The European Production Order – Tackling the Problem of Enforcement Jurisdiction and Extraterritoriality in Cyberspace

On April 17th, 2018, the European Commission proposed new legislation to facilitate and accelerate access to digital evidence across borders in criminal investigations. The proposal aims at providing enforcement authorities with new tools for cross-border investigations in the digital era. European Production and Preservation Orders (the Orders) would allow law-enforcement authorities of a Member State to compel service providers – both domestic and foreign – offering services in the European Union to disclose or preserve user data, regardless of the data’s location. With this proposal, the European Commission moves away from territoriality as the determinative factor for enforcement jurisdiction in cyberspace. Thereby it could possibly set an international precedent to modernize international law in the area of transborder access to e-evidence.

With the proposal, the Commission is reacting to a particular challenge which the digitalized world has posed to law-enforcement. People nowadays make use of online services, such as Gmail, Facebook and Dropbox, that allow them to access their data in the, such as emails and photos, from different devices and different locations at all times. The service providers work with cloud computing, storing data on servers in several different jurisdictions to minimize data transmission and processing times. Facebook, for example, which is based in the US, uses servers not only in the US but also in Ireland, Sweden and Singapore. What is convenient for users, is problematic for law-enforcement authorities, however. If French law-enforcement authorities seek the contents of a Facebook message sent by a French suspect in the context of a crime committed on French soil against a French victim, they have to make use of mutual legal assistance treaties to access this data, as it is stored in foreign territory. Having to rely on this complex and slow mechanism (requests under such treaties take an average of ten months to be processed in the US!), has understandably led to frustration among law-enforcement agencies. This is not only because data can easily be moved, altered or deleted, but also because the data location in a foreign state (the ‘residual state’) is often the only international dimension of the case – making it hard for law enforcement agencies to understand why they should work through international cooperation channels.

How does the proposed EU regulation tackle the problem?

The European Production Order would allow law-enforcement agencies in an EU Member State to request service providers to disclose user data (not only information about the user, but also contents of e-emails, online storage accounts, etc.) within ten days or, in case of emergency, within six hours. The European Preservation Order would allow law-enforcement agencies to compel service providers to preserve data up to 60 days to allow time for requesting assistance from the data’s residual state.

The orders would be binding on all service providers established or offering services in the EU, regardless of the location of their offices. A provider is “offering services” if its service is accessible in a Member State and a sufficient connection between the provider and the territory of that state is established. Such a connection would inter alia exist when the provider offers and advertises the service in a Member State language, or when there are a considerable number of users within a member state’s territory. Facebook, for example, has such a connection with the EU: it offers its services under domestic domain names (Facebook.de; Facebook.it; Facebook.pl), it offers and advertises them in Member State languages (e.g.German, Italian and Polish), and it counts 370 million users per month in the EU.  It is recalled that, in the field of data protection, the Court of Justice of the EU, in the Google Spain case (2014), had, somewhat similarly, considered the EU Data Protection Directive applicable to a foreign operator of a search engine when it ‘sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State’.

Pursuant to the proposed instruments, the orders can pertain to all data at the disposition of the service provider, regardless of its storage location. Taking the example of Facebook, this would mean that Facebook would also have to disclose to French law-enforcement authorities data that is stored on servers in Singapore, the US or any other non-EU state. This can obviously lead to a conflict between the provider’s obligations under the European Production Order and the residual state’s law. Therefore, the legislation allows service providers headquartered in third states to refuse compliance with the European Production (although not Preservation) Order when facing such a conflict of obligations (Article 16). The US Electronic Communications Privacy Act, for instance, forbids service providers in § 2702 to disclose content data without a U.S. warrant. However, if the issuing authority intends to uphold the order, it has to request a review by the competent court in its own state. If that court finds a conflict with laws that protect fundamental rights or interests of national defense and security, it has to consult the competent authorities in the respective third state through official channels, which then have 15 (with an extension possibility to 30) days to object to the order. If the third state’s authorities do not reply in time, the court can release the order for execution after sending a reminder with a five-day deadline. If the conflicting norms do not serve the protection of fundamental interests, the court can make its decision whether to quash the order by balancing the interests of the states in the disclosure of the data and in preventing the disclosure of the data. For this balance of interests, the court has to consider factors such as the degree of connection of the criminal case to either one of the jurisdictions.

