Nowadays crimes are more and more often committed, or at least facilitated, with a smartphone or another computing device. Digital evidence in the form of data is therefore essential in almost all criminal investigations.[1] That does not mean, however, that collecting such evidence is straightforward and effortless. Law enforcement authorities (LEAs) face, among others, two main challenges in their investigations: jurisdiction and encryption.[2]

Lawmakers have responded by introducing new legislation intended to overcome these challenges, such as the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), a piece of US legislation which allows US LEAs to request data from US-based service providers even if that data is stored on servers abroad, or the Assistance and Access Bill passed by the Australian Parliament just a few weeks ago, which requires service providers to give LEAs technical assistance in accessing the encrypted data of their users.

Often lost in the public outcry are the consequences for, and the dilemma of, the service providers confronted with such legislation. On the one side, they could face criminal charges for not complying with, for instance, US or Australian legislation; on the other side, complying could expose them to crushing fines under the EU General Data Protection Regulation (GDPR) of up to EUR 20 000 000 or 4 % of their total worldwide annual turnover of the preceding financial year.

This blog post briefly looks at the aforementioned developments to overcome the challenges of jurisdiction and encryption before sketching out the consequences such legislation might have, from a data protection perspective under the GDPR, for the affected service providers.

1. Jurisdictional Challenges and the US CLOUD Act

An LEA’s jurisdiction is limited to the territory of its State, whereas our communication and use of data, thanks to the internet, cloud computing and other technological developments, ignore borders. Providers of communication and cloud platforms such as Skype, WhatsApp, Microsoft, Google and Dropbox more often than not do not store data in the country in which the user resides, thereby depriving LEAs of the chance to physically seize the data within their own territory. When chasing the “bad guys” on the internet, LEAs thus encounter complex sovereignty questions: In which country is the data stored? Who has jurisdiction over it? How can the data required for a criminal investigation be accessed at all?

If the data is stored abroad, LEAs should in principle rely on the official channel of investigation: mutual legal assistance (MLA). MLA, however, was developed for investigating traditional criminal cases in the offline world and is consequently regarded as cumbersome for obtaining digital evidence: “The mutual legal assistance (MLA) process is considered inefficient in general, and with respect to obtaining electronic evidence in particular. Response times to requests of six to 24 months appear to be the norm. Many requests and thus investigations are abandoned. This adversely affects the positive obligation of governments to protect society and individuals against cybercrime and other crime involving electronic evidence.”[3]

In order to overcome the jurisdictional challenge and speed up the investigatory process, LEAs have over the last couple of years started to request data relevant to their criminal investigations directly from service providers, regardless of where the data is located.

The most prominent example, or at least one of them, of a request for data stored on servers on foreign soil is the Microsoft Ireland case. It began in December 2013, when a US court ordered Microsoft to hand over data belonging to an email account hosted by Microsoft in Ireland. Microsoft challenged the court’s order (a warrant) on jurisdictional and sovereignty grounds, which resulted in a legal battle between the Department of Justice (DOJ) and Microsoft that reached the Supreme Court in 2017.

However, before the Supreme Court could decide the matter, the US Congress passed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) in March 2018, which now allows US LEAs to request data from US-based service providers even if that data is stored on servers abroad. The CLOUD Act amends the Stored Communications Act (18 U.S. Code Chapter 121) by adding § 2713, which reads:

“A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.”

Because the requirement of “possession, custody, or control” is ambiguous and can mean anything from physical possession, through contractual rights, to effective control over the data, not only service providers in the US fall within the scope of the CLOUD Act but also subsidiaries of US companies operating abroad, for instance in the EU. In general, control is assumed to exist where the provider has the practical ability or the legal right to hand over the data, whether directly or through a subsidiary.

2. Challenges as a result of Encryption: Assistance and Access Bill

Even when LEAs gain access to data, for instance by seizing a mobile phone or by requesting the data from a service provider, the increasing popularity of encryption prevents them from making sense of it. Without the key, encrypted data reveals nothing more than scrambled information.

A real-life example helps to grasp this challenge. A federal judge ordered Apple to provide the FBI (Federal Bureau of Investigation) with reasonable technical assistance in unlocking an encrypted iPhone belonging to one of the shooters in the San Bernardino terror attack of December 2015. Apple refused, fearing that such assistance would set a precedent and harm the security of encryption technologies for years to come. Ultimately, the FBI was able to unlock the iPhone without Apple’s assistance, and the case did not proceed.

A second example concerns encrypted communication. In a two-year investigation widely covered by the media, the FBI in 2013 took down the black-market forum Silk Road, which facilitated the trade of drugs and other illicit goods over the internet. Silk Road owed its success to a combination of anonymity and encryption. It ran as a hidden service on the Darknet, in this case the Tor network, whose nodes relay traffic through multiple layers of encryption, which made it difficult for law enforcement to locate the website’s server, its administrator(s) and its users. Ultimately the server on which the site was running at the time was located in Iceland and seized following a successful mutual legal assistance request by the US. Reports indicate, however, that the seizure was preceded by unauthorized access (hacking) to the server in Iceland from US soil[4], which clearly illustrates the aforementioned jurisdictional challenges.

Although nothing has changed in the US, Australian lawmakers have now decided to ensure “that […] national security and law enforcement agencies have the modern tools they need, with appropriate authority and oversight, to access […] encrypted conversations of those who seek to do […] harm”[5] by passing the Assistance and Access Bill on 6 December 2018. The Bill provides for fines of up to 7.3 million dollars for companies as well as prison sentences for individuals.[6]

Privacy advocates fear that the Bill might also have implications for other countries such as the UK or the US.[7] Such investigatory powers may seem necessary in light of the examples above. However, an obligation to build a backdoor for the “good guys” has a downside: there is no way to build an access mechanism that only authorized parties can use, so it weakens the security of the system for everyone, and the “bad guys” can take advantage of the same weakness.

