Cross-Border Data Forum Bannner

LAWFARE – Navigating Toward an EU-U.S. Agreement on Electronic Evidence

This article originally appeared in Lawfare and is reprinted here with permission of same.

Solving crime today routinely requires obtaining electronic as well as physical evidence. “E-evidence in any form is relevant in around 85% of total (criminal) investigations,” a European Commission study has found. And in two-thirds of such investigations, the needed e-evidence is held in a different country from where the offense occurred. Most often this evidence resides in the United States.

The growing imperative for domestic law enforcement to obtain foreign e-evidence poses novel and complex international legal issues. Both Washington and Brussels therefore saw the need to develop overarching legal frameworks to govern the subject. The United States adopted legislation clarifying its authorities and enabling international agreements, the CLOUD Act, in 2018. That same year the European Commission proposed a counterpart measure for European Union member states, the e-Evidence Regulation, which was enacted this summer.

The U.S. Department of Justice and the EU Agency for Law Enforcement Cooperation (Europol) agree that the existing intergovernmental mechanism for transferring evidence in criminal matters across the Atlantic—a 2010 EU-U.S. mutual legal assistance treaty (MLAT) and implementing agreements with EU member states—is not able to promptly cope with the volume of e-evidence requests generated by each other’s law enforcement authorities. In 2019, the U.S. government and the European Commission embarked on negotiations on a U.S.-EU agreement on e-evidence in criminal matters. The Council of the European Union, composed of its member states, issued a mandate with its requirements for the new agreement.

Negotiations toward an EU-U.S. agreement on electronic evidence proceeded fitfully for two years, then stopped entirely, as the EU waited for its internal e-evidence legislative process to conclude. This year, with the final adoption of the e-Evidence Regulation, negotiations finally have resumed.

The renewed discussions take place at an opportune moment. The EU-U.S. Data Privacy Framework provides a legal foundation for commercial data transfers from Europe to the United States. It offers enhanced protections for persons in Europe whose transferred data may be obtained for intelligence purposes by the United States, thereby easing tensions over unilateral U.S. intelligence access. There is also discussion in the U.S. about incorporating safeguards contained in President Biden’s recent Executive Order 14086 for foreign nationals’ data into the reauthorization of the Foreign Intelligence Surveillance Act. Now the spotlight has shifted to e-evidence transfers for law enforcement purposes, where there is a need for a new international legal mechanism with robust institutional safeguards.

An agreement would have multiple benefits. Law enforcement in Europe and the United States would gain a reliable and speedy mechanism for securing e-evidence from providers located in each other’s territory, for use in combating offenses such as transnational organized crime and cybercrime. Service providers outside the EU would for the most part no longer be faced with stark conflicts between law enforcement demands and legal constraints on sending e-evidence abroad. Safeguards embedded in an agreement would also bolster overall trust in international data flows, reinforcing the Data Privacy Framework.

In this article, I examine the similarities and differences between the CLOUD Act, on the one hand, and the e-Evidence Regulation and EU negotiating mandate on the other. The comparison serves to highlight the negotiating challenges, which range from the legally basic—what the agreement’s form and scope will be—to the politically sensitive—how to address questions of individual rights. Following this review of U.S. and EU e-evidence legislation, I offer initial thoughts on three areas of central importance to the negotiations: competing views on the form of an agreement, its utility in addressing conflicts between U.S. and European law, and the handling of individual rights.

U.S. CLOUD Act Agreements

The CLOUD Act authorizes the U.S. government to enter into executive agreements that would permit U.S.-based service providers to voluntarily disclose users’ communications content and related metadata directly to a qualifying foreign government. The U.S. law also requires that the president notify Congress of a proposed CLOUD Act agreement, which Congress reviews and has the power to disapprove—unlike an executive agreement reached under the president’s sole authority.

Absent an agreement, the Stored Communications Act (SCA) prohibits U.S. service providers from disclosing such data in response to a foreign request. Similar prohibitions are contained in the Wiretap Act and the pen register trap and trace statute. The CLOUD Act creates a path for overcoming these domestic restrictions without otherwise affecting surveillance authorities.

To qualify for a CLOUD Act agreement, a foreign government must have in place robust protections for privacy and civil liberties, including respect for the rule of law and internationally recognized human rights, cyber experts Peter Swire and Jennifer Daskal note. The United States so far has concluded two CLOUD Act agreements with foreign states, with the United Kingdom and Australia, and is pursuing a third, with Canada.

Under these existing agreements, U.K. or Australian law enforcement authorities may not knowingly target a U.S. person or any other person located in the United States, nor knowingly target a non-U.S. person located outside the United States in order to obtain information about a U.S. person indirectly. Similar protections apply to persons in the United Kingdom or Australia whose data might be of interest to U.S. law enforcement. If a U.S. agreement with the EU were also to be reciprocal, the United States could be precluded from using it to seek from a provider in an EU member state information about any EU person, limiting the utility of the agreement from the perspective of U.S. law enforcement.

Both the U.K. and Australia agreements also impose additional tailored use and transfer restrictions: The U.S. may not introduce information obtained from the other party’s territory in a death penalty prosecution, and the foreign party may not introduce U.S.-origin data in a criminal proceeding in a manner that raises freedom of speech concerns.

Both existing agreements clarify that they are non-exclusive means of obtaining electronic evidence; parties instead may rely on other, unilateral national legal authorities and mechanisms. They do not prevent the United States from utilizing warrants to obtain evidence within the “possession, custody, or control” of a provider over which it has jurisdiction, as the SCA provides. The U.S. statute adds that possession, custody, or control may exist “regardless of whether such communication, record, or other information is located within or outside of the United States.” Scholars have explained that the meaning of “possession, custody, or control” varies depending on the factual circumstances.

The CLOUD Act recognizes that a communications service provider may seek to quash or modify an SCA warrant if complying with it would create a material risk of conflict with a qualifying government’s privacy laws. It elaborates how a U.S. court should weigh the respective interests of U.S. prosecutors against the interests of the foreign government in preventing the disclosure. European civil libertarians nonetheless have directed criticism at the scope of SCA warrants and at the non-exclusivity clause in U.S. CLOUD Act agreements, and they prefer continued reliance on MLATs.

EU E-Evidence Regulation and International Agreements

The e-Evidence Regulation harmonizes procedures for how EU member states obtain stored electronic evidence regardless of its location. The regulation applies to service providers that operate in the EU; a sufficient connection is deemed to exist when the service provider is established in an EU member state, has a significant number of users there, or targets its activities toward users in a member state. Theodore Christakis of the University Alpes Grenoble observes that a European production order (EPO) therefore could target a person residing either in an EU member state or in a third state—a similar scope to an SCA warrant.

The e-Evidence Regulation, like the CLOUD Act, contemplates the possibility of a conflict arising between an EPO and third-country law, and elaborates a similar set of factors for resolving that tension. A service provider may advise the issuing authority that it will not execute the order because of the conflict, triggering a comity review by a court in the state of issuance. The regulation elaborates a list of factors—not including location of the data—for the court to consider in balancing the interests of the issuing state and of the third country. If the court opines against execution of the EPO, it informs the issuing law enforcement authority of its view; the latter has the authority to make a final decision on the matter.

The e-Evidence Regulation does not specify whether member state unilateral authorities remain available as an alternative to a European production order. During the legislative process, the European Parliament put forward a provision ruling out domestic orders with extraterritorial effect, but the final text did not include it, leaving ambiguity on the question of non-exclusivity. The CLOUD Act, by contrast, expressly contemplates the co-existence of requests made under an executive agreement and unilateral U.S. requests.

When law enforcement in an EU member state transmits an EPO to a service provider in another EU member state, that latter state is, as a general rule, notified and has the opportunity to raise individual rights considerations as a basis for refusal. These could relate to freedom of the press or expression, or “in exceptional circumstances” to a “manifest breach of a relevant fundamental right” set out in the EU Charter of Fundamental Rights. This provision thus offers an avenue for an EU member state to consider denying compliance in cases where there is concern that the investigation or prosecution may be an attempt to victimize an individual for political reasons. The provision appears designed to respond to concerns within the EU about the rule of law in member states such as Hungary.

The EU’s objectives for the envisaged international agreement with the United States, delineated in its 2019 negotiating mandate, provide additional detail on the EU’s desired protections. Many of these protections already are included in the 2017 EU-U.S. Data Protection and Privacy Agreement (Umbrella Agreement), as I have pointed out previously. The EU negotiating mandate anticipates incorporating these protections into an e-evidence agreement with the United States, thereby significantly easing the negotiators’ task. It also calls for safeguarding sensitive data, prohibiting data use in U.S. death penalty prosecutions, and limiting the scale of data collection.

What Kind of Agreement?

As a threshold matter, EU and U.S. negotiators must agree on the legal nature and character of the agreement they seek. Both will insist on an agreement that is binding under international law and reciprocal in character. A CLOUD Act executive agreement qualifies as a binding international agreement, as Christakis and I have explained, even though, unlike an instrument denominated under U.S. law as a “treaty,” it does not require U.S. Senate advice and consent to ratification by a two-thirds majority. Although the EU may well prefer an agreement in the form of a treaty, the United States largely relies on executive agreements in its current foreign policy due to political polarization in the Senate relating to treaties.

