This webinar discussed the access to personal data by law enforcement authorities around the world and the extraterritoriality of laws that regulate such access. Speakers are: Mona Giacometti (Professor of criminal law at the Université Libre of Brussels), Richard Salgado (lecturer at Harvard and Stanford Law Schools), and Joe Jones (Director of Research and Insights at IAPP). Moderator is Kenneth Propp (Senior Fellow at the Cross-Border Data Forum and the Atlantic Council’s Europe Center).
Episode Highlights:
[00:00] – Introduction and presentation of the panel experts
[01:20] – Mona Giacometti’s analysis of the interplay between EU and U.S. laws regulating law enforcement access to data
[05:59] – The territorial extension of the EU e-Evidence Regulation
[08:20] – Connecting factors of the EU e-Evidence Regulation
[10:30] – The applicability of the EU e-Evidence Regulation to U.S. service providers
[13:30] – Conflict of EU and U.S. laws regulating law enforcement access to data
[16:42] – Richard Salgado’s analysis of the extra territorial extent of the EU e-Evidence Regulation
[19:42] – The adoption of international (CLOUD) Agreements to solve conflicts of law
[24:17] – Remarks on the U.S. CLOUD Act
[29:00] – Remarks on the proliferation of new international CLOUD Agreements
[33:00] – Joe Jones’s analysis of the UK-U.S. CLOUD Agreement
[39:38] – The concerns of the EU on the possible onward transfers of EU personal data to the U.S. via the UK-U.S. CLOUD Agreement
[43:30] – The challenges and opportunities of the EU-U.S. negotiations for a CLOUD Agreement
[52:20] – Efforts around the world to impose mandates to break encryption measures for law enforcement purposes
[58:00] – Final remarks of the panel experts on the territorial extent of laws regulating law enforcement access to data
Quotes:
Mona Giacometti: “I prefer to talk about territorial extension of the EU e-Evidence Regulation to designate a situation in between territoriality and extraterritoriality, such as where a regulation applies neither in a fully territorial manner, nor in a fully extraterritorial manner. [I believe] this is because there are rather “connecting factors” between persons or activities to which the regulation applies, [with] the state (or the organization such as the European Union) that adopts the regulation.”
Richard Salgado: “The connecting factors [theory] is a useful way to look at [the applicability of the EU e-Evidence Regulation to non-EU based service providers] and in part because it can identify different equities that different jurisdictions can have over the same data set and whether it should be revealed to one country or another.”
Kenneth Propp: “The instinct of a U.S. judge undertaking a comity analysis under U.S. statutes would probably be the same as a European judge [ruling on a judicial control under the EU e-Evidence Regulation with regard to a data access request issued by an EU Member State law enforcement authority towards a U.S. service provider]. Judges tend to want prosecution to be able to go forward and to get the evidence that prosecutors need.”
Richard Salgado: “CLOUD Agreements are the diplomatic ways for rules to be set out and [to] get clarity [on potential conflict of laws].”
Richard Salgado: “There are a lot of ways of customizing these [CLOUD] Agreements for particular jurisdictions, with potentially the promise of expanding if things work well.”
Joe Jones: “The risks and challenges of scaling up and being more inclusive [with CLOUD Agreements], is something that we discovered in the UK-U.S. context, between two partners, where there is really nothing separating them. There is a risk that you can get stuck on the “narcissism” of small differences.” Yes, it’s been five years since the UK-U.S. CLOUD Agreement was signed, but it took another three years for the Agreement to enter into force, for various reasons, related to data protection and safeguards, or redress and protection.”
Joe Jones: “There has been huge transformational benefits, on the UK end, in having the UK-U.S. CLOUD Agreement in place.”
Joe Jones: “One of the most challenging tensions that needs to be resolved, is how do you structure the [EU-U.S. CLOUD Agreement] arrangement in light of different competences? Is this an agreement with the EU, at an umbrella level, with EU Member States signing on, [or] is it an agreement with each and every EU Member State? And what data is in scope? What agencies are in scope? (…) There will be a lot of complicated questions for the EU Member States.”
Richard Salgado: “I would hope that in the evaluation of whether a country is a “qualified” jurisdiction for either renewing or getting into an initial CLOUD Act Agreement, that [domestic] laws would be considered. So it would be a strike against a country being able to engage and direct requests to U.S. providers to turn over data, where they have laws that ultimately undermine security and private communications of users worldwide.”
Mona Giacometti: “It’s a question of balance between privacy and efficiency in a criminal investigation. Law enforcement authorities will have access to encrypted data, and they would like to be able to read encrypted communications for criminal investigations purposes, but privacy is too important [in the EU].”
_________________________________________________________________________________________
In this webinar, Kenneth Propp questions panel experts Mona Giacometti, Richard Salgado, and Joe Jones on the regulation of law enforcement access to data around the world, with a particular focus on frameworks established in the U.S., the UK, and the European Union (EU).
Mona Giacometti presents in the first part of the webinar her research on the extraterritorial scope of applicability of the EU e-Evidence Regulation. She presents connecting factors that explain why certain companies with no EU establishments can end up being subject to the EU regulation, and she describes how U.S. service providers can, in specific cases, be required to comply with access requests of EU Member States law enforcement bodies. Giacometti further discusses the risk of conflict between EU laws with U.S. requirements that apply to U.S. based companies that offer their services on the EU market.
In the second part of the webinar, Kenneth Propp interrogates Richard Salgado on the far-reaching implications of the EU e-Evidence Regulation. Salgado also sheds some light on cases where the EU law will not be able to compel U.S. service providers to disclose certain user data, which allowed Giacometti to add that companies in scope of the EU e-Evidence Regulation have the possibility to request that a judicial review be carried out on the lawfulness of access requests submitted by local law enforcement bodies.
Salgado also discusses in the second half of the webinar recent findings about the use of the U.S. CLOUD Act for law enforcement purposes and how the U.S. may be varying its approach regarding cross border law enforcement access to data. Salgado underlines that the U.S. is not only interested in cooperating with long time partners such as the UK and Australia, and he points out that negotiations may be necessary with countries where large volumes of data flow, such as India or Brazil.
In the third part of the webinar, Joe Jones comments on the adoption and implementation of the UK-U.S. CLOUD Agreement and how it has helped and encouraged UK criminal prosecution. Jones discusses the challenges and opportunities of adopting CLOUD Agreements, and he questions the long-term sustainability of such frameworks. Jones further examines the impacts of the UK-U.S. Cloud Agreement on onward transfers of personal data subject to EU privacy and data protection requirements and describes the concerns that were raised by the European Commission in that regard. Jones concludes his analysis by challenging the possibilities for the EU but also for EU Member States (in their own right), to negotiate and enter into Cloud Agreements with the U.S. to frame law enforcement access to data.
Propp closes the debate by gathering the opinions of the three experts on the state of progress of EU-U.S. negotiations to design a common framework regulating cross border access to data by law enforcement authorities.
These statements are attributable only to the authors, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.
