Criminal justice in cyberspace – more of everything? – WS 11 2019: Difference between revisions

From EuroDIG Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
(9 intermediate revisions by 2 users not shown)
Line 1: Line 1:
20 June 2019 | 14:00-15:30  | YANGTZE 2 | [[image:Icons_live_20px.png | Video recording | link=https://youtu.be/Rd7vQ_uxuEk]] | [[image:Icon_transcript_20px.png | Transcription | link=#Transcript]]<br />
[[Consolidated programme 2019|'''Consolidated programme 2019 overview''']]<br /><br />
[[Consolidated programme 2019|'''Consolidated programme 2019 overview''']]<br /><br />
Title: <big>'''Criminal justice in cyberspace – more of everything?'''</big><br /><br />
Proposals assigned to this session: ID 35, 36, 39, 130, 200, 204, 206 – [https://www.eurodig.org/fileadmin/user_upload/eurodig_The-Hague/statistik_proposals_all/proposals_for_2019_2018-12-04__01_final_web_IDs_ver1.pdf list of all proposals as pdf]<br /><br />
Proposals assigned to this session: ID 35, 36, 39, 130, 200, 204, 206 – [https://www.eurodig.org/fileadmin/user_upload/eurodig_The-Hague/statistik_proposals_all/proposals_for_2019_2018-12-04__01_final_web_IDs_ver1.pdf list of all proposals as pdf]<br /><br />
== <span class="dateline">Get involved!</span> ==  
== <span class="dateline">Get involved!</span> ==  
Line 50: Line 50:
'''Key Participants'''
'''Key Participants'''


*Lise Fuhr, Director General, European Telecommunications Network – [https://etno.eu/about/team.html Link to profile]  
*Paolo Grassia, Director of Public Policy, European Telecommunications Network Operators' Association (ETNO) – [https://etno.eu/about/team.html Link to profile]  
*Markko Kunnapu, Advisor to the Ministry of Justice of Estonia, Member of the Cybercrime Convention Committee Bureau - [https://www.linkedin.com/in/markko-k%C3%BCnnapu-26791419/ LinkedIn]
*Markko Kunnapu, Advisor to the Ministry of Justice of Estonia, Member of the Cybercrime Convention Committee Bureau - [https://www.linkedin.com/in/markko-k%C3%BCnnapu-26791419/ LinkedIn]
*Acadia Senese, Legal Counsel, Law Enforcement & Information Security, Google - [https://www.linkedin.com/in/acadia-senese-a296925/ LinkedIn]
*Acadia Senese, Legal Counsel, Law Enforcement & Information Security, Google - [https://www.linkedin.com/in/acadia-senese-a296925/ LinkedIn]
*Gregory Mounier, Head of Outreach at European Cybercrime Centre (EC3), EUROPOL - [https://www.linkedin.com/in/gregory-mounier-7a84448b/ LinkedIn]
*Philipp Amann, Head of EC3 Strategy at European Cybercrime Centre (EC3), EUROPOL
*Stanislaw Tosza, Assistant Professor, Utrecht University - [https://www.uu.nl/medewerkers/STTosza link to the profile ]
*Stanislaw Tosza, Assistant Professor, Utrecht University - [https://www.uu.nl/medewerkers/STTosza link to profile ]


'''Moderator'''
'''Moderator'''
Line 84: Line 84:


== Messages ==   
== Messages ==   
A short summary of the session will be provided by the Reporter.
*Criminal justice instruments should provide for safeguards to ensure that the fundamental principles are respected, including principles of proportionality, necessity, legality.
*Increasing digital literacy in law enforcement, judiciary (prosecution and judges), and telecom operators is crucial.
*It is important that the Second Draft Protocol to the Budapest Convention on Cybercrime works for everyone, including non-EU countries, and conditions, safeguards, and notifications have to be present.


== Video record ==
== Video record ==
Will be provided here after the event.
https://youtu.be/Rd7vQ_uxuEk


== Transcript ==
== Transcript ==
Will be provided here after the event.
Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-800-825-5234, www.captionfirst.com
 
 
''This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.''
 
 
>> TATIANA TROPINIA: I guess we can start. Anyone that comes to the room can catch up. Hello, everyone. My name is Tatiana Tropina. I'm from Germany, and I'm a co-moderator with this session together with Irina Drexler. For you who are in the room and not speakers, any time you have a question or comment, just raise your hand. I'm watching you all. This is why I'm standing. And I'm keeping the time.
 
