As the business world waits for the General Data Protection Regulation to become effective on May 25, 2018, big news about additional possible legislation broke today. According to Reuters, the new law would make it possible for law enforcement authorities to access personal data located on servers outside of the European Union. Statements made by the EU Justice Commissioner indicate that the EU is moving away from its position advocating for greater data privacy. Vera Jourova criticized current methods for cross border discovery as "very slow and non-efficient". The proposed law would bypass Multilateral Legal Assistance Treaties (MLATs) in cases where a suspect was charged with a crime carrying a potential sentence of three years or more.
This news comes one day before the Supreme Court of the United States hears oral arguments in United States v. Microsoft. In that case, the Court will decide if a warrant issued under the Stored Communications Act can compel American companies to produce data stored on servers located in foreign countries. Microsoft declined to compile with a warrant that requested emails relevant to a drug trafficking case that were stored on servers located in Ireland.
The Reuters report quotes the Microsoft vice president for EU Government affairs as saying with respect to the proposed EU law that, "I think the international law is pretty clear that police jurisdiction exercised outside your territory infringes the sovereignty of other countries."
Interestingly, the amicus brief filed by the European Commission in United States v. Microsoft, states that:
"Any domestic law that creates cross-border obligations—whether enacted by the United States, the European Union, or another state—should be applied and interpreted in a manner that is mindful of the restrictions of international law and considerations of international comity. The European Union’s foundational treaties and case law enshrine the principles of 'mutual regard to the spheres of jurisdiction' of sovereign states and of the need to interpret and apply EU legislation in a manner that is consistent with international law/"
. . . and further that:
"The GDPR thus makes 'mutual legal assistance treaties,' or MLATs,the preferred option for transfers. Such treaties provide for collection of evidence by consent, and embody a carefully negotiated balance between the interests of different states that is designed to mitigate jurisdictional conflicts that can otherwise arise."