
E-Evidence Regulation: Data supermarket for European Law Enforcement?

The idea is old, but the concrete proposal is rather new: whereas goods flow freely in the EU internal market and digital services are offered across borders, the competence of law enforcement authorities ends at national borders. A police authority that wants to access data in the course of its investigations – for example in a fraud case – needs to contact the authorities of the state where the data are processed. How the foreign authority deals with such a request depends on the law of the country on whose territory the servers are located. The procedures are governed by the applicable international mutual legal assistance treaties (MLAT).

Such an assessment is time-consuming and does not always result in the requested data being released to the foreign authority. For this reason the law enforcement and security community has been lobbying for years for easier access. Ideally, authorities should have direct access to data stored abroad. On 18 April 2018, the European Commission presented a draft EU regulation on this issue. The regulation on European Production and Preservation Orders for electronic evidence in criminal matters (E-Evidence Regulation) is intended to give the law enforcement authorities of the 28 member states direct cross-border access.

Restriction of fundamental rights by fast-track legislation?

Since then, the European Parliament and the Council of Ministers have been working on the draft. Last week, the European Parliament published a critical study on the Commission’s draft. The Austrian government recently announced the ambitious goal of concluding negotiations in the Council of Ministers by 31 December 2018, when Austria will hand over the Presidency of the Council to Romania.

This legislative fast-track procedure is explosive in several respects: in contrast to a directive, an EU regulation would be directly applicable law in the member states and would not require transposition into national law. The regulation would mean a considerable restriction of fundamental rights, as production orders would have to be complied with directly by providers of electronic services, without a public authority or a court in the host country having examined whether the order would also be permissible under national law.

On the other hand, the legal systems of the member states are not harmonised. They differ with regard to punishability, the levels of punishment and constitutional safeguards. Activities which are punishable in the issuing state but not in the state in which the processing takes place can thus be subject to an obligation to produce personal data. The European Commission is even conducting two proceedings against Poland and Hungary concerning violations of the rule of law. The initiation of such proceedings against Romania is currently under discussion because the Romanian government also wants to restrict the independence of the courts in that country.

If the E-Evidence Regulation were adopted in its proposed version, providers of electronic services (such as cloud providers, network operators, social media, hosting and telecommunications companies) would have to follow production orders of foreign authorities directly, without the chance of carrying out a substantive examination.

Comprehensive scope of application

Production Orders may be issued for any type of offence. The requirement to provide content and transaction data only for offences punishable by a maximum term of imprisonment of at least three years in the issuing State is not likely to dispel concerns. Contrary to what the Commission’s explanations on the E-Evidence Package suggest, the three years are not a minimum penalty, but a minimum maximum penalty. A glance at the German Criminal Code shows that this criterion applies to a large number of offences and not only to serious crimes.

In Poland, for example, abortion is punishable by imprisonment for up to three years, so the condition for a production order would be fulfilled. A Dutch or German provider would have to hand over e-mails and traffic data to the Polish criminal prosecution authority if the latter were to investigate an abortion case, although in these countries abortion is exempt from punishment. The provider of an electronic accounting service used by the doctor could possibly also be the addressee of a corresponding production order.

This problem also becomes clear in the case of the Catalan exile politician Puigdemont, against whom a Spanish arrest warrant for „riot“ had been issued. According to the decision of the Higher Regional Court of Schleswig, the offence did not constitute a comparable criminal offence under German law. The European arrest warrant issued by Spain could therefore not be executed against him in Germany. Under the draft E-Evidence Regulation, German providers would nevertheless be obliged to hand over corresponding electronic documents if a Spanish court issued a production order, because, unlike with the European arrest warrant, no review by a court of the target state would be required.

Impositions on providers

The situation for providers is completely unreasonable, too: they would be subject to obligations they cannot check in a procedure that is in accordance with the rule of law. Not only courts and public prosecutors' offices, but any competent authority designated by the issuing state can issue a production order. In the 28 EU Member States, a very large number of authorities, possibly more than a thousand, will be given the power under national law to require companies to disclose data across borders, often without confirmation by a court. It is not even possible for companies to seriously examine whether an authority has the appropriate competence, or even whether it is an authority at all. It is true that the respective authorities are to prove that the order has been validated in writing by a court or another judicial authority. However, the draft regulation provides that it should be sufficient for the issuing authority to send a corresponding document by fax.

In view of the very short deadlines (in certain cases companies are obliged to deliver the data within six hours!), it is hardly possible for the recipient to check whether the fax and the stamp of a judicial authority on it are genuine, and it is not even certain whether the letter originates from an authority at all. Accordingly, there is a great risk of being taken in by a fake production order and transferring personal data to third parties without justification.

If a provider refuses to comply with a production order, it faces considerable financial and criminal consequences. In addition, the considerable violation of the fundamental rights of the data subject brought about in this way represents a considerable liability risk for the provider for having unlawfully disclosed data.

