BRUSSELS -- The European Union is preparing legislation to force companies to turn over customers’ personal data when requested even if it is stored on servers outside the bloc, a position that will put Europe at loggerheads with tech giants and privacy campaigners.
The EU executive has previously indicated it wanted law enforcement authorities to be able to access electronic evidence stored within the 28-nation bloc. But the scope of the planned legislation will extend to data held elsewhere, according to two sources with direct knowledge of the matter.
Digital borders are a growing global issue in an era where big companies operate “cloud” networks of giant data centers which mean an individual’s data can reside anywhere.
The EU push comes as a landmark legal battle in the United States nears its climax. The U.S. Supreme Court will this week hear oral arguments in a case pitting Microsoft against U.S. prosecutors, who are trying to force the company to turn over emails stored on its servers in Ireland in connection with a drug-trafficking investigation.
Many law enforcement officials argue such powers are necessary for crime-fighting in the digital age. But campaigners say giving governments so-called extra-territorial authority to reach across borders and access data would erode individuals’ privacy rights. Technology firms like Microsoft, Apple and IBM say it would undermine consumer trust in cloud services.
The planned law, which would apply to all companies around the world that do business in the European Union, is an apparent shift in position for the European Commission, the EU executive, which has stood on the side of privacy advocates in the past.
In 2014, it said in relation to the Microsoft case that “extraterritorial application of foreign laws (and orders to companies based thereon) ... may be in breach of international law”.
Asked about the extra-territorial authority rules in the planned law, European Justice Commissioner Vera Jourova told Reuters the current method for accessing cross-border evidence was “very slow and non-efficient” and that law enforcement had to be quicker than criminals.
The proposed law would apply to the personal data of people of all nationalities, not just EU citizens, as long as they were linked to a European investigation, one of the sources said.
The legislation is still in the drafting stage and is expected to go before lawmakers and member states at the end of March. It can take up to two years for a law to be finally agreed.
Extra-territorial authority rules are however fraught with complexity, legal and privacy experts warn, as they could conflict with existing data protection laws.
In the United States, for example, certain companies are prohibited from disclosing information to foreign governments while in Europe itself, consumers’ data privacy is strictly protected and companies are restricted in how they can transfer data outside the bloc.
The sources said the EU executive acknowledged such complexities and that the decision to include extra-territorial authority in the law was partly aimed at strengthening its hand in negotiating a bilateral deal with the United States on the issue.
Jourova recognized the challenges.
“Of course when we look at the transatlantic regime there we have to agree on the reciprocity with the American authorities,” she said in an interview. “This issue of reciprocity in the law enforcement area is highly necessary to discuss in order to avoid the problem of conflict of laws.”
Keeping pace with tech
The proposed rules are the latest attempt by authorities around the world to update regulations to keep pace with technology. In May the EU General Data Protection Regulation (GDPR) will come into effect, requiring firms to give customers more control over their online information.
The planned law would give European prosecutors the power to compel companies to hand over data, bypassing existing legal channels known as mutual legal assistance treaties (MLAT).
Jourova said the law would apply to crimes which carry a minimum penalty of three years to ensure serious crimes like terrorism and drug trafficking are covered, however discussions are still ongoing.
Under MLAT, which is widely criticized for being unwieldy and slow, a European prosecutor would have to go to the government of the country where the data was stored and ask for a local subpoena or search warrant.
Some privacy campaigners agree that the MLAT system needs to be changed to speed up the process, but oppose any moves to requisition personal data across borders.
“The Commission’s main course of action is once again to circumvent this process ... rather than proposing to reform the problem they have identified,” Estelle Masse, Senior Policy Analyst at Access Now, a digital rights advocacy group, said at a conference in late January.
Asked about the Commission’s plans, John Frank, vice president for EU government affairs at Microsoft, said he thought it was generally “a bad idea.”
“I think the international law is pretty clear that police jurisdiction exercised outside your territory infringes the sovereignty of other countries,” he said at the same Brussels conference.
“If every country asserts extraterritorial jurisdiction ... then everybody gets everybody’s data.”