Commission proposes new measures for access to electronic evidence
Possible implications for the security of information society services data held by online platforms
04 September 2018
In April 2018 the European Commission issued a ‘Proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters’ (‘the Regulation’) which, if implemented in its current state, would inter alia provide authorities with the power to request judicial authorities in other Member States to directly request a service provider or its legal representative to disclose data about a user within six hours in ‘emergencies.’
In this article, first published in Cyber Security Practitioner (Volume: 4 Issue: 7 (July 2018)) Zoe Osborne, Chris Stott and Herbert Swaniker provide their analysis of the proposed Regulation and what its implications could be for the security of information society services data held by online platforms.
In the digital age, all significant criminal investigations depend on law enforcement authorities obtaining electronic data held across multiple jurisdictions. Social media and messaging platforms and web-based applications are crucial repositories of evidence. However, the development of investigating authorities’ powers to obtain this evidence has not kept pace with technological advancements. For example, the most recent UK legislation implementing mutual legal assistance frameworks (until relatively recently the only channel available to investigators seeking to obtain digital evidence) dates from 2003. At that time, MySpace and Blu-ray were relatively recent innovations in the way in which data was shared and stored. The legislation was designed to provide access to paper records. It has not been substantively updated to reflect the growing gap between the ease with which criminals may use online channels to securely store and move information and communicate with one another, and the difficulties faced by authorities subsequently wishing to obtain that information.
Recognising the shortcomings of the current tools available to investigators gathering electronic evidence across borders, the Commission has announced a package of measures which will, if passed in their current form, make it significantly easier for them to obtain (and/or lock down for future use) swathes of potentially relevant data within much shorter timescales.
Under the proposals, investigating authorities would receive new powers enabling them to obtain orders requiring service providers to produce electronic evidence within short timescales. Alternatively or additionally, they would be able to require providers to preserve specific data which may be relevant to investigations for up to 60 days.
What is proposed?
At present, it can take up to ten months for investigating authorities to obtain material using mutual legal assistance frameworks. Processes are complex and there are significant variations in evidential and procedural requirements between jurisdictions. Since the introduction of European Investigation Orders (which were implemented in the UK in 2017), documents are required to be produced within 120 days. Whilst an improvement, this still allows ample opportunity for data to be altered or deleted.
Latterly, material has been provided by some service providers within shorter timescales under non-binding agreements in place with enforcement authorities. However, this patchwork of bilateral arrangements is widely recognised as unsatisfactory and no substitute for new legislation. Agreements neither set out standardised procedures for the provision of material nor provide cooperating service providers with meaningful indications about how (and against whom) the information may be used by the receiving authority, including to which other authorities it may be passed. Also, and very importantly from the perspective
of assessing and mitigating potential legal liability and avoiding costly litigation associated with such disclosures, they do not give providers certainty that they are not breaching confidentiality obligations owed to customers and others.
The Regulation is heavily based upon existing mutual legal assistance and European Investigation Order frameworks, but sets out significantly accelerated timescales for the provision of data and lays down new, much more granular, prescribed procedures to be followed by investigating authorities seeking particular types of data. In ‘emergencies’ (the definition of which is not yet clear), authorities seeking electronic material held by service
providers would be able to ask judicial authorities in another Member State to directly request a service provider or its legal representative to disclose data about a user within six hours. In other cases, service providers would have ten days to provide the data requested.
The Regulation is accompanied by a directive that, acknowledging the fact that many providers operate without a physical presence in many jurisdictions, would require Member States to pass legislation obliging all service providers operating in the EU to designate a ‘legal representative’ to which all orders made under the Regulation could be addressed. That ‘legal representative,’ which may be a corporate organisation or an individual, would be responsible for ensuring compliance with production and preservation orders.
Which providers and data will be covered by the Regulation?
Both the Production and Preservation Orders can be served on providers of electronic communications services, providers of information society services which have the storage of data as a defining component of the services they provide to users (including social networks to the extent that they do not qualify as electronic communications services), online marketplaces facilitating transactions between their users (such as consumers or businesses) and other hosting service providers, and providers of internet domain name and, numbering services. Services which do not have the storage of data as a defining component of their business are not covered by the Regulation.
The type of data that is covered by the Regulation is quite wide, but is generally subscriber data (e.g. names, identification numbers, etc.), access data (e.g. IP connection records and logs for identification purposes), transactional data for mobile, internet and hosting (e.g. incoming and outgoing traffic information, time and duration of connections, etc.), and content data (e.g. a mailbox or voicemail dump).
The Regulation applies to all service providers that offer services in the EU, including service providers that are not established in EU. Data location is not the relevant test. The rationale is that those organisations actively offering services in the Union should also be subject to the requirements and restrictions of the Regulation.
This extraterritoriality aligns with an increasing global trend of legislators imposing their own regimes on businesses that, in many circumstances, would be outside of their jurisdiction. In this respect, the Regulation has been cited by industry commentators as similar to the recently enacted US Clarifying Lawful Overseas Use of Data Act (‘CLOUD Act’). The CLOUD Act allows US judges to extend a long-arm reach to seek to obtain data from certain service providers that have US operations, even where the data held at issue is held outside of the US - subject to conflicts of laws rules.
