EU Commission to seek authority to seize overseas data

TECH CHALLENGE::The legislation being drafted would allow those officials investigating serious crimes to access data belonging to people from all nations


Tue, Feb 27, 2018 - Page 1

The EU is preparing legislation to force companies to turn over customers’ personal data when requested, even if it is stored on servers outside the bloc, a position that would put Europe at loggerheads with tech giants and privacy campaigners.

The EU executive has previously indicated it wanted law enforcement authorities to be able to access electronic evidence stored within the 28-nation bloc, but the scope of the planned legislation would extend to data held elsewhere, according to two sources with direct knowledge of the matter.

Digital borders are a growing global issue in an era when big companies operate “cloud” networks of giant data centers, which mean an individual’s data can reside anywhere.

The EU push comes as a landmark legal battle in the US nears its climax. The US Supreme Court this week is to hear oral arguments in a case pitting Microsoft against US prosecutors trying to force the company to turn over e-mails stored on its servers in Ireland in connection with a drug-trafficking investigation.

Many law enforcement officials argue that such powers are necessary for crime-fighting in the digital age, but campaigners say giving governments so-called extra-territorial authority to reach across borders and access data would erode individuals’ privacy rights.

Technology firms like Microsoft, Apple and IBM say it would undermine consumer trust in cloud services.

The planned EU law, which would apply to all companies around the world that do business in the EU, is an apparent shift in position for the European Commission, which has stood on the side of privacy advocates in the past.

Asked about the extra-territorial authority rules in the planned law, European Commissioner for Justice, Consumers and Gender Equality Vera Jourova said the current method for accessing cross-border evidence was “very slow and non-efficient” and that law enforcement had to be quicker than criminals.

The proposed law would apply to the personal data of people of all nationalities, not just EU citizens, as long as they are linked to a European investigation, one of the sources said.

The legislation is still in the drafting stage and is expected to go before lawmakers and member states at the end of next month. It can take up to two years for a law to be agreed upon.

Extra-territorial authority rules are fraught with complexity, legal and privacy experts say, as they could conflict with existing data protection laws.

In the US, for example, certain companies are prohibited from disclosing information to foreign governments, while in Europe itself, consumers’ data privacy is strictly protected and companies are restricted in how they can transfer data outside the bloc.

The sources said the EU executive acknowledged such complexities and that the decision to include extra-territorial authority was partly aimed at strengthening its hand in negotiating a deal with the US on the issue.