The EU’s e-evidence & the U.S. CLOUD Act: race only to start

by Anastasiya Kazakova,
CEO Projects Coordinator

Recently both the U.S. and the European Commission have announced their plans to make cross-border state investigations more efficient by granting new powers to government authorities. On 23^rd March, the U.S. President signed the controversial CLOUD Act, and on 17^th April the European Commission prepared its proposal to facilitate access to electronic evidence by police and judicial authorities. Both legislations reflect the increasing concern of the governments and, at the same time, their readiness to go further in a bid for higher national security, even if such measures could affect privacy of their citizens. Here, we are going to look at both documents in order to outline, along with their pros, main risks that they pose to individuals’ fundamental rights and global privacy.

Closer to the point

The U.S. CLOUD Act

The Clarifying Lawful Use of Overseas Data (CLOUD) Act has finalized unofficially a long battle between Microsoft and the U.S. government over the issue whether a government (here, the U.S.) has a right to access data stored under the other state’s jurisdiction. After signing the law, everything becomes simpler for state authorities (yes, for now they have such a right), but not for companies and consumers. Briefly about the core of the law:

It allows the U.S. government and its law enforcement agencies (LEAs) to request by warrant to provide communications data regardless of its location – whether inside or outside of the United States. Fortunately, the service provider has the right to modify or quash the motion where he/she believes that the customer is not a U.S. person (and is not a resident of the U.S.) and that disclosing such data would force the provider to violate foreign law.
It adds an exception to the Stored Communications Act (SCA) and permits the U.S. President to enter into “executive agreements” with qualifying foreign countries to directly access data held by U.S. tech companies. To be qualified, foreign governments would need to get a certificate from the U.S. Attorney General and provide adequate human rights protection. Once they get such a certificate, they would have access to the content of the U.S. providers directly, instead of following the lengthy request-process under the Mutual Legal Assistance Treaty (MLAT) regime.

The European Commission e-evidence proposal

The e-evidence act is not yet the law, it needs to be reviewed by the European Parliament and the Council, thus being subject to numerous amendments. Nevertheless, its first draft changes the current situation significantly, and a wide range of tech companies would be affected, including Google, Facebook, Microsoft, instant messaging services (WhatsApp, Fb Messenger, Telegram), mobile apps, Internet Service Providers, e-mail providers (Gmail), cloud providers, domain name registries, registrars, proxy service providers and digital marketplaces (Amazon, Wish, Joom).

There are two types of orders:

The European Production Order

It will allow judicial authorities in one Member State to request access to e-evidence (emails, text or messages in apps) directly from a service provider’s legal representative in another EU Member State, which will be obliged to respond within 10 days, and within 6 hours in cases of emergency (such as an imminent threat to life or physical integrity of a persona or to a critical infrastructure).

European Preservation Order

It will allow judicial authorities in one Member State to oblige a service provider or its legal representative in another EU country to prevent e-evidence being deleted before their production request is competed.

Both orders would be legally binding for tech companies regardless of where they are located or user data is stored. Issuing of such orders will only be possible in the context of criminal proceedings. “Service provider’s legal representative” means that service providers not established in the EU would have to appoint their EU legal representatives and that implies additional costs.

What types of data are covered by the proposal? Well, a major problem arises here as the draft law covers almost all types of data, except for real-time communications in contrast to the CLOUD Act:

Subscriber data – everything that identifies a customer, e.g. name, date of birth, postal address, telephone number, email address etc. (Simply saying, personal data).
Metadata – data which cannot identify a customer but is extremely necessary for identification. (It sounds difficult, but is much simpler in practice: it’s date/time of use or the log-in/log-off from the service, IP address etc).
Transactional data – all data that relates to the service and its distribution, e.g. destinations of a message, location of the device, date, time, duration, route etc.
Content data – any stored digital data, e.g. texts, images, audios, videos etc.

PROS vs CONS

Both legislations raise valid concerns about privacy protection.

On one hand, there is an important improvement: governments (the U.S. and the EU) would be able to address risks to their national security faster and more efficiently (hopefully). However, the question remains open whether such measures are truly worthy to sacrifice consumers’ privacy? Let’s face main challenges that laws create:

The CLOUD Act would allow foreign governments to get access to the U.S. tech companies’ real-time communications. Before, they needed to obtain a warrant from the Department of Justice and the Department of State through the MLAT process. The Wiretap Act also only permitted the U.S. government to obtain a wiretap order in investigations in case of an enumerated list of serious crimes with providing evidence that one of those crimes occurred, is occurring, or will occur. Obviously, foreign governments would not be under the same legal restrictions.

The European Commission’s e-evidence proposal would create additional financial and administrative burden for tech companies.
First, compliance with ‘10-days or 6-hours-data delivery’ requires significant additional resources to maintain, making it hard to compete with non-European companies who don’t have such obligations.
Second, companies of different scale and size, would need to develop additional resources/expertise for processing data access requests from LEAs of other jurisdictions. For instance, a local e-mail service provider in Spain would need to have capacities to process legal requests from Estonian judicial authorities.
Third, the e-evidence proposal would contradict with third-party data protection regime (e.g. a Canadian privacy law – Personal Information Protection and Electronic Documents Act PIPEDA or Russian Federal Law No. 149-FZ “On Information, Information Technologies, and Protection of Information”) and thus create an ambiguous and unclear legal situation for companies which would be at risk of non-compliance fines.
Fourth, as the e-evidence proposal obliges the companies to provide the access to subscribers’ data (meaning personal data) and this fact would obviously lead a request to decrypt the data. The reaction of info security community to weakening of encryption is under the question as well as the final wording of the future legislation.
Both laws may interfere with the principle of territoriality which provides a fundament for establishing privacy standards.

Concluding, we have to say that even though the motivation behind the law is positive, it creates significant concerns of privacy protection and concerns of possible geopolitical tensions caused by its extraterritorial nature. It may lead to even stronger fragmentation and increase of regional divides, which doesn’t improve global cybersecurity and stability. One thing is getting evident already now: national governments, along with growing protectionists policies, tend to create extraterritorial laws, but whether the world would become safer – it remains unclear.