3. More to consider: The EU General Data Protection Regulation

The GDPR has applied since 25 May 2018 and established an almost uniform data protection standard within the EU and its Member States. Its obligations apply to service providers that are established in the EU, that offer goods or services to, or monitor the behaviour of, people in the EU, or that process personal data on behalf of an EU-based company (the controller) (see Art. 3 GDPR).

Service providers face a dilemma when legislation such as the US CLOUD Act or the Australian Assistance and Access Bill contradicts the obligations imposed on them by the GDPR. Failing to comply with one or the other can result in criminal charges or, as mentioned above, in the case of the GDPR in crushing fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Unlike the CLOUD Act or the Australian Assistance and Access Bill, the GDPR applies only to the processing of personal data. Personal data is any information relating to an identified or identifiable natural person, for instance a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (see Art. 4 no. 1 GDPR).

This blog post can provide no more than a short glimpse of the challenges service providers may face in light of the GDPR and contradicting legislation.

3.1 GDPR: Legal Basis

The processing of personal data, which includes its transfer from a service provider to an LEA, is only lawful if it rests on one of the legal bases in Art. 6 GDPR, consent being one of them. Since both the CLOUD Act and the Australian Assistance and Access Bill deal with the investigatory powers of LEAs, it is unlikely that the affected person, here the suspect in a criminal investigation, will consent to disclosure or processing by the service provider in the interest of the authorities.

The European lawmakers therefore included Art. 6 para. 1 lit. c GDPR, according to which processing is lawful if it is necessary for compliance with a legal obligation. Service providers confronted with a court order based on the CLOUD Act or the Assistance and Access Bill could thus argue that disclosure or processing based on that order is permitted under Art. 6 para. 1 lit. c GDPR. However, according to Art. 6 para. 3 GDPR, the legal obligation must be laid down by EU law or the law of a Member State; an obligation imposed by the law of a third country does not qualify.

Consequently, service providers are left with Art. 6 para. 1 lit. f GDPR, which allows processing for a legitimate interest, “except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data”. In the case of a criminal investigation, the rights and freedoms of the data subject will more often than not override the interest of the service provider.

Absent another legal basis, any disclosure or processing of personal data in response to a court order from a non-EU/EEA country is therefore in breach of the GDPR and can be fined under Art. 83 para. 5 lit. a GDPR.

3.2 GDPR: Third Country Transfer

The GDPR imposes even stricter rules when personal data is transferred to a non-EU State (a third country) such as the US or Australia. In that case the GDPR requires appropriate safeguards, such as standard data protection clauses according to Art. 46 para. 2 lit. c GDPR, or an adequacy decision by the European Commission for the country of destination (Art. 45 GDPR).

In addition, the European lawmakers require that a transfer of personal data in response to a “judgment of a court or tribunal and any decision of an administrative authority of a third country” be based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU or a Member State (see Art. 48 GDPR). A court order under the CLOUD Act or the Assistance and Access Bill is therefore not by itself sufficient to justify a third country transfer: the request would have to be routed through such an agreement, which is precisely the channel these laws are designed to bypass, and no agreement covering direct orders of this kind exists between the EU (or its Member States) and the US or Australia as of now. Art. 48 applies without prejudice to the other transfer grounds of Chapter V, but the only ones that could conceivably be invoked here are the narrow derogations of Art. 49 GDPR.

Again, service providers face fines under Art. 83 para. 5 lit. c GDPR if they transfer the data to, or grant access to the data for, US or Australian authorities.

3.3 GDPR: Technical and Organizational Measures

Last but not least, the GDPR restricts a controller’s choice of service providers: it may only use processors “providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject” (Art. 28 para. 1 GDPR). Those technical and organizational measures have to ensure a level of security appropriate to the risk, including, inter alia and as appropriate, the ability to ensure the encryption of personal data and the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (Art. 32 para. 1 GDPR).

As explained above, an obligation to create a backdoor or to give LEAs access to encrypted communication data generally weakens the security measures and thereby increases the risk of unauthorized access by “bad guys” as well. Should Australian service providers, in reaction to the Assistance and Access Bill, from now on build backdoors into their encryption technologies, they might no longer be able to provide sufficient guarantees according to Art. 28 and 32 GDPR and therefore risk being sidelined by EU companies, which would themselves face fines of up to EUR 10 000 000 or 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83 para. 4 lit. a GDPR), if they contracted with a service provider in breach of Art. 28 GDPR.

[1] Susan W. Brenner, Cybercrime: Criminal Threats from Cyberspace, 2010, p. 37.

[2] Similarly, Europol (2015), The Internet Organised Crime Threat Assessment (iOCTA), p. 50 ff.

[3] See Cybercrime Convention Committee (T-CY), T-CY assessment report: The mutual legal assistance provisions of the Budapest Convention on Cybercrime, adopted by the T-CY at its 12th Plenary (2–3 December 2014), page 123.

[4] Andy Greenberg, Ross Ulbricht Calls for New Trial, Alleging Feds Hacked Tor, Wired, 2015.

[5] Attorney General Christian Porter, see Jamie Tarabay for the New York Times, Australian Government Passes Contentious Encryption Law, Dec. 6, 2018, https://www.nytimes.com/2018/12/06/world/australia/encryption-bill-nauru.html .

[6] Frankfurter Allgemeine Zeitung, Australiens Polizei darf jetzt verschlüsselte Daten knacken [Australia’s police may now crack encrypted data], 06.12.2018, https://www.faz.net/aktuell/wirtschaft/diginomics/australiens-polizei-darf-jetzt-verschluesselte-daten-knacken-15927874.html.

[7] Ibid.