The rise of internet-based communications has complicated the ability of law enforcement to gather evidence in criminal investigations. Compounding the problem is the fact that technology companies often store users’ data at a great distance from the physical location of their customers. As a result, when law enforcement is investigating crimes with a cross-border element, their powers are often curtailed by outdated or prolonged cooperation mechanisms.
With many technology companies’ EU or EMEA headquarters located in Ireland, these Irish companies control the majority of the EU’s electronic communications on their servers. The upcoming legislative changes in the area of cross-border access to evidence, and Irish support for these changes, are being closely watched by many, including our fellow Member States.
Outdated mechanisms for co-operation
Historically, ‘letters rogatory’ were the principle mechanism for sharing evidence between nations. Letters rogatory are discretionary requests made between the courts of one country to the courts of another country that are available to governments and private litigants. As investigations into complex, coordinated international crimes, such as money laundering and drug trafficking, became more common in the 1970s, countries began entering into Mutual Legal Assistance Treaties (MLATs), which established standardised procedures for the sharing of certain evidence in criminal matters.
In Ireland, matters relating to Mutual Legal Assistance are governed by the Criminal Justice (Mutual Assistance) Act 2008. Under the Act, other states’ authorities can request Irish assistance in a wide range of matters. Each party to an MLAT designates a central authority (Central Authority) through which direct communications can be made; in Ireland, the Central Authority sits within the Department of Justice. However, the MLAT process was not devised to handle the growing volume and frequency of demands for electronic evidence. An oft-cited criticism of the MLAT process is that, on average, it takes 10 months for a request to be fulfilled.
In April 2018, the European Commission proposed a legislative package, commonly referred to as “e-evidence”, to make it easier for law enforcement authorities of Member States to obtain cross-border evidence. E-evidence proposes to introduce European Production and Preservation Orders, or EPOs, in criminal matters. This would allow competent authorities from one Member State to make requests directly to service providers in another Member State for access to, or preservation of, electronic data for criminal investigations. While the ability to make direct requests will remove red-tape for law enforcement, it will also remove all diplomatic channels and oversight of the receiving Member State from the process. The shortcut will, in effect, give private companies a role which was previously carried out by the judicial authorities of receiving Member States. This will shift the burden onto service providers to verify the legitimacy of the request and push back on overreaching requests.
In addition, the e-evidence proposal seeks to dramatically increase the speed at which the information must be produced or preserved by service providers. Under the proposal, service providers will be obliged to reply to the requesting Member State within 10 days of receiving the request, and, in cases of emergency, within a window of 6 hours. The narrow windows for responding to EPOs will be problematic for many service providers, in particular smaller organisations with limited resources. If no oversight mechanism of the receiving Member State makes it into the final text, the narrow window will likely fail to provide enough time and scope for crucial safeguards and checks to be performed by the service providers.
Will Ireland opt into e-evidence?
Generally, the law of the European Union is valid in all Member States. However, occasionally, Member States negotiate certain opt-outs meaning they do not have to participate in certain policy areas. Following the adoption of the Lisbon Treaty in 2009, Ireland has an option to ‘opt in’ to EU laws on matters relating to freedom, security and justice. This means that Ireland has a choice whether to adopt the e-evidence proposal.
E-evidence comes quick on the heels of the European Investigation Orders (EIOs), which permit a request for an investigatory measure to be conducted in another Member State. Despite Ireland fully participating in the negotiations on the EIOs and, indeed, chairing the negotiations on the proposal with the European Parliament during its Presidency of the Council in 2013, Ireland chose not to opt into the EIO Directive.
Unlike its approach to the EIOs, Ireland, via a letter in July from our Permanent Representation, has notified the European Council of its intention to adopt the e-evidence proposal.
In addition to working on its own legislation, the EU is considering an executive agreement with the US government under the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act). This would enable US authorities to directly request access to data of European companies and vice versa. While it is widely expected that the first executive agreement under the CLOUD Act will be between the US and the UK, the presentation of negotiation mandates for an EU-US agreement is on the agenda of the EU’s Justice and Home Affairs Council.
The aim of the new co-operation frameworks is to remove bureaucratic hurdles hindering cross-border access to criminal evidence where time is often of the essence. However, if appropriate safeguards are not baked into the new cooperation frameworks, there is a real risk to individuals’ fundamental rights and freedoms, such as data protection and privacy.
If your company receives requests for customer data from law enforcement or other government agencies, you should keep an eye on these upcoming changes as they will have a substantial impact on how and when your company responds to these requests.
For more information relating to the forthcoming changes and how they may potentially affect your business, contact a member of our Privacy & Data Security team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.