By Catherine Stupp
(EurActiv) — Messaging apps and other digital services will be forced to give their users’ data to law enforcement authorities within ten days of receiving requests, or six hours in emergencies, according to a leaked draft of an upcoming EU legal overhaul.
The European Commission will crack down on technology companies that collect so-called electronic evidence that is needed for criminal investigations, regardless of where companies are located or user data is stored, according to proposals obtained by EURACTIV.
The “e-evidence” legislation will force a broad range of digital communication apps to respond quickly to requests for data.
Services that will fall under the new rules include “social networks, such as Twitter and Facebook”, cloud providers, domain name registries and registrars, and even “digital marketplaces that allow consumers and/or traders to conclude peer-to-peer transactions” like user forums on ecommerce platforms.
The reform is scheduled to be announced on 17 April.
The Commission proposal refers to the “exponential increase in use of online services and apps” that are sometimes “misused” to commit crimes.
EU Justice Commissioner Vera Jourova has argued that the legal change is needed because authorities currently face difficult and long processes to receive data stored in other countries for their investigations.
The changes are controversial. Privacy advocates have criticised the Commission’s plan to force companies to hand over data quickly.
The new system will circumvent MLATs, or mutual legal assistance treaties, which authorities argue are too slow. Under those agreements, justice officials in partnering countries cooperate, which is different from the e-evidence legislation that allows authorities to approach foreign companies directly.
The Commission will propose two new laws to clamp down on tech companies.
A new regulation will create legal systems for authorities in EU member states to demand companies share data within 10 days, or six hours if there is “imminent threat to life or physical integrity of a person or to a critical infrastructure”.
The overhaul will also include a directive, under which any company providing services that collect electronic evidence in the EU will be forced to appoint a legal representative within the bloc.
Companies’ EU-based legal appointees will need to respond to law enforcement requests for data.
The system will force a big change on companies that currently have no office or do not store user data in the EU: if their services are available in the bloc, those firms will need to comply with police demands.
The proposal specifies that any services that EU-based users can access through app stores will also fall under the rules.
As a result, law enforcement authorities in EU countries will be able to demand user data from any messaging app or digital communication service operating in the bloc.
“Given the borderless nature of the internet, such services can be provided from anywhere and do not necessarily require a physical infrastructure, corporate presence or staff in member states where the services are offered,” the regulation says.
Companies will be able to appeal legal orders and seek reimbursement for data transfers if member states’ national laws cover those costs. They will face sanctions if they refuse to respond to demands.
Law enforcement authorities can only demand data for crimes that carry sentences of up to three years.
Because of that high threshold, the Commission has determined that requests will focus on serious offences like “membership in a criminal organisation, financing of terrorist groups”, training for terrorist acts or supporting a criminal organisation.
National governments have pressured the Commission to propose rules to give law enforcement authorities easier access to data stored in other EU member states. But the new proposals go further by covering companies located outside the EU.
Earlier this year, Jourova confirmed that she was seeking to expand the new system to include a data sharing arrangement with the United States.
But those plans are now uncertain. US authorities will be able to demand data held abroad if it’s needed for investigations, under the new CLOUD Act, which lawmakers approved last week in a fast-tracked vote.
Legal experts argue that the strict new EU data protection law set to go into effect in May will prevent companies from being forced to give American authorities data, unless EU member states agree to bilateral deals with the US.
That means that under the new proposals, US-based companies will be required to give data to European authorities if they operate in the bloc. But European companies do not need to comply with American data demands.
Jourova was disappointed by the new US law, tweeting on Monday (26 March) that the CLOUD Act “narrows the room for the potential compatible solution between EU-US”.
The EU justice chief wrote that she is pushing for “a coordinated approach to avoid different bilateral agreements”.
An aide to Jourova revealed last November that the Commissioner had asked US Attorney General Jeff Sessions months earlier to start negotiations for an EU-US agreement.
Political tensions around police access to data have been soaring on both sides of the Atlantic for several months.
Microsoft is currently at the centre of a high-profile case before the US Supreme Court over the company’s refusal to hand US authorities data that is held on a server in Ireland.
The Commission has sent its own submission to the Supreme Court.
According to the EU’s draft e-evidence regulation, the Commission still plans to “discuss with the US and other third countries the possibility of future bilateral or multilateral agreements”.
In the meantime, the EU executive wants existing MLAT agreements with authorities in countries outside the bloc to work more quickly.
The draft Commission regulation earmarks €1 million in funding to train law enforcement authorities in member states on using MLATs, “with a focus on the US as the third country receiving the largest number of requests from the EU”.