Law enforcement authorities have a problem: Evidence from crimes is often digital, such as emails or documents in the cloud, but investigators cannot easily access data stored in another country. While this issue is global, it is particularly acute within the EU. According to the European Commission, nearly two-thirds of crimes involving e-evidence held in another member state cannot be properly investigated because of lengthy delays by which time the evidence may be destroyed. To address this problem, the European Union should adopt new rules to streamline the process for obtaining and preserving e-evidence within its territory.
While the European Commission has made an initial proposal on reforming the rules for e-evidence, the proposal has largely missed the mark by making the process more cumbersome for companies and shifting the burden of vetting requests to the private sector. In addition, the proposed rules threaten high fines—up to 2 percent of their global turnover—for compliance violations, which will make companies focus more on avoiding penalties rather than working cooperatively with investigators.
The purpose of new rules should be to expedite law enforcement access to data stored by providers in another EU member state. Updated rules should accomplish three main goals. First, they should standardize the process for how EU law enforcement agencies request that a company preserve or provide access to data in cross-border situations. For example, there should be common rules on when a court order is necessary, what type of information may be requested, and how long companies have to respond to a request. Requests from other EU member states should also be vetted through a domestic government agency, so that companies do not have to deal with multiple foreign government authorities. Creating an EU standard will greatly simplify compliance for companies because it will make it easier for them to determine the authenticity and lawfulness of the requests they receive. If companies can more easily determine the validity of a request, then they can respond faster.
Second, the EU should establish a streamlined process for how companies respond to these requests. For example, the EU should establish a secure digital transmission channel so that companies can safely provide requested information to the government without risk of data theft. The EU should also provide a consistent reimbursement policy across member states to limit the out-of-pocket costs for companies to comply with these requests. Again, simplifying this process can help ensure investigators obtain timely responses.
Third, the EU should avoid putting companies in the middle of competing national laws. Within the EU, there is limited harmonization in criminal law between member states, and national laws diverge on important social issues such as abortion, euthanasia, and religious rights. A company would face reputational damage among its customers and in public opinion if, for example, it was obliged to incriminate a woman who had an abortion—an act that is illegal in Poland but not in other member states. To avoid these types of conflicts, the European Commission’s rules on e-evidence should adhere to the principle of double criminality, which states that law enforcement in one country should only act on orders from another country when the underlying behavior constitutes a criminal offense in both countries.
Obviously, new rules will not solve everything. When investigators need access to e-evidence from providers not offering services in the EU, or when there is a conflict of law preventing the company from disclosing the date, they will still likely need to use mutual legal assistance mechanisms to obtain lawful access to this information. Unfortunately, these inter-governmental processes are generally slow and cumbersome, and need global reform. But modernized rules on e-evidence within the EU could significantly streamline access for investigators in many cases.
Pictured above: MEP Birgit Sippel, rapporteur for the e-evidence proposal, who has highlighted various critical issues about the Commission’s proposal—supported by civil society organisations, data protection experts as well as the industry. Image credit: Birgit Sippel