knowledge | 20 June 2018 |
Changes to Cross-Border Access to Electronic Evidence Mean it’s Decision Time for Ireland
The advent of the digital-age has offered unprecedented opportunities for criminals to operate unchecked, often on a cross-border basis, while enjoying the anonymity offered by the Internet. Frequently, governments and legislation have struggled to keep pace with technology, with law enforcement hamstrung in its pursuit of wrongdoers.
These difficulties are particularly acute when it comes to accessing electronic evidence such as emails, social network posts, subscriber or traffic data, which may be critical to a successful prosecution but where data may be held outside national borders. The rise of cloud computing often means that data is stored in centres located abroad.
Until now, states have sought to combat challenges posed by cross-border access to electronic evidence by using bilateral frameworks such as mutual legal assistance treaties ("MLAT") and, in a European context, the relatively new European Investigation Order ("EIO"). Despite many relevant service providers being headquartered in Ireland, it did not take part in the EIO initiative given perceived inconsistencies with Irish law and practice and instead continues to rely on MLAT channels.
Response times under either regime are slow. Currently, a response to an EIO can take 120 days or up to ten months under a MLAT. While law enforcement struggles under these cumbersome methods, criminals use cutting-edge technology to operate, moving data at the click of a mouse. Change is essential to give law enforcement 21st century methods to combat crime.
Conflict potential between new US legislation and GDPR
In March the U.S. Congress passed the Clarifying Lawful Overseas Use of Data or “CLOUD” Act, aimed at assisting law enforcement in tackling the international reach of the Internet. Now, an electronic communication service or remote computing service provider who is subject to U.S. jurisdiction, will be obliged to “preserve, backup, or disclose” the contents of certain electronic communications and customer information held or controlled by them, regardless of whether this information is located within or outside of the U.S.
However, a service provider will be able to apply to court to modify or quash an order where it reasonably believes that disclosure of data would violate foreign law. For example, absent a new MLAT, an organisation subject to the GDPR which receives such an order may not have a clear legal basis for complying if it is to adhere with its GDPR obligations.
Also, under the new law individual governments who satisfy set criteria, including robust protection for privacy and civil liberties, will be able to conclude reciprocal “executive agreements” with the United States. Subject to certain safeguards, this will entitle their respective law enforcement to access communications data held by operators in the other jurisdiction. The approach will be to the operator directly, rather than to the foreign nation and if implemented in Ireland, this would represent a radical departure from the MLAT procedure.
The CLOUD Act arrived just in time to resolve an action between the U.S. Department of Justice and Microsoft which recently reached the U.S. Supreme Court and highlighted the legal tensions around these issues. The U.S. authorities had sought to rely on a domestic warrant to access emails held by Microsoft in Ireland arguing that they could require production of emails stored anywhere in the world. Microsoft argued that the existing U.S. law only permitted access to data held within U.S. territorial boundaries and that a request for the data should be made to Ireland under a MLAT. However, once the CLOUD Act was passed, the U.S. Department of Justice simply obtained a new warrant under that Act disposing of their dispute with Microsoft and the U.S. Supreme Court directed that the case be dismissed.
Creating a level playing field in the EU
In April the European Commission proposed a new Regulation creating a European Production Order. If implemented, this will permit law enforcement agencies, with judicial approval, to make cross-border requests for electronic evidence again directly from a service provider offering services in the Union and established or represented in another Member State, regardless of the location of data. The proposal is widely cast to create a level playing field between all participants in the same markets and prevent circumvention by criminals. A response will be required within 10 days or 6 hours in an emergency. Also proposed is a European Preservation Order which will ensure specific data is preserved pending such a request. Both new remedies will have appropriate safeguards built in. These new EU measures follow strong calls for action by Member States and industry and have been welcomed by them.
The proposals have a particular resonance for Ireland as a number of service providers have their European headquarters here and may address the issue of the increase in the time needed to access e-evidence from Ireland under MLAT procedures, apparently due to the high number of requests to the Irish authorities. It is expected that Ireland will be one of the Member States most impacted by the Commission’s proposals should it decide to opt-in to them given its prior decision not to adopt EIOs.
Legislative change takes time. In the interim, stakeholders sometimes seek out alternative legitimate methods of achieving required results. For example, the European Commission reports that some service providers established in Ireland will reply directly to data requests from EU Member States on a voluntary basis, insofar as far as the requests concern non-content data. While this voluntary cooperation may get results in some instances, the difficulty here has been a lack of consistency of approach, predictability of response, transparency and accountability.
Change is afoot and it clear that Ireland as a hub for big data is at its epicentre. As data requests continue to mount, the MLAT procedures on which Ireland relies may no longer be fit for purpose. Voluntary cooperation between service providers and law enforcement is also not an optimum solution and may be difficult to achieve given GDPR requirements. While Ireland cannot be compelled to move with the changing legislative landscape in the EU and US, the question remains whether it can afford to hang back.
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.