislation to facilitate and accelerate access to digital evidence across borders in criminal investigations. The proposal aims at providing enforcement authorities with new tools for cross-border investigations in the digital era. European Production and Preservation Orders (the Orders) would allow law-enforcement authorities of a Member State to compel service providers – both domestic and foreign – offering services in the European Union to disclose or preserve user data, regardless of the data’s location. With this proposal, the European Commission moves away from territoriality as the determinative factor for enforcement jurisdiction in cyberspace. Thereby it could possibly set an international precedent to modernize international law in the area of transborder access to e-evidence.
With the proposal, the Commission is reacting to a particular challenge which the digitalized world has posed to law-enforcement. People nowadays make use of online services, such as Gmail, Facebook and Dropbox, that allow them to access their data, such as emails and photos, from different devices and different locations at all times. The service providers work with cloud computing, storing data on servers in several different jurisdictions to minimize data transmission and processing times. Facebook, for example, which is based in the US, uses servers not only in the US but also in Ireland, Sweden and Singapore. What is convenient for users is problematic for law-enforcement authorities, however. If French law-enforcement authorities seek the contents of a Facebook message sent by a French suspect in the context of a crime committed on French soil against a French victim, they have to make use of mutual legal assistance treaties to access this data, as it is stored in foreign territory. Having to rely on this complex and slow mechanism (requests under such treaties take an average of ten months to be processed in the US!) has understandably led to frustration among law-enforcement agencies. This is not only because data can easily be moved, altered or deleted, but also because the data location in a foreign state (the ‘residual state’) is often the only international dimension of the case – making it hard for law enforcement agencies to understand why they should work through international cooperation channels.
How does the proposed EU regulation tackle the problem?
The European Production Order would allow law-enforcement agencies in an EU Member State to request service providers to disclose user data (not only information about the user, but also contents of e-mails, online storage accounts, etc.) within ten days or, in case of emergency, within six hours. The European Preservation Order would allow law-enforcement agencies to compel service providers to preserve data for up to 60 days to allow time for requesting assistance from the data’s residual state.
The orders would be binding on all service providers established or offering services in the EU, regardless of the location of their offices. A provider is “offering services” if its service is accessible in a Member State and a sufficient connection between the provider and the territory of that state is established. Such a connection would inter alia exist when the provider offers and advertises the service in a Member State language, or when there are a considerable number of users within a Member State’s territory. Facebook, for example, has such a connection with the EU: it offers its services under domestic domain names (Facebook.de; Facebook.it; Facebook.pl), it offers and advertises them in Member State languages (e.g. German, Italian and Polish), and it counts 370 million users per month in the EU. It is recalled that, in the field of data protection, the Court of Justice of the EU, in the Google Spain case (2014), had, somewhat similarly, considered the EU Data Protection Directive applicable to a foreign operator of a search engine when it ‘sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State’.
Pursuant to the proposed instruments, the orders can pertain to all data at the disposition of the service provider, regardless of its storage location. Taking the example of Facebook, this would mean that Facebook would also have to disclose to French law-enforcement authorities data that is stored on servers in Singapore, the US or any other non-EU state. This can obviously lead to a conflict between the provider’s obligations under the European Production Order and the residual state’s law. Therefore, the legislation allows service providers headquartered in third states to refuse compliance with the European Production (although not Preservation) Order when facing such a conflict of obligations (Article 16). The US Electronic Communications Privacy Act, for instance, forbids service providers in § 2702 to disclose content data without a U.S. warrant. However, if the issuing authority intends to uphold the order, it has to request a review by the competent court in its own state. If that court finds a conflict with laws that protect fundamental rights or interests of national defense and security, it has to consult the competent authorities in the respective third state through official channels, which then have 15 (with an extension possibility to 30) days to object to the order. If the third state’s authorities do not reply in time, the court can release the order for execution after sending a reminder with a five-day deadline. If the conflicting norms do not serve the protection of fundamental interests, the court can make its decision whether to quash the order by balancing the interests of the states in the disclosure of the data and in preventing the disclosure of the data. For this balance of interests, the court has to consider factors such as the degree of connection of the criminal case to either one of the jurisdictions.
What does the new legislation mean for enforcement jurisdiction in cyberspace?
Pursuant to the Lotus principle (established by the Permanent Court of International Justice as early as 1927), the exercise of enforcement jurisdiction, as an expression of a sovereign state’s power, is strictly limited to a state’s territory. As investigations are measures to enforce the criminal law, states are normally barred from conducting investigations on foreign states’ territory, unless the state has consented to the foreign investigation measures on its soil. However, applying this principle to the challenge posed by cyberspace seems to be contradictory, as cyberspace was designed to be borderless. Moreover, the location of data is just the result of a service provider’s business considerations. Therefore, the European Commission saw the need to move away from data location to data connection as the determinative factor for enforcement jurisdiction in cyberspace.
From an international law perspective, for European Production Orders that only have an internal EU dimension (the data is located on a server in an EU Member State), this move is not particularly problematic, as long as there is a valid EU legal basis. Such a basis appears to be present, as the proposed regulation is based on Article 82(1) of the Treaty on the Functioning of the EU, which provides that judicial cooperation in criminal matters is based on the principle of mutual recognition of judgments and judicial decisions. This includes the approximation of the laws and regulations of the Member States in a number of areas, including computer crime.
In contrast, Production Orders pertaining to data located on a server in a non-EU state are – from an international law perspective – more questionable. States outside the EU have not, at least not in a general sense, allowed EU-based law-enforcement authorities to carry out investigatory measures on their territory. Accordingly, such European Production Orders risk being in breach of the Lotus principle. Still, these orders respect foreign states’ sovereign interests insofar as they leave room for the affected states to protect their fundamental interests by requiring law-enforcement agencies to go through mutual legal assistance channels. Only when non-fundamental interests are at stake can the investigating state, on the basis of a Production Order, unilaterally access the data. This approach balances the notion of territoriality with the reality of the modern digitalized world.
Vera Jourová, EU Commissioner for Justice, Consumers and Gender Equality, recently said: “While law-enforcement authorities still work with cumbersome methods, criminals use fast and cutting-edge technology to operate. We need to equip law-enforcement authorities with 21st century methods to tackle crime, just as criminals use 21st century methods to commit crime.” The new proposals on EU Production and Preservation Orders hand law-enforcement authorities important tools in the fight against crime that exploit the opportunities offered by de-territorialized cyberspace. In the United States a similar legislative initiative, mooting the Microsoft Ireland Case which was pending before the US Supreme Court, has been taken to tackle such crime: the 2018 US CLOUD Act allows US law-enforcement agencies to compel domestic service providers to disclose data, regardless of its storage location.
At first sight, these initiatives push the boundaries of international law, as they allow for the taking of unilateral enforcement action on the territory of a non-consenting state. However, it must be kept in mind that public international law has been shaped and reshaped by states overstepping boundaries, thereby moulding customary international law (see, e.g., M Hakimi, ‘Unfriendly Unilateralism’, Harvard International Law Journal 2014). These proposals, if they become law, could trigger emerging custom on the permissibility of unilateral production orders.
Esther Vehling and Cedric Ryngaert