Microsoft supports efforts by EU lawmakers to enshrine strong fundamental rights protections in the E-Evidence Regulation. The EU’s new rules on accessing digital evidence stored in another EU member state need to help law enforcement solve serious crime, but at the same time protect the fundamental rights of European citizens.
We recognize the challenges that law enforcement authorities face in protecting people in today’s complex digital world, and we understand that law enforcement agencies often have legitimate needs to access the online data of individuals and organizations to keep the public safe. We also recognize that the current system for obtaining such data should be improved. For these reasons, we supported in principle the Commission’s proposal for an E-Evidence Regulation issued in April 2018. The Commission’s proposal made a strong effort at balancing citizens and organizations’ privacy interests with the needs of public safety and security.
However, we have serious reservations with the proposed E-Evidence text issued by the Council of the European Union in December 2018. The Council proposal falls short of the principles that Microsoft believes all legal regimes governing law enforcement access to data in the cloud should enshrine.
The European Parliament’s Committee for Civil Liberties, Justice and Home Affairs is taking a different approach and we are looking forward to the draft report on E-Evidence by rapporteur MEP Birgit Sippel, which is expected to be published and discussed in the coming days.
At Microsoft we believe that the Council’s E-Evidence proposal is missing at least four principal safeguards, which are necessary to ensure service providers are in the best position to accommodate public safety needs while also ensuring that Europeans and their data is protected. We call on EU legislators to:
- Establish notice-by-default for persons targeted by orders issued under the Regulation. The Regulation should permit service providers to notify users of any order seeking access to their data unless the order is accompanied by a separate non-disclosure order from a judge prohibiting such notice. To keep the order secret, issuing authorities should be required to establish, before an independent judicial authority, that notice would imperil an ongoing investigation or endanger public safety. Authorities should also demonstrate that the order is limited in scope and duration to what is necessary and proportionate to avoid infringing fundamental rights.
- Require a means to ensure EU Member States can invoke protections for their citizens and the organizations that maintain their data. Law enforcement authorities may demand access to data belonging to individuals or organizations located in a different EU Member State. The Member State where the target resides will be in the best position to identify any applicable protections and will have the strongest interest in defending these protections. This safeguard should not be unduly burdensome. In Microsoft’s experience, only around 7% of demands by law enforcement agencies for user data involve targets located in a different Member State.
- Give service providers the right to contest an order when they believe the demand is unlawful, overbroad, or otherwise inappropriate. The first line of defense to stop unlawful orders is the judge who must authorize the order and assess compliance with the EU treaties. But in some cases, a second line of defense is warranted, when only the service provider is in a position to identify problematic orders. Providers should have a clear means to contest orders in these rare circumstances.
- Require law enforcement agencies to use European Production Orders or other Union measures for cross border scenarios rather than domestic procedures. EU Member States can continue using their domestic procedures for domestic matters but allowing Member States to bypass the EU framework for cross border scenarios undercuts the important protections of the E-Evidence proposal. Reverting to their national orders creates an exception that could swallow the entire rule.
Microsoft has been centrally engaged in the legal, political and policy debates on how law enforcement agencies should be able to access data that is stored abroad to solve serious crime. In 2013 we challenged the U.S. Government in court over the use of outdated domestic laws to request data stored in Europe and we fought the case all the way to the U.S. Supreme Court. We continue to advocate for modern laws to govern how law enforcement data should be regulated, and we support negotiations for international treaties in which governments agree on balanced rules to access data that is stored outside of their jurisdictions. But we believe that robust protection of fundamental rights must be a paramount concern in each law and treaty.