EU may follow US push for easier data sharing across borders
Last month, US lawmakers passed legislation updating how law enforcement gets access to US companies’ data held overseas. The new CLOUD Act, as it’s called, had its supporters (big tech corporations like Apple, Google and Engadget’s parent company Oath) and detractors (privacy advocates like the EFF), and it redefines how the US negotiates with other nations for corporate information, including text messages, emails and documents. Now the European Commission has proposed its own version of those rules to speed law enforcement access to data.
Ideally, this will smooth over a process that was so slow and unwieldy that it has led to conflict between US and EU authorities, as happened when American authorities unsuccessfully tried to wrest data from Microsoft that was located in Ireland. While the tech titan won that legal challenge, the Supreme Court dropped the pending appeal earlier this week, as the CLOUD Act essentially ensured Microsoft and other companies won’t be able to mount the same defense next time. Per the new law, US authorities can request that information.
Under the EU proposal, online service providers would be required to respond to authorities’ requests within ten days or, in emergencies, within six hours. Both are far quicker than the 120-day limit for the existing European Investigation Order used to ask for data. Authorities would also be able to command companies not to delete certain information while the request is being processed. Compliance is mandatory; the existing ‘voluntary cooperation’ model created too many challenges for companies and increased the uncertainty of law enforcement data requests.
The EU proposal only allows requests for ‘electronic evidence,’ which includes everything from communications to subscriber and traffic data, that is relevant to criminal investigations. Crucially, it only applies to stored information, not to intercepting it in transit. Much like the US CLOUD Act, it establishes safeguards to protect user privacy. But according to the proposal’s FAQ, the judge allowing the request will likely have to make the final call about whether it violates laws and interests of the country hosting the data.
The European Parliament needs to vote on the proposal before it becomes law, and may amend it along the way.