The clash of codes – conflicts of laws in government data access and how to resolve them

25 Nov 2019 11:40h - 12:40h

Event report

[Read more session reports and updates from the 14th Internet Governance Forum]

The panel on this session presented the challenges in resolving the conflict of laws in international data governance, specifically in relation to gathering digital evidence in criminal proceedings.

Crimes online do not respect state borders. Many serious crimes, such as organised crime, money laundering, terrorism, and exploitation of children take place online or via electronic means. This leads to evidence in criminal cases in electronic format and the need for service providers to assess it. Even if the crime as such is local, the evidence needed may be stored in a third country. Conflicts of laws ensue due to differing regulations on conditions and procedures to access such data.

In discussing the procedure of requesting evidence in digital form from foreign countries, Ms Alexandra Jour-Schroeder (Deputy Director-General, DG Justice and Consumers, European Commission) noted that the current procedure of requests for assistance is not effective and the delays cause data not be available. The objective of the EU E-evidence proposal is not only to make criminal investigations more effective, but to take a new approach in safeguarding and respecting the rights of those under suspicion and General Data Protection Regulation (GDPR). Presenting the US Cloud Act, Ms Jennifer Daskal (Associate Professor of Law at American University Washington College of Law & Center for Strategic and International Studies) explained that it authorises the US government to conclude an executive agreement with foreign states allowing direct request of evidence from service providers on individuals (not US residents or citizens). Such agreements must satisfy a host of criteria related to the use of data and compliance with the rule of law. The first of such agreements was concluded between the US and the UK last month.

In addressing the obligations of service providers when receiving a request for providing information, Jour-Shroeder pointed out considerations related to conflicts in different regulations of obligations of service providers; for example, a service provider receiving a request for information when their national regulation does not allow passage of such data. Daskal explained that in the USA, under the Cloud Act the US government can compel disclosure orders on US companies applicable to data in possession, custody or control of those companies without regard to the location. Mr Ulrich Kelber (German Federal Commissioner for Data Protection and Freedom of Information) noted that both the Cloud Act and the EU E-evidence proposal remove authorities from the process of gathering evidence, leaving it up to private companies to comply. Kelber suggests involving the authorities of the EU member state of the service provider, via notifications to the authorities.

The participants agreed that a need exists to balance the rights and effectiveness of criminal proceedings. Also, distinctions need to be made between the reasons service providers are not allowed to share evidence, such as economic rights (fines) or protection of human rights of investigated persons (putting someone in danger of persecution). Ms Sofía Jaramillo Otoya (Legal Advisor to the UN Special Rapporteur on Freedom of Expression and Digital Rights Fellow, University of California Irvine) presented additional views on human rights aspects, stating that legal provisions and mechanisms are in place. She highlighted initiatives within the UN, such as the Human Rights Council’s guiding principles on business and human rights, which include the obligation of companies to respect human rights. She emphasised the right to privacy and the right to freedom of expression as being the most violated when it comes to sharing information.

With regards to solutions, the panellists discussed the possibility of an international agreement on conflicts of jurisdiction and of bilateral agreements establishing deadlines for providing data and to guarantee data protection.

By Pavlina Ittelson