What does the new legislation mean for enforcement jurisdiction in cyberspace?

Pursuant to the Lotus principle (established by the Permanent Court of International Justice as early as 1927), the exercise of enforcement jurisdiction, as an expression of a sovereign state’s power, is strictly limited to a state’s territory. As investigations are measures to enforce the criminal law, states are normally barred from conducting investigations on foreign states’ territory, unless the state has consented to the foreign investigation measures on its soil. However, applying this principle to the challenge posed by cyberspace seems to be contradictory, as cyberspace was designed to be borderless. Moreover, the location of data is just the result of a service provider’s business considerations. Therefore, the European Commission saw the need to move away from data locationto data connectionas the determinative factor for enforcement jurisdiction in cyberspace.

From an international law perspective, for European Production Orders that only have an internal EU dimension (the data is located on a server in an EU Member State), this move is not particularly problematic, as long as there is a valid EU legal basis. Such a basis appears to be present, as the proposed regulation is based on Article 82(1) of the Treaty on the Functioning of the EU, which provides that judicial cooperation in criminal matters is based on the principle of mutualrecognition of judgments and judicial decisions.Thisincludesthe approximation of the laws andregulations of the Member Statesin a number of areas, including computer crime.

In contrast, Production Orders pertaining to data located on a server in a non-EU state, are –from an international law perspective – more questionable. States outside the EU have not, at least not in a general sense, allowed EU-based law-enforcement authorities to carry out investigatory measures on their territory. Accordingly, such European Production Orders risk being in breach of the Lotus principle. Still, these orders respect foreign states’ sovereign interests insofar as they leave room for the affected states to protect their fundamental interests by requiring law-enforcement agencies to go through mutual legal assistance channels. Only when non-fundamental interests are at stake can the investigating state, on the basis of a Production Order, unilaterally access the data. This approach balances the notion of territoriality with the reality of the modern digitalized world.

Concluding observations

Vera Jourová, EU Commissioner for Justice, Consumers and Gender Equality recently said: While law-enforcement authorities still work with cumbersome methods, criminals use fast and cutting-edge technology to operate. We need to equip law-enforcement authorities with 21stcentury methods to tackle crime, just as criminals use 21stcentury methods to commit crime.” The new proposals on EU Production and Preservation Orders hand law-enforcement authorities important tools in the fight against crime that exploit the opportunities offered by de-territorialized cyberspace. In the United States a similar legislative initiative, mooting the Microsoft Ireland Case which was pending before the US Supreme Court, has been taken to tackle such crime: the 2018 US CLOUD Act allows US law-enforcement agencies to compel domestic service providers to disclose data, regardless of its storage location.

At first sight, these initiatives push the boundaries of international law, as they allow for the taking of unilateral enforcement action on the territory of a non-consenting state. However, it must be kept in mind that public international law has been shaped and reshaped by states overstepping boundaries, thereby moulding customary international law (see, e.g., M Hakimi, ‘Unfriendly Unilateralism’, Harvard International Law Journal 2014). These proposals, if they become law, could trigger emerging custom on the permissibility of unilateral production orders.

