Law Enforcement and the Cloud From Europe’s Perspective
Thoughts about digital transformation and AI for enterprise leaders and their legal & compliance advisors
These posts represent my personal views on enterprise governance, regulatory compliance, and legal or ethical issues that arise in digital transformation projects powered by the cloud and artificial intelligence. Unless otherwise indicated, they do not represent the official views of Microsoft.
A few posts ago I wrote about a relatively new US law that aims to make it easier for law enforcement agencies in the US and its allies to reach across borders to obtain electronic data needed for criminal investigations. Passed by the US Congress in 2018, the law is called the CLOUD Act (Clarifying Lawful Overseas Use of Data Act). In that earlier post, I looked at the issue of cross-border access from a mostly American point of view. Today I want to consider how Europeans—or at least European law enforcement agencies—might see it.
I’m not going to go into detail here about the CLOUD Act’s provisions (for readers who want to know more, I highly recommend a recent review article by legal scholars Peter Swire and Jennifer Daskal, Frequently Asked Questions about the US CLOUD Act). But the basic story is clear. Older laws governing the conduct of criminal investigations, both in the US and elsewhere, did not anticipate a world where evidence can routinely be stored on a different continent from its owner’s place of residence and may even move from one country to another in the blink of an eye.
For example, under current US and French law, French police investigating a murder in Paris will face real obstacles getting emails from the suspect’s Gmail account if they happen to be stored on a Google server in the US. This would be so even if the suspect is a French citizen living in Paris—clearly under the jurisdiction of French law—and even if the police have reason to believe that the suspect admitted to the murder in an email. It’s not that the police can’t get this evidence. They can—but it may take a very long time. The US-EU Mutual Legal Assistance agreement, in force since 2010, provides procedures by which French police may submit a request through their Ministry of Justice to the US Department of Justice, which after review may forward it to a local judge who may decide to issue a warrant under US law for the desired data. But according to statistics compiled by the European Commission, it currently takes an average of 10 months for such transatlantic requests to return useful data, and some requests take more than a year.
The problem is made all the more acute by the fact that volume is surging for requests from Europe to the US for electronic evidence (or simply “e-evidence,” as the EU calls it). Again, according to the EC, the number of requests from EU law enforcement agencies to Facebook, Google, Microsoft, Twitter, and Apple alone exceeded 125,000 in 2018, an increase of 84% over the previous 5 years. This is far higher than the number of requests from US authorities for data stored in Europe. At the same time, the importance of cross-border requests is also growing. The EC says that in the EU today 85% of criminal investigations need access to e-evidence of some kind, and in two-thirds of these cases the evidence is located outside the member state conducting the investigation. Given the combined market share of the US cloud providers, the odds are high that this evidence will be located in a data center operated by one of these companies.
In short, the current state of affairs is highly unsatisfactory for European law enforcement agencies. This is why this past September the EC and the US jointly announced the start of formal negotiations for an EU-US agreement to facilitate access to electronic evidence in criminal investigations. According to the Commission, its hope is that such an agreement will cut the average time for transatlantic law enforcement data requests from 10 months to 10 days. This is exactly the kind of agreement that the CLOUD Act enables and that European law enforcement agencies have been calling for. As Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, put it:
“Criminals use fast, modern technologies to organize their crimes and cover up their evidence. We need to work together with our American partners to speed up the access of our law enforcement authorities to this evidence. This will strengthen our security, while protecting the data privacy and procedural safeguards of our citizens. The launch of negotiations marks an important step towards achieving this.”
I don’t mean to suggest that the CLOUD Act settles all the vexed issues that have for so long entangled debates about cross-border law enforcement access to cloud data. Those issues often turn on the question of what to do when the laws of two countries conflict—what to do, for example, when US authorities seek data belonging to a European citizen stored in Europe on the servers of a US cloud company, data that the EU’s GDPR says cannot be sent to a non-EU country without the data owner’s consent. As Microsoft’s Chief Legal Officer Brad Smith said in a blog post last year, “This journey is not yet complete.”
But the start of negotiations for an EU-US agreement is an auspicious sign. Both sides agree that they need to strike a careful balance between the data privacy rights of their residents and the equally legitimate need of their law enforcement agencies to pursue criminal investigations with tools fit for the modern world. I’m optimistic that the partners will succeed in defining procedures that respect privacy and due process while acknowledging the realities of a world where data knows no frontiers.
As a footnote, let me mention here that the European Union is currently debating a proposed new law of its own that would create modernized procedures for cross-border data access by law enforcement agencies within the EU. And it’s little surprise that the same issues of protection of privacy and due process rights vs. efficiency of law enforcement investigations are spurring vigorous debate in Europe as they have in the US. For a critical perspective on the proposed European e-evidence regulation, interested readers should look at this recent article by two of my colleagues from Microsoft Europe.