On Monday, it was reported that the European Union is processing legislation that will allow it to demand access to customer data across boundaries. This has raised several concerns from corporations that host such information, as well as activists concerned about citizens’ basic right to privacy.
In recent years, there has been growing concern amongst governmental and inter-governmental agencies regarding digital crimes. The internet has been used as a tool by organisations such as ISIS to radicalize youth and spread propaganda. In 2016, two major cyberattacks took place, and billions of dollars were lost due to the NotPetya and WannaCry malwares.
However, another growing concern during this era of information, is privacy. The increasing use of cloud storage through companies such as Google, Amazon, Dropbox, and Microsoft, leaves sensitive and often personal data in the hands of these corporations. The server storing this information is often remotely located. Additionally, as demonstrated by WikiLeaks, and a number of other hacks, any information shared or stored online is vulnerable.
The European Union is a political and economic bloc comprising of 28 independent member states. The EU has shown initiative in updating its policies to address cyber issues. The bloc has expressed concern regarding inflammatory content and hate speech on major social media sites for years.
In 1995, the Data Protection Directive (DPD) (Directive 95/46/EC) came into force. This directive interpreted human rights law to protect personal information. According to this directive, “Personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes”.
In April 2016, the European Parliament &Council ordered the replacement of the DPD with the General Data Protection Regulation (GDPR). The GDPR, which will be implemented in May 2018, is intended to increase regulations “with regard to the processing of personal data and on the free movement of such data”. As GDPR is a Regulation rather than a directive, it will be directly applicable across all member nations once implemented.
On the 26th of February, Reuters reported that the European Union is currently drafting legislation that will enable law enforcement to demand access to electronic criminal evidence: both within the EU, and across the world.
“The current method [to access evidence internationally] is very slow and non-efficient,” European Justice Commissioner Vera Jourova told Reuters. Under the current system, Mutual Legal Assistance Treaties (MLAT), European officials are required to file an official warrant with the country where the data is stored. Jourova acknowledged the inter-governmental issues that could arise. “This issue of reciprocity in the law enforcement area is highly necessary to discuss in order to avoid the problem of conflict of laws,” she said.
Earlier this month, Jourova delivered a slightly contradictory message, warning social media giants Facebook, Google, and Twitter to update their privacy policies to match EU laws. Further, in 2014, in the context of a case that will reach the United States Supreme Court this week, EU officials said that “extraterritorial application of foreign laws (and orders to companies based thereon) ... may be in breach of international law”.
The case in question, between Microsoft and the United States Justice Department, involves a warrant for information. The warrant is regarding a narcotics investigation. Emails stored on Microsoft servers in Ireland hold possible evidence. Microsoft holds that a domestic warrant does not provide grounds to access data stored on servers overseas. Microsoft President Brad Smith stated that providing domestic agencies with access to internationally stored data would be “a recipe for international tension and chaos.” A number of large technology companies including Google, Apple, and Amazon, have issued support for Microsoft.
While officials argue for increased efficiency and counter-terrorism investigations, technology companies are concerned that allowing access would break customer trust. Meanwhile, privacy advocates believe that such a law would invade individual rights. Some legal experts have claimed that this legislation would also breach current EU data protection laws.
Our assessment is that the European Union has made steps to adapt to a world where physical boundaries are increasingly blurred by technology. However, the wider debate surrounding privacy and technology will only continue to grow. As technology continues to advance, it will be increasingly essential for lawmakers to update existing legal frameworks to address these advancements.
European Union authorities have pushed for years to protect the privacy of individual citizens. Would this legislation change that?