11 January, 2019
Legal memo with respect to Law Enforcement Access to Data across Borders - Legal Challenges for Digital Service Providers and Citizen Rights
This legal memo investigates the challenges for private sector service providers of complying with recent initiatives that facilitate cross-border law enforcement access to data, with a particular emphasis on potential impacts on the European electronic communications and ICT industries.
Specifically, it examines two recent legislative initiatives in greater detail:
1) The proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters (hereafter the “eEvidence Regulation”). Notably, this memo examines to what extent Europe-based service providers have a right or an obligation to assess the lawfulness of Production and Preservation Orders that target them, and what degree of legal certainty the proposal affords them and European data subjects.
2) The recent United States CLOUD Act, including the question of to what extent companies in Europe would be able to lawfully comply with US law enforcement requests allowed under this Act, notably in light of conflicting obligations under the General Data Protection Regulation (GDPR) and other European Union data protection laws.
As this memo will argue, these two recent initiatives are likely to create legal uncertainties for EU-based service providers in relation to their ability or obligation to comply with law enforcement requests originating from countries other than those in which they are established.
For the former initiative – the eEvidence Regulation – the cause of uncertainty is the fact that service providers’ responsibilities and liabilities in the validation of Production and Preservation Orders are not unambiguously defined in the current proposal. Notably, the proposal does not systematically ensure independent judicial review of such Orders by a public authority known to the service provider. As a result, the proposal effectively appears to assign at least some responsibility for ensuring the lawfulness of Orders to the service providers themselves, even though they may have neither the resources, the information, nor the legal authority to play this role.
This issue could be resolved by modifying the proposal to ensure that such independent judicial review by a public authority known to the service provider (i.e. either within the service provider’s jurisdiction or organised at the EU level) takes place systematically, so that the service provider could reasonably assess the formal lawfulness of the request without examining any issues of substance. Alternatively, the proposal could introduce stronger liability exemptions clarifying that the service provider cannot be held responsible or liable for complying with an Order that appeared formally compliant with the terms of the Regulation, explicitly excluding any issues of substance (notably relating to the facts at hand, the legal qualification of these facts, and the competences of the issuing authority), since these are topics that cannot reasonably be assessed by a private sector company.
In relation to the CLOUD Act, it seems plausible that EU companies could be targeted by US law enforcement requests provided that a US court would agree that the company has minimum contacts in the US and that the resulting burden on the company satisfies the US legal appreciation of fair play and substantial justice. This places such service providers in a legally vulnerable position, since complying with a US request that implies the transfer or disclosure of personal data would require an assessment of whether that request is permissible under the GDPR. US law allows objections against a request to be raised, but will only consider objections based on non-US law (including the GDPR) where an executive agreement exists between the US and the service provider’s country. In other cases, only US common law will apply, creating the possibility that the service provider would be liable under US law when not complying with the request, or liable under EU law when complying with it.
The challenges presented by both initiatives underline the importance of organising independent judicial review in cross-border cooperation cases, since private sector service providers cannot reasonably be expected to resolve legal tensions that legislators have been unable or unwilling to address themselves. The creation of legal frameworks that nonetheless require service providers to do so, and that subject them to liability irrespective of their decisions, is not a sustainable policy.
Full document available here.