Europe’s Proposed “E-Evidence” Package Draws Fire

A European proposal (dubbed “E-Evidence”) that would allow the American government to potentially wiretap European citizens is receiving backlash.

European lawmakers are considering a new proposal that would have major privacy implications for European citizens. It is being dubbed the “E-Evidence” package. The proposal is receiving major backlash from digital rights organizations.

The proposal, according to civil rights organizations, would allow governmental organizations to access personal information stored on private servers in real time whenever they want. In addition, some are considering the idea of allowing the US government to access this information in exchange for Europe having access to the personal information of American citizens. This is based on the United States’ infamous CLOUD Act.

The proposal is being met with backlash by civil rights groups operating in Europe. From EDRi:

The proposal has so far become the object of wide-spread criticism from service providers, and civil society organizations, including EDRi, because it raises serious questions concerning privacy, data protection and basic principles such as the right to defence and access to effective remedies.

EDRi went on to conclude with the following:

In conclusion, some EU Member States are making these proposals even more extreme than they already are by pushing for real time interception and direct access to citizens’ data without appropriate safeguards and an agreement with the US that could have even further implications on mass surveillance and individuals’ rights such as data protection and privacy. EDRi warned against these proposals even before the drafts were published and will keep working with other stakeholders and policy-makers to change this worrisome situation.

European ISPs are also weighing in on this, saying that, among other things, they are worried about the infrastructure costs that this would bring. From EuroISPA:

Following the European Commission’s proposal on cross-border access to e-evidence, EuroISPA criticises the privatisation of law enforcement as a result of insufficient public funding, which sacrifices the rule of law and threatens national data protection regimes. “In our view the e-evidence proposal for cross-border cooperation fails to address the actual issue at hand: the inefficient MLAT procedure which is criticised for being slow and overburdened. Instead, the Commission hopes for a ‘silver bullet’ by ignoring many of the pressing challenges, aiming to shift an enormous administrative burden on ISPs, which is nothing less than a privatisation of law enforcement. The Commission clearly had a large platform in mind when drafting the proposal, which could now have devastating effects on small and medium size ISPs all over Europe” states Maximilian Schubert, Chair of the Cyber Security Committee at EuroISPA.

EuroISPA has already underlined a large number of practical challenges during the drafting process. A framework where any national judicial authority may send production or preservation orders to ISPs across the EU poses serious challenges for the European Internet Industry. Challenges consist of the multitude of legal systems across the EU, as well as security issues and the feasibility of verification of requests from other Member States. These are of significant concern for due process, legal clarity and liability for European ISPs, the majority being SMEs without their own legal departments. As highlighted in its response to the public consultation on e-evidence, EuroISPA insists that cost reimbursement should be a key element of the proposal, compensating ISPs for the processing and response to requests from law enforcement authorities. However, the proposal leaves it to the issuing Member State to grant cost reimbursement only if this is provided by national law, meaning that in many cases ISPs will have to cover the costs by themselves.

Further issues arise as the proposal does not foresee any exceptions for small ISPs which would work as a safeguard to ensure these companies are not pushed off the market due to additional expenditures. Moreover, a six-hour timeframe to respond to orders in emergencies is unrealistic for many service providers, further putting due process and legal certainty at risk when processing orders.

EuroISPA reiterates the importance of a standardised process for ISPs when dealing with law enforcement. This rings even more true in a pan-European context. As a result, the form should include a unique verification of the judicial authority in question, and a responsible officer. To ensure that data is only provided to legitimate requests from public authorities, Member States should establish Single Points of Contact (SPOC) to validate the authenticity of incoming requests, rather than a plethora of different authorities in all Member States as suggested by the proposal. The Austrian case can be a useful example, where all requests go through a SPOC of national law enforcement authorities. The authority encrypts and forwards the request to the national ISP in question, who decrypts and verifies the request. Upon validation, the required information is passed on to the SPOC in a secured manner. This approach not only provides clarity for ISPs on the request’s validity, it also takes place in a secured environment, safeguarding data protection and privacy standards.

One could be forgiven for thinking this whole idea is somehow just satire. Evidently, it is not. You can read up on these proposals yourself.

If such a law is put on the books and is widely practised, one wonders if the right to privacy even exists anymore in the region. If foreign governments can access real-time data and wiretaps, what privacy rights are left for European citizens in the first place?

Drew Wilson on Twitter: @icecube85 and Google+.
