Law Enforcement Access to Electronic Evidence: Will Europe Get It Right?
The European Commission will soon publish new rules aimed at improving law enforcement access to “digital evidence” held by online service providers during criminal investigations (often referred as the e-evidence proposals). These proposals intend to remove technical and administrative hurdles that law enforcement agencies sometimes face when requesting data from service providers. But only if the law provides meaningful safeguards and avoids placing service providers in legal conflicts with foreign laws can it truly improve the efficiency of criminal justice across the EU.
We all use apps and software to communicate and store our data on a daily basis. And so do suspects of crimes and criminals. Evidence of crimes has increasingly moved to the digital world and it only makes sense that law enforcement should be able to access such evidence when appropriate. That’s why responsible tech companies have a history of complying with requests for data from European law enforcement in the context of criminal investigations. If anything, transparency reports about government requests published and regularly updated by online service providers unequivocally show the extent of the cooperation between public and private organisations.
But the industry recognizes that several administrative and technical hurdles persist across the 28 Member States and that the current practices might not be enough to provide relevant data to the competent authorities in a timely fashion.
In practice today, companies sometimes deal with sweeping requests to access data with little to no justifications or legal bases. Some agencies still insist that companies supply data by fax without providing any guarantee of securing the storage of records. Additionally, companies receive multiple requests from various national authorities across all Member States for all sorts of criminal investigations, from misdemeanors to felonies. The sheer number of requests can be challenging for companies, especially small and medium-sized enterprises, to handle in a timely fashion. New EU-wide rules can help remedy these shortcomings by streamlining processes for law enforcement to request access to data and for companies to respond.
But removing technical and administrative hurdles is not enough for the new legislation to truly help law enforcement access online evidence. Three key elements will determine whether the upcoming law will be a success or not: targeted access, the implementation of due process safeguards, and creating “synergies” and avoiding conflicts across legal regimes.
First, the scope of the law should be specific enough to avoid its annulment by the European Court of Justice in the years to come. The new rules should therefore adopt the legal standards set by the Court of Justice in the Digital Rights Ireland case and the Tele2 Sverige case (respectively C‑293/12 and C‑203/15). In non-legalese, this means that serious interference into people’s privacy may be justified if the measures are targeted to serious crimes. This is common sense after all: in the physical world, the arsenal of investigative powers that law enforcement can deploy varies greatly depending on the severity of the crime. There is no reason why it should be any different in the digital space.
However, the case-law goes further than that by placing a great deal of emphasis on due process safeguards. At a minimum, the new EU rules should ensure that the information requested by law enforcement is limited to what is strictly necessary for and proportionate to the investigation in question. That means only individuals implicated in a serious crime should have their data accessed by law enforcement. Access to other persons’ data should only be allowed if there is objective evidence suggesting that the data might make an effective contribution to combat serious crimes, particularly in cases where vital national security, defence or public security interest are threatened by terrorist activities. All requests should have a clear legal basis and be duly justified and reviewed against strong legal standards by a judicial or other independent authority (e.g. probable cause for content data). Service providers should also be able to notify any individuals whose data has been accessed by law enforcement as soon as the notification is no longer liable to jeopardise ongoing investigations.
Implementing due process safeguards in the legislation is not just a matter of compliance with EU case-law, it’s also an opportunity to facilitate reciprocity with the U.S. This would open the door to agreements enabling national law enforcement to access certain data stored outside their jurisdiction without resorting the cumbersome mutual legal assistance process and U.S. government review. In this context, introducing additional safeguards recently enacted in the U.S. CLOUD Act are not just nice-to-haves but an opportunity to truly improve European law enforcement access to data. These requirements include, among others, the implementation of data minimisation and secure storage procedures, and the ability for service providers to challenge a request on several grounds, including a likely conflict of laws, insufficient particularity, or an impermissible use or purpose. These requirements resemble principles enshrined in U.S. law but afford flexibility to countries interested in obtaining national agreements with the U.S. pursuant to the CLOUD Act.
At the very least, the upcoming European rules should not conflict with foreign legal obligations to which online service providers are subject. To ask companies which laws to break, be they European or foreign, is not just unfair but also highly unsustainable. Since laws constantly evolve, a meaningful and workable comity clause is key to ensure that national courts take due consideration into conflicting foreign laws before deciding whether to quash or uphold a request.
Europe has a chance to bring its law enforcement investigative powers into the 21st century, improve criminal justice, and champion due process and the rule of law in the process. Will it seize that opportunity?