We'll talk today about criminal justice in cyberspace. We have a long tradition at EuroDIG having sessions on cybercrime, but we personally think that the term cybercrime is not applicable anymore. It's too narrow, because any crime nowadays can leave digital traces. The same instruments that were used to investigate cybercrimes are nowadays used to investigate basically any crime. Law enforcement urgently needs access to data. How do we solve these problems?
 
If you look at the recent political context, you will see that from both sides of Atlantics we have virus proposals on how to make life of law enforcement easier and facilitate access to data without, for example, judicial authorization. We have in the U.S. and European proposals for evidence regulation, which basically change the current system of legal assistance where request of data has to be approved in both countries. Under new proposals, they will be sent to Internet providers without the need for approval. How do we deal with the criminal justice in cyberspace -- more of everything? Less of everything? What do we need to solve the problems and are we going the right way.
 
I have really truly amazing panel who will discuss these together with you. So just from my right habitant side we have Phillip Amann from the Europol Cybercrime Center. We have Markko Kunnapu from Minister of Justice of Estonia. We have Paolo Grassia, from Telecommunications Network Association of communication providers, and we have Acadia Senese from Google. I will start with Markko, who probably can give us a short overview of those proposals about access to electronic evidence and tell us where they're good, where they're bad, what they bring for law enforcement, and what is his perspective on this.
 
Markko, the floor is yours.
 
>> Markko Kunnapu: Good afternoon. First, I think it's not a surprise to you in order to investigate criminal offenses, not only cybercrime, but any offenses, you need access to computer data. You need access to electronic evidence. The problem is that often when people use the services offered by different service providers, the question that sometimes we know that the data is in our own territorially and we can use domestic procedures, which won't be a big problem. But often computer data that we need to use as evidence in criminal proceeding is stored somewhere abroad. And so far the cooperation between the States, cooperation between law enforcement and service providers, it has worked to certain extent, but it's not perfect. There are some flaws. There are some problems. Then all this have created great challenges, huge challenges for the law enforcement authorities all over the Europe. I could also say all over the world. So, therefore, we need something additional, something actually which would -- I wouldn't say replace, but maybe complement existing legal assistance, frameworks, and then also those cooperation frameworks based on voluntary cooperation.
 
Right now European Union and Council of Europe has been working on finding binding legal framework that would enable law enforcement authorities in one country to access or to obtain electronic evidence in another country. Of course, both instruments to provide for procedures, conditions and safeguards, as well as remedies. As regards the Council of Europe, discussions on the second edition, convention of cybercrime, have been taking place for years already. Since the cybercrime convention committee has been negotiating and then drafting the text of the protocol. Nothing has been agreed. Nothing has been finalized yet. Work is still going on.
 
Last year, also, European Union came out with a so-called E-Evidence Proposal, which consists of regulation and directive and also the main purpose idea is to provide binding legal framework that would enable EU law enforcement authorities to get more easily data from service providers who often are not located in our own territories, but in other countries. Again, the connection, the authorizing services online. People are using them. If it happens to be a victim or suspect, then we need this information.
 
Right now, it is to some extent, possible to get this data from abroad, as I mentioned, voluntarily cooperation exists to certain currently, but it's not working perfectly. When we talk about mutual legal assistance, MLA, again, it is slow, too bureaucratic. Again, those cooperation regime frameworks that have been developed decades ago, they were not designed to address electronic evidence; therefore, in order to meet the current challenges and technological developments in particular cloud computing, we need something additional, something new. This is what both EU and the Council of Europe have been doing.
 
>> Tatiana Tropina: Thank you very much, Markko. If there are no immediate questions or interventions, I would like to pass the floor to Paolo. I know ETNO had a strong position. I picked a couple of points from Markko introduction. Do you think these frameworks would complement legal assistance and what, from your perspective, is more easily accessed to data, seeing this is basically what ETNO was trying to reflect on? Could you provide us with your perspective?
 
>> Paolo Grassia: Yes. Thank you, Tatiana. And for whom the people that don't know ETNO, we do represent European telecom operators network operators. It's important because we do have a pretty long-standing history of cooperation of man -- mandated cooperation with law enforcement authorities, and second, because the information carried through our networks is pretty relevant to law enforcement.
 
