The European Commission has outlined its desire for a new legal instrument that would require carriers, clouds, email service providers, and operators of messaging apps, to produce someone's data within six hours to assist investigations of “criminals or terrorists”.
The proposed European Production Order will "allow a judicial authority in one Member State to request electronic evidence (such as emails, text or messages in apps) directly from a service provider offering services in the Union and established or represented in another Member State, regardless of the location of data".
And yes, you’ve interpreted that correctly: it does mean that if an organisation has an office in one European Union member state, and stores its data outside the EU, the EU wants the right to retrieve that data within six hours.
That super-short deadline will only be imposed in the case of an “emergency”. Less urgent investigations have been offered a ten-day deadline.
The European Commission’s justification for the new power is that access to electronic evidence is critical, but current instruments to obtain it move too slowly to help investigators and have therefore eroded public confidence. It therefore also wants a “European Preservation Order” to stop service providers deleting data. The package of measures also calls for any service providers that operate within the EU to have a designated legal representative within the Unions borders.
Safeguards? The Commission thinks it has them. The Production Orders will be applicable only to crimes punishable with “a maximum sentence of at least three years, or for specific cybercrimes and terrorism-related crimes”. Offshore providers will be able to open local proceedings to dispute and order. And there will also be an avenue of appeal if an Order “manifestly violates the Charter of Fundamental Rights of the European Union”.
Article Eight of that Charter states:
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
The EC announced the new plan as part of a suite of measures designed “to deny terrorists and criminals the means and space to act”. Among those measures is compulsory biometrics on EU member states’ ID cards, easier access to banking records for investigators, new restrictions on “marketing and use of explosives precursors” to make the manufacture of home-made explosives harder and background checks on anyone who tries to export weapons from the bloc.
EU members knew this stuff was coming as safety is a legislative priority for the Union 2018-2019. Whether the rest of the world knew it would soon be required to cough data on short notice is debatable, although the recent passage of the USA’s Cloud Act means there’s already a precedent for the EU’s desires. ®