by Anastasiya Kazakova,
CEO Projects Coordinator
Recently both the U.S. and the European Commission have announced their plans to make cross-border state investigations more efficient by granting new powers to government authorities. On 23rd March, the U.S. President signed the controversial CLOUD Act, and on 17th April the European Commission prepared its proposal to facilitate access to electronic evidence by police and judicial authorities. Both legislations reflect the increasing concern of the governments and, at the same time, their readiness to go further in a bid for higher national security, even if such measures could affect privacy of their citizens. Here, we are going to look at both documents in order to outline, along with their pros, main risks that they pose to individuals’ fundamental rights and global privacy.
Closer to the point
The U.S. CLOUD Act
The Clarifying Lawful Use of Overseas Data (CLOUD) Act has finalized unofficially a long battle between Microsoft and the U.S. government over the issue whether a government (here, the U.S.) has a right to access data stored under the other state’s jurisdiction. After signing the law, everything becomes simpler for state authorities (yes, for now they have such a right), but not for companies and consumers. Briefly about the core of the law:
The European Commission e-evidence proposal
The e-evidence act is not yet the law, it needs to be reviewed by the European Parliament and the Council, thus being subject to numerous amendments. Nevertheless, its first draft changes the current situation significantly, and a wide range of tech companies would be affected, including Google, Facebook, Microsoft, instant messaging services (WhatsApp, Fb Messenger, Telegram), mobile apps, Internet Service Providers, e-mail providers (Gmail), cloud providers, domain name registries, registrars, proxy service providers and digital marketplaces (Amazon, Wish, Joom).
There are two types of orders:
It will allow judicial authorities in one Member State to request access to e-evidence (emails, text or messages in apps) directly from a service provider’s legal representative in another EU Member State, which will be obliged to respond within 10 days, and within 6 hours in cases of emergency (such as an imminent threat to life or physical integrity of a persona or to a critical infrastructure).
It will allow judicial authorities in one Member State to oblige a service provider or its legal representative in another EU country to prevent e-evidence being deleted before their production request is competed.
Both orders would be legally binding for tech companies regardless of where they are located or user data is stored. Issuing of such orders will only be possible in the context of criminal proceedings. “Service provider’s legal representative” means that service providers not established in the EU would have to appoint their EU legal representatives and that implies additional costs.
What types of data are covered by the proposal? Well, a major problem arises here as the draft law covers almost all types of data, except for real-time communications in contrast to the CLOUD Act:
PROS vs CONS
Both legislations raise valid concerns about privacy protection.
On one hand, there is an important improvement: governments (the U.S. and the EU) would be able to address risks to their national security faster and more efficiently (hopefully). However, the question remains open whether such measures are truly worthy to sacrifice consumers’ privacy? Let’s face main challenges that laws create:
Concluding, we have to say that even though the motivation behind the law is positive, it creates significant concerns of privacy protection and concerns of possible geopolitical tensions caused by its extraterritorial nature. It may lead to even stronger fragmentation and increase of regional divides, which doesn’t improve global cybersecurity and stability. One thing is getting evident already now: national governments, along with growing protectionists policies, tend to create extraterritorial laws, but whether the world would become safer – it remains unclear.