Published by The Lawfare Institute
In 2018, the United States and the European Union each set out to reinvent the creaky international system for making electronic evidence stored in one jurisdiction available to law enforcement in another. Law enforcement agencies on both sides of the Atlantic cheered. Four years later, progress toward this goal has been incremental at best. A meeting in Washington this week between the EU’s commissioner for justice, Didier Reynders, and U.S. Attorney General Merrick Garland is unlikely to advance prospects for a transatlantic e-evidence agreement. Frustrated investigators and prosecutors are looking for other tools. Has the time for an EU-U.S. agreement on e-evidence come and gone?
Law enforcement’s problem is clear. Major cloud service providers typically store customers’ electronic communications content data in servers scattered across the globe. When police or prosecutors seek this data, they now regularly find that it is under the control of a provider located in a foreign country. A European Commission study, for example, estimated that 85 percent of EU member states’ criminal investigations require electronic evidence in some form, and in two-thirds of the cases such evidence is in the hands of online service providers based in another jurisdiction. A report compiled by Europol, the EU’s police agency, found that the coronavirus pandemic only increased law enforcement’s need for electronic evidence to pursue cybercrime as well as other types of crime.
In many countries, including the United States, and in Europe, communications service providers are prohibited by law from directly disclosing communications content to a foreign government. As a result of these bars, law enforcement seeking foreign-located content data must present a formal international request for mutual legal assistance. A prosecutor sends the request through a designated central authority in his or her home state to a foreign counterpart governmental central authority, which ensures that it is executed under the foreign state’s criminal procedure law. Centralized mediation in the receiving state unavoidably adds considerable time to the execution of the request. The U.S. Department of Justice acknowledges that mutual legal assistance requests have “increased dramatically, straining resources and slowing response times.” Europol confirms that delays in U.S. processing of European mutual assistance requests are a “recurring and longstanding challenge.”
In 2018, the U.S. government and the European Union began parallel efforts to restructure legal methods for obtaining foreign-located electronic evidence. The United States enacted the Clarifying Lawful Overseas Use of Data Act (Cloud Act), while the European Commission proposed the E-Evidence Regulation. Both measures eliminate a central government’s role in mediating a foreign request for e-evidence located in its territory. Instead, a law enforcement agency sends an order directly to the service provider in the foreign country where the evidence is located.
Soon after enactment of the Cloud Act, the U.S. Department of Justice embarked on a program to negotiate international agreements enabling law enforcement in select foreign countries to utilize this streamlined approach. The resulting agreements would lift the blocking provisions on foreign disclosure of communications content. Washington began with Anglophone jurisdictions with similar criminal justice institutions. An accord with the United Kingdom was signed in 2019 but has not entered into force. Another, reached with Australia in 2021, should take effect later this year. Negotiations with Canada are underway. New Zealand is eager for a Cloud Act agreement with the United States, as are some Asian countries.
In 2019, the United States also launched negotiations with the European Union, following EU issuance of a negotiating mandate. The EU initially anticipated that it would quickly complete its internal framework, the E-Evidence Regulation, and proceed in parallel to conclude an international agreement with the United States. However, the EU has yet to enact the E-Evidence Regulation, which has been mired in lengthy disputes among the European Parliament, European Commission and member states, primarily over civil liberties issues. France, a strong backer of the measure, is attempting to break the deadlock during its current presidency of the EU, which ends in June.
The EU’s inability so far to complete the E-Evidence Regulation has frozen the transatlantic negotiations for the past two years. Law enforcement authorities thus have seen the prospect of a speedier and more efficient transatlantic architecture for obtaining foreign-located communications content recede into the distance. Although the United States is gradually achieving a handful of agreements with like-minded countries, the slow pace of its negotiating program does not, in any case, offer a scalable global solution. The EU may eventually overcome internal concerns and finalize its own e-evidence regime, but prospects for an eventual international agreement with the United States remain distant and difficult. Is there another way?
Local Jurisdiction Over Cloud Service Providers
The Cloud Act itself supplies part of the answer. In addition to empowering the Justice Department to conclude international agreements, the law codified that U.S. prosecutors unilaterally may compel providers of electronic communications services subject to U.S. jurisdiction to disclose content data within their possession, custody or control, regardless of the foreign location of the data. This statutory assertion of U.S. extraterritorial reach has been widely noted—and criticized—in Europe. In turn, it has stimulated a variety of EU initiatives intended to ensure that providers of electronic communications services are immune from foreign legal processes.
U.S.-based cloud service companies receiving orders for foreign-located data issued under the unilateral authority of U.S. law must determine whether compliance would run afoul of the laws of the foreign jurisdiction. Laws in some EU member states prohibiting or limiting the use of communications intercepts, for example, can prove an obstacle. Navigating such potential conflicts of law has become an everyday task for major cloud service providers. Microsoft, for example, publicly reported receiving more than 240 requests from U.S. prosecutors for foreign-stored content in 2021.
Some EU member states similarly assert broad-based jurisdiction for criminal law evidentiary purposes over foreign-stored data. In one widely noted case from 2009, Belgium’s Supreme Court held that U.S.-based Yahoo had to surrender to Belgian law enforcement IP addresses associated with email accounts. By offering its email service in Belgium, the court found, Yahoo had submitted itself to that state’s jurisdiction. Belgian courts also took an expansive jurisdictional approach in a 2017 ruling requiring Skype to intercept communications involving an organized crime suspect, even though intercepts were prohibited under the law of Luxembourg, where Skype had its European establishment.