Esther Vehling and Cedric Ryngaert

Legal Status of Robots: The RENFORCE/UGlobe Seminar and Why I Decided to Sign the Open Letter

Photo credits: iStock/Global_PhonlamaiPhoto

Should a robot enjoy any legal status independent of its human creators? If so, what kind of legal status would that be? Should the robot enjoy its/her/his “rights”? One’s answers to these futuristic questions might in part depend on whether one’s image of autonomous robots comes from the film Bicentennial Man (1999) based on Isaac Asimov’s novel or a more recent movie Ex Machina (2014). In the film version of Bicentennial Man, a highly autonomous robot played by Robin Williams exhibits humorous, friendly, and warm-hearted characteristics that co-exist with human communities. By contrast, in Ex Machina, a beautiful human-looking robot ended up deceiving a man and achieving freedom by taking advantage of the trust that the man developed towards the robot. While we cannot tell if such a self-governing robotic machine could ever be built, these two movies depict diametrically opposed scenarios that robots can have both beneficial and disturbing consequences to human beings. Lees verder

Cambridge Analytica and Facebook Fallout: The Renforce/UGlobe Seminar

On 11 April 2018, Facebook founder and CEO Mark Zuckerberg appeared at the US congressional hearings. At the heart of the testimony was the Cambridge Analytica fallout on the misuse of Facebook users’ data, which continues to reveal the vulnerabilities of social media companies and their impact on politics. The business model of social media companies is based on the sale of advertisements and the provision of apps which allow the social media platforms to make the most of users’ data. Their businesses’ unique strength resides in the “targeted advertising” of potential consumers — and voters. While Facebook and other similar social media generate an enormous benefit of sharing information, the companies’ reliance on users’ data triggers an unprecedented risk of information misuse, not only in a commercial sense, but also for political campaigns. Lees verder

Disrupting Technologies – A UGlobe Dialogue on Bulk Interception of Communications

Photo credits: iStock/Global_PhonlamaiPhoto

The UGlobe Dialogue Series “Disrupting Technologies?” hosted its first event on 15 March 2018, in the week before the Referendum on a new Dutch Law on the Intelligence and Security  Services (the Wet op de inlichtingen- en veiligheidsdiensten, Wiv). This new law would extend the possibilities of secret services to monitor online behavior. Technology has changed since the usage of fixed telephony and dialup internet-access in the 1990s to the widespread use of smartphones, 4G and Wi-Fi-hotspots in 2018.  So changes in the law regulating the intelligence services are necessary, and in view of the upcoming referendum it is necessary to engage in a debate on the new competences regarding these new technologies and the framework of supervision of these intelligence and security services. Lees verder

Rotten fisheries: EU Advocate-General finds EU-Morocco Fisheries Agreement incompatible with international law 

Credit: Katarina Dzurekova (CC BY)

The validity and scope of EU-Morocco trade agreements with respect to Western Sahara – a territory occupied by Morocco – has kept the Court of the Justice of the EU (CJEU) rather busy lately. In 2016, in a case brought by the Front Polisario, a movement fighting for the national liberation of the people of Western Sahara (the Sahrawi), the CJEU ruled that the territorial scope of the EU-Morocco Liberalization Agreement, which liberalizes trade in mainly agricultural products, did not extend to Western Sahara (see for a comment on this blog here, and for other comments here, here and here). Currently, a request for a preliminary ruling, referred by a UK court, concerning the validity of the EU-Morocco Fisheries Partnership Agreement is pending before the CJEU. This Agreement gives EU vessels access to fisheries in Moroccan fishing zones, in return for which the EU provides Morocco with financial contributions. On its face, this Agreement appears to apply not only to the waters off the coast of Morocco proper, but also those off the coast of Western Sahara. The case raises issues of self-determination of the Sahrawi in respect of the exploitation of ‘their’ natural resources, and the role of the EU in this respect. In January 2018, Advocate-General (A-G) Wathelet of the CJEU delivered his opinion in the case, proposing that the Fisheries Agreement should be considered invalid on the ground that it violates the right to self-determination of the Sahrawi people. This post commends the opinion for its detailed, although not always accurate, engagement with international law, and highlights the political salience of the case.

