14 Nov 2014

DIGITALEUROPE Position paper - Law Enforcement Access to Data in the European Cloud

DIGITALEUROPE Position paper - Law Enforcement Access to Data in the European Cloud

DIGITALEUROPE represents the digital technology industry in Europe. DIGITALEUROPE wants European businesses and citizens to benefit fully from digital technologies and for Europe to grow, attract and sustain the world’s best digital technology companies.

Such benefits, and economic growth in Europe, can derive from widespread adoption of cloud computing technology, as recognized in the European Commission’s EU Cloud Computing Strategy. However, Europeans may be hesitant to embrace cloud services because of lack of clarity about how their data stored in data centres in different countries might be accessed by law enforcement authorities. The multijurisdictional dimension of cloud computing presents a number of legal challenges.

This paper addresses one of the specific concerns – the extraterritorial reach of law enforcement authorities to access data in the context of routine criminal investigations. We believe that this concern can be effectively corrected by a multilateral dialogue that will enhance the public’s trust while also increasing the effectiveness of law enforcement.

A recent US court case has highlighted an approach taken by US law enforcement authorities towards access to personal data stored in European data centres. In this specific case, a US district court judge in New York has upheld a warrant requiring a global cloud provider to deliver a customer’s email content, stored in Ireland, to US prosecutors for a criminal investigation. The court held that location of the data was not a relevant factor in deciding whether it had authority to order seizure of the data, and did not require the criminal prosecutors to seek cooperation of Irish authorities, pursuant to the Ireland-US or EU-US Mutual Legal Assistance Treaties (MLATs), in order to obtain the data.

The case raises concerns about how to balance the needs of law enforcement in an Internet-connected world with the sovereignty of individual nations. To the extent the EU has insights and a point of view on these issues, we encourage the EU to consider filing an amicus brief with the appellate court, utilizing the procedure created under U.S. law to ensure that courts have the benefit of this type of information before making a decision. In addition, we urge the EU to call for a multilateral dialogue with the aim of:

1. Encouraging governments to respect sovereign boundaries, and, therefore, to use MLATs when seeking evidence stored in another country in furtherance of routine criminal investigations in non-exigent circumstances; and

2. Calling for further investment in the development of MLAT processes so that they function effectively, which will increase the effectiveness of law enforcement, and obviate the need for cross-border demands directly to providers. To the extent that MLAT procedures are not being used and there is any gap in their scope with regard to digital evidence, we believe that this needs to be addressed.

Maintaining the trust of our users by protecting their privacy and guarding against unreasonable government intrusions is fundamental to the companies. We understand that governments have a need for legitimate access to user data in confronting crime and in strengthening national security, but a better balance must be struck that allows governments to address criminal threats while at the same time preserving the right to privacy.

To achieve this balance, governments should follow a proportional, clear, transparent and periodically reviewed legal framework when they need to access personal data. They should clarify under what circumstances and how they access people’s personal data, ensuring that any action ends up being authorized by a court or a judge from the country where user data is located, and is limited to what is absolutely necessary to achieve a legitimate purpose.

Governments around the world have long had the authority to obtain data about citizens for law enforcement purposes. Companies are obliged to cooperate with law enforcement requests, yet also have an obligation to their customers to protect their data from unwanted or unauthorized intrusion. Governments should also cooperate with each other and avoid conflicts of law with other jurisdictions by recognizing that international companies are subject to the local laws wherever they operate.

MLATs between Ireland and the US, and between the EU and the US, establish procedures of cooperation for law enforcement authorities that the Court should have been considered. By using clear and agreed procedures, law enforcement authorities can obtain evidence they need; customers can be sure that laws in their own countries are respected; and companies can provide assurances to governments and to customers that they are not subject to action by law enforcement authorities in another country without respective checks and balances and authorization by a court or judge of the country that receives the request and where the data is stored.

Customers and companies expect that governments will use procedures agreed in MLATs where they apply, and such practices can help provide a greater degree of confidence in cross-border cloud services. If MLAT procedures do not function as efficiently as is necessary to protect public safety, respect for the national sovereignty requires that such procedures be improved, rather than set aside. The result will not only be more respect for national laws, but also improved coordination in cross-border criminal investigations or other government requests for data access in a third country.

DIGITALEUROPE would like to promote long-term efforts to clarify rules relating to law enforcement access to data stored in data centres. We observe with concern that increasingly around the globe governments are adopting law enforcement access laws with extraterritorial reach. As noted above, we think the preferred route is multilateral agreement on “rules of the road” for obtaining digital content across borders that respect privacy, ensure law enforcement swift access to the evidence it needs, and that respect national sovereignty. Legislation recently introduced in the United States Senate3 , highlights some helpful principles that could perhaps inform this debate.

DIGITALEUROPE would again encourage the European Commission to engage more vocally in this debate and to engage in a dialogue about the importance of MLAT procedures and national sovereignty.

Back to Digital transformation
View the complete Policy Paper
PDF
Our resources on Digital transformation
Press Release 05 Sep 2019
DIGITALEUROPE proposes key recommendations for a successful implementation of Strong Customer Authentication (SCA)
Policy Paper 05 Sep 2019
DIGITALEUROPE proposes 5 key recommendations for a successful implementation of Strong Customer Authentication (SCA)
Policy Paper 05 Sep 2019
Response to ENISA consultation on EU ICT industrial policy
Hit enter to search or ESC to close