
EU-US Digital Data Exchange to Combat Financial Crime: Fast is the New Slow

Published online by Cambridge University Press:  06 March 2019

Els De Busser*
Affiliation:
Cyber Security Governance, Institute of Security and Global Affairs, Leiden University

Abstract


Criminal offenses with widely differing modi operandi and levels of complexity can generate digital evidence, whether or not the actual crime is committed by using information and communication technology (ICT). The digital data that could be used as evidence in a later criminal prosecution is mostly in the hands of private companies who provide services on the Internet. These companies often store their customers’ data on cloud servers that are not necessarily located in the same jurisdiction as the company. Law enforcement and prosecution authorities then need to take two steps that are not exclusive to evidence of a digital nature. First, they need to discover where the data is located—with which company and in which jurisdiction. Second, they need to obtain the data. In considering digital evidence, the last step, however, is complicated by new issues that form the focus of this paper. The first concern is the practice by companies of dynamically distributing data over globally spread data centers in the blink of an eye. This is a practical concern as well as a legal concern. The second issue is the slowness of the currently applicable international legal framework, which has not yet been updated to a fast-paced society where increasingly more evidence is of a digital nature. The slowness of traditional mutual legal assistance may be no news. The lack of a suitable legal framework for competent authorities that need to obtain digital evidence in a cross-border manner, nonetheless, creates a landscape of diverse initiatives by individual states that try to remedy this situation. A third issue is the position that companies are put in by the new EU proposal to build a legal framework governing production orders for digital evidence. With companies in the driver's seat of a cross-border evidence gathering operation, guarantees of the traditional mutual legal assistance framework seem to be dropped. A fourth issue is the position of data protection safeguards. US-based companies are significant data suppliers for criminal investigations conducted by EU-based authorities. Conflicting legal regimes affect the efficiency of data transfers as well as the protection of citizens' personal data.

Type
Articles
Copyright
Copyright © 2018 by German Law Journal GbR 

References

1 See The Financial Action Task Force, International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation, The FATF Recommendations (2012), http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF_Recommendations.pdf.

2 See Kruisbergen, E.W., Combating Organized Crime: A study on undercover policing and the follow-the-money strategy, 143–45 (2017), https://www.wodc.nl/binaries/Kruisbergen_dissertation_full%20text_tcm28–237785.pdf; see also Neumann, P.E., Don't Follow the Money: The Problem with the War on Terrorist Financing, Foreign Affairs, July/Aug. 2017, at 93–102.

3 Improving cross-border access to electronic evidence: Findings from the expert process and suggested way forward, The European Commission (2017), https://ec.europa.eu/home-affairs/sites/homeaffairs/files/docs/pages/20170522_non-paper_electronic_evidence_en.pdf (citing the US as the recipient of the highest volume of requests for digital evidence from EU authorities. Non-paper from the Commission Services).

4 Commission Regulation 2016/670 of the European Parliament and of the Council of April 27, 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC, 2016 O.J. (L 119) [hereinafter GDPR].

5 Directive 2016/680 of the European Parliament and of the Council of April 27, 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offenses or the Execution of Criminal Penalties, and on the Free Movement of Such Data, and Repealing Council Framework Decision 2008/977/JHA, 2016 O.J. (L 110) [hereinafter DDPLE].

6 Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, COM (2018) 225 final (Apr. 17, 2018) [hereinafter E-Evidence Regulation].

7 This convention, and the 1980 OECD Guidelines governing the protection of privacy and trans-border flows of personal data, were inspired by two resolutions of the Council of Europe Committee of Ministers—Res 73(22) and Res 74(29)—and a recommendation by the Parliamentary Assembly of 1968.

8 Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281).

9 See Bygrave, Lee A., Data Protection Law, Approaching its Rationale, Logic and Limits 43 (2002).

10 See id. at 44.

11 2016 O.J. (L 119) 4(1).

12 Opinion 4/2007 on the Concept of Personal Data, The Working Party (2007), https://www.clinicalstudydatarequest.com/Documents/Privacy-European-guidance.pdf.

13 Opinion 2/2010 on Online Behavioural Advertising, The Working Party (2010), https://iapp.org/media/pdf/resource_center/wp171_OBA_06–2010.pdf (noting an individual's internet surfing behavior can be so specific that it can qualify as personal data).

14 See E-Evidence Regulation, supra note 6 at Art. 2 (7)–(10).

15 See Solove, Daniel, Why Metadata Matters: The NSA and the Future of Privacy, Teach Privacy (Feb. 12, 2013), https://teachprivacy.com/metadata-matters-nsa-future-privacy/; see also Daskal, Jennifer, Law Enforcement Access to Data Across Borders, 8 J. of Nat'l Security L. & Pol'y 3, 485 (2016).

16 See E-Evidence Regulation, supra note 6; see infra Section B.1.

17 See The 1959 Council of Europe Convention on Mutual Legal Assistance in Criminal Matters, E.T.S. No. 30.

18 2000 O.J. (C 197).

19 2003 O.J. (L 181).

20 See The 2001 Council of Europe Convention on CyberCrime, E.T.S. No. 185.

21 In order to avoid confusion with the term “service providers,” I choose to use the wider term “companies.” Companies that offer search engines such as Google are not a service provider in the strict sense of the word because they do not offer Internet access. Search engines, however, collect vast amounts of data that can be requested by law enforcement authorities and should thus be included in this analysis.

