Categorie archief: Actoren in de gedeelde rechtsorde

The European Production Order – Tackling the Problem of Enforcement Jurisdiction and Extraterritoriality in Cyberspace

On April 17th, 2018, the European Commission proposed new legislation to facilitate and accelerate access to digital evidence across borders in criminal investigations. The proposal aims at providing enforcement authorities with new tools for cross-border investigations in the digital era. European Production and Preservation Orders (the Orders) would allow law-enforcement authorities of a Member State to compel service providers – both domestic and foreign – offering services in the European Union to disclose or preserve user data, regardless of the data’s location. With this proposal, the European Commission moves away from territoriality as the determinative factor for enforcement jurisdiction in cyberspace. Thereby it could possibly set an international precedent to modernize international law in the area of transborder access to e-evidence.

With the proposal, the Commission is reacting to a particular challenge which the digitalized world has posed to law-enforcement. People nowadays make use of online services, such as Gmail, Facebook and Dropbox, that allow them to access their data, such as emails and photos, from different devices and different locations at all times. The service providers work with cloud computing, storing data on servers in several different jurisdictions to minimize data transmission and processing times. Facebook, for example, which is based in the US, uses servers not only in the US but also in Ireland, Sweden and Singapore. What is convenient for users, is problematic for law-enforcement authorities, however. If French law-enforcement authorities seek the contents of a Facebook message sent by a French suspect in the context of a crime committed on French soil against a French victim, they have to make use of mutual legal assistance treaties to access this data, as it is stored in foreign territory. Having to rely on this complex and slow mechanism (requests under such treaties take an average of ten months to be processed in the US!), has understandably led to frustration among law-enforcement agencies. This is not only because data can easily be moved, altered or deleted, but also because the data location in a foreign state (the ‘residual state’) is often the only international dimension of the case – making it hard for law enforcement agencies to understand why they should work through international cooperation channels.

How does the proposed EU regulation tackle the problem?

The European Production Order would allow law-enforcement agencies in an EU Member State to request service providers to disclose user data (not only information about the user, but also contents of e-emails, online storage accounts, etc.) within ten days or, in case of emergency, within six hours. The European Preservation Order would allow law-enforcement agencies to compel service providers to preserve data up to 60 days to allow time for requesting assistance from the data’s residual state.

The orders would be binding on all service providers established or offering services in the EU, regardless of the location of their offices. A provider is “offering services” if its service is accessible in a Member State and a sufficient connection between the provider and the territory of that state is established. Such a connection would inter alia exist when the provider offers and advertises the service in a Member State language, or when there are a considerable number of users within a member state’s territory. Facebook, for example, has such a connection with the EU: it offers its services under domestic domain names (Facebook.de; Facebook.it; Facebook.pl), it offers and advertises them in Member State languages (e.g.German, Italian and Polish), and it counts 370 million users per month in the EU.  It is recalled that, in the field of data protection, the Court of Justice of the EU, in the Google Spain case (2014), had, somewhat similarly, considered the EU Data Protection Directive applicable to a foreign operator of a search engine when it ‘sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State’.

Pursuant to the proposed instruments, the orders can pertain to all data at the disposition of the service provider, regardless of its storage location. Taking the example of Facebook, this would mean that Facebook would also have to disclose to French law-enforcement authorities data that is stored on servers in Singapore, the US or any other non-EU state. This can obviously lead to a conflict between the provider’s obligations under the European Production Order and the residual state’s law. Therefore, the legislation allows service providers headquartered in third states to refuse compliance with the European Production (although not Preservation) Order when facing such a conflict of obligations (Article 16). The US Electronic Communications Privacy Act, for instance, forbids service providers in § 2702 to disclose content data without a U.S. warrant. However, if the issuing authority intends to uphold the order, it has to request a review by the competent court in its own state. If that court finds a conflict with laws that protect fundamental rights or interests of national defense and security, it has to consult the competent authorities in the respective third state through official channels, which then have 15 (with an extension possibility to 30) days to object to the order. If the third state’s authorities do not reply in time, the court can release the order for execution after sending a reminder with a five-day deadline. If the conflicting norms do not serve the protection of fundamental interests, the court can make its decision whether to quash the order by balancing the interests of the states in the disclosure of the data and in preventing the disclosure of the data. For this balance of interests, the court has to consider factors such as the degree of connection of the criminal case to either one of the jurisdictions.

What does the new legislation mean for enforcement jurisdiction in cyberspace?

Pursuant to the Lotus principle (established by the Permanent Court of International Justice as early as 1927), the exercise of enforcement jurisdiction, as an expression of a sovereign state’s power, is strictly limited to a state’s territory. As investigations are measures to enforce the criminal law, states are normally barred from conducting investigations on foreign states’ territory, unless the state has consented to the foreign investigation measures on its soil. However, applying this principle to the challenge posed by cyberspace seems to be contradictory, as cyberspace was designed to be borderless. Moreover, the location of data is just the result of a service provider’s business considerations. Therefore, the European Commission saw the need to move away from data locationto data connectionas the determinative factor for enforcement jurisdiction in cyberspace.