And to pick your point, I would like to also note one element of the -- two elements, actually, of the assessment of the European Commission attached to the proposal. The first element is that 90%, roughly, of cross-border access requests are addressed to five companies only, Google, Microsoft, Facebook, Apple, and Twitter, which means that this proposal is originally designed to solve issues in accessing data stored by five companies, but it is much broader than that.
 
The second one is also that refers to the earlier intervention, is that the impasse assessment is the problem is these companies and the storing of capacity of these companies may not be based and distributed in European countries, but they may be avail themselves centralized storing system. That's where perspective. We are conscious that these proposals would impact majorly, but we do have a history of mandated cooperation with local authorities, because attached to our license to operate with our members in European markets, there are obligations to disclose data and collaborate with law enforcement authorities. That's a system that has been in place for a long time and works pretty well.
 
Indeed, every request of access to data law enforcement interception needs to be based on a legal order by national authorities. Usually, this legal order has to be communicated to the provider through a series of standards, MOUs, service level agreements, and technical specificities. Some are like details, but they're not. With the E-Evidence Proposal, if a telecom operator would be exposed to from 26 other Member States, telecom operators would have to put in place secure channels of communication, accreditation, and standards with 26 or 27 Member States, which is -- well, a bit unfeasible. The European Commission, in their defense, said they had been working with Member States on development of the platform to secure a centralized communication, but this is kind of the chicken or the egg. Do we want the legislation first and then think about a technical solution first, or do we want to have a technical solution before legislation is in place. Companies have to abide by legislation once it is in place.
 
My point that I would like to stress before leaving the floor to the others is that at the core of our position, for all the considerations that I mentioned above, is that territorially jurisdiction is the key, is really has been at the core of the collaboration with authorities to whom our members interface. It is what guarantees that, as I say, there are standards. There are security channels in place that make us comfortable, that a legal order is based on the legal basis, and that respects also the fundamental rights of the concerned people. The more we do stretch the boundaries, the limit of territorial jurisdictions, the less secure this collaboration becomes, just because operators can't ensure that the same standards can be applied to collaboration with 27 or 26 Member States.
 
So I would like to leave you with that. Our core message is we do commend in part the objective. We understand the challenges of the law enforcement prosecutors and the judiciary, but the system of collaboration from the telecom perspective is working pretty well. We shouldn't risk breaking it by trying to solve it.
 
>> Tatiana Tropina: Thank you very much, Paolo. I see a question. One moment. I'm going to bring the microphone.
 
>> Audience: Thank you very much. I'm now working at EuroJuc. I was working for digital Europe also had a very strong position. You're being very diplomatic, but do I understand your concerns to basically mean because in certain EU Member States there's a different level of protection of fundamental rights and the rule of law, for example, one of the Member States is actually being investigated by the European Commission, and that, therefore, some of your members, teleco operators would be passing information. The E-Evidence says you can then start a case and say, actually, I don't want to do this. The teleco that I know best tells me they would never do that and they would just hand over the information.
 
I'm not familiar with your strongly worded opposition. Could you give us a little bit less diplomatic? You're in Holland, maybe a more Dutch way of saying what's wrong with it?
 
>> Paolo Grassia: Sure. I think because of -- yeah. I will say and mention all the safeguard, actually, usually telecos do not opine on the orders they do receive. They just receive. They are comfortable that they are legal and they just execute. There is, according to transparency reportings, but also interviews with our members, there is a very negligible share of requests that gets rejected just because the legal basis is not current enough or just because of formal problems. Members know they do not have to carry out the legality check.
 
If Dutch operator would receive a request from Polish authorities, from Spanish authorities, who would ensure that the legal basis and the legal safeguards are equivalent to those in place in the Netherlands if they're not validated by an authority in the Netherlands?
 
There are some assurances given from the commission that operators do not have to carry out the proportionality check, legality check, just have to execute. But that's not how it happens in practice, just because if some violation of fundamental rights happens, in the end the liability would be upon the operators. That's the point. Also, that's what makes members uncomfortable and then there is also a host of barriers, practical questions, for example, emergency procedures disclosure in six hours. It's much tighter than the timing that is afforded by their national authorities. So they find themselves in the situation of having to -- the privilege of request that comes from a foreign authority, then the request of the home authorities, which would be a bit ironic.
 
There are many, many, let's say, misgivings. And I missed to mention in my intervention is our proposal is to bring back the process closer to the authority, to the national authorities. So to have a stronger involvement of the authorities in the Member States where the telecos operate, so that the national authorities act as an intermediary between the foreign one and the operators and the operators remain sure that the requests that land on their desk are validated according to their legal standards.
 
>> Tatiana Tropina: Thank you very much. And I would like to give the floor to Acadia from Google. Are you comfortable with this proposal?
 
>> Acadia Senese: So Google is, by the nature of its tolling, and by the designation of Google LLC as a U.S. entity, situated wholly differently than, certainly, the European teleco operators, and has a different perspective with respect to the E-Evidence Proposal.
 
With respect to the E-Evidence regulation, Google on the whole supports the regulation. Google supports modernization of cross-border access to user information. This regulation is a significant step forward in modernizing and harmonizing cross-border access within the European Union. Before the E-Evidence regulation, this kind of framework did not exist and it is true that what that meant for companies like Google, who are based in the United States, who are subject to U.S. law, is that Google was left to navigate conflicting legal obligations, different patch works of legal requirements across Europe, and Google historically has utilitized its ability under U.S. law to categorize information directly to European authorities. We have only done so if we were sure that the request that Google received was valid and otherwise met the requirements of the issuing jurisdiction.
 
So if you can imagine, that left Google in the position of having to understand the local and national requirements of every jurisdiction in Europe. We actually have quite an internal library of what all the requirements are in all the different jurisdictions.
 
From Google's perspective, having those requirements harmonized, accompanying those harmonized requirements with safeguards, albeit a side comment here, the safeguards containing the E-Evidence, I think certainly could be improved, most notably on the notification measures. I'll come back to that in a minute. But on the whole E-Evidence, it's a significant step forward in creating a harmonious framework across Europe.
 
That said, I think there are provisions of the E-Evidence and Google published a position paper on the commissions text for the E-Evidence regulation. But as it's evolved, there are portions of the regulation, most notably a penalty provision, that I think create disincentives for companies to ever question the validity or the sufficiency or the propriety of a law enforcement request.
 
What I mean by that is under the current text that contains a severe penalty for noncompliance, what that does is incentivize a service provider to always produce data and to never question, not that service providers want to be in a position of having to question or confirm the validity of a European production order, but that to the extent that a provider might have uncertainty about a request they would choose to disclose rather than raise an objection, rather than face that penalty.
 
So one of the things about the E-Evidence regulation is that -- and I think it's not necessarily a bad thing, but in an effort to modernize legislation and in an effort to give law enforcement expeditious access to data, as they should have when they're conducting legitimate law enforcement investigations, many of which are time sensitive, and in recognition that the MLAP processes are too slow, too antiquated and too difficult, E-Evidence solves those things. But because E-Evidence creates a mechanism by which an issuing authority can go directly to a service provider outside of its jurisdiction, it has eliminated the role of normally what would be the central authority in the receiving jurisdiction.
 
Having eliminated that role, some of the obligations of the central authority has now shifted to the service provider, or having not shifted, has eliminated sort of the check that a requesting jurisdiction -- a receiving jurisdiction central authority would otherwise do. Coming back then to the notification piece, that can be solved by robust notification measures. So at the moment, the E-Evidence regulation effectively prohibits service providers from notifying their users or customers about the existence of a demand. Google thinks that notice should be the norm and only by exception should notice be prohibited. The reason is that a user or customer's best position to evaluate if any of their fundamental rights or privileges are unlawfully implicated by the request, but another notification procedure could simply be that any issuing authority has to notify the central authority of an impacted Member State, meaning that if I'm the issuing authority in France and I'm seeking information about a German user, as the issuing authority, I would have to notify the German authority, and the Germans could themselves decide whether or not to intervene in the request and assert any objections. This would place back to governments the role of evaluating the propriety of the request, and the one way to do it in the regulation is to create that notification procedure.
 
I could go on all afternoon. I'll stop, but with that, on the whole, we think this is a good step forward. We think that the E-Evidence regulation could help support and serve the foundation of an EU/U.S. cloud act agreement as well. I think both of these instruments are positive developments in terms of modernize go surveillance legislation.
 
>> Tatiana Tropina: Thank you very much, Acadia. We focused on the role of providers and on the power of providers and responsibilities of providers. And I want to give the floor to Stanislaw who might provide us with a more legal of the criminal procedures safeguards from his perspective.
 