Belgium’s approach is not unique. Europol’s annual report on EU member states’ experiences with e-evidence found that demands made to the eight largest such companies (Airbnb, Facebook, Google, Microsoft, Snap, TikTok, Twitter and Verizon) have been increasing steadily. It counted 162,000 in 2020, an increase of 27.1 percent over the previous year.
Recent European Union digital legislation also has made non-EU cloud service providers increasingly susceptible to European law enforcement agencies’ unilateral demands for e-evidence. The General Data Protection Regulation (GDPR), for example, applies to “the processing of personal data in the context of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the EU or not.” U.S. cloud service providers typically have located their European establishments in Ireland or Luxembourg, becoming subject to judicial data demands there.
The GDPR also applies even where the controller or processor does not have an establishment in the EU but instead offers goods or services to persons in the union or monitors their behavior. The Court of Justice of the European Union has interpreted the meaning of “offering of goods or services” liberally, applying it, for example, to Google’s sale of advertising on its search engine operating in an EU member state, as held in the Google Spain “right to be forgotten” case. Similarly, newly proposed EU legislation regulating the use of nonpersonal data would apply to manufacturers and suppliers of products and services that have been placed on the market in the union.
Finally, the EU in 2018 adopted a directive expanding the scope of the European Electronic Communications Code (EECC), to harmonize the regulation of electronic communications networks and services with those of traditional telecommunications providers. The EECC extends the reach of preexisting telecommunications legislation to “over the top” (OTT) services, a category including email services, voice over internet services such as Skype, and messaging applications such as WhatsApp. It further makes them subject to the EU’s E-Privacy Directive, a measure to protect communications confidentiality that limits the extent to which data may be retained or used. Over the past year, several major member states, including France, Germany, and the Netherlands, have transposed the revised EECC into their domestic laws. Others have been slower to adopt necessary implementing legislation, despite a requirement that they have done so by now.
Becoming subject to the full scope of Europe’s telecommunications laws means that providers of OTT services established in one EU member state now can be ordered by law enforcement or intelligence agencies in another member state to conduct real-time communications intercepts—without the mediation of a governmental central authority, as would be the case under a mutual legal assistance treaty (MLAT). Real-time intercepts remain a sensitive subject in some EU member states, and laws vary on the extent to which they are allowed. Germany’s laws are among the most robust. Germany’s 2021 reforms to its telecommunications law, for example, require service providers, including those of OTT services, to be able to carry out judicial orders for intercepts.
EU member states’ implementation of the expanded EECC, combined with their existing powers to demand foreign wiretaps, has led major cloud providers to realize that they soon may face a volume of intercept requests relating to OTT services they offer in Europe. A low-key reform of EU telecommunications law—little noticed by civil liberties groups—stands to substantially expand the scope for exercises of unilateral extraterritorial jurisdiction by law enforcement and intelligence agencies. With such requests comes the prospect of more conflicts of law, like those that previously arose with Belgian law enforcement demands.
The Limits of Unilateral Process
Over the past several years, Europe has put in place a number of incentives for an overarching consensual solution with the United States to the proliferation of evidence in electronic form. The GDPR formally forbids the transfer of personal data pursuant to a unilateral third-country demand, although this blocking provision has yet to be invoked. Measures to regulate nonpersonal data could impose analogous barriers to U.S. law enforcement.
Despite the increasing possibilities that unilateral exercises of jurisdiction offer, European law enforcement still are largely compelled to rely on the MLAT system—with all its difficulties—for foreign-located communications content data. The best international solution, therefore, remains the one identified by the United States and the European Union in 2019—an international agreement enabling direct requests by law enforcement to service providers for electronic evidence. Such an agreement would complement the EU-U.S. MLAT while reducing pressure on it.
The U.S. agreement with the United Kingdom shows that an e-evidence accord would protect parties’ respective essential sovereign interests. The United States retains the power to decline U.K. orders that could implicate U.S. free speech protections, and the U.K. may do likewise to deny U.S. requests in cases where the death penalty is sought. An EU-U.S. agreement also would incorporate a mechanism for accommodating the interests of third countries affected by requests for e-evidence.
In addition, the interests of individuals and service providers would be addressed in detail. Under the U.K.-U.S. agreement, for example, orders must be limited to serious crimes, subject to review or oversight by an independent judicial or administrative authority, and based on articulable and credible facts. An EU-U.S. agreement also undoubtedly would build upon data protection provisions afforded to individuals under the existing EU-U.S. Umbrella Law Enforcement Data Protection Agreement.
Over the years, Europe and the United States have managed—despite occasional well-publicized difficulties—to build a well-functioning international law framework for law enforcement and security information exchange that respects individual privacy rights. An e-evidence agreement containing similar safeguards would be another valuable modernizing step. But if the legislative deadlock in Brussels cannot be broken soon, U.S.-EU negotiations could be abandoned or left to languish indefinitely. If governments on both sides of the Atlantic let the opportunity slip away, they will face a future of ever more aggressive unilateral foreign data demands.