Getting cross border lawful access in Europe right

Lawmakers in the EU have proposed a new legal framework that will make it easier for police in one country to get access to user data in another country (so-called ‘e-evidence’) when investigating crimes. While the law seeks to address some important issues, there is a risk that it will inadvertently undermine due process and the rule of law in Europe. Over the coming months, we’ll be working with lawmakers in Europe to find a policy solution that effectively addresses the legitimate interests of law enforcement, without compromising the rights of our users or the security of our communications infrastructure.

Cloud computing is now ubiquitous. Where once law enforcement could get the data it needed with a warrant served against a local company, that data may now be stored halfway around the world, and consequently, those traditional warrants may no longer apply. To illustrate this problem in practice, think of a case in which a criminal gang operating in France and comprised of Dutch nationals commits a crime in Germany, and those who are most affected are Italian. Besides the obvious challenge of trying to establish which national law enforcement authority has jurisdiction to investigate the crime, there is an additional practical challenge of how to manage that investigation process in an efficient manner. Traditionally, for such cross-border investigations law enforcement and judicial authorities are required to cooperate within formal mechanisms and adhere to certain standards of due process and oversight. Yet herein lies the problem – EU lawmakers and law enforcement authorities claim these processes are too slow and burdensome for the modern cloud economy.

Against that backdrop, policymakers in Europe are seeking to create a new law that would make traditional warrants for so-called ‘e-evidence’ issued by an EU Member State enforceable on any company offering services in the EU. The EU’s move follows similar efforts by lawmakers in the US of late, where the recently-adopted US CLOUD Act creates a framework for more easily securing data stored overseas by internet companies.

The EU’s legislative proposal as drafted contains a number of serious weaknesses. For instance:

  • It sweeps aside the due process safeguards that are essential to protect our users’ rights and meet their legitimate expectations of privacy;
  • It offers preciously little detail on the procedural mechanisms that are a necessary underpinning of these kind of regimes e.g. how can a company like Mozilla be sure that a foreign warrant served on us actually comes from who it says it’s from; and,
  • It does not confront the higher-order question of how a country can establish jurisdiction to investigate a crime in the first place, particularly in instances where several Member States have an interest.

In light of this, over the next few months we’ll be engaging closely with lawmakers in Brussels (the EU headquarters) and the Member State capitals to address the existing shortcomings. Our position is that this law will not strike an appropriate balance unless the following safeguards are incorporated:

  • Data requests shall be necessary and proportionate, and subject to effective due process;
  • There shall be no “gag orders” or other mechanisms that undermine transparency;
  • There will be recognition that metadata (e.g. call logs, location data) is sensitive data; and,
  • There will be clarity that no company or service should be compelled to undermine or hack the security features of its products and services.

When thinking about due process safeguards, it is crucial to note that the EU’s proposal is a major departure from global norms in this space. The arising interference with users’ expectation of privacy – and the risk that the new regime may engender rights abuses – means that the bar for ‘effective due process’ must necessarily be high. For instance, companies like Mozilla must always have the possibility to seek judicial review of data requests that risk violating our users’ rights and lawmakers must create clearing-houses and national single-points-of-contact to ensure that we can identify malicious attempts that exploit the new rules to misappropriate our users’ personal data.

Linked to this, it must be stressed that the proposed regime in Europe is the product of the unique political and legal culture that binds the EU’s 28 Member States. The level of convergence and integration of the EU Member States means that such a regime is, in principle at least, feasible. It is important that this proposed EU regime is not seen as a model for cross-border jurisdiction challenges per se. Indeed, we would strongly advise against similar mechanisms to regulate the lawful access relation between, say, the EU and the US.

The two institutions that oversee the EU legislative process – the European Parliament and the EU Council – are now independently scrutinising and amending the Commission’s legislative proposal, and aim at finalising the new law in early 2019.

Over the coming months, we will continue to develop our perspectives on this issue, and we will meet with policymakers in both the Parliament and the Council as well as other stakeholders in Brussels, as we try to realise a new framework that protects our users’ rights and the security of our products.

We’ll share updates as the proposal evolves.

Read more about our recent work on lawful access: