Cross-Border Data Forum Bannner

Contextualizing an EU-US E-Evidence Accord: Relationships to Existing Law Enforcement Agreements

Introduction

When the United States Congress enacted the CLOUD Act in 2018, law enforcement agencies around the world were encouraged that the innovative international agreements envisioned by the legislation would offer a solution to burgeoning difficulties in obtaining access to electronic evidence located in the United States.  Two years later, progress towards that goal has been slow: only one agreement, with the United Kingdom, has been signed, and reservations about this novel type of agreement persist in the privacy and civil liberties community in the United States and abroad.

The trajectory in the European Union has been similar.  In 2018, the Commission introduced e-evidence legislation to facilitate the sharing of electronic evidence amongst EU Member States.  Then, in early 2019, the Council took the unusual decision to authorize commencement of negotiations on an international agreement with the United States in parallel with the EU’s own legislative process.  But both the legislative process in Brussels and discussions with the United States have moved slowly.

The critique of one respected Brussels think-tank, the Center for European Policy Studies (CEPS), highlights the difficulties.  In addition to calling upon the Commission to withdraw the e-evidence legislative proposal, its report also urged that “the EU should not engage in international or transatlantic negotiations aimed at introducing instruments that would grant third countries – who are governed by different criminal justice and data-protection standards – the potential to directly access data held by service providers under EU jurisdiction.”[i]

In place of direct access, the CEPS authors advised, “(A)ny new instruments for cross-border data gathering should include mechanisms for systematic ex ante review of foreign data-gathering measures by judicial authorities in the country of requested execution.”[ii] Only prior judicial involvement could safeguard the body of EU law (acquis) protecting individual privacy rights and other due process protections in the criminal law context.  In effect, CEPS saw no need for any new EU legislation or international agreements offering law enforcement tailored means of cross-border access to electronic evidence, preferring that European governments continue to rely on traditional mutual legal assistance treaties (MLATs).

This post explains that e-evidence international agreements based on the CLOUD Act and the proposed EU legislation do not depart radically from the pre-existing order of international assistance in criminal matters, but rather build upon prior agreements.  First, it describes how an e-evidence agreement would complement – and relieve pressure on — the EU-US MLAT, by elaborating a new mechanism for assistance and new safeguards to address evidentiary constellations unimaginable when the existing transatlantic judicial assistance mechanism was negotiated only twenty years ago.  Next it explain how an e-evidence agreement would incorporate and potentially expand upon existing data protection safeguards contained in the EU-US Agreement on the Protection of Personal Information Relating to the Prevention, Investigation, Detection and Prosecution of Criminal Offenses (also referred to as the Umbrella Agreement).   These additional safeguards would help mitigate the concerns expressed in the privacy and civil liberties community about the lesser degree of judicial involvement in responding to e-evidence requests.

The Network of US Mutual Legal Assistance Agreements with Europe

Origins and Structure: When the European Union proposed to the United States, in the immediate aftermath of the September 11, 2001 terrorist attacks on New York and Washington, the negotiation of extradition and mutual legal assistance agreements, the initial response of the US Government was bafflement.  The EU had no investigators or prosecutors, and little operative criminal justice responsibility, so what was the point for the United States of entering into these legal assistance relationships with the Union itself?  The United States already had mutual legal assistance treaties (MLATs) with the major EU member states where evidence needed for criminal matters tended to be located, as well as an extensive network of bilateral extradition treaties.

But it was a moment when policymakers in Washington were open to creative initiatives that might strengthen law enforcement relationships for the future.  US officials soon realized that “by concluding agreements with the European Union, the United States could achieve uniform improvements and expansions in coverage across much of Europe,” [iii] not only under existing bilateral MLATs, but also by creating legal assistance relationships with newer members with which it had no existing relations, as the Bush Administration explained in submitting the resulting set of agreements for Senate approval. “This is particularly important in light of the counter-terrorism challenges we have faced since September 11, 2001,” it further noted to the Senate.[iv]

The EU-US MLA Agreement served largely as a legal vehicle for amending and supplementing the terms under which law enforcement authorities in the United States and EU member states would obtain and transfer evidence needed for the other’s criminal proceedings.  The EU-US Agreement itself had limited ongoing operative significance, aside from periodic consultations between the parties on its implementation.  Rather, its substantive provisions supplemented existing MLATS and established new partial legal assistance relationships between the United States and member states with whom no prior MLAT existed.

The United States also insisted upon concluding bilateral instruments with each EU member state to implement the obligations contained in the EU-US MLA Agreement.  These bilateral instruments served to make the United States and each member state directly responsible for enforcement, as a matter of international law, and also had the practical advantage of being easier for US judges to interpret in sometimes contentious judicial assistance proceedings in US courts. Negotiating and ratifying these bilateral instruments with twenty-seven member states added years to the process of entry into force for the package of agreements.

Main Features: US MLATs were developed as a consensual response to bitter disputes in the 1970’s with Germany and Switzerland, among other countries, over unilateral demands by US courts for documents, particularly bank and corporate records, located in these countries and needed in high-profile US criminal prosecutions.  The MLAT between the Federal Republic of Germany and the United States, in its current form, identifies the typical range of possible types of assistance, including providing documents and records, taking of testimony, executing searches and seizures, and conducting telecommunications surveillance. [v]  A party’s request triggers an affirmative obligation on the part of the other party to provide assistance, subject only to a right of refusal where sovereignty, security or other essential interests would be prejudiced.[vi]

In cases involving compulsory measures such as search warrants, prosecutors in a requested state must enlist the assistance of local judges to order the measures sought from abroad.[vii]  Since governments bound by MLATs thereby assume a broad obligation to put their criminal justice systems at the service of a foreign treaty partner, it makes sense that they would incorporate strict procedural safeguards to ensure rigor in the system.  Thus, even though a request may be generated initially by criminal investigators and prosecutors dispersed across a national (and, in the case of the United States, federal) system, it ultimately must be reviewed, sent and received by a designated central authority.[viii]  There are precise requirements laid down in the treaty for the content and form of requests.[ix]  In addition, the requesting state must translate the request and accompanying documents into the language of the requested state.[x]

Fulfilling all these requirements unavoidably adds considerable time to the execution of an MLAT request.  Still, the system functioned satisfactorily for the United States and its treaty partners when the number of cross-border demands for evidence were relatively few.  But the rapid proliferation of electronic communications and documents, combined with the advent of cloud computing, enabled information relevant to a criminal investigation to be stored outside national borders – indeed, anywhere in the world.[xi]  An EU study estimated that a very large majority (85%) of member state criminal investigations today require electronic evidence in some form, and in two-thirds of the cases it is in the hands of online service providers based in another jurisdiction.[xii]

Since US companies provide most of the electronic communications and cloud storage services utilized in Europe, and they typically store data in servers in the United States, the burden on the United States government of responding to MLAT requests began to rise rapidly.  The US Department of Justice acknowledged publicly that the average response time to an MLAT request was nine months.[xiii]  While DOJ recently has devoted additional resources to processing incoming requests, it remains the case that the centralized system for judicial assistance established by MLATs is under severe strain and may not be sustainable in the long term.

Relationship between MLATs and CLOUD Act Agreements

Fortunately, mutual legal assistance treaties were never intended as the exclusive means for providing international legal assistance in criminal matters.  A standard provision in US MLATs states that “(A)ssistance and procedures set forth in this Treaty shall not prevent either Party from granting assistance to the other through the provisions of other applicable international agreements or through the provisions of its domestic laws.”[xiv]  Thus, while MLATs remain the preferred route for the United States and its treaty partners in many cases, particularly where certified evidence is sought for use at trial, they leave the door open to new types of agreements better suited to the law enforcement challenges posed by electronic evidence.

The CLOUD Act, the US statute authorizing international agreements specifically to obtain electronic evidence, fundamentally changes the MLAT paradigm by eliminating a governmental executing role for a request received from foreign law enforcement.  The new approach is exemplified in the United States – United Kingdom Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime, the sole CLOUD Act agreement concluded to date. Under this approach, a law enforcement agency in either jurisdiction sends a request for evidence directly to a service provider in the other country.[xv]

The CLOUD Act imposed strict requirements for the content of the request, including that it be targeted to specific accounts, addresses or persons; subject to review or oversight by a judge, magistrate or other independent authority in the sending state; and  based on articulable and credible facts.[xvi]  The US-UK Agreement also imposes a series of additional safeguards designed to make up for the absence of central government control at the stage of executing law enforcement requests: among them, an opportunity for the service provider to object to the government from whence the request originates when it believes that the agreement is being improperly invoked; use limitations; and notifications to affected third country governments.[xvii]

CLOUD Act agreements, like MLATs, do not foreclose alternative methods of international legal assistance.  Article 11(1) of the UK-US Agreement provides that it “is without prejudice to and shall not affect other legal authorities and mechanisms” for obtaining evidence, including “requests for mutual legal assistance”.   The UK’s internal explanatory memorandum bluntly states that “(t)he UK-US Mutual Legal Assistance Treaty is not changed by the Agreement and remains in place.”  This reflects that there may well be circumstances in which limitations contained in the CLOUD Act agreement – targeting limitations, or restrictions on the scope of covered offenses, for example — compel law enforcement authorities in the United States or United Kingdom to resort to the MLAT instead.

Australia is close to completing a CLOUD Act agreement with the United States, and it is anticipated that other members of the “Five Eyes” intelligence collective – Canada and New Zealand – may well follow suit in due course.  The United States also has commenced discussions with the European Union, which are at an early stage.

The Importance of the US-EU Umbrella Agreement to a US-EU E-evidence Agreement

An eventual EU-US e-evidence agreement would be framed not only by the body of transatlantic mutual legal assistance treaties but also by the important privacy protections for law enforcement data transfers contained in the Umbrella Agreement. The Umbrella Agreement confers important privacy protections for personal information exchanged between the United States and EU member states “to prevent, investigate, detect and prosecute criminal offenses,”[xviii] most notably a commitment to provide citizens of the other party the right of judicial review in relation to government handling of personal information.[xix]  But, at the same time, it functions only as a privacy framework, establishing baseline levels of protection for information exchanged pursuant to other, operational law enforcement data transfer agreements.[xx]  Thus, the current legal effect of the Umbrella Agreement is to supplement – and render uniform — the varying levels of privacy protection contained in US mutual legal assistance treaties with European governments, as well as in other specialized agreements providing access to airline passenger name records and international financial messaging data.

The Umbrella Agreement is not purely retrospective in effect, however – it also expressly anticipates application to future agreements between the United States and EU.[xxi]  Moreover, its scope extends not only to information exchanged under traditional law enforcement agreements between governmental authorities in both jurisdictions, but also to information “otherwise transferred in accordance with an agreement” between the US and the EU or its member states.[xxii]  In other words, it would apply to an e-evidence agreement in which law enforcement makes requests directly to a service provider in the other jurisdiction.

The inclusion of ‘prevention’ among the permitted purposes of data transfers to which Umbrella Agreement protections attach is consistent with the scope of US mutual legal assistance agreements with European governments generally.[xxiii]  Information from a national security agency relating to terrorism, for example, would benefit from the protections of the Umbrella Agreement, for example, if lawfully exchanged under an MLAT or an e-evidence agreement.  This sort of bilateral information transfer by a national security agency is entirely distinct from the scenario addressed in the recent Schrems II judgment before the European Court of Justice, where US national security agencies unilaterally obtain the personal information of EU nationals.[xxiv]

A series of protections contained in the Umbrella Agreement would be built into a US-EU e-evidence agreement.  Key ones include: purpose and use limitations (Article 6); onward transfer limitations (Article 7); specified time periods for retention of data (Article 12); allowances for individual access to and rectification of data (Articles 16-17), the aforementioned redress for improper handling of data (Articles 18-19), and public oversight powers (Article 21).

The US-UK CLOUD Act Agreement illustrates how the interaction of an e-evidence agreement and the US-EU Umbrella Agreement works in practice.  The US and UK governments, rather than spelling out all the Umbrella Agreement protections in the CLOUD Act Agreement itself, simply incorporated them by reference.[xxv]  In a few instances, they saw fit to provide additional protections, for instance relating to use of data.  Data received via the US-UK agreement may not be transferred to a third country without the consent of the government in the state from which it has been received, for example.[xxvi]  Additionally, the United Kingdom may refuse to allow data produced from its territory to be used in a US death-penalty prosecution, and the United States equally may block data use that raises freedom of speech concerns.[xxvii]

Similarly, the European Union expressly envisages that the Umbrella Agreement protections would form a part of an e-evidence agreement with the United States and, in certain respects, would “be complemented by additional safeguards to take into account the level of sensitivity of the categories of data concerned and the unique requirements of the transfer of electronic evidence directly by service providers.”[xxviii]  Some of these additional safeguards relate to the same issues singled out in the US-UK Agreement (onwards transfers, and use limitations in US death penalty cases), while others are specifically rooted in EU law (such as necessity and proportionality requirements). [xxix]

The Umbrella Agreement will serve a critical purpose in the EU-US e-evidence agreement under negotiation.  Negotiators of the latter will not need to start from scratch in developing the necessary privacy safeguards for transferred data, since they already have been exhaustively negotiated and pre-agreed in the Umbrella Agreement.  Instead, the negotiators will be able to concentrate their energies on the small number of privacy issues unique to the e-evidence context.  Relying on protections already embodied in binding international obligations between the parties also will bolster confidence in the final result and should ease the approval process.

Conclusion

E-evidence agreements would complement existing MLATs, incorporating many MLAT due process protections while adapting others to avoid the bottlenecks that inevitably result from centralized execution of e-evidence located in US territory and needed for local prosecutions around the globe.  An EU-US e-evidence agreement also would incorporate and expand upon the privacy protections for law enforcement data transfers developed in the EU-US Umbrella Agreement.  Just as both the EU-US MLAT and the Umbrella Agreement were important modernizing steps in transatlantic judicial assistance, so too a new type of EU-US agreement designed to meet the challenges of accessing electronic evidence across borders can meet law enforcement needs while also setting a high standard for rule of law jurisdictions.

 

[i] Cross-border data access in criminal proceedings and the future of digital justice, Center for European Policy Studies, Sergio Carrera, Marco Stefan, Vatsamis Mitsilegas, rapporteurs, October, 2020, at 77.

[ii] Id. at 80.

[iii] Message from the President of the United States transmitting the Mutual Legal Assistance Agreement with the European Union, Senate Treaty Doc. 109-13 (September 28, 2006), letter of submittal at V.

[iv] Id.

[v] See, e.g., Article 1, Treaty between the United States and the Federal Republic of Germany on Mutual Legal Assistance, [hereinafter ‘US-Germany MLAT’], Senate Treaty Doc. 108–27 (November 16, 2004).

[vi] Id., Article 3.

[vii] Id., Art. 19(3).

[viii] Id., Art. 2.

[ix] Id., Art. 17.

[x] Id., Art. 18.

[xi] Peter Swire, Theodore Christakis, and Jennifer Daskal, ‘The Globalisation of Criminal Evidence’, IAPP Privacy Tracker, October 16, 2018.

[xii] See European Commission Staff Working Document, Impact Assessment Accompanying the document Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters and Proposal for a Directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceeding [2018] < https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018SC0118&from=EN >.

[xiii] Liberty and Security in a Changing World, President’s Review Group on Intelligence and Communications Technology ,at 227 (Dec. 12, 2013).

[xiv] US-Germany MLAT, supra, Article 25(1).

[xv]Article 5(5), United States- United Kingdom Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime {hereinafter US-UK CLOUD Act Agreement], (October 3, 2019). While the agreement, unlike an MLAT, does not establish a central authority to receive and execute incoming requests, it does retain a limited central government screening function for outgoing requests to ensure that they comply with all the agreement’s requirements. See Article 5(5)-(12).

[xvi] These and other safeguards are thoroughly explained in Jennifer Daskal and Peter Swire, ‘The UK-US CLOUD Act Agreement is Finally Here, Containing New Safeguards, Just Security, October 14, 2019.

[xvii] Id.

[xviii]Article 1, Agreement Between the United States and the European Union on the Protection of Personal Information Relating to the Prevention, Investigation, Detection, and Prosecution of Criminal Offenses, (June 2, 2016).

[xix] Id., Art. 19.  This provision required the United States to amend its Privacy Act, which previously had limited such redress to US citizens.

[xx] Article 1(3) makes the point explicitly: “This Agreement in and of itself shall not be the legal basis for any transfers of personal information.  A legal basis for such transfers shall always be required.”

[xxi] Id., Preamble.

[xxii] Id., Art. 3(1).

[xxiii] See, e.g., US-Germany MLAT, supra, Preamble (“cooperation between the two States in the repression of crime”).

[xxiv] The limited possibilities of redress for European citizens in the case of unilateral national security access to their personal data were described in the US-EU Privacy Shield, a non-binding arrangement that was the basis for a subsequent European Commission adequacy finding for data transferred by that means.

[xxv] US-UK CLOUD Act Agreement, Article 9.

[xxvi] Id., Art. 8(2).

[xxvii] Id., Art. 8(4).

[xxviii] Council Decision authorizing the opening of negotiations in view of an agreement between the European Union and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters, COM(2019) 70 final, February 5, 2019, at 7.

[xxix] Annex to Council Decision authorizing the opening of negotiations in view of an agreement between the European Union and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters, COM(2019) 70 final, February 5, 2019, at 2-3.  The European Data Protection Supervisor subsequently issued an opinion calling for supplementing the Umbrella Agreement in other ways as well, notably demanding that judicial authorities be involved in reviewing requests before execution by service providers. European Data Protection Supervisor Opinion 2/2019 on the negotiating mandate of an EU-US agreement on cross-border access to electronic evidence, April 2, 2019.

 

These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.