EU considering legislation that would allow police to access data held anywhere

Written by David Adams

The European Union is drafting legislation that – like a draft law under consideration by lawmakers in the US – would effectively give EU law enforcement agencies the ability to request access to personal data even if held on computers outside the EU, according to inside sources who contacted Reuters. One reason why the EU may be considering similar legislation is that this could help smooth the way to a new deal with the US on data sharing for law enforcement and security purposes.

As reported here last week, the US Government is considering passing the Clarity Lawful Overseas Use of Data (CLOUD) Act, which would mean US law enforcement agencies could demand emails and other personal communications from computers overseas, using a judicial subpoena. It would also allow other governments to ask to see the personal data of their citizens stored on computers in the US, subject to sharing agreements. The Act is a by-product of a long-running legal dispute between the US Government and Microsoft, which involves the government trying to access a Microsoft customer’s emails stored on a server in Ireland. The Supreme Court will rule on the matter later in 2018.

Human rights and other online activists are strongly opposed to the CLOUD Act. Camille Fischer, a Frank Stanton Fellow working with the Electronic Frontier Foundation (EFF), has called it “a bill that diminishes the data privacy of people around the world”, because it would effectively “give unlimited jurisdiction to US law enforcement over any data controlled by a service provider, regardless of where the data is stored and who created it.”

Fischer advocates strengthening the existing system of Mutual Legal Assistance Treaties (MLATs) instead, which allow law enforcement agencies and governments around the world to cooperate in accordance with national data privacy laws if seeking to obtain data held on computers elsewhere. The MLAT system has been criticised by law enforcement agencies on both sides of the Atlantic as being too slow and bureaucratic to be fully fit for purpose in its current form.

Whatever happens in the US, it tends to take a very long time for EU legislation to be agreed and created. Nonetheless, any company or organisation that holds data on behalf of customers and/or business partners should be paying close attention to both of these developments.