No examination of legality in the target country

Whereas the European Investigation Order, another EU instrument introduced a few years ago, is subject to enforcement by the authorities in whose territory the processing takes place, the electronic production order is to be issued directly to the foreign provider. The E-Evidence Regulation does not provide for any substantial review by a domestic court or a domestic judicial authority. Procedural safeguards – such as the approval of a judge – might be circumvented if the law of the issuing state does not provide for them. Finally, requirements which the German Federal Constitutional Court has established, e.g. for the protection of the core area of private life, would not be guaranteed.

According to the draft E-Evidence Regulation, the main responsibility for the transfer will rest with the company to which the order is addressed – a problematic delegation to private entities. Companies have only very limited means of reviewing the legality and proportionality of a production order or of refusing to transmit the requested data. According to the draft, they may only refuse to comply with an order if they consider that the information contained in the order indicates that it „manifestly“ infringes the Charter of Fundamental Rights of the European Union or is manifestly abusive.

Real-time monitoring?

It is the subject of ongoing debate whether and to what extent real-time monitoring („live interception“) shall be included in the E-Evidence Regulation in addition to the preservation and production of data already stored. But even if – as is to be expected – the corresponding demands of some governments were not supported by a majority in the European Parliament, the planned regulation would be a profound encroachment on European and national fundamental rights. It would be irresponsible to wave through such a regulation quickly without a thorough debate.

The New EU General Data Protection Regulation – A First Assessment

The result of the trilogue of the EU institutions (European Parliament, Commission and Council) on the data protection reform package is an important milestone on the way into the global information society. The General Data Protection Regulation (GDPR) will replace the 28 different data protection laws of the Member States.

The reach of the new legal framework extends beyond the European Union. Even companies headquartered outside the EU will have to comply with the GDPR insofar as they do business in EU Member States and process data generated here (article 3 para. 2). Compliance with the rules is monitored by independent data protection authorities, which will all have the same effective sanctioning powers in future. In cases of serious infringements they may impose fines of up to 4% of the global annual turnover on the respective companies (art. 79). It has to be highlighted that a number of last-minute attempts to mitigate or weaken the new privacy requirements in central points, such as the scope of the regulation or the purpose limitation rules, have failed.

Nevertheless, there are also areas where the result is less positive than hoped for. Thus, the EP has not been completely successful with regard to the requirements on individual consent to the processing of personal data („the data subject’s consent“ means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed – article 4 para 8). Explicit consent is only required if the consent refers to „special categories of personal data“ (article 9) – such as health data or genetic information. The rules on profiling also lag behind the demands of privacy advocates. The relevant provisions are limited to decisions based solely on automated processing which produce legal effects concerning the data subject or similarly significantly affect him or her (article 20).

During the negotiations, critics – in particular from Germany – complained that the GDPR would weaken or undermine the data protection requirements defined by national law. Today we can say that this fear has not materialised, at least in general. Only in specific areas do the new legal requirements lag behind the present national laws, for example with regard to the more stringent data protection provisions for Internet services in the German Telemedia Act. On the other hand, in precisely these areas the German level of data protection is high only in theory, not de facto. This became evident in the case of Facebook: German data protection authorities have failed in their lawsuits to oblige the company, whose European headquarters are located in Dublin, to comply with the German data protection rules. In future, however, every company that does business in Europe must comply with the new single European data protection law. This is real progress, even if the GDPR lags behind national law in certain areas. In addition, there are other areas – such as the Federal Citizens Registration Act – where the data protection requirements of the new EU regulation are stricter than the present German legislation. The unconditional dissemination of public register data on request to everybody is no longer compatible with European law and must be terminated.

There is also light and shadow in the rules on the internal data protection officer (DPO). On the one hand, article 35 obliges public authorities and government agencies – except for courts acting in their judicial capacity – to designate a DPO. Private companies also have to designate a DPO if their „core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale“ or if their core activities consist „of processing on a large scale of special categories of data pursuant to Article 9 and data relating to criminal convictions and offences“. However, the significantly more stringent requirements of the German Federal Data Protection Act on DPOs have not been completely incorporated into the GDPR. At least the adopted text allows national legislators to stick to the mandatory designation of a DPO (article 35 (4): „in cases other than those referred to in paragraph 1, the controller or processor … may or, where required by Union or Member State law shall, designate a data protection officer …“).

Even if, as expected, the provisions now adopted – the GDPR and the Directive on data protection for police and justice – will soon pass the formal EU legislative procedure, a lot of work has to be done at European and at national level prior to their entry into force in 2018: at EU level, the compatibility of other legal provisions with the GDPR has to be reviewed. This particularly applies to the directive on data protection in electronic communications („ePrivacy Directive“). Governments and parliaments of the Member States are requested to review their national law. This applies in particular to Germany with its numerous sector-specific data protection provisions. Many laws need to be revised, some need to be eliminated. A special task for the national legislators is the processing of personal data in the employment context. Article 82 GDPR provides the national legislators with the competence to regulate the handling of employee data in detail („Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees‘ personal data in the employment context, …“).

