Police and judicial authorities are to have easier access to cloud data in the USA. To this end, a decree of the US government will also apply in the EU member states. As part of the “Budapest Convention”, US authorities could also knock directly on the door of European Internet companies.

The European Commission has today submitted two negotiating mandates for easier data retrieval from Internet companies. Their purpose is to facilitate access to “electronic evidence” in the US. This is also possible via the EU-US Mutual Legal Assistance Agreement or bilateral mutual recognition procedures. However, this existing international legal process takes up to 10 months. But allegedly, the EU member states only make use of this laborious procedure in around 4,000 cases a year.

The Commission therefore intends to negotiate with the US government on participation in the CLOUD Act. The US decree forces companies there to disclose content and traffic data, regardless of where these data are stored. It is also possible that foreign authorities may knock on the door of US companies. However, individual governments must first conclude a partner agreement with the USA.

Probably considerable requests

Such a partner agreement would cover user and traffic data. Content data would continue to be subject to the international legal process. The Commission now proposes to draft a framework contract for all Member States. Internet service providers in the US could then be forced to directly hand over certain data to European investigators.

If an agreement were reached, this could lead to considerable more requests. According to the Commission, about 85% of criminal investigations require “electronic evidence”. In two thirds of these cases, they would have to be obtained from another country. The largest service providers are based in the US. The number of requests to companies has therefore increased significantly in recent years.

At EU level, too, such a procedure for “E-Evidence” is currently being prepared. It will apply to all companies that can be reached via the Internet in the Member States. This “Regulation on European Production and Preservation Orders for electronic evidence in criminal matters” is currently being discussed by the Council. It provides for the introduction of a “Production Order” to seize cloud data or e-mails. To this end, Internet service providers will first receive a “Preservation Order” to prevent the requested data from being deleted in the meantime.

Companies must check requests

It does not require a judge’s reservation for the simplified query of user data. This would leave it to the companies to check whether orders within the framework of the “E-Evidence Regulation” have to be complied with in individual cases. This is also planned for European participation in the CLOUD Act. From the point of view of data protection, the project is therefore extremely problematic.

The US government will probably only agree to direct requests at domestic companies if its investigators’ access to European servers is also made easier. This would be possible via the Second Additional Protocol to the Council of Europe’s “Budapest Convention” on Computer Crime. By December 2019, a working group on cloud evidence is to prepare a draft for closer cooperation with Internet companies.

The USA is a signatory to the agreement of more than 60 governments, so the protocol would also apply to US companies. Although the European Union is not a member of the Council of Europe, the Commission today also requested the negotiating mandate for the new version of the “Budapest Convention” on behalf of all EU member states.

As with the “E-Evidence” Regulation, the Commission intends to promote the establishment of “Production Orders” and “Preservation Orders” in the Council of Europe. These would mainly concern user data (“subscriber information”). Nothing is known about the proposed deadlines, but the Commission also intends to negotiate an urgent procedure.

Introduction of new “investigative techniques”

However, the “Budapest Convention” does not only deal with requests for “electronic evidence”. It also provides for joint investigations in cyberspace. The police and judicial authorities are also to use “extended search” procedures and new “investigation techniques” for this purpose. This could involve the use of Trojan programmes, which can now be implemented across borders via the European Investigation Order. Under the Directive, a executing state must transfer data from private computers to the issuing state.

The two negotiating mandates still have to be decided by the Member States. This week the EU interior and justice ministers will meet for their informal Council in Bucharest.

Image: Server farm (Faber, CC BY-SA 2.0).