The European Commission is preparing to introduce laws to force technology companies to reveal details on citizens, even if those details are stored on servers outside European Union territory. And this is after it has previously opposed the US government trying to do something similar.
The Commission has previously expressed its support for European national law enforcement agencies to be able to quickly access personal information located in any of the 28 EU member states, as part of criminal investigations. But it has never previously publicly supported the idea of forcing companies to hand over data when it is located outside the EU area.
Sources with “direct knowledge of the matter” have spoken to news agency Reuters about the plans, which will attract opposition from privacy campaigners and potentially cloud service providers, who are building data centres in individual countries to serve customers in those countries, to go some way in addressing “data sovereignty” concerns.
The US Supreme Court is currently dealing with the long-running case of Microsoft against US prosecutors, who are trying to force the company to hand over emails stored on its servers in Ireland, as part of a drug-trafficking investigation.
As Reuters points out, the planned law, which would target all firms that do business in the European Union, is a shift in previous positions. On the Microsoft case, in 2014, the Commission said that “extraterritorial application of foreign laws (and orders to companies based thereon) ... may be in breach of international law”.
But European Justice commissioner Vera Jourova told Reuters that the current method for accessing cross-border evidence was “very slow and non-efficient” and that law enforcement had to be quicker.
Going into someone else's territory is nothing knew to the US when it comes to digital investigations. Under the US Patriot Act, brought in after 9/11, any US company is legally obliged to hand over data relating to a “serious” criminal investigation, even if that data is stored and managed by an overseas subsidiary of that company. So when a US company tells you your data is totally safe when they build a data centre in Germany, France or the UK, for instance, to provide locally delivered cloud services, it doesn't technically mean that the FBI, US Secret Service or US National Security Agency have no chance of getting hold of it.