National regulators also have to deal with the question of how far the legal provisions on data processing for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties need to be adapted to the requirements of the new Data Protection Directive for police and justice.

Finally, businesses and public authorities have to adapt their practices to the new rules. New processes and procedures have to be designed, existing procedures need to be changed …

The European Academy for Freedom of Information and Data Protection (EAID), Berlin, will focus in the coming years on the impact of new EU data protection rules. For 2016 we are planning workshops for decision-makers in business, politics and administration on implementation of the new EU rules and on needs for revision of national legislation.

Leaky Umbrella

Update on the Legal opinion of the Legal Service of the EP (18 February 2016)

The Legal Service of the European Parliament issued on 14 February 2016 a legal opinion on the draft EU-US Umbrella Agreement concerning the protection of personal data and cooperation between law enforcement authorities in the EU and the US. In this paper, published recently on the website of Statewatch, the Legal Service expressed serious doubts whether the agreement, which refers to the US Judicial Redress Act (JRA), would be in line with the Charter of Fundamental Rights of the European Union. The experts underline that Art. 8 of the Charter is addressed to everyone, while the Agreement and the JRA will limit the right to legal remedies in the USA to citizens of the EU („This then opens a significant ‚gap‘ in the protection of the personal data of individuals covered by EU law“). The Legal Service comes to the conclusion that „The EU-US Umbrella agreement is not compatible with primary EU law and the respect for fundamental rights“.

P.Sch.

Original Blog Post (18 September 2015)

On 8 September 2015, the European Commission announced the successful completion of the negotiations with the US on a framework agreement („Umbrella Agreement“) that shall apply to the co-operation between law enforcement authorities. „Once in force, this agreement will guarantee a high level of protection of all personal data when transferred between law enforcement authorities across the Atlantic. It will in particular guarantee that all EU citizens have the right to enforce their data protection rights in US courts“, said the competent EU Commissioner Věra Jourová. A prerequisite for signing the agreement will, however, be that the US Congress has approved the necessary legislative changes („Judicial Redress Bill“).

Although the Commission initially did not want to publish the agreement, the text has nevertheless found its way onto the Internet, making an assessment possible.

First the good news: the agreement contains, in fact, substantial concessions from the US side. It has to be highlighted that the US shall even provide EU citizens with a right to seek judicial redress if they are of the opinion that their privacy rights have been violated in the context of processing information the respective US authorities have received from the EU. For years, the US government insisted on granting EU citizens only administrative redress. For Europe, such limited redress – ultimately depending on the goodwill of the US administration – would not have provided an adequate level of data protection.

Another positive aspect is that both sides have agreed to commit to the principles of proportionality, necessity and purpose limitation and that they have to determine the use and duration of storage of personal information in accordance with these principles. The concrete purposes of data processing and the retention periods have to be determined by the specific legal acts.

However, although the agreement improves the legal status of EU citizens whose data are transferred to the US, it would be a misperception to think that the agreement provides EU citizens with the same privacy rights as US persons. Had this been intended, the rights provided by the US Privacy Act of 1974 and other laws, currently limited to US citizens and residents, could simply have been extended to EU citizens. Instead, the agreement text contains complicated rules which do not ensure equality in the result. EU citizens first have to seek administrative redress. They may call on a US court only after administrative redress has definitively been exhausted. In addition, administrative and judicial redress are limited to those privacy rights explicitly specified in the Agreement, such as the right to access and correction of personal information. The agreement will not grant EU citizens – unlike US citizens – further rights to challenge the lawfulness of the entire process of data processing before a US court.

Furthermore, it should be noted that the agreement shall apply only to judicial and police authorities, but not to authorities tasked with guaranteeing „national security“. US intelligence agencies like the NSA and the CIA share personal data with law enforcement agencies, even if they have received this information from their European partners. The provisions of the Umbrella Agreement would not apply in these cases. Last but not least, the agreement does not cover data that US and European authorities collect on the basis of national laws, such as the Foreign Intelligence Surveillance Act (FISA) or similar European legislation.

Another limitation of the umbrella: while under European data protection law all personal data are protected regardless of the nationality of the persons concerned, the agreement is to apply only to data on EU citizens which have been transferred to the US by European authorities or companies on the basis of bilateral or multilateral agreements. Data relating to citizens of third countries thus remain unprotected.

Finally, the agreement (Art. 21) falls short with regard to data protection oversight. It lacks an explicit commitment by both parties to ensure independent data protection supervision. While the European Union commits that its independent data protection authorities shall be competent to check compliance with the provisions, the agreement refers, with respect to the United States, to a variety of oversight institutions, some of them not independent, which are to exercise the supervision of data protection „cumulatively“.

Given these shortcomings, to me the exultation over the agreement seems premature. The European legal bodies which need to approve the ratification of the agreement, in particular the European Parliament and the parliaments of the Member States, are called upon to thoroughly examine the agreement, in particular its compatibility with the provisions of the EU Charter of Fundamental Rights. Depending on the results of such an assessment it might be necessary to renegotiate and caulk the umbrella.

Best regards

Peter Schaar