ProtonBlog

Everything wrong with the EU’s proposals for gathering electronic evidence


The European Commission recently submitted proposals for new rules governing how e-evidence is gathered by law enforcement agencies. E-evidence would include things like emails, messages, and other data related to a possible crime or investigation. It is certainly important that law enforcement can gather evidence and conduct thorough criminal investigations. However, just as there are laws governing how physical evidence is gathered that protect citizens’ privacy, we believe there should be similar laws for the gathering of e-evidence. 

We are concerned that the Commission’s new proposals will undermine these principles. That is why, this week, we co-signed a letter to members of the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE), calling for changes to the European Commission’s e-evidence proposal on cross-border access to data for law enforcement.

As we’ve often said in the past, we believe people have a right to privacy and the right to control their own data. While we would not be directly affected as we’re based in Switzerland rather than in the EU, it’s possible that our European users’ data on other platforms would be put at risk. We are also concerned that this would set a worrying precedent. It would make it easier for EU governments to gather information on foreign citizens from other EU nations with little to no oversight. In our view, this is a clear invasion of privacy and exactly the sort of action that we set up Proton Mail to combat. 

How the proposals put privacy at risk

The proposals from the European Commission could allow foreign law enforcement agencies from across the EU to force companies in Europe to hand over customer data without a local judge reviewing and approving the foreign order. 

European privacy companies have so far had a competitive advantage over their American competitors thanks to stronger data protection laws. Under the current rules, only the national judicial authority of the country where the company is based can order it to hand over customer data for a criminal investigation. However, the wording of the Commission’s proposal would make it difficult for companies to properly authenticate data requests to ensure they are not replying to a malicious actor — let alone object to an order they found to be unwarranted. Unlike their larger American rivals, many of these European privacy companies lack the legal resources to properly scrutinize every request as it comes in.

Why is this important?

While we will not be affected by the Commission’s proposals, if the amendments listed below are not adopted, this represents a regressive step for privacy in Europe. We believe everyone has the right to privacy and the right to control their own data. This is a human right, and it needs to be protected. Furthermore, the European Commission’s proposed law would put users’ data at risk and prevent European privacy companies from competing with their foreign rivals. We believe everyone, no matter who their email, data, or communications provider is, deserves to have their privacy respected.

What does the letter call for?

The letter was sent by Privacy Tech Europe, a loose coalition of European privacy tech companies. It calls on members of the European Parliament Committee on Civil Liberties, Justice and Home Affairs to support Rapporteur Birgit Sippel MEP’s proposed amendments and also suggests further ways that the law can be improved.

Sippel’s amendments try to support the legitimate needs of law enforcement while also preserving citizens’ privacy rights. The proposed reforms would require:

  • national judicial authorities to be involved whenever foreign data requests are submitted;
  • formally defined, workable data categories;
  • online service providers to be allowed to inform customers about foreign data requests, as long as that does not obstruct an ongoing investigation;
  • the issuing authority to reimburse costs incurred from a data access request; and
  • a secure way of authenticating and exchanging information between companies and law enforcement agencies.

Proton is protected from the EU’s ‘e-evidence’ proposals

We are in a fortunate position. Switzerland has some of the most privacy-conscious laws in the world, meaning our users receive a higher level of legal protection than users of many other companies. Being headquartered in a country outside of the EU means that we wouldn’t be directly impacted by this proposal. Also, since we do not collect data on our users, we would have very little information to share if we were ever served one of these foreign orders. However, we are still a member of the greater tech ecosystem, and something that negatively impacts privacy anywhere is still bad for the ecosystem as a whole. 

The letter can be read in full below. 

Best regards,
The Proton Mail Team


Dear Members of the LIBE Committee, 

This week, you will examine Rapporteur Birgit Sippel’s draft report on cross-border access to data for law enforcement (“e-evidence”). The undersigned European companies and start-ups urge you to support the many good proposals made by Rapporteur Sippel and to consider some key improvements to the file. 

WHO WE ARE 

As part of the flourishing European privacy tech industry, we provide highly secure data hosting, email, messaging and collaboration platforms built in Europe and for Europe. The privacy tech industry helps the EU, its businesses and citizens to strengthen their digital sovereignty and become more independent from the Big Data behemoths of Silicon Valley. We build software and online services with the needs of real businesses and people in mind, rather than for creepy advertisement and data collection.

THE PROBLEM 

The Commission’s e-evidence proposal threatens the competitive advantage European tech businesses have over their American counterparts by undermining the protections we can provide to our customers. It breaks with the long-standing rule that only trusted national judicial authorities can order companies to hand over customer data for criminal investigations. Instead, the Commission’s e-evidence proposal would allow any foreign law enforcement agency from across the EU to force us to hand out customer data without our own authorities double checking the foreign order. 

Unlike American Big Tech firms, European privacy tech companies lack the resources to verify the legality of each foreign order. Because of the way the e-evidence proposal is phrased, we would not even be able to properly authenticate foreign authorities to ensure that we are not replying to a malicious actor – let alone object to an order if we found it to be unwarranted.

HOW TO FIX IT 

The Rapporteur’s draft report contains a number of crucial improvements that deserve support: 

  • It suggests involving national judicial authorities whenever foreign data requests come in (amendments 127, 141, 142, 161);
  • It fixes the Commission’s failed attempt to define workable data categories (amendments 90-97); and 
  • It enables online service providers such as ourselves to inform our customers about foreign data requests having taken place as long as that does not obstruct an ongoing investigation (amendments 163 and 164).

We strongly encourage you to support the above-mentioned amendments. 

In addition, the following provisions should be improved: 

  • The reimbursement by the issuing authority of costs incurred from data access requests should be mandatory (as proposed by MEP Sippel’s amendment 168), but the reimbursed amount should also be proportionate to the amount of data requested. This would help prevent fishing campaigns without suspicion, where a law enforcement agency demands large amounts of data in the hope of finding unrelated evidence.
  • The draft report should mandate a secure way of authenticating and exchanging information between companies and law enforcement agencies. Currently, tech companies too often receive requests for data via fax machine or unsecured emails, putting the data that is transmitted in both directions at risk. It is particularly crucial for companies to be able to authenticate with absolute certainty the foreign authority they are communicating with, in order to avoid the leakage of customer data to malicious actors.

We stand ready to support your work in improving the e-evidence proposal and provide clear safeguards for European privacy tech companies and our users. 

We thank you for your consideration and remain at your full disposal to respond to any questions you may have.
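Both the blog’s last bullet and the letter’s final point ask for a secure way of authenticating the requesting authority and exchanging data, in place of fax machines and unsecured email. The following Python program is an added illustration of what such a check looks like on the provider’s side; it is not code from Proton or Privacy Tech Europe, and the law proposes no specific mechanism. It assumes a registry of trusted authorities with pre-shared keys (HMAC-SHA256 over a canonical JSON body), which stands in for whatever key distribution the final rules would prescribe; the authority identifiers, secrets and request contents are constructed placeholders. The point it makes is that a request which cannot be tied to a known authority, has been altered in transit, is stale, or is being replayed should never reach the team that looks up customer data.

```python
import copy
import hashlib
import hmac
import json
import time
from typing import Optional, Set, Tuple

# Constructed registry of authorities the provider has been told to trust.
# A real deployment would distribute keys out of band (for example through
# certificates issued under an EU-operated PKI); these pre-shared secrets are
# placeholders that exist only to keep the demo self-contained.
AUTHORITY_KEYS = {
    "EXAMPLE-AUTHORITY-A": b"placeholder-secret-for-authority-a",
    "EXAMPLE-AUTHORITY-B": b"placeholder-secret-for-authority-b",
}

MAX_AGE_SECONDS = 300  # requests older (or newer) than this window are rejected


def canonical_bytes(body: dict) -> bytes:
    """Serialise the request body deterministically so both sides sign identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_request(authority_id: str, key: bytes, request_id: str,
                 issued_at: int, payload: dict) -> dict:
    """Build the signed envelope an issuing authority would transmit."""
    body = {
        "authority_id": authority_id,
        "request_id": request_id,
        "issued_at": issued_at,
        "payload": payload,
    }
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": tag}


def verify_request(envelope: dict, seen_request_ids: Set[str],
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Check origin, integrity, freshness and uniqueness before acting on a request.

    Returns (accepted, reason). Only an accepted request should be passed on to
    whoever is allowed to look up customer data.
    """
    now = int(time.time()) if now is None else now
    body = envelope.get("body", {})
    key = AUTHORITY_KEYS.get(body.get("authority_id"))
    if key is None:
        return False, "unknown authority"
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, str(envelope.get("signature", ""))):
        return False, "bad signature"
    issued_at = body.get("issued_at")
    if not isinstance(issued_at, int) or abs(now - issued_at) > MAX_AGE_SECONDS:
        return False, "stale or future-dated request"
    request_id = body.get("request_id")
    if not request_id or request_id in seen_request_ids:
        return False, "replayed or missing request id"
    seen_request_ids.add(request_id)
    return True, "accepted"


def demo() -> dict:
    """Run constructed scenarios through the verifier and return each verdict."""
    now = 1_700_000_000  # fixed clock so the results are reproducible
    seen: Set[str] = set()
    key_a = AUTHORITY_KEYS["EXAMPLE-AUTHORITY-A"]
    payload = {"account": "user@example.invalid", "scope": "subscriber data"}

    genuine = sign_request("EXAMPLE-AUTHORITY-A", key_a, "req-0001", now, payload)

    tampered = copy.deepcopy(genuine)
    tampered["body"]["payload"]["scope"] = "full mailbox"  # altered after signing

    impostor = sign_request("EXAMPLE-AUTHORITY-Z", b"attacker-chosen-key",
                            "req-0002", now, payload)  # not in the registry

    stale = sign_request("EXAMPLE-AUTHORITY-A", key_a, "req-0003",
                         now - 3600, payload)  # genuine key, hour-old timestamp

    return {
        "genuine": verify_request(genuine, seen, now)[1],
        "replay": verify_request(genuine, seen, now)[1],
        "tampered": verify_request(tampered, seen, now)[1],
        "impostor": verify_request(impostor, seen, now)[1],
        "stale": verify_request(stale, seen, now)[1],
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:>9}: {verdict}")
```

The order of checks matters: the authority lookup and signature check come first so that an unauthenticated sender cannot learn anything from the freshness or replay logic, and the request identifier is only recorded once every other check has passed, so a rejected request cannot poison the replay cache. Swapping the pre-shared keys for certificate-based signatures would leave the structure of the check unchanged.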

You can get a free secure email account from Proton Mail here.

We also provide a free VPN service to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support.


Proton Team

We are scientists, engineers, and specialists from around the world drawn together by a shared vision of protecting freedom and privacy online. Proton was born out of a desire to build an internet that puts people before profits, and we're working to create a world where everyone is in control of their digital lives.