The EU mandate carefully avoids identifying a CLOUD Act agreement as its objective. If the United States seeks a CLOUD Act agreement with Brussels, it first would have to satisfy itself that the EU is a “foreign government,” as the statute requires. In addition, the U.S. government would have to ascertain that the “domestic law of the foreign government” affords sufficient privacy and civil liberties protections for transferred data. These requirements may pose problems for a CLOUD Act agreement with the EU.

Although the CLOUD Act was written with individual foreign states in mind, its application to the European Union appears consistent with Congress’s intent to address cross-border data access concerns. The EU exercises competences conferred on it by its member states. U.S. courts have recognized this proposition, with the U.S. Court of Appeals for the Second Circuit ruling in European Community v. RJR Nabisco that the EU was an “agency or instrumentality” of its members under a Foreign Sovereign Immunities Act analysis. Further, the EU’s e-Evidence Regulation, which applies directly in EU member states, elaborates detailed privacy and civil liberties protections.

The EU itself could conceivably play a role in receiving, reviewing, and transmitting requests under an agreement with the United States. However, although the e-Evidence Regulation harmonizes at the EU level the rules for international data requests, it does not displace the responsibility of member states’ own law enforcement authorities for issuing and administering them. Thus, member state law enforcement authorities likely would remain the central actors with which U.S. federal, state, and local counterparts would engage.

The United States and the European Union have confronted the interplay of EU-level and member-state laws relating to law enforcement data requests before—when they negotiated the EU-U.S. MLAT. Before the development of this agreement, most EU member states had bilateral MLATs with the United States. The EU-U.S. MLAT modified the terms of these preexisting bilateral agreements and created new mutual legal assistance relationships with member states that did not have preexisting such treaties with the United States. The EU-U.S. MLAT thus serves as an overarching framework for bilateral mutual assistance relationships between the United States and individual EU member states.

Since EU member states make and receive requests for evidence under MLATs without EU involvement, U.S. negotiators of that agreement insisted that EU member states directly assume the additional obligations it contains. The EU initially resisted this additional step as unnecessary, contending that its member states were obliged, by operation of EU law, to implement obligations contained in an EU-level agreement. The solution found was for the United States and the EU to conclude a framework treaty, followed by Washington concluding implementing instruments with each EU member state. Negotiating bilateral instruments with 27 EU member states delayed entry into force of the EU-U.S. MLAT by five years.

Since the passage of the CLOUD Act, scholars have suggested that an EU-U.S. framework agreement would similarly be appropriate in the e-evidence setting. An EU-level agreement with the United States would suffice, as a matter of international and EU law, to bind individual EU member states. Nonetheless, the United States attaches high importance to its individual law enforcement relationships with EU member state governments, and it may well continue to press for formal member state commitments to implement an EU-U.S. e-evidence agreement.

Extraterritorial Application of U.S. and EU Law

U.S. and EU laws governing e-evidence envision that production orders would reach evidence, wherever located, held by providers over which they have jurisdiction. Both attempt to mitigate the inevitable conflicts of law that can arise between such orders and a foreign state’s blocking statute by instructing their courts on how to apply the principle of comity in such circumstances. Structuring comity analyses is helpful, but it does not in itself obviate the prospect of conflicts.

The United States, EU, and some EU member states maintain blocking statutes designed to prevent compliance with certain foreign evidentiary requests. For the United States, the bars set forth in the Stored Communications Act, the Wiretap Act, and the pen register trap and trace statute would apply. Similarly, Article 48 of the EU’s General Data Protection Regulation (GDPR) precludes recognition of third-country demands for the transfer of personal data by controllers or processors subject to EU law, unless they are based on an international agreement such as an MLAT or the Council of Europe Cybercrime Convention (Budapest Convention).

In view of the limits contained in Article 48, the EU Data Protection Supervisor and European Data Protection Board have taken a narrow view of permitted transfers of law enforcement-related information to the United States. Some EU member states, such as France and Germany, have decades-old sovereign sensitivities about unilateral U.S. law enforcement requests and maintain national-level blocking statutes as well; France, for example, modernized its law in 2022.

The existence of blocking statutes on both sides of the Atlantic is a powerful impetus for Washington and Brussels to reach an agreement on e-evidence, as Christakis and Fabien Terpan of Sciences Po have noted. However, neither side can be expected to entirely relinquish its unilateral authority to seek evidence in the possession, custody, or control of a service provider in its territory, even when the evidence is located outside its territory. Addressing this tension in a way that is responsive to both sides’ blocking statutes constitutes a major challenge—as well as an opportunity—in the ongoing negotiations.

It may make sense for negotiators to examine MLAT precedent, as I have suggested. The 2009 U.S.-Germany MLAT commits law enforcement authorities to resort first to a treaty-based request; only if there is undue delay in producing evidence in response may the party subsequently utilize unilateral compulsory process. This approach respects foreign judicial sovereignty, while allowing recourse to unilateral authority in specified circumstances. The United States has not, however, replicated this provision in other MLATs.

An alternate approach could be to limit the types of electronic evidence that may be sought unilaterally. The EU and United States could, for example, consider foreclosing unilateral access to certain types of sensitive data—such as governmental data—compelling exclusive use of the e-evidence agreement in those cases. Another avenue worth exploring would be to require the seeking authority to notify the state of residence of a person whose data is sought, building on the approach in the e-Evidence Regulation.

At the same time, extraterritoriality concerns may be less acute in the e-evidence context than in the traditional MLAT setting. International law increasingly has accommodated unilateral e-evidence requests. Article 18 of the Budapest Convention, for example, recognizes a government’s authority to compel a service provider present in its territory to produce specified computer data (subscriber information, traffic data, and content data) over which the service provider has possession or control.

Individual Rights

Before the United States concludes a CLOUD Act agreement, the U.S. executive branch must perform a systematic and detailed analysis to ensure that the foreign government respects the rule of law and adheres to international human rights obligations. The U.S. agreements with the United Kingdom and Australia are accompanied by such analyses.

The EU e-Evidence Regulation contains no comparable requirement. The governments to which it applies—all EU member states—already share commitments to the rule of law and individual rights enshrined in the EU’s organic treaties and in its Charter of Fundamental Rights. In effect, EU members trust in each other’s legal systems because their adherence to the rule of law and to fundamental rights has been scrutinized exhaustively as a precondition of joining the club.

Nonetheless, in recent years, there has been disturbing back-sliding from the rule of law in several central and eastern European member states—most prominently, Hungary. The EU has attempted to discipline these members through a variety of means. It has initiated internal proceedings that in theory could lead to suspending a member’s voting rights in EU decision-making; it has withheld EU funding until offending domestic measures are corrected; and it has pursued judicial proceedings in the Court of Justice of the European Union (CJEU). However, none of these techniques has proved entirely successful.

Courts in Europe have begun to hesitate in fulfilling law enforcement requests originating in EU member states with rule of law problems. For example, some have balked at extraditing criminal subjects to Poland, because they doubt the independence of the Polish authority issuing the extradition request. The CJEU has had to referee these disputes, insisting that member state courts consider rule of law issues on a case-by-case basis.

The EU regards these blemishes on its otherwise solid record for upholding the rule of law as an internal matter. It understandably resists putting an international spotlight on— or potentially disqualifying—certain member states from an e-evidence accord with the United States. However, if the U.S. and the EU pursue an agreement under the terms of the CLOUD Act, the U.S. executive branch must confront member states’ rule of law and human rights records.

One possible approach is evident in the recent U.S. attorney general’s designation that the EU is eligible for the new Data Protection Review Court (DPRC), which provides redress in the commercial data transfer context. The attorney general’s examination included an analysis of EU-level and Council of Europe fundamental rights law as well as member states’ law. The Justice Department specifically adopted a “deferential approach” in assessing this multiplicity of applicable foreign laws, allowing a mixture of international obligations relating to fundamental rights and of national-level protections to be considered reciprocal to U.S. domestic protections. A similar approach in the CLOUD Act context appears conceivable.

In addition, the EU e-Evidence Regulation itself may provide the kernel of a solution by allowing one member state to raise fundamental rights as grounds for refusing another member state’s e-evidence request. Offering a comparable ground of refusal to the U.S. would not be an easy decision for the European Union. Nor would a case-by-case assessment be entirely consonant with the systematic ex ante analysis required by the CLOUD Act. Nonetheless, the e-Evidence Regulation at least acknowledges the EU’s internal problem and, in so doing, offers negotiators a conceptual approach that could be explored.

Conclusion

In this piece I have sought to provide background on the ongoing EU-U.S. e-evidence negotiations, to identify several key issues, and to briefly sketch potential approaches to them. Negotiators from Washington and Brussels currently have an opportunity to make progress in their talks before next year’s U.S. and EU elections intervene. If decisive progress can be made in the coming months toward establishing a legal framework for access to e-evidence, law enforcement on both sides of the Atlantic would benefit enormously, and the conflict-of-laws issues bedeviling providers would be significantly eased.

To read on Lawfare, click here.

These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.

Author