The European Union wants to make it easier for law enforcement authorities to get electronic evidence directly from tech companies like Facebook and Google even when stored in another European country.
In the wake of the deadly Islamist-inspired attacks in Europe over the past two years, tech companies have come under increased pressure to do more to help police investigations, and law enforcement officials have bemoaned the slow process required to access data stored in the cloud in other EU member states.
The European Commission will present three options to EU ministers which will form the basis of a future legislative proposal, including the possibility for police to copy data directly from the cloud, EU justice commissioner Vera Jourova said.
“I am sure that now in the shadow of the recent terrorist attacks and increasing threats in Europe there will be more understanding among the ministers, even among those who come from countries where there has not been a terrorist attack,” she said.
EU justice ministers meet in Brussels today and will discuss the Commission’s options. Based on their preferences, the EU executive will then come forward with a proposal by the end of the year or early 2018, Jourova said.
The least intrusive option involves allowing law enforcement authorities in one member state to ask an IT provider in another member state to turn over electronic evidence, without having to ask that member state first.
The second option would see the companies obliged to turn over data if requested by law enforcement authorities in other member countries.
As an example, police in Italy seeking electronic evidence stored in Ireland would currently have to ask the Irish authorities to retrieve the evidence for them, a process critics say is slow and cumbersome.
However, many in the tech community have voiced concern about allowing governments to force companies to turn over data stored in another country, fearing it could erode customers’ privacy and make them less likely to use cloud services if they thought the data could be seized.
Microsoft fought and won a high-profile battle in the United States against the Department of Justice’s request that it turn over emails stored on a server in Ireland.
The Commission weighed in for Microsoft in that case, saying data held by companies in the EU should not be directly accessed by foreign authorities outside formal channels of cooperation.
The most intrusive option being considered by the EU could be envisaged in situations where authorities do not know the location of the server hosting the data or there is a risk of the data being lost, Jourova said.
“This third option is kind of an emergency possibility which will require some additional safeguards protecting the privacy of people,” she said.
Such safeguards include requiring that law enforcement requests are necessary and proportionate.
“You simply cannot massively collect some digital data for some future use,” Jourova said.
The types of data that could fall within the scope of the law will also be discussed today, with options ranging from non-content data such as location or traffic data to personal communications data.
“My preference is to go for this as an extraordinary measure for extraordinary threats, for high gravity criminal offences such as terrorism and there I am in favour of enabling the use of personal data,” Jourova said, adding that no decision has yet been taken.