Vera Jourova, EU justice commissioner © EPA
Brussels is planning to give judges the power to seize emails and text messages of terror suspects contained in servers in other countries, under plans that will force tech companies to hand over sensitive information quickly to prosecutors in cases of serious crime.
The European Commission on Tuesday will propose giving national judges the extraterritorial power to order companies to hand over “e-evidence” held in servers in another EU country or outside of the bloc. The warrants would be used for investigations into terror offences and other serious crime.
The EU’s plans, which bear similarities to legislation adopted by the US Congress this year, respond to warnings from prosecutors that it can take months to get hold of vital evidence such as documents stored in the cloud, instant-messaging conversations, and emails.
They also reflect complaints from tech companies that, at present, it is unclear what their obligations are when judges demand evidence. Microsoft has fought a lengthy legal battle with US authorities over whether the company should be forced to turn over emails held in a server in Ireland.
Under the new EU law, tech companies would be expected to hand over the information within 10 days of receiving a warrant, known as a “European Production Order,” with this time period shortened to as little as six hours “in emergency cases,” according to a copy of the plans seen by the FT.
Tech companies would not be able to refuse to hand over information simply because it is stored outside of the EU, although procedures would exist for them to challenge access requests — for example, if they had concerns that the move would violate data protection laws in the country where the server is based.
The European Parliament and national governments are set to vote on the plans over the coming months.
Vera Jourova, the EU’s justice commissioner, told the FT that “securing evidence stored online always is a race against time,” sometimes taking as much as ten months. “We need to make sure law enforcement gets up to speed with the digital age,” she said.
EU officials said that while Brussels already has measures in place to smooth cross-border evidence gathering by judicial authorities, they are not fit for purpose in an age where criminals increasingly communicate online.
They added that the need for new measures had been underlined by terrorists’ use of messaging apps and other online tools to prepare and co-ordinate attacks, leading to a multiplication of judicial requests between EU countries for help in getting access to data.
Ms Jourova said one priority was to come up with a system that was “compatible” with rules in the US, which is home to many of the world’s largest tech companies such as Google, Apple and Facebook. “Shared challenges require shared solutions,” she said.
Privacy campaigners have argued the plans risk removing vital checks and balances that make sure EU citizens’ information is only handed over when necessary. A particular concern is that tech companies will refuse to challenge access orders to avoid the risk of being prosecuted for non-compliance.
“If companies are coerced into handing over citizens’ data, our existing rights are put at risk,” said Maryant Fernández Pérez, senior policy adviser at European Digital Rights, a campaigning group. “States have legal obligations to respect and defend people’s fundamental rights. Companies do not have such legal obligations.”
The EU officials said safeguards had been built into the plans, ensuring that access requests for detailed information, such as the contents of emails, would only be possible for investigations into the most serious types of criminal offences. Such requests could only be made by courts, judges or other “investigating” authorities nominated by the state.
The officials also argued that the powers would mimic similar rights magistrates already possess for gathering more traditional forms of evidence. The plans only cover the gathering of existing evidence, not wiretapping, and do not address what to do about encrypted messaging services.