Brussels Privacy Hub has moved to a new website as of 18 May 2022. The new website is available at www.brusselsprivacyhub.com. This version of the website will be stored for archiving purposes. Please see the new website for the latest updates.

WORKSHOP

SUMMARY

WORKSHOP • 18 APRIL 2018

LUNCHTIME WORKSHOP:

Law Enforcement Data Access Series: US CLOUD-Act: Signalling change in global data flows?

by Sergi Vazquez Maymir, Brussels Privacy Hub, LSTS, VUB

SUMMARY

On April 18, 2018, the Brussels Privacy Hub, in collaboration with the JUD-IT project¹ ,  hosted the event “US CLOUD-Act: Signalling change in global data flows?”, the first event in its recently launched Law Enforcement Data Access Series. Chaired by Professor Gloria González Fuster (Vrije Universiteit Brussel), the event brought together the views of Mr. Mr. Jason Biros (U.S. mission to the European Union), Mr. Juraj Safjert (DG JUST, European Commission), Mrs. Maryant Fernández Pérez (European Digital Rights) and Jens-Henrik Jeppesen (Centre for Democracy & Technology).

The event aimed to provide a first assessment on the passing of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act or the Act) in the United States (U.S.) signed into law on March 23, 2018²,  while taking the opportunity to share the panellists’ first impressions on the two new proposals from the European Commission (EC) on cross border access to electronic data by police and judicial authorities. These proposals, presented on April 17, 2018 consist of a Regulation on the European Production and Preservation Orders for electronic evidence in criminal matters and a Directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings (hereinafter jointly referred as the EC proposals)³.

Mr. Jason Biros (U.S. mission to the European Union) started his intervention by pointing out the relevance of the CLOUD Act and the proposals presented by the EC, as prove we enter a transitional period in which legislation starts to catch up with the pace of technological developments. He underlined the difficulties faced by law enforcement authorities (LEAs) when responding to data access request under traditional mutual legal assistance treaties (MLATs) system. Most notably in the U.S., where the concentration of technological companies and thus of data stored, has led U.S. authorities and businesses to deal with a disproportionate number of requests coming from all over the globe. In that sense, Mr. Biros stated that the rationale behind the CLOUD Act is precisely to address the burdensome of MLAT system, not only as inefficient mechanism for cross border cooperation in criminal investigations but also as an appropriate safeguard for the rights of individuals.

Mr. Biros then briefly discussed some of the contributions of the CLOUD Act, namely the extraterritoriality of U.S. domestic production orders and the signature of executive agreements with foreign governments seeking access to U.S.-held content. In regard to the former, he argued it could be seen as an adequate answer to the challenges raised by the Microsoft Case⁴,  in the sense that it provides legal certainty to those service providers within the jurisdiction of the U.S. being requested to disclose data stored outside the territory.

With respect to the executive agreements, he pointed out they might be an opportunity to globally raise the standards of data protection, provided that their signature would require countries to -at least- match a level of safeguards equivalent to that of the U.S. Furthermore Mr. Biros examined the legal nature of the instrument chosen, and explained that executive agreements enable the U.S. Government to tackle issues which, based on its authority, it already has the capacity to address without further Congress approval.

Mr. Juraj Safjert (DG JUST, European Commission) then took the floor,clarifying he was participating strictly in his personal capacity. Referring to the EC proposals, he highlighted the importance given in the text to the potential criminal misuse of social media, webmail and messaging services and stressed the differences with the treatment given to the regulation of traditional telephones a decade ago. Overall, he warned on the tendency of perceiving new forms of communications merely as crime facilitators, disregarding the regular use made by the population. In line with that, Mr. Safjert referred to the ruling of the European Court of Human Rights in Gäfgen v Germany, where several violations were found in the methods employed by police officers during the questioning of a suspect

.   In his view the ruling highlights how law enforcement authorities should not easily have access to evidence without considering the overall fairness of the whole criminal procedure.

With regard to the CLOUD Act, Mr. Safjert stressed the Act can be seen as a piece of a bigger puzzle, a puzzle that is composed by: i) the Cybercrime Convention of the Council of Europe and its reforms (hereinafter CC)⁶ , ii) the -still under negotiations- UK-US agreement⁷  iii) the EC proposals and iv) the EU-US Umbrella Agreement⁸.  He pointed out the current existence of instruments already allowing States to access data stored outside their territorial jurisdictions, and remined in that sense that the CC already foresees direct cooperation between LEA’s and service providers through production orders (Article 18 of the CC) or via direct access (Article 32 of the CC). In this context, Mr. Safjert pointed out the heterogeneity of the rules among States, noting not all EU Member States are signatory parties of the CC⁹  and likewise, neither the U.S. or Canada are parties in the Convention 108 on data protection¹⁰. 

