nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Watch out Facebook, Google – the EU wants easy access to your data

So much for the European data fortress?

By Rebecca Hill, 9 Jun 2017

The European Commission is pushing measures that would force tech firms like Facebook and Google to hand over their data to police in different member states.

EU justice ministers met in Luxembourg yesterday to consider three proposals, which range from allowing police from one state to ask nicely for data held by companies in another to giving cops the ability to copy data directly from the cloud.

The surprise move by the commission – which jars with the perception that Europe is a strong advocate of data privacy – has been prompted by the increase in terrorist attacks in Europe over the last two years.

EU justice commissioner Vera Jourova told Reuters: "I am sure that now in the shadow of the recent terrorist attacks and increasing threats in Europe there will be more understanding among the ministers, even among those who come from countries where there has not been a terrorist attack."

According to commission spokesman Christian Wigand, the ministers "all agreed that a legislative approach is needed", and said discussions focused mainly on the second of the three proposals.

Under this proposal, referred to as "production orders", tech firms based in one state would be obliged to hand over data when it is requested by police in another member state.

It goes slightly further than the first, which would merely allow police in one member state to request data from an IT provider without having to first OK it with the other member state.

Wigand said that the ministers also discussed the third proposal, which would allow police to copy data directly from the cloud.

Frank Jennings, partner at law firm Wallace LLP, told The Reg that this measure was "the most concerning" of the three.

"I'd certainly like to see some checks and balances put in place, for instance that access to data would be restricted just to the data necessary to identify the criminal undertaking, or – if it's going to be through a general trawl to find information – then that the data would not be retained afterwards.

"If Europe is going to continue to be data fortress Europe, we need to make sure we have some of these broad checks and balances, to prohibit us from becoming the next NSA regime."

Jourova did describe this third option of direct access as "a kind of an emergency possibility, which will require some additional safeguards protecting the privacy of people" such as making sure requests are necessary and proportionate. She added: "You simply cannot massively collect some digital data for some future use."

However, the proposals are also likely to muddy the waters of global data privacy and the abilities of security agencies to access firms' data – an issue that is coming under intense scrutiny after a spate of court battles between tech firms trying to shut down federal data slurping.

In January Microsoft won a landmark appeal against US investigators trying to get their hands on emails stored on cloud systems in Ireland – a case in which the commission took Microsoft's side, saying that data held by EU companies should not be accessed by overseas agencies.

But Jennings asked whether the new proposals could open a backdoor for the US to access such data from member states. "The US government wouldn't be able to get access data in the Microsoft Dublin cloud," he said, "but the EU commission or law enforcement bodies would be able to. So if the US government were to ring up its friends at GCHQ [and ask it to use the] process under this new proposal."

Jennings added that although tech firms' official line was likely to be "outrage", he thought that "behind the scenes it is not going to be too different to what happens at the moment – so long as you turn up with a warrant that's legitimate", data sharing will go ahead.

The EU justice ministers were also expected to discuss the types of data that could fall within the scope of the law – such as geolocation or personal data – during the meeting.

Based on these discussions, the commission will put together a final proposal by the end of 2017 or early 2018.

The Register - Independent news and views for the tech community. Part of Situation Publishing