Draft EU CLOUD Proposal—Enabling Law Enforcement Access to Overseas Data
The Situation: To strengthen cross-border cooperation in investigations, the European Commission has proposed legislation allowing EU Member State authorities to access, directly from services providers, electronic evidence held outside of the European Union or in another EU Member State.
The Details: The draft Regulation enables authorities to directly request a service provider in another Member State to disclose data about a user within 10 days, or six hours in emergency cases. The draft Directive requires Member States to enact legislation requiring service providers to designate a representative in the European Union for responding to cross-border production and preservation orders.
Looking Ahead: The Proposal is pending adoption by the EU Parliament and the Council.
On April 17, 2018, the European Commission proposed a legislative package ("Proposal") to allow EU Member State law enforcement and judicial authorities to access, directly from services providers, electronic evidence held outside of the European Union or in another EU Member State. The Proposal comes in the wake of the U.S. CLOUD Act, which also aims at facilitating public authorities' access to overseas data (see Jones Day Alert of March 27, 2018).
The Proposal strengthens cross-border cooperation, which is presently limited to:
- The exchange of evidence and mutual legal assistance between EU Member States under the existing European Investigation Order; and
- A set of practical nonbinding measures adopted in 2017 to improve cooperation among judicial authorities both within the European Union and with the United States (e.g., online platform to facilitate mutual legal assistance requests).
The Proposal is composed of a draft Regulation and a draft Directive. The draft Regulation enables judicial authorities to directly request a service provider (or its legal representative) in another Member State to disclose data about a user within 10 days or six hours in emergency cases ("production order") or to retain such data ("preservation order"). The draft Directive also requires Member States to enact legislation compelling service providers offering services in the European Union, but headquartered abroad, to designate a legal representative in the European Union for responding to such cross-border production/preservation orders.
The Proposal is applicable to:
- Service providers offering in the European Union: (i) electronic communications services; (ii) information society services that store data, such as social networks, online marketplaces, and cloud providers; and (iii) internet domain name and IP numbering services, such as IP address providers, and domain name registries.
- Data regardless of where it is located, requiring the provision/retention of subscriber data (e.g., date of birth, telephone number), access data (e.g., log-in/off, IP addresses), content data (e.g., text messages, photos/videos), and transactional data (e.g., traffic data).
Safeguards for respecting EU fundamental rights are also foreseen in the draft Regulation, such as protecting the right to privacy and data protection. Personal data covered by the Proposal may be processed only in accordance with the General Data Protection Regulation, or GDPR, and the Data Protection Directive for Police and Criminal Justice Authorities, known as the Law Enforcement Data Protection Directive, although it remains to be seen whether the Proposal's requirements would potentially conflict in practice with such legislation. Other safeguards include systematic judicial oversight, remedies for service providers, and layered access to data depending on the gravity of the criminal offense at stake.
For service providers, where the obligation to produce data conflicts with a competing obligation under a third-country law, judicial review may be sought by raising an objection under a specific procedure under the draft Regulation.
The Proposal is pending adoption by the EU Parliament and the Council. We will be following the Proposal, which will likely affect the global operations of companies providing digital services in the European Union, even if based abroad.
Two Key Takeaways
- The Proposal is composed of a draft Regulation and a draft Directive, and it is applicable to providers offering particular services in the European Union, as well as to certain data, regardless of where it is located.
- The draft Regulation includes safeguards for respecting EU fundamental rights, such as the right to privacy and data protection.
For further information, please contact your principal Firm representative or the other lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com/contactus/.
Laurent De Muyter
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.