Lees verder

The external effects of the EU’s regulation of sulfur dioxide (SOx) emissions

On 10 November 2017, I had the honor to be the sole opponent for the (successful) public defense of Philip Linné’s doctoral thesis on ‘Regulating vessel-source air pollution: standard-setting in the regulation of SOx emissions’, at Gothenburg University (Sweden). The thesis concerns the regulatory response, at different scales, including notably the EU scale, to tackle the environmental and human health impacts caused by sulfur oxide (SOx) emissions from the exhausts of seagoing ships. In this post, I reflect on the international legality and especially the external effects of relevant ‘unilateral’ EU action to tackle SOx emissions, i.e., action that goes beyond what is required by international law. Building on, but also adding to Philip Linné’s insights, I argue that by taking unilateral action, the EU has accelerated the calendar for strengthening global environmental standards in respect of SOx emissions. Lees verder

‘Regeerakkoord vergeet EU bij voorstellen mededingingsrecht’

Prof. Anna Gerbrandy schreef voor NRC een column over het mededingingsrecht en het regeerakkoord:

De nieuwe regering wil meer aandacht voor niet-economische belangen in het mededingingsrecht, zo blijkt uit het regeerakkoord. Ze houdt echter weinig rekening met het EU-mededingingsrecht. Ten eerste wil de nieuwe regering dat het mededingingsrecht aandacht heeft voor de ‘machtsbalans’ in de eerstelijnszorg. Zij stelt voor “dat het mededingingstoezicht daar rekening mee houdt” wanneer “samenwerking in het belang van patiënten gefrustreerd wordt door (toepassing) van mededingingsregels”. Dan “is aanpassing van (de toepassing van) deze regels aangewezen”. Ook in de land- en tuinbouwsector moet het mededingingsrecht tegenwicht bieden aan “ongelijke machtsverhoudingen”. Daarom wordt “de mededingingswet (…) aangepast” en “samenwerking (…) expliciet toegestaan”. Verder moet het mededingingsrecht in algemene zin meer ruimte geven aan gezamenlijke duurzaamheidsinitiatieven van ondernemingen: “We onderzoeken of en hoe de mededingingswetgeving kan worden aangepast als deze samenwerking met het oog op duurzaamheid, tussen bedrijven en in ketens, in de weg staat.”

Lees verder op NRC.nl.

Ambtelijke fusies tussen gemeenten opgelet: einde aan de verruimde btw-vrijstelling?

Door mr. Willem A. Janssen & mr. Nathan Meershoek

Overheden krijgen vaak te maken met fiscale wetgeving. Zo kan er een verplichting bestaan om btw af te dragen wanneer overheden samenwerken. De interpretatie van dit fiscale kader is sinds 15 september jl. in beweging. Uit een Kamerbrief van de staatssecretaris van Financiën blijkt namelijk dat gemeenten, die samenwerken op basis van een ambtelijke fusie, vanaf 1 januari a.s. mogelijk weer btw moeten gaan betalen over de geleverde diensten.

Lees verder

‘EU Agencies’ label: to what extent should we treat them all as ‘one’?

Twenty years ago, Alexander Kreher wrote one of the first articles on EU agencies arguing for the growing importance of this ‘institutional phenomenon’, which was almost completely ignored within the academic literature of that time. Judging from the countless number of academic articles and the tremendous growth of the cumulative budget (via-s-via the Commission, see Figure 1), it seems that the importance of EU agencies has only grown. The emevelopment in researching and governing EU Agencies has gone from gathering the somewhat scattered creations of agencies in different policy areas, under different treaty provisions, with different powers and for different purposes, etc. to bringing them under one ‘EU agencies’ umbrella as part of the EU executive machinery distinct from the EU Commission. Indeed, EU agencies have been treated as an ensemble for the budgetary purposes, also at the European Parliament, where the practice of three agencies’ directors would defend budgetary proposals on behalf of all ‘EU agencies’. We have seen the creation of the ‘Common Approach’ and later a roadmap with a view of streamlining the creation and revision of the founding acts of EU agencies. Furthermore, EU agencies’ directors have organized themselves in a network of agencies’ directors to discuss common challenges. To what extent, however, should we treat them as one? Lees verder