A planned EU regulation on police investigations into cloud data should now include direct access and real-time interception. This would include user,  traffic and content data. All companies offering “interpersonal communication services” in the European Union would be concerned. The Austrian Presidency wants an agreement by the end of the year.

The European Union is planning to extend a planned legislation to allow direct access to data held by Internet service providers. This is stated in a document distributed by the Bulgarian Presidency to the representations of the Member States. The regulation is aimed in particular at US companies. EU Justice Ministers should give the green light as soon as possible to start negotiations with the US administration. They will also discuss whether the act could also apply to intercepted calls.

In April, the European Commission proposed a regulation to simplify access to so-called “electronic evidence”. The judicial authority of a Member State could therefore issue a “European Production Order” for  subscriber data, access data, transactional data (“non-content data”) and stored content data, which must be provided within 10 days. In “emergencies” the time limit is reduced to six hours. Similar to the German “Quick Freeze”, the Internet service providers concerned receive a “European Preservation Order” beforehand so that the requested data is not deleted.

Passwords would also be required

The “Production Order” and “Preservation Order” are meant for all companies providing “interpersonal communication services” on the territory of EU Member States. In addition to cloud storage, this includes Internet telephony, messengers, e-mail services and online marketplaces. The regulation will also apply to social networks such as Twitter and Facebook. Finally, providers of “Internet infrastructure” and domain registrars should also be subject to a corresponding regulation.

In addition to personal data, companies would have to disclose all known e-mail addresses and telephone numbers as well as documents and photos used for identity verification as inventory data. SIM card numbers and credit card information are also required. Access data (such as PIN and PUK codes or passwords) are also defined as access data. The regulation is aimed in particular at US companies. EU Justice Ministers should give the green light as soon as possible to start negotiations with the US administration. They will also discuss whether the act could also apply to intercepted calls.

Issuance of non-content data for “all types of crimes”.

Similar to the already available EU procedures on mutual legal assistance (such as the European Arrest Warrant or the European Investigation Order), a regulation on “electronic evidence” would be based on the principle of mutual recognition. It should only be used in criminal investigations if a similar measure is available in both states for the same crime.

According to the draft, the disclosure of telecommunications data should follow a graduated procedure. Orders for  subscriber data and access data may therefore be issued for “any type of offence”, but orders for transaction and content data may only be issued for offences with an estimated prison sentence of at least three years.

Direct access with “Option D”

In the draft regulation for the “Production Order” and “Preservation Order”, the Commission had presented and assessed several options. Finally, a legal assistance procedure has become proposed, to which the companies are bound by certain deadlines. Direct access (“Option D”) went too far for the Commission and would initially not be legally enforceable regarding US companies. However, the Commission promised to further reflect on “measures on direct access and the access to databases, which form part of Option D”.

The draft regulation remains vague on this, but the Bulgarian Presidency is now setting the course. European investigators would have to be equipped with all the tools “that are also available to their US colleagues”. Thus, in addition to direct access, real-time interception of data should also be hefted into the regulation. However, the delegations of the Member States are divided on this issue: According to the Brussels news service Euractiv, ministers from Belgium, Portugal, Cyprus, France, Greece, Italy, Estonia spoke out in favour of allowing the interception of communication in real time.

However, the State concerned, on whose territory such a server is located, would have to be informed of the measure. Furthermore, it is unclear how to deal with data whose location or hoster is unknown. According to a Commission paper, “possibilities to access and in some  cases  copy  the  data directly from  a  computer  system” could then be used. “A number of Member States” would already have these capacities.

Implementing agreements for the whole European Union

The US would probably only agree to direct access to its territory if US authorities in the European Union were also allowed such a measure. The proposed regulation on “electronic evidence” can be understood as a response to the recent CLOUD Act (“Clarifying Lawful Overseas Use of Data (CLOUD) Act”), which forces US companies to disclose user, traffic and content data.

The CLOUD Act contains a clause under which individual EU member states can conclude an executive agreement with the US government as partner states. The European authorities would be on an equal footing with the US authorities with regard to orders to issue “electronic evidence”. Instead of the arduous negotiations of each EU Member State, the Council is now to negotiate such an executive agreement with the US administration for the entire European Union.

Austria wants regulation by the end of the year

Two weeks ago, the topic was on the agenda of the EU-US ministerial meeting in Sofia, which was attended by the Austrian Minister of the Interior Herbert Kickl, the US Senator of Justice Jeff Sessions and the Deputy Secretary for Homeland Security Claire Grady. Austria will take over the EU Presidency in the second half of the year and will treat the regulation on “electronic evidence” as a priority. An initial agreement is expected to be reached in October and the act will finally be ready for signature by the end of the year.

On Monday, the EU Justice Ministers discussed the matter in Luxembourg. The Bulgarian discussion paper was adopted there without objection, stressing the need for a strong negotiating position with the US. The debate on the cross-border disclosure of “electronic evidence” should therefore be conducted as openly as possible in order to send out a “provide a clear signal of the willingness of the Member States and the EU to proceed swiftly with this matter”.

Image: US Senator of Justice Jeff Sessions and Homeland Security Deputy Secretary Claire Grady at the EU-US meeting in Sofia. The European Union wants to negotiate participation in the CLOUD Act with the USA (all rights reserved Bulgarian Council Presidency)