From an international law perspective, for European Production Orders that only have an internal EU dimension (the data is located on a server in an EU Member State), this move is not particularly problematic, as long as there is a valid EU legal basis. Such a basis appears to be present, as the proposed regulation is based on Article 82(1) of the Treaty on the Functioning of the EU, which provides that judicial cooperation in criminal matters is based on the principle of mutualrecognition of judgments and judicial decisions.Thisincludesthe approximation of the laws andregulations of the Member Statesin a number of areas, including computer crime.

In contrast, Production Orders pertaining to data located on a server in a non-EU state, are –from an international law perspective – more questionable. States outside the EU have not, at least not in a general sense, allowed EU-based law-enforcement authorities to carry out investigatory measures on their territory. Accordingly, such European Production Orders risk being in breach of the Lotus principle. Still, these orders respect foreign states’ sovereign interests insofar as they leave room for the affected states to protect their fundamental interests by requiring law-enforcement agencies to go through mutual legal assistance channels. Only when non-fundamental interests are at stake can the investigating state, on the basis of a Production Order, unilaterally access the data. This approach balances the notion of territoriality with the reality of the modern digitalized world.

Concluding observations

Vera Jourová, EU Commissioner for Justice, Consumers and Gender Equality recently said: While law-enforcement authorities still work with cumbersome methods, criminals use fast and cutting-edge technology to operate. We need to equip law-enforcement authorities with 21stcentury methods to tackle crime, just as criminals use 21stcentury methods to commit crime.” The new proposals on EU Production and Preservation Orders hand law-enforcement authorities important tools in the fight against crime that exploit the opportunities offered by de-territorialized cyberspace. In the United States a similar legislative initiative, mooting the Microsoft Ireland Case which was pending before the US Supreme Court, has been taken to tackle such crime: the 2018 US CLOUD Act allows US law-enforcement agencies to compel domestic service providers to disclose data, regardless of its storage location.

At first sight, these initiatives push the boundaries of international law, as they allow for the taking of unilateral enforcement action on the territory of a non-consenting state. However, it must be kept in mind that public international law has been shaped and reshaped by states overstepping boundaries, thereby moulding customary international law (see, e.g., M Hakimi, ‘Unfriendly Unilateralism’, Harvard International Law Journal 2014). These proposals, if they become law, could trigger emerging custom on the permissibility of unilateral production orders.

Esther Vehling and Cedric Ryngaert

The external effects of the EU’s regulation of sulfur dioxide (SOx) emissions

On 10 November 2017, I had the honor to be the sole opponent for the (successful) public defense of Philip Linné’s doctoral thesis on ‘Regulating vessel-source air pollution: standard-setting in the regulation of SOx emissions’, at Gothenburg University (Sweden). The thesis concerns the regulatory response, at different scales, including notably the EU scale, to tackle the environmental and human health impacts caused by sulfur oxide (SOx) emissions from the exhausts of seagoing ships. In this post, I reflect on the international legality and especially the external effects of relevant ‘unilateral’ EU action to tackle SOx emissions, i.e., action that goes beyond what is required by international law. Building on, but also adding to Philip Linné’s insights, I argue that by taking unilateral action, the EU has accelerated the calendar for strengthening global environmental standards in respect of SOx emissions. Lees verder

‘EU Agencies’ label: to what extent should we treat them all as ‘one’?

Twenty years ago, Alexander Kreher wrote one of the first articles on EU agencies arguing for the growing importance of this ‘institutional phenomenon’, which was almost completely ignored within the academic literature of that time. Judging from the countless number of academic articles and the tremendous growth of the cumulative budget (via-s-via the Commission, see Figure 1), it seems that the importance of EU agencies has only grown. The emevelopment in researching and governing EU Agencies has gone from gathering the somewhat scattered creations of agencies in different policy areas, under different treaty provisions, with different powers and for different purposes, etc. to bringing them under one ‘EU agencies’ umbrella as part of the EU executive machinery distinct from the EU Commission. Indeed, EU agencies have been treated as an ensemble for the budgetary purposes, also at the European Parliament, where the practice of three agencies’ directors would defend budgetary proposals on behalf of all ‘EU agencies’. We have seen the creation of the ‘Common Approach’ and later a roadmap with a view of streamlining the creation and revision of the founding acts of EU agencies. Furthermore, EU agencies’ directors have organized themselves in a network of agencies’ directors to discuss common challenges. To what extent, however, should we treat them as one? Lees verder

“Noem het bij de naam: de Europese Politieke Unie komt eraan”

Renforce-onderzoeker Ton van den Brink schreef voor NRC een column  over de hervormingsvoorstellen van de Europese Commissie.

“De omvorming van de Europese Economische en Monetaire Unie (EMU) in een echte politieke unie? Wat lang ondenkbaar leek, zou nu toch zomaar kunnen gebeuren.