Mr. Safjert concluded referring to a hypothetical signature of an executive agreement between the U.S. and the EU. On that, he expressed the European Commission’s preference that the EU becomes the signatory party, rather than having Member States reaching bilateral agreements individually. Questioned on whether the wording of the CLOUD Act could formally prevent the EU from even sitting at the negotiation table, Mr. Safjert considered such scenario to be unlikely, given EU’s competences in the fields of data protection, the safeguarding the respect of the rule of law framework or the protection of fundamental rights in the EU.

Mrs. Maryant Fernández Pérez (European Digital Rights) began her contribution by questioning the way how the EC proposals frame the discussion. She pointed out the fact that the two proposals are framed in terms of accessing evidence, while in her view it would be more accurate to refer to them in the context of cross border access to data, considering that in most occasions such data does not end up being used at courts. 

Mrs. Fernández continued by expressing her concerns on how MLATs mechanisms are being replaced merely based on speed considerations, while often overlooking relevant factors such as the lack of resources of Member States. She expressed the opinion that MLAT can indeed be enhanced and become a faster and more efficient procedure, but that legal initiatives such as the EC Proposals or the CLOUD Act, clearly seem to have chosen a different path. In that line, Mrs. Fernández questioned whether the EC proposals, if adopted, could stand a court test and encouraged the authorities to consider the assessment made by WP29, in particular to their comments on the legal basis of the initiatives¹¹.  In that regard she questioned whether Article 82(1) of the TFEU on judicial cooperation would serve as basis in the case of the EC Proposals, provided that the type of cooperation presented relates more to private parties than to judicial authorities¹².  Finally, Mrs. Fernández warned about the possibility that direct cooperation with service providers as described in the EC proposals could collide with Court of Justice Grand Chamber’s requirements for a judicial authorization for requests of access to data stored by service providers (referring to CJEU Tele2 Sverige AB ruling)13.

In relation to the CLOUD Act, Mrs. Fernández criticised the fact that the Act was passed as an attachment to the Omnibus Bill, circumstance that affected the chance to deliberate on its content and prevented any possibility to present amendments. In terms of substance, she considered the Act facilitates the circumvention of MLAT channels, and emphasized how this circumstance aligns the role of service providers with that of judicial authorities. With regard to the executive agreements foreseen by the CLOUD Act, Mrs. Fernández raised her concerns on the absence of mechanisms to revoke agreements with nations in case of a deterioration of their democracies or of their observance of human rights.

The last intervention was carried out by Mr. Jens-Henrik Jeppesen (Centre for Democracy & Technology), who generally welcomed the EC proposals, yet underlining the existence of room for their improvement. He questioned whether MLATs should be regarded as the one and only mechanism to deal with cross border access to data by law enforcement. In his view, taking into consideration the needs of either individuals, LEA, companies or NGOs, it seems unlikely that the MLAT system, even if made more efficient, could represent a real solution to the challenges cross border access to data implies. Such a solution, he argued, would need to reconcile LEA’s legitimacy in collecting information during their investigation together with citizens’ claim for foreseeability and protection of their rights and global companies’ demands for legal certainty and predictability on the rules to be applied on them¹⁴.

With reference to the CLOUD Act, he generally subscribed the concerns raised by Mrs. Fernández. Addressing a hypothetical executive agreement between the U.S and the EU, he underlined the importance of that agreement embracing EU’s data protection provisions, stating that if its shortcomings are fixed, the CLOUD Act could be a win for European citizens. Finally, on the EC proposals, Mrs. Jeppesen expressed his general support to the motivation behind the initiative, reiterating his doubts, on whether a MLAT reform could    appropriately deal with the challenges society as whole is facing.

Following their individual interventions, the panellists had the opportunity to react to each other points. The event concluded opening the floor to the audience with a session of Q&A.

____________________________________________________________________________________________________________________________________

  ^{1Judicial Cooperation in Criminal Matters and Electronic IT Data in the EU: Ensuring Efficient Cross-Border Cooperation and Mutual Trust (JUD-IT) accessible}

  ²Clarifying Lawful Overseas Use of Data (CLOUD) Act (2018 ) accessible

  ³European Commission proposals on cross-border access to data (2018)  accessible

  ⁴United States v. Microsoft Corp. (Microsoft Ireland), (Apr. 17, 2018) accessible 

  ⁵Gäfgen v Germany no. 22978/05 , § 165, ECHR 2010  accessible 

  ⁶Convention on Cybercrime (2001)  accessible

 ⁷Financial Times,  UK-US pact will force big tech companies to hand over data, 23, October 2017 accessible   

  ⁸EU/USA Agreement: protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offenses accessible

  ⁹While signatory parties, Ireland and Sweden have not yet ratified the Cybercrime Convention;  source : Chart of signatures and ratifications of Treaty 185 accessible

  ¹⁰The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108) accessible 

  ¹¹Statement of the ART 29 WP on e-Evidence accessible

  ¹²The Treaty on the Functioning of the European Union accessible 

  ¹³CJEU Tele2 Sverige AB (C 203/15), §§120, 2016 accesible

  ¹⁴During his explanations Mr. Jeppesen referred to a CDT Report of 2015 in which possible ways to reform the MLAT system in the context of cross border requests of data were addressed accessible