
Everything wrong with the EU’s proposals for gathering electronic evidence

The European Commission recently submitted proposals for new rules governing how e-evidence is gathered by law enforcement agencies. E-evidence would include things like emails, messages, and other data related to a possible crime or investigation. It is certainly important that law enforcement can gather evidence and conduct thorough criminal investigations. However, just as there are laws governing how physical evidence is gathered that protect citizens’ privacy, we believe there should be similar laws for the gathering of e-evidence. 

We are concerned that the Commission’s new proposals would undermine these principles. That is why, this week, we co-signed a letter to members of the European Parliament Committee on Civil Liberties, Justice and Home Affairs, calling for changes to the European Commission’s e-evidence proposal on cross-border access to data for law enforcement.

As we’ve often said in the past, we believe people have a right to privacy and the right to control their own data. While we would not be directly affected as we’re based in Switzerland rather than in the EU, it’s possible that our European users’ data on other platforms would be put at risk. We are also concerned that this would set a worrying precedent. It would make it easier for EU governments to gather information on foreign citizens from other EU nations with little to no oversight. In our view, this is a clear invasion of privacy and exactly the sort of action that we set up Proton Mail to combat. 

How the proposals put privacy at risk

The proposals from the European Commission could allow foreign law enforcement agencies from across the EU to force companies in Europe to hand over customer data without a local judge reviewing and approving the foreign order. 

Previously, European privacy companies had a competitive advantage over their American competitors due to better data protection laws. Under the current rules, only the national judicial authority of the country where the company is based can order it to hand over customer data for a criminal investigation. However, the wording of the Commission’s proposal would make it difficult for companies to properly authenticate data requests to ensure they are not replying to a malicious actor — let alone object to an order if they found it to be unwarranted. Unlike their larger American rivals, in many cases these European privacy companies don’t have the legal resources required to properly scrutinize all requests as they come in.

Why is this important?

While we will not be affected by the Commission’s proposals, if the amendments listed below are not adopted, this represents a regressive step for privacy in Europe. We believe everyone has the right to privacy and the right to control their own data. This is a human right, and it needs to be protected. Furthermore, the European Commission’s proposed law would put users’ data at risk and prevent European privacy companies from competing with their foreign rivals. We believe everyone, no matter who their email, data, or communications provider is, deserves to have their privacy respected.

What does the letter call for?

The letter was sent by Privacy Tech Europe, a loose coalition of European privacy tech companies. It calls on members of the European Parliament Committee on Civil Liberties, Justice and Home Affairs to support Rapporteur Birgit Sippel MEP’s proposed amendments and also suggests further ways in which the law can be improved.

Sippel’s amendments try to support the legitimate needs of law enforcement while also preserving citizens’ privacy rights. The proposed reforms would require: 

  • National judicial authorities be involved whenever foreign data requests are submitted.
  • Formally defined workable data categories. 
  • Online service providers be allowed to inform customers about foreign data requests as long as that does not obstruct an ongoing investigation.
  • The issuing authority to reimburse costs incurred from a data access request. 
  • A secure way of authenticating and exchanging information between companies and law enforcement agencies. 

Proton is protected from the EU’s ‘e-evidence’ proposals

We are in a fortunate position. Switzerland has some of the most privacy-conscious laws in the world, meaning our users receive a higher level of legal protection than users of many other companies. Being headquartered in a country outside of the EU means that we wouldn’t be directly impacted by this proposal. Also, since we do not collect data on our users, we would have very little information to share if we were ever served one of these foreign orders. However, we are still a member of the greater tech ecosystem, and something that negatively impacts privacy anywhere is still bad for the ecosystem as a whole. 

The letter can be read in full below. 

Best regards,
The Proton Mail Team


Dear Members of the LIBE Committee, 

This week, you will examine Rapporteur Birgit Sippel’s draft report on cross-border access to data for law enforcement (“e-evidence”). The undersigned European companies and start-ups urge you to support the many good proposals made by Rapporteur Sippel and to consider some key improvements to the file. 

WHO WE ARE 

As part of the flourishing European privacy tech industry, we provide highly secure data hosting, email, messaging and collaboration platforms built in Europe and for Europe. The privacy tech industry helps the EU, its businesses and citizens to strengthen their digital sovereignty and become more independent from the Big Data behemoths of Silicon Valley. We build software and online services with the needs of real businesses and people in mind, rather than for creepy advertisement and data collection.

THE PROBLEM 

The Commission’s e-evidence proposal threatens the competitive advantage European tech businesses have over their American counterparts by undermining the protections we can provide to our customers. It breaks with the long-standing rule that only trusted national judicial authorities can order companies to hand over customer data for criminal investigations. Instead, the Commission’s e-evidence proposal would allow any foreign law enforcement agency from across the EU to force us to hand out customer data without our own authorities double checking the foreign order. 

Different from American Big Tech firms, European privacy tech companies lack the resources to verify the legality of each foreign order. Because of the way the e-evidence proposal is phrased, we would not even be able to properly authenticate foreign authorities to ensure that we are not replying to a malicious actor – let alone object to an order if we found it to be unwarranted. 

HOW TO FIX IT 

The Rapporteur’s draft report contains a number of crucial improvements that deserve support: 

  • It suggests involving national judicial authorities whenever foreign data requests come in (amendments 127, 141, 142, 161); 
  • It fixes the Commission’s failed attempt to define workable data categories (amendments 90-97); and 
  • It enables online service providers such as ourselves to inform our customers about foreign data requests having taken place as long as that does not obstruct an ongoing investigation (amendments 163 and 164).

We strongly encourage you to support the above-mentioned amendments. 

In addition, the following provisions should be improved: 

  • The reimbursement of costs incurred from data access requests by the issuing authority should be mandatory (as proposed by MEP Sippel’s amendment 168), but the reimbursed amount should also be proportionate to the amount of data requested. This would help prevent fishing campaigns without suspicion, where a law enforcement agency demands large amounts of data in the hope of finding unrelated evidence. 
  • The draft report should mandate a secure way of authenticating and exchanging information between companies and law enforcement agencies. Currently, too often tech companies receive requests for data via fax machine or unsecured emails, putting the data that is transmitted in both directions at risk. It is particularly crucial for companies to be able to authenticate with absolute certainty the foreign authority they are communicating with in order to avoid the leakage of customer data to malicious actors. 

We stand ready to support your work in improving the e-evidence proposal and provide clear safeguards for European privacy tech companies and our users. 

We thank you for your consideration and remain at your full disposal to respond to any questions you may have.