De plannen voor hervorming die nu op tafel liggen zijn weliswaar bescheiden, maar niettemin onmiskenbare stappen in die richting. Ze geven EU instellingen rechtstreeks grip op economisch beleid in de lidstaten en leiden tot meer ruimte voor politieke belangenafweging.

Nu dreigt het gevaar dat de hervormingsplannen alleen worden beoordeeld op hun praktisch nut, als oplossingen voor de huidige problemen van de eurozone. Het debat, zeker ook in Nederland, zou in plaats daarvan juist over de transformatie naar een politieke unie moeten gaan. Anders ontstaat later gemakkelijk het beeld dat de EU ons de politieke unie heeft ingerommeld.”

Lees de volledige column bij NRC.

Verkiezingen 2017: staat de aanbesteding op de kaart?


Door Willem Janssen & Laura de Vries      

Op 15 maart 2017 gaat Nederland naar de stembus. Het beloven interessante Tweede Kamerverkiezingen te worden. De economie, werkgelegenheid, immigratie en EU zullen daarin waarschijnlijk een belangrijke rol gaan spelen. Dit blijkt ook uit de – veelal erg lijvige – verkiezingsprogramma’s van politieke partijen. Ook aanbestedingen komen daarin met regelmaat terug. In deze bijdrage geven wij een overzicht van de standpunten en voorstellen met betrekking tot aanbestedingen. Wij beperken ons tot de verkiezingsprogramma’s van partijen die in de recentelijke peiling van Ipsos het grootste waren (50plus, CDA, ChristenUnie, D66, GroenLinks, PvdA, PvdD, PVV, SGP, SP, VVD).

Lees verder

Rem tegen EU-bevoegdheidsoverdracht: drie bezwaren tegen het SGP-plan

Copyright: Tristan Sprarks

De SGP wil de EU beter in de teugels houden. Daarom vindt de partij dat belangrijke wijzigingen van de EU-verdragen in het vervolg alleen met een 2/3 meerderheid in beide kamers van onze Staten-Generaal aangenomen kunnen worden. Het gaat de SGP vooral om verdragen waarin nieuwe bevoegdheden aan de EU worden overgedragen (maar bijvoorbeeld ook de toetreding van nieuwe lidstaten). Of het nodig is om de EU meer in de teugels te houden is vooral een politieke vraag. Echter, ook – en zelfs: juist – als het antwoord op die vraag “ja” is, dan is het plan van de SGP om drie redenen een slecht idee. Lees verder

The Polisario Front Judgment of the EU Court of Justice: a Reset of EU-Morocco Trade Relations in the Offing

Credit: Katarina Dzurekova (CC BY)

On 21 December 2016, the Court of Justice of the EU (CJEU) gave its appeals judgment in the politically contentious Polisario Front case. The Court overruled an earlier decision of the General Court (GC, 2015) and decided that the EU-Morocco trade agreement does not apply to the territory of Western Sahara, which is claimed by Morocco as its own (see Sandra Hummelbrunner and Anne-Carlijn Prickartz’s analysis). The Court then went on to dismiss the action for annulment brought against the EU Council decision endorsing the agreement by the Polisario Front, a national liberation movement representing the Saharawi population indigenous to Western Sahara. In so doing, the Court largely followed Advocate General Wathelet’s advisory opinion, at least its first part (see on this Katharine Fortin’s analysis over at the UCall blog). The dismissal of the Polisario Front’s action may appear to be a victory for the EU Council and Morocco. However, in a manner reminiscent of Pyrrhus’s battles with the Romans in the 3rd century BC, it may well turn out to be a loss, and in fact a boon for the Saharawi. Although the CJEU held that the Front did not have standing to dispute the EU Council decision, this determination precisely followed from the Court’s recognition of the people of Western Sahara’s right to self-determination and the attendant exclusion of the territory from the trade agreement. Henceforth, the EU Council and Morocco have no other choice than to exclude products from Western Sahara from their trade agreements. Lees verder

How Failing Aggregates Brought About a Landmark Decision of the CJEU

by Kilian Klinger & Linda Senden

by tablexxnx

The Court’s recent ruling in the Elliott case can be seen as a landmark decision as it was the first time the Court had to decide upon the normative value of European harmonised technical standards (HTSs). This took its starting point in the mere question brought before the Court, whether or not such acts, adopted by private European standardisation bodies (ESBs), are subject to the Court’s jurisdiction to give a preliminary ruling on their interpretation pursuant to Art. 267 TFEU. Before substantiating on the central argumentative underpinnings of the Court’s judgment, let us first briefly summarize the facts of the case. Lees verder

Ripples from across the pond: Extraterritorial Effects of the Microsoft Ireland Case

water-1117700_1280-2

One of the big internet cases of this year, the Microsoft Ireland case, has come to an end about a month ago as the 2nd Circuit Court has handed down its ruling in favour of Microsoft. The case made quite a splash and has been covered  before at the RENFORCE blog. With the verdict in, the time is ripe to revisit it and look at it again, this time from a different angle. Lees verder