22 See Improving cross-border access to electronic evidence, supra note 3.

23 Seth, Shobhit, World's Top 10 Internet Companies, Investopedia (Feb. 16, 2018) https://www.investopedia.com/articles/personal-finance/030415/worlds-top-10-internet-companies.asp (noting that of the top ten of the largest—based on annual revenue—Internet companies in the world, six are American and four are Chinese).

25 In re Search Warrant No. 16–960-M-01 to Google (E.D. Pa. 2017).

26 See GDPR, supra note 4 at recital 36 of the preamble.

27 Daskal, Jennifer, The Un-Territoriality of Data, 125 Yale L. J. 326, 326–98, (2015).

28 See Improving cross-border access to electronic evidence, supra note 3; see also Questionnaire on Improving Criminal Justice in Cyberspace, https://ec.europa.eu/home-affairs/what-we-do/policies/organized-crime-and-human-trafficking/e-evidence_en.

29 See Questionnaire, supra note 28.

30 Measures to improve cross-border access to electronic evidence for criminal investigations following the conclusions of the Council of the European Union on improving criminal justice in cyberspace (2017), https://ec.europa.eu/home-affairs/sites/homeaffairs/files/docs/pages/20170522_technical_document_electronic_evidence_en.pdf.

31 U.S. v. Microsoft, 584 U.S. 1 (2018) (per curiam).

32 CLOUD Act, H.R. 4943, 115th Cong. (2018).

33 Nielsen, Nikolaj, Rushed US Cloud Act Triggers EU Backlash, EUOBSERVER (Mar. 26, 2018), https://euobserver.com/justice/141446.

34 See E-Evidence Regulation, supra note 6.

35 Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, COM (2018) 226 final (Apr. 17, 2018).

36 Denmark and Ireland are not taking part in the European Investigation Order so for cooperation with these member states, the freezing and confiscation orders can still be used.

37 See E-Evidence Regulation, supra note 6 at Art. 4 (defining criminal offenses punishable in the issuing state by a custodial sentence of a maximum of at least 3 years or fraudulent money transfers, offenses related to sexual abuse and exploitation of children and terrorism offenses wholly or partly committed by means of an information system).

38 See infra Section B.2.

39 New EU Rules to Obtain Electronic Evidence, European Commission (Apr. 17, 2018), http://europa.eu/rapid/press-release_MEMO-18–3345_en.htm.

40 Murgia, Madhumita, UK-US pact will force big tech companies to hand over data, Financial Times (Oct. 23, 2017), https://www.ft.com/content/880bc2ae-b980–11e7–9bfb-4a9c83ffa852.

41 CLOUD Act, H.R. 4943, 115th Cong. (2018).

42 Woods, Andrew Keane & Swire, Peter, The CLOUD Act: A Welcome Legislative Fix for Cross-Border Data Problems, Lawfare (Feb. 6, 2018), https://lawfareblog.com/cloud-act-welcome-legislative-fix-cross-border-data-problems.

43 See Amicus Curiae Brief of the European Commission on Behalf of the EU in the Matter of a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corporation, U.S. v. Microsoft, 584 U.S. 1 (2018) (per curiam).

44 See McMeley, Christin & Seiver, John, The CLOUD Act — A needed fix for US and foreign law enforcement or threat to civil liberties? IAPP (Feb. 28, 2018), https://iapp.org/news/a/the-cloud-act-a-needed-fix-for-u-s-and-foreign-law-enforcement-or-threat-to-civil-liberties/.

45 See De Busser, Els, Data Protection in EU and US Criminal Cooperation: A Substantive Law Approach to the EU Internal and Transatlantic Cooperation in Criminal Matters between Judicial and Law Enforcement Authorities, 353–54 (2009).

46 See Trubow, George B., European Harmonization of Data Protection Laws Threatens U.S. Participation in Trans Border Data Flows 13 Ne. J. of Int'l L. & Bus., 176 (1992–1993); see also Long, William J. & Quek, Marc Pang, Personal Data Privacy Protection in an Age of Globalization: The US-EU Safe Harbor Compromise, 9 J. of Eur. Pub. Pol'y 325, 326 (2002).

47 Commission Implementing Decision (EU) 2016/1250 of July 12, 2016 pursuant to the Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection Provided by the EU-US Privacy Shield, 2016 O.J. (L 207) (Both the Safe Harbor agreement and the Privacy Shield are based on the same mechanism: a set of data protection principles signed by a long list of US based companies committing themselves to compliance with these principles. Since the Safe Harbor agreement was annulled due to insufficient necessity and proportionality safeguards and lacking redress for EU citizens (Case C-362/14, Schrems v. Data Protection Commissioner, ECLI:EU:C:2015:650), the Privacy Shield enhances data protection.)

48 The Judicial Redress Act of 2015, H.R. 1428, 144th Cong. (2016).

51 Daskal, Jennifer, Microsoft Ireland, the CLOUD Act, and International Lawmaking 2.0, 71 Stan. L. Rev. Online 9 (2018) (referencing to Anu Bradford, The Brussels Effect).

53 See Joined Cases C-404/15 & C-659/15 PPU Pál Aranyosi & Robert Căldăraru (Apr. 5, 2016) http://curia.europa.eu/juris/liste.jsf?num=C-404/15.