Yesterday, after extensive work and consultation, the European Commission announced its proposal on European Production Orders for electronic evidence in criminal matters. This is another important step on the path towards a more coherent international framework for lawful access to data in the cloud computing era.
The Commission’s proposal contains many safeguards and limitations that could form the basis of an acceptable framework for the EU, and explicitly foresees the need to work towards international agreements with third countries, particularly the U.S.
All citizens and organizations are rightfully concerned about any access to their personal and confidential data stored in cloud services or digital devices. While cloud providers like Microsoft, as custodians of customer data, must protect it vigilantly, society also expects law enforcement authorities to do their job to protect public safety. There also need to be lawful ways for law enforcement to access data as evidence in investigations when necessary, but in full respect of fundamental rights. Developing the means by which such lawful access can be achieved, especially when law enforcement needs to reach across borders to obtain such evidence, requires careful balancing of fundamental rights, security interests, and sovereign interests. That balance requires safeguards and limitations on these police powers, and a framework for international cooperation, that citizens can accept.
We need a better and more harmonized approach in the EU and beyond, so it is important that European legislation be adopted in a reasonable time. The Commission’s proposal deserves careful study and discussion. We hope a consensus can be found during this Parliament’s term.
We are encouraged by a number of elements in the proposal:
- The proposal provides a clear categorization of the types of crimes and types of data to which it would apply.
- It covers only stored data (not wiretaps, for example).
- It also does not attempt to address the controversial area of “direct access” of data by governments (known as “government hacking”).
- Importantly, the proposal lays out a clear mechanism for dealing with conflicts of laws, when service providers could face inconsistent obligations regarding the disclosure of data.
- The proposal also recognizes that law enforcement authorities should not always seek data from service providers, especially when data is directly controlled by enterprises or is protected by specific immunities and privileges.
- Furthermore, the proposal leaves in place the current European Investigative Order and Mutual Legal Assistance procedures when they are more appropriate processes.
We appreciate that the Commission has engaged with civil society, law enforcement and industry on this topic, and has worked hard to take into account stakeholders' concerns in the consultation process. This is an encouraging start. We are looking forward to further supporting the work of the EU legislative institutions on this proposal in the coming months.