Proposal Gives EU Judges Power To Demand Data Across Borders

The ‘e-evidence’ law would force tech firms to hand over data within as little as six hours

The European Commission is to publish proposed rules on Tuesday that would give national judges in the EU the ability to compel tech companies to quickly hand over information stored outside the bloc, in cases of serious crime.

The digital evidence proposals are intended to streamline cross-border procedures to adjust for the increasing use of remotely based communications services, which routinely involve data being stored in countries other than those where the user is located.

But a tech industry lobbying group said the Commission would be required to formulate the rules in such a way that they would withstand later scrutiny by the European Court of Justice.

The plans, which are similar to legislation adopted by the US Congress earlier this year, are a response to the often lengthy delays faced by prosecutors in obtaining “e-evidence” such as cloud-based documents, messages and emails.

‘E-evidence’

The legislation also seeks to clarify to tech companies what their obligations are when judges demand evidence. The issue has played a part in Microsoft’s ongoing legal battle with US authorities over whether it is obliged to hand over emails held in an Irish server.

The EU proposal would see firms required to hand over information within 10 days of receiving a warrant called a “European Production Order”, with the delay reduced to as little as six hours in “emergency” cases, according to a copy of the plans seen by the Financial Times.

The same time limits would also apply to data held outside the EU.

Companies would be able to challenge access requests if they had concerns that they would be violating data protection laws in the country where the data was held, or for other reasons.

Access requests for information such as the contents of emails could only be made for the most serious types of crimes, and could only be issued by courts, judges or other state-appointed investigating authorities.

The Commission said the new powers would be in line with rights magistrates already possess for gathering physical evidence. The rules do not address issues such as encrypted communications in which companies don’t retain decryption keys.

Vera Jourova, the EU’s justice commissioner, said current rules can result in delays of up to 10 months in obtaining digital evidence across borders.

Limited scope

“We need to make sure law enforcement gets up to speed with the digital age,” she told the FT.

Alex Roure, senior public policy manager at the Computer and Communications Industry Association (CCIA) tech industry lobbying group, said reform would be welcome.

But he said if appropriate checks and balances are not in place, the law could later be overturned by the courts. To avoid that, the proposal must be focused on serious crime and limited in its scope, he said.

“At a minimum, the new EU rules should ensure that the information requested by law enforcement is limited to what is strictly necessary for and proportionate to the investigation in question,” wrote Roure in a blog post.

Privacy group European Digital Rights said it was concerned the laws could open the way for abuses in which companies are effectively forced into handing over individuals’ data, a situation that would erode current checks and balances.

The proposal is set to go before the European Parliament and national governments in the coming months.
