An article by Axel Petri, Senior Vice President Group Security Governance at Deutsche Telekom AG.
Crime doesn't stop at national borders, especially not in an increasingly digital world. The number of cases with an international dimension is rising. The investigating authorities are becoming increasingly dependent on international cooperation. Take cloud services, for example: data relevant to investigations is often stored on servers in other EU member states. While investigators already have the possibility to investigate in other member states in some cases, the process is often too slow in practice. Simple, standardized, uniform regulations have yet to be defined.
The European Union now intends to counter this development. To do so, the European Commission presented draft legislation in April 2018 aimed at simplifying and speeding up cross-border law enforcement (e-evidence). Under this new legislation, the investigating authorities would be able to gain access to data held by enterprises in the European Union without a court order, and much faster than before. The EU’s aim is to pass at least the essential framework parameters within this year.
Specifically, the European Commission has proposed a "European disclosure order" and a "European confiscation order". If they are passed, it would mean in practice that member state A could contact a local service provider – like Deutsche Telekom – in member state B without requiring the prior involvement of judicial authorities in the home country. Currently, national authorities review each request, to ensure that data is only passed on internationally when domestic law allows it.
In principle, Deutsche Telekom commends the initiative by the European Union aimed at making cross-border law enforcement faster and more effective. In doing so, however, we mustn't compromise data privacy and data security. The high level of privacy protection within the European Union must be maintained. What's more, the measures mustn't increase costs or required effort without the EU providing compensation.
In its current formulation, the proposed legislation harbors immense risks – not only to the protection of victims and the rule of law of these processes, but also to us as a telecommunications company, due to its lack of legal certainty.
For these reasons, Deutsche Telekom believes there is a significant need for corrections:
- The powers of the authorities must be balanced. Information mustn't be provided simply due to initial suspicion of a minor offense, for example. Before any intervention, legally granted rights – such as the protection of telecommunications secrecy – must be weighed against the state's interest in prosecuting criminals.
- For providers, legal certainty, practicality, and protection of customer data according to European standards are key. To achieve this, we will require at least:
  - an official, definitive list of the authorized and responsible authorities. Even better: a central authority in each country to ensure state control and sovereignty,
  - a definitive catalog of crimes for which information must be provided,
  - limitation of the information to data that the provider has already saved,
  - secure, standardized data transmission as well as
  - reimbursement of costs for providers for the extra effort incurred by the larger number of requests.

And eventually, with regard to the sensitivity of the respective requests, a reliable, legally watertight regulation is needed here, comparable to telecommunications data retention.
Summarizing, one can state: Criminal investigation and law enforcement are sovereign tasks. They must generally remain in the hands of government bodies in the respective country and must not be delegated to private enterprises. Likewise, the home country of the provider who is obliged to cooperate needs to be enabled to ensure the legitimacy of the order according to its national law. This is the only way to ensure compliance with legal rules governing criminal prosecution. At the same time, it is also clear that when private enterprises have access to data that is relevant to investigations, they have to support the authorities. But even in a more digital age, things must not go beyond this support. When it comes to protecting basic rights, private enterprises – particularly small and mid-sized companies – cannot provide the same level of quality as state authorities that have been established specifically for the purpose of law enforcement. To ensure that our basic rights continue to enjoy maximum protection, modern, digital law enforcement should also be the task of state institutions. Furthermore, it must be ruled out that private enterprises can be held responsible for the legitimacy of orders they cannot verify themselves.
Under no circumstances should the new regulations come at the expense of the telecommunications providers or at the cost of the general public's right to privacy. That's why we see significant need for improvement on the part of the European Commission as well as the need for a transparent and thorough discussion with all relevant social groups. We call for this discussion and will take part in it.