
Everything wrong with the EU’s proposals for gathering electronic evidence

The European Commission recently submitted proposals for new rules governing how e-evidence is gathered by law enforcement agencies. E-evidence would include things like emails, messages, and other data related to a possible crime or investigation. It is certainly important that law enforcement can gather evidence and conduct thorough criminal investigations. However, just as there are laws governing how physical evidence is gathered that protect citizens’ privacy, we believe there should be similar laws for the gathering of e-evidence. 

We are concerned that the Commission’s new proposals will undermine these principles, which is why, this week, we co-signed a letter to members of the European Parliament Committee on Civil Liberties, Justice and Home Affairs, calling for changes to the European Commission’s e-evidence proposal on cross-border access to data for law enforcement.

As we’ve often said in the past, we believe people have a right to privacy and the right to control their own data. While we would not be directly affected as we’re based in Switzerland rather than in the EU, it’s possible that our European users’ data on other platforms would be put at risk. We are also concerned that this would set a worrying precedent. It would make it easier for EU governments to gather information on foreign citizens from other EU nations with little to no oversight. In our view, this is a clear invasion of privacy and exactly the sort of action that we set up Proton Mail to combat. 

How the proposals put privacy at risk

The proposals from the European Commission could allow foreign law enforcement agencies from across the EU to force companies in Europe to hand over customer data without a local judge reviewing and approving the foreign order. 

Previously, European privacy companies had a competitive advantage over their American competitors due to better data protection laws. Under the current rules, only the national judicial authority of the country where the company is based can order it to hand over customer data for a criminal investigation. However, the wording of the Commission’s proposal would make it difficult for companies to properly authenticate data requests to ensure they are not replying to a malicious actor — let alone object to an order if they found it to be unwarranted. Unlike their larger American rivals, in many cases these European privacy companies don’t have the legal resources required to properly scrutinize all requests as they come in.

Why is this important?

While we will not be affected by the Commission’s proposals, if the amendments listed below are not adopted, this represents a regressive step for privacy in Europe. We believe everyone has the right to privacy and the right to control their own data. This is a human right, and it needs to be protected. Furthermore, the European Commission’s proposed law would put users’ data at risk and prevent European privacy companies from competing with their foreign rivals. We believe everyone, no matter who their email, data, or communications provider is, deserves to have their privacy respected.

What does the letter call for?

The letter was sent by Privacy Tech Europe, a loose coalition of European privacy tech companies. It calls on members of the European Parliament Committee on Civil Liberties, Justice and Home Affairs to support Rapporteur Birgit Sippel MEP’s proposed amendments and also suggests further ways that the law can be improved.

Sippel’s amendments try to support the legitimate needs of law enforcement while also preserving citizens’ privacy rights. The proposed reforms would require: 

  • National judicial authorities be involved whenever foreign data requests are submitted.
  • Formally defined workable data categories. 
  • Online service providers be allowed to inform customers about foreign data requests as long as that does not obstruct an ongoing investigation.
  • The issuing authority to reimburse costs incurred from a data access request. 
  • A secure way of authenticating and exchanging information between companies and law enforcement agencies. 

Proton is protected from the EU’s ‘e-evidence’ proposals

We are in a fortunate position. Switzerland has some of the most privacy-conscious laws in the world, meaning our users receive a higher level of legal protection than users of many other companies. Being headquartered in a country outside of the EU means that we wouldn’t be directly impacted by this proposal. Also, since we do not collect data on our users, we would have very little information to share if we were ever served one of these foreign orders. However, we are still a member of the greater tech ecosystem, and something that negatively impacts privacy anywhere is still bad for the ecosystem as a whole. 

The letter can be read in full below. 

Best regards,
The Proton Mail Team


Dear Members of the LIBE Committee, 

This week, you will examine Rapporteur Birgit Sippel’s draft report on cross-border access to data for law enforcement (“e-evidence”). The undersigned European companies and start-ups urge you to support the many good proposals made by Rapporteur Sippel and to consider some key improvements to the file. 

WHO WE ARE 

As part of the flourishing European privacy tech industry, we provide highly secure data hosting, email, messaging and collaboration platforms built in Europe and for Europe. The privacy tech industry helps the EU, its businesses and citizens to strengthen their digital sovereignty and become more independent from the Big Data behemoths of Silicon Valley. We build software and online services with the needs of real businesses and people in mind, rather than for creepy advertisement and data collection.

THE PROBLEM 

The Commission’s e-evidence proposal threatens the competitive advantage European tech businesses have over their American counterparts by undermining the protections we can provide to our customers. It breaks with the long-standing rule that only trusted national judicial authorities can order companies to hand over customer data for criminal investigations. Instead, the Commission’s e-evidence proposal would allow any foreign law enforcement agency from across the EU to force us to hand out customer data without our own authorities double checking the foreign order. 

Different from American Big Tech firms, European privacy tech companies lack the resources to verify the legality of each foreign order. Because of the way the e-evidence proposal is phrased, we would not even be able to properly authenticate foreign authorities to ensure that we are not replying to a malicious actor – let alone object to an order if we found it to be unwarranted. 

HOW TO FIX IT 

The Rapporteur’s draft report contains a number of crucial improvements that deserve support: 

  • It suggests involving national judicial authorities whenever foreign data requests come in (amendments 127, 141, 142, 161);
  • It fixes the Commission’s failed attempt to define workable data categories (amendments 90-97); and 
  • It enables online service providers such as ourselves to inform our customers about foreign data requests having taken place as long as that does not obstruct an ongoing investigation (amendments 163 and 164).

We strongly encourage you to support the above-mentioned amendments. 

In addition, the following provisions should be improved: 

  • The reimbursement of costs incurred from data access requests by the issuing authority should be mandatory (as proposed by MEP Sippel’s amendment 168) but the reimbursed amount should also be proportionate to the amount of data requested. This would help prevent fishing campaigns without suspicion where a law enforcement agency demands large amounts of data in the hope of finding unrelated evidence.
  • The draft report should mandate a secure way of authentication and of exchanging information between companies and law enforcement agencies. Currently, too often tech companies receive requests for data via fax machine or unsecured emails, putting the data that is transmitted in both directions at risk. It is particularly crucial for companies to be able to authenticate with absolute certainty the foreign authority they are communicating with in order to avoid the leakage of customer data to malicious actors. 

We stand ready to support your work in improving the e-evidence proposal and provide clear safeguards for European privacy tech companies and our users. 

We thank you for your consideration and remain at your full disposal to respond to any questions you may have.

You can get a free secure email account from Proton Mail here.

We also provide a free VPN service to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support.
