During this week, the LIBE committee of the European Commission will read a draft report on e-evidence. This report includes a proposal for cross-border access to data for law enforcement which would allow foreign law enforcement agencies from across the EU to force companies to hand over customer data without a check by local authorities.
A big problem for local EU IT businesses
While further and deeper integration of EU law enforcement is not a bad thing, this proposal puts the onus on verifying the legality of this request on the recipient. While large companies like Google certainly have no problem with this, a small local hosting provider which manages Nextcloud for its customers would not be able to even properly authenticate the foreign authorities, let alone object to illegitimate orders!
This would obviously be bad for the many thousands of independent hosting providers in Europe as well as the privacy and security of their customers, providing a huge benefit to the established internet molochs Google, Amazon, Microsoft and others.
Together with Mailfence, Tutanota, ProtonMail and Matomo, Nextcloud has signed a public letter to the LIBE committee. We’d like to not only thank our co-signatories, but also do a call-out to privacy-tech.eu who brought this issue to the forefront.
A few recommendations are made in our letter. First, we’d like to see a number of improvements which were already in the draft to be picked up:
- Involve national judicial authorities whenever foreign data requests come in
- Define workable data categories
- Enable online service providers to inform their customers about foreign data requests having taken place as long as that does not obstruct an ongoing investigation
We ask for a few further improvements:
- The reimbursement of costs incurred from data access requests by the issuing authority should be mandatory (as proposed by MEP Sippel’s amendment 168) but the reimbursed amount should also be proportionate to the amount of data requested. This would help preventing fishing campaigns without suspicion where a law enforcement agency demands large amounts of data in the hope of finding unrelated evidence.
- The draft report should mandate a secure way of authentication and of exchanging information between companies and law enforcement agencies. Currently, too often tech companies receive requests for data via fax machine or unsecured emails, putting the data that is transmitted in both directions at risk. It is particularly crucial for companies to be able to authenticate with absolute certainty the foreign authority they are communicating with in order to avoid the leakage of customer data to malicious actors.
We hope the EU commission will take our feedback serious and we urge everyone to spread this message and voice support for the EU privacy tech business!