How Europe Is Strengthening Its E-Evidence Rules

As digitalization speeds up and the number of daily digital interactions continues to rise, law enforcement agencies are increasingly relying on digital evidence to investigate crimes. In Europe, this trend has reconfirmed the need to update, improve, and strengthen the current European legislative framework for law enforcement access to digital evidence, especially in cross-border cases. While Member States have a long history of working together on criminal investigations, the growing amount of digital evidence—including emails, IP addresses, and documents stored in the cloud—requires creating new tools and strengthening existing ones to improve cooperation across the EU and to ensure that data subjects’ fundamental rights are protected.

More than half of all criminal investigations today include a cross-border request to access electronic evidence. The current system for accessing e-evidence across jurisdictions in Europe and outside relies on the European Investigation Order (EIO) and on Mutual Legal Assistance Treaties (MLATs). The EIO provides for a European system to request the carrying out of investigative activities (including access to physical and digital evidence) while MLATs provide bilateral coordination frameworks, but in practice, they have become one of the chief concerns for law enforcement authorities today. According to the latest Europol SIRIUS EU Digital Evidence Situation Report, MLATs and the EIO are not agile enough to access digital evidence expeditiously. They also use a variety of different formats for requesting data from service providers, which creates inefficiencies even for lawful requests and which a harmonized framework could address.

Service providers—including BSA and its members—have long supported an EU-wide legislative framework that would replace the current instruments and provide a single, harmonized system for access to digital evidence. The European Commission’s e-Evidence package aims to achieve just that. The package was first put forward in 2018, and trilogue negotiations on it launched in February this year. Talks are now focusing on two key aspects.

First is ensuring appropriate judicial checks before data is released. Negotiations center around ensuring that EU law enforcement authorities can quickly and readily access digital evidence across jurisdictions while protecting citizens’ fundamental rights.

The European Parliament has significantly improved the Commission’s original proposal, putting forward a position that would require a stronger set of checks and balances between Member States. In particular, the Parliament’s position would establish a notification system whereby data access requests would be checked by a judicial authority in the issuing country and would also be checked—within time limits—by the judicial authority of the country where the service provider is established. On the latter point, the place of establishment should continue to be the discriminating factor on the cross-border nature of an investigation, as it would ensure that service providers are compliant with both the law enforcement authority’s request and the laws of the country where they are established.

Negotiations are now focused on finding a compromise to ensure such safeguards are maintained for the most crucial categories of data—so-called content data—in a manner that is both practical for Member States and protects the fundamental rights of data subjects. According to Europol, the vast majority of law enforcement access requests focus in the first instance on less sensitive “subscriber information,” roughly constituting 90 percent of requests. One realistic compromise would be to establish an enhanced notification system only for more sensitive data (content data), while subscriber information would rely on the judicial control of the issuing country. A compromise along these lines would be an important step towards finalizing negotiations on the e-Evidence Regulation.

Second, the Commission’s, Council’s, and Parliament’s initial negotiation positions on the e-Evidence package each recognize that the role of service providers is much more active than traditionally reflected in MLATs, which generally consider service providers as mere executors of data access requests. While current negotiations have signaled the possibility of limiting the role of service providers, the final version of the Regulation should retain this recognition to ensure that service providers can play a role in helping both citizens and Member States navigate the complex waters of cross-border law enforcement data access. This recognition is important not only from a purely technological standpoint but also because service providers are often well placed to voice concerns on data access requests before national courts.

Allowing service providers to oppose requests on both formal and substantive grounds would help maintain trust in digital service providers by ensuring that law enforcement access requests are further verified—if warranted—on those grounds during the investigation, rather than overwhelmingly during trial. In a similar vein, service providers should be allowed to notify customers when their data is being sought by law enforcement authorities, which should rely on so-called “gag orders” only when approved by a judicial authority and only on an exceptional basis for a limited duration. Increased transparency and accountability would benefit citizens’ trust in law enforcement investigations and in the management of their personal data.

To this end, the software industry continues to seek ways to address concerns related to law enforcement access to data and fundamental rights. Several leading cloud service providers recently released a set of five Trusted Cloud Principles to promote public safety and protect privacy and data security in the cloud. The key to achieving these objectives is the commitment to multistakeholder cooperation—among the tech sector, public interest groups, and governments worldwide.

As Europe’s e-Evidence negotiations continue, it is crucial to make sure that the three key objectives of the Regulation are maintained. They include:

  • Creating an instrument that facilitates cross-border cooperation;
  • Establishing clear rules and safeguards; and
  • Ensuring that all entities involved have a voice and a role in the proceedings.

It is imperative that the negotiations on the Regulation are concluded as soon as possible to provide Europe with a modern, efficient, and effective framework to govern access to digital evidence across borders. The proposed system should strengthen citizens’ protections, allow law enforcement authorities better access to the digital evidence they need, and provide service providers with a uniform and harmonized system that would allow them to both respond speedily to law enforcement authorities and ensure the best protection of their customers’ data.

For detailed recommendations on strengthening Europe’s rules on law enforcement access to data, read BSA’s Position Paper on the e-Evidence Regulation.

Author:

Matteo Quattrocchi is Director, Policy – EMEA at BSA | The Software Alliance in Brussels, Belgium. In this role, he works with BSA members to develop and advance policy positions on a range of key issues, with a focus on artificial intelligence, copyright and government access to data. Prior to joining BSA, Quattrocchi was a Public Affairs Specialist at the U.S. Mission to the EU where he coordinated the outreach to EU stakeholders on Economic Affairs, with a focus on digital, energy, trade and environmental issues. Quattrocchi earned an LL.M. in International Legal Studies at the Georgetown University Law Center, and a Master’s degree in International and European Law at LUISS Guido Carli, in Rome, Italy. Quattrocchi speaks English, Italian and French. He is based in BSA’s Brussels office.