Concerns Raised About Potential EU LegislationMeasure, Not Yet Drafted, Would Seek Broader Power to Seize Data
Some security experts in Asia are raising concerns about legislation the European Union might soon consider that, if enacted, would force technology and social media companies to hand over customer data held outside the EU so it can be used in criminal investigations.
See Also: Why CASBs Matter to Cloud Security
The measure, which is still being drafted, is expected to go before lawmakers and EU member states at the end of March, Reuters reports.
The proposed legislation would apply to the personal data of people in any nation, not just EU citizens, as long as their information is relevant to an European investigation, according to Reuters.
Some legal experts in Asia say the proposal, if enacted into law, would prove difficult to enforce in the region and elsewhere because of the issue of the EU's lack of jurisdiction outside Europe.
"Unless it's a matter of national sovereignty or terrorist attacks, I don't see countries allowing information to move out," says Indian attorney Pavan Duggal. "The problem is if for routine investigations companies are expected to share data. In such cases, I see a massive implementation issue [of the proposed legislation]. No country will allow companies to share data randomly."
With the "right to privacy" gaining momentum across the globe, many countries are enacting new privacy laws. India, for example, plans to come up with a data protection law by year's end.
In cases where the privacy law of a country doesn't allow sharing of data with authorities in other nations, companies will have to comply with the local law, some security experts say.
"Though most privacy laws across the globe make an exception for matters of national security, a company has to ... take into consideration the privacy laws of their residing country before deciding to share data," says Vicky Shah, a cyber law expert based in India. "In case of a conflict, the matter will be referred to the International Court of Justice."
A Singapore-based legal expert, who asked not to be named, says the EU proposal, if enacted, should be used sparingly. "In order for any law to be meaningful, the individual(s) perpetrating a crime must be identifiable and the law itself must be enforceable," he says. Companies should share data "only if the request has a national security perspective," the legal expert says.
The main objective behind the proposed legislation, some cyber experts say, appears to be to speed up the process of crime fighting in the digital age.
The proposal would give European prosecutors the power to compel companies to hand over data, bypassing an existing legal channel, the Mutual Legal Assistance Treaty, or MLAT. The treaty has been widely criticized for being unwieldy and slow.
European Justice Commissioner Vera Jourova told Reuters the current method for accessing evidence from those in another nation was "very slow and non-efficient" and that law enforcement had to be quicker than criminals.
Gulf Cooperation Council-based cybersecurity expert Samir Pawaskar notes: "From what little is available, it seems [the EU proposal] is law enforcement legislation specifically being drafted to facilitate and speed up investigations involving cross-border."
The measure being drafted, according to Reuters, would enable the EU to request information from other nations about individuals involved in international drug trafficking, child trafficking, criminal cases and cases endangering national security.
"When cases like data leaks are filed or cases pertaining to prevention of money laundering acts or when IT infrastructure is located in another country for any case being investigated, the proposed legislation will help in getting the required information," says Prashant Mali, a Bombay high court lawyer and cybersecurity expert.
In a significant, ongoing cross-border data sharing case, the U.S. Supreme Court is currently considering a case involving Microsoft protesting government efforts to force the company to share data it stores on servers located in Ireland.