Timescales for new measures
Julian King, the EU Commissioner in charge of the EU Security Union, has indicated that he hopes to conclude negotiations before the European Parliament elections in May 2019. The Regulation is one of the Priority Dossiers under the Austrian EU Council Presidency, which runs until December 2018. There is considerable political consensus in relation to measures aimed at removing obstacles to pan- European criminal investigations, particularly following the multiple terrorist attacks across Europe in recent years (including in Brussels in March 2016).
However, the Regulation is still subject to negotiations amongst the EU institutions. This is a potentially lengthy process and there are some areas where it is likely that there will be significant debate about the safeguards proposed to ensure that accelerating investigative measures does not erode individuals’ privacy and other rights.
EU Ministers for Justice are still negotiating the possibility for authorities to intercept communication data from emails and messages in real time. Some countries like Belgium, France and Italy are in favour of such a possibility, while others like Ireland and the Netherlands are reluctant to introduce new powers like these for police and judicial authorities. Vera Jourova, the EU Justice Commissioner, said this possibility has not been included in the Commission’s analysis and may slow down the negotiations and the adoption of the proposed Regulation if it were.
Once the Regulation is adopted and published in the Official Journal of the European Union, the Regulation will apply six months after its entry into force (per Article 25 of the current proposal). At the time of writing, as negotiations continue in relation to the terms on which the UK will leave the EU, there remains considerable uncertainty as to whether or how the proposals would be implemented in the UK.
The exact scope of obligations to be imposed on service providers under production and preservation orders will be shaped as the Regulation progresses through the EU’s legislative processes. The new orders may alleviate some of the issues associated with existing imperfect and inconsistent voluntary arrangements for the disclosure of electronic data to investigating authorities. However, if, as is likely, investigating authorities use their new powers to obtain enthusiastically when they receive them, identifying, isolating and providing relevant data will place substantial additional burdens on service providers.
Some delicate judgements on competing privacy, data protection and other regulatory obligations will be required. Some of the likely issues are set out below.
Are there any limitations on what may be required to be produced or preserved?
There may be instances where the transactional or content data obtained under production orders is protected by immunities or privileges granted by the service provider’s Member State, or impacts fundamental interests of the Member State’s national security and defence. In those cases, it will be for courts in the issuing State to assess relevance and admissibility as if the grounds provided for remedy were part of their own national law.
The Regulation also includes safeguards for respecting EU fundamental rights, such as the right to privacy and data protection. Cross border investigations will involve information concerning identifiable individuals (‘personal data’).
The Regulation introduces a collection of potentially intrusive measures that, if not carefully tempered, threaten to conflict obligations under new international data privacy and data protection rules. In this regard, the proposed Regulation clarifies that personal data covered by the Regulation will continue to be regulated by (and must be processed in accordance with) the General Data Protection Regulation (Regulation (EU) 2016/679) and the Data
Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) which came into effect in May 2018.
It remains to be clarified who will be responsible for establishing that a request under the Regulation complies with data privacy and data protection rules. Service providers are already seeking to position responsibility for compliance with data rules with the party that makes the production or preservation request. The overarching message is, however, that organisations will need to continue to be alive to the issues that e-evidence will raise - particularly where personal data is concerned.
Will service providers be able to challenge excessive or unreasonable requests?
Under the Regulation as currently drafted, recipients of orders will be able to pursue challenges based on certain restricted grounds, namely:
- the order not being properly issued by a qualifying issuing authority;
- the order not relating to the correct type of offence (for production orders only);
- impossibility of providing the data or force majeure;
- upon receiving the order, it does not concern data stored by or on behalf of the service provider;
- the service is not one covered by the Regulation; or
- the order appears to violate or abuse the Charter of Fundamental Rights of the EU.
At present, the likely breadth of these exemptions, and thus the likely frequency and prospects of success of challenges to orders remains unclear. Similarly, there is not yet any substantive guidance on practical points such as service providers’preservation and other obligations whilst challenges by recipients (or others) are being considered by the courts.
Individuals or bodies who are not suspects or defendants in criminal proceedings would be able to challenge the legality of orders, including on the basis of whether it is necessary and proportionate to require access to their information. Service providers may need to inform these persons that their data has been produced and inform them of their legal remedies. As the proposal is still at a relatively early stage, the extent to which service providers’ exposure to litigation arising from the sharing of data with investigating bodies, and the extent to which they may point to the resource implications of compliance with orders both remain to be seen (although these have been live issues at the consultation stage).
How and when would authorities be able to use evidence obtained?
It would only be possible for authorities to use data collected under production orders in criminal investigations and proceedings. Orders requiring subscriber and access data to be produced would be available in respect of any criminal offence. However, orders to produce transactional or content data would only be available in respect of criminal offences punishable in the issuing Member State by a custodial sentence of a certain time frame, or for certain specific crimes linked to electronic tools and offences covered by the Terrorism Directive (2017/541/EU).