BRUSSELS (Reuters) - Technology companies such as Google, Microsoft and Facebook will be forced to hand over users’ data to European law enforcement officials even when it is stored on servers outside the bloc, under a law proposed by the EU on Tuesday.
The law would allow European prosecutors to force companies to turn over data such as emails, text messages and pictures stored online in another country, within 10 days or as little as six hours in urgent cases.
The European Union executive says the proposed law, which would apply to data stored inside and outside the bloc, is necessary because current legal procedures between countries to obtain such electronic evidence can drag on for months.
“Electronic evidence is increasingly important in criminal proceedings,” said European Commission Vice-President Frans Timmermans.
“We cannot allow criminals and terrorists to exploit modern and electronic communication technologies to hide their criminal actions and evade justice.”
Digital borders are a growing global issue in an era where big companies operate so-called cloud networks of giant data centers, which mean that an individual’s data can reside anywhere.
Technology companies have found themselves torn between protecting consumers’ privacy while cooperating with law enforcement. The political pressure has intensified after Islamist-inspired attacks across Europe in recent years.
The United States recently moved to address the same problem, passing a law making it clear that U.S. judges could issue warrants for data held abroad while giving companies an avenue to object if the request conflicts with foreign law.
Prosecutors and police will have to ask a judge to approve their request for electronic evidence where it concerns more sensitive data, such as the actual content of messages, emails, pictures and videos.
They will also be able to ask companies to ensure electronic evidence is not deleted while they prepare their so-called production order.
The proposal will apply only in cases where crimes carry a minimum jail sentence of three years. In cases of cybercrime there will be no minimum penalty requirement.
Where companies find themselves in a conflict-of-law situation because the country where data is stored forbids them from handing it over to a foreign authority, they will be able to challenge the seizure request.
However, such extraterritorial rules are fraught with complexity, legal and privacy experts warn.
In the United States, for example, certain companies are prohibited from disclosing information to foreign governments, while in Europe consumers’ data privacy is strictly protected and companies are restricted in how they can transfer data outside the bloc.
“The Commission is proposing dangerous shortcuts to allow national authorities to obtain people’s data directly from companies, basically turning them into judicial authorities,” said Maryant Fernandez Perez, senior policy adviser at campaign group European Digital Rights.
CCIA, a tech association that includes Google and Facebook, welcomed the proposal but said it only offered a limited mechanism for addressing the risk that companies find themselves torn between two conflicting national laws.
“We welcome today’s proposals, which can help authorities obtain digital evidence more effectively and with more transparency and legal clarity,” said Alexandre Roure, CCIA Europe’s senior manager.
Ultimately, the Commission hopes to start talks with the United States on a deal to help law enforcement authorities to seize evidence held on each other’s territories.
“We always think it’s useful to have an EU-U.S. coordinated approach instead of a French-U.S. approach, a Belgian-U.S. approach because that leads to fragmentation,” a Commission official said.
Reporting by Julia Fioretti; Editing by David Goodman