>> Stanislaw Tosza: Thank you, Tatiana. Thank you. I want to bring to the table a legal concept which hasn't been mentioned yet. Picking up from what which is mutual recognition. This is not the forum to talk about international cooperation, but let's not forget, this is based on the mutual recognition. It's Article 82, which allows the create instruments which are based on the mutual recognition. Which is mutual recognition? It's a step forward from mutual legal assistance, meaning that one Member State in principle recognizes the validity of a decision of another Member State. This is the idea.
 
In practice, European arrest warrant, the classic instrument of mutual recognition that has been working for the past more than 15 years quite well, which means a French authority issues a European arrest warrant to get somebody from Germany, sends it to Germany, and the authorities in Germany do just a basic limited check of this order and then send the person to France. This is the idea.
 
Now, here what happened is that we agreed with the authority in that state. I claim this is a quantum leap of mutual recognition and mutual trust for two reasons: One reason is that the grounds for refusal are limited in this proposal, are much more limited if the authority is engaged, which as we know happens in case there are problems with the execution when the service provider resists the order, then the authority of that country can come back. Then they have some grounds for refusal, much more limited than in the other mutual recognition instruments, like European arrest warrant or European investigation order.
 
But what is more important is that what Acadia said, the order goes directly to the service provider and in principle the service provider should send the data. Nobody is checking it. If they do send it, the authorities in that country are not engaged. What it means is, as you said, that the commission, the proposal, the memorandum can say that the service providers have nothing to say. In theory, yes; in practice, no. They work, in my opinion, but this is what I just had, according to different logic, which is a business logic, there is a need to check. Is it good for us to provide this data? Whether we might suffer reputational consequences that make it not worth? But it's better to risk the sanction?
 
Poland was already mentioned. It's not the only problematic country at the moment. Spain, you said Spain. If Spain starts to send requests to Belgium about the leaders of the dependence movement and you have NGOs that gets very active, they will have to take a decision what's better for us? How should we look in front of the society?
 
So I think we can say that they have nothing to say. We can even shield them from liability by saying that by complying with the orders they will not be liable, but in practice they also need to think about their reputation. And this changes the whole logic. And this makes them sort of guardians of fundamental rights. But according to the business philosophy, and I think this is a huge change, which is not fully reflected necessarily in the debate yet, because do we want service providers to be guardians of the fundamental rights instead of the Member States?
 
>> Tatiana Tropina: Thank you very much, Stanislaw. Phillip, I will give the floor to you, like bringing it back to law enforcement. What do you think about these proposals about direct requests for data?
 
>> Phillip Amann: If I could take a moment to refer to a paper that we are currently drafting the third version together with our colleagues who described the common challenges in combating cybercrime for law enforcement in the judiciary. There's lots of data related to criminal abuse of encryption, it's cross-border cooperation. It's legislation, for us, obviously, law enforcement also capacity-building, having the skills. It's a public and private partnership. For us, this is one of the aspects that makes our work difficult. And so E-Evidence, we support it. We are not, obviously, an agency that develops legislation where we're happy if we get invited and can provide the boots on the ground, let's say, and see what the challenges are, and hope that the legislators can come up with something that meets the practical requirements, but at the same time, as we heard, has all the safeguards in place to make sure that we protect the fundamental rights, protect human rights, because that's really what it is. From our standpoint, we investigate criminal activity. We're not into data surveillance. We're not into eavesdropping. We need to have urgently access to data. That's not the point.
 
We have a criminal investigation, and as part of that investigation, especially when it's any type of criminal investigation these days has a digital component. Sometimes that digital component is the starting point of the investigation. It might be an IP address. We need to have the means to be effective and efficient while respecting the fundamental principles. We heard them before, proportionality, necessity, legality.
 
I appreciate, I think those are all valid comments. We don't want to take away any checks and balances. We want to make sure that the process is respect the human rights, but at the same time supports how it works. I think from where we stand and we can then talk about also some of the challenges and potential solutions, is legislation is a huge challenge for us on something that we closely monitor because, obviously, that's if not -- it's the basis for our work. But it's just one. So when we talk about E-Evidence, it's just one of the challenges that we see. It might be useful to see we're looking at different things. If we look at ePrivacy, for example, one of the first sort of proposals would have left us in a situation where a lot of our partners wouldn't have been able to scan attachments. So we have an existing process with the U.