E-Evidence Proposal: EuroISPA Criticises the Privatisation of Law Enforcement
Brussels, 17 April 2018- Following the European Commission’s proposal on cross-border access to e-evidence, EuroISPA criticises the privatisation of law enforcement as a result of insufficient public funding, which sacrifices the rule of law and threatens national data protection regimes. “In our view the e-evidence proposal for cross-border cooperation fails to address the actual issue at hand: the inefficient MLAT procedure which is criticised for being slow and overburdened. Instead, the Commission hopes for a ‘silver bullet’ by ignoring many of the pressing challenges, aiming to shift an enormous administrative burden on ISPs, which is nothing less than a privatisation of law enforcement. The Commission clearly had a large platform in mind when drafting the proposal, which could now have devastating effects on small and medium size ISPs all over Europe” states Maximilian Schubert, Chair of the Cyber Security Committee at EuroISPA.
EuroISPA has already underlined a large number of practical challenges during the drafting process. A framework where any national judicial authority may send production or preservation orders to ISPs across the EU poses serious challenges for the European Internet Industry. Challenges consist of the multitude of legal systems across the EU, as well as security issues and the feasibility of verification of requests from other Member States. These are of significant concern for due process, legal clarity and liability for European ISPs, the majority being SMEs without their own legal departments. As highlighted in its response to the public consultation on e-evidence, EuroISPA insists that cost reimbursement should be a key element of the proposal, compensating ISPs for the processing and response to requests from law enforcement authorities. However, the proposal leaves it to the issuing Member State to grant cost reimbursement only if this is provided by national law, meaning that in many cases ISPs will have to cover the costs by themselves.
Further issues arise as the proposal does not foresee any exceptions for small ISPs which would work as a safeguard to ensure these companies are not pushed off the market due to additional expenditures. Moreover, a six-hour timeframe to respond to orders in emergencies is unrealistic for many service providers, further putting due process and legal certainty at risk when processing orders.
EuroISPA reiterates the importance of a standardised process for ISPs when dealing with law enforcement. This rings even more true in a pan-European context. As a result, the form should include a unique verification of the judicial authority in question, and a responsible officer. To ensure that data is only provided to legitimate requests from public authorities, Member States should establish Single Points of Contact (SPOC) to validate the authenticity of incoming requests, rather than a plethora of different authorities in all Member States as suggested by the proposal. The Austrian case can be a useful example, where all requests go through a SPOC of national law enforcement authorities. The authority encrypts and forwards the request to the national ISP in question, who decrypts and verifies the request. Upon validation, the required information is passed on to the SPOC in a secured manner. This approach not only provides clarity for ISPs on the request’s validity, it also takes place in a secured environment, safeguarding data protection and privacy standards.
Even with EuroISPA’s calls for a rationalised, streamlined approach offering legal certainty for European ISPs, many fundamental aspects remain unanswered by the European Commission’s proposal. Most crucially, it places a further burden on ISPs to set out the legal arguments in the event of a conflict of law, rather than this process being carried out by judicial authorities before the order is delivered. It is also yet to be clarified which regime should be followed when dealing with non-EU countries.
EuroISPA and its 3,000 members are conscious of their role and responsibilities in safeguarding their users’ privacy, thus are well-versed in verifying the authenticity of demands from their own national law authority. The e-evidence proposal for cross-border cooperation unfortunately does not address the key issue at hand: the inefficient MLAT procedure, instead opting for the privatisation of law enforcement. EuroISPA reiterates that to ensure the rule of law, data protection and legal certainty, only a standardised process can contribute to safeguarding the proper handling of user data and a secure legal environment for European ISPs.
For your information, please find here a presentation on the Austrian model for law enforcement authority and ISP cooperation, as mentioned in the above Press Release: 20170502_Austrian Model
Image Creator attribution: Nick Youngson (http://nyphotographic.com/)