New rules proposed by the EU could see personal data turned over when requested, even when it is stored outside the bloc.
The European Union is preparing legislation that could force companies to turn over personal data, even when the information is located on servers outside of the 28-nation group.
Previously, the EU said it wished for electronic evidence stored within the bloc to be accessible by law enforcement authorities, but now it seems the new legislation will extend to information stored outside of the area, which is concerning data privacy experts.
Data privacy concerns
Reuters reported that EU officials are growing concerned about policing digital borders and companies’ operation of gigantic cloud networks filled with information, some of which could be useful in criminal cases. A similar issue is being discussed at present in the US, with the supreme court this week seeing judges consider whether law in the country permits prosecutors to compel tech firms to hand over data stored abroad.
The battle in the US concerns a 2013 warrant issued in the country for emails of a drug trafficking suspect that were stored on Microsoft servers in Dublin. The US Department of Justice says that due to Microsoft being headquartered in the US, prosecutors are entitled to the data.
There are two basic sides to this data privacy argument. One side is that of many governments and law enforcement agencies, which argue that crime-fighting in a digital world requires broader search powers. The other is that of many tech firms and privacy advocates, who say individual privacy rights would be damaged by such rules.
Apple, IBM and Microsoft have all stated that customer trust in cloud services would be eroded if such regulations were made.
A change in outlook for EU
The European Commission has previously sided with privacy advocates on this issue but justice commissioner Věra Jourová said that currently accessing cross-border evidence is “very slow and non-efficient”, adding that law enforcement agencies need to be a step ahead of criminal activity.
The new law would apply to the personal data of anyone involved in a European investigation, regardless of their individual nationality, and it is still in the drafting stage at this point. The new text is earmarked to go before lawmakers and officials at the end of March.
There is the risk of conflict with individual privacy and data protection laws, but the EU said it was introducing extraterritorial authority partially to strengthen bilateral negotiations on the subject with the US.
According to Jourová, EU prosecutors could compel firms to hand over data, skipping over existing legal methods known as mutual legal assistance treaties (MLATs). Some privacy experts say that while MLATs need to be changed, cross-border personal data requests should be avoided.