Cloudy days ahead: Cross-border evidence collection and its impact on the rights of EU citizens

Author: Lawrence Siry
DOI: 10.1177/2032284419865608
Published date: 01 September 2019
Subject Matter: Articles
University College Cork – National University of Ireland, Ireland
Abstract
In recent years, the development of cloud storage and the ease of cross-border communication
have rendered the area of evidence collection particularly difficult for law enforcement agencies
(LEAs), courts and academics. Evidence related to a criminal act in one jurisdiction might be stored
in a different jurisdiction. Often it is not even clear in which jurisdiction the relevant data are, and at
times the data may be spread over multiple jurisdictions. The traditional rules related to
cross-border evidence collection, the mutual legal assistance treaty (MLAT) regimes, have proved to be
out-dated, cumbersome and inefficient, as they were suited for a time when the seeking of
cross-border evidence was more infrequent. In order to tackle this problem, the United States has
enacted the Clarifying Lawful Overseas Use of Data Act, which gives extraterritorial e-evidence
collection powers to US courts. Simultaneously, the European Union (EU) has proposed similar
sweeping changes which would allow for LEAs in Member States to preserve and collect
cloud-based evidence outside of the MLAT system. This article critically evaluates these developments
from the perspective of the impact on the rights of EU citizens.
Keywords
E-evidence, criminal law, CLOUD Act, privacy, European production order, data protection, GDPR
Corresponding author:
Lawrence Siry, University College Cork – National University of Ireland, College Road, Cork T12 T656, Ireland.
E-mail: lawrence.siry@gmail.com
New Journal of European Criminal Law
2019, Vol. 10(3) 227–250
© The Author(s) 2019
Introduction
The dilemma of establishing jurisdiction over Internet actors is nothing new. It has dominated legal
discussions for nearly 20 years. States have two distinct interests in establishing jurisdiction over
Internet companies. The first is to control the content of material which is available in the
jurisdiction of a state. The second is to establish control over data held by companies which
concern investigative processes conducted by the state. While these two interests are in many
cases related, the first interest is easier to fit within the existing legal framework, most notably
because if information is available within a jurisdiction, has an impact within a jurisdiction and
possibly evidences illegal activity pursuant to the state's legal framework, there is a strong state
interest in permitting a state to dictate what is or is not available, still within the constructs of
international and national rights protections. Examples of this are the regulation of harmful
material, inter alia, child pornography, hate speech and incitement to violence. This is because the
speech itself is violative of national provisions.
More problematic is the second interest in the assertion of jurisdiction: the control (or
jurisdiction) over data held by a company with business ties to a state, which is not stored within the
territory of the state seeking the material. The problem stems in part from the changing nature of
the information sought. Gone are the days of data stored in a single location on a server at the
headquarters of companies such as Microsoft, Apple, Facebook or Google. The Cloud has made it
far more economical to diversify data storage. The legal impact of this diversification has
challenged basic structures of international law and relations. Traditional concepts of territorial control
over objects in a particular jurisdiction are yielding to ideas of accessibility of data in a particular
jurisdiction regardless of where the data physically exist. Recent developments in the United States
and Europe highlight the dilemma: The United States has enacted legislation which extends data
access rules beyond its borders and is willing to allow law enforcement agencies (LEAs) to have
access to data stored in the United States in exchange, under certain conditions. In Europe, the
European Union (EU) Commission has proposed rules that would allow for data access by
European law enforcement across the EU. The question remains, however, as to what legal effects on
the rights of the data subject on both sides of the Atlantic will result.
In March 2018, as part of an Omnibus Budget Bill, the US Congress passed the Clarifying
Lawful Overseas Use of Data Act¹ (CLOUD Act) which amended the existing legal framework
concerning data evidence collection, the Stored Communications Act of 1986² (SCA). Congress
sought to update the law regarding the retrieval of digital evidence in the light of the reality that
digital evidence is now stored in the cloud rather than static servers within one particular
jurisdiction. The impetus for the Congressional action was a controversial case, Microsoft Corp. v. United
States, which had begun in the Federal Court in New York and made its way to the Supreme Court.
The case was ultimately dismissed by the High Court as moot with the passage of the new law.³
The legislation comes at a time when the fundamental right to private life, in Europe,⁴ is central.
Particularly, within the organs of the EU, the right has brought several prominent cases of the Court
of Justice of the European Union, as well as an expansive regulation applying to all Member States
of the EU. In an effort to clarify the rights of citizens both in the United States and Europe, and the
responsibilities of those companies which hold and process data, the law further muddies the
waters. Coupled with the new law is proposed European legislation on evidence sharing and
1. H.R.4943 – CLOUD Act 115th Congress (2017–2018).
2. Stored Communications Act (SCA) 18 U.S.C. Chapter 121 §§ 2701–2712.
3. Microsoft Corp. v. United States (In re a Warrant to Search a Certain E-Mail Account Controlled & Maintained by
Microsoft Corp.) 829 F.3d 197, 204.
4. The right to private and family life is protected by Article 8 of the European Convention on Human Rights and Article 7
of the European Union Charter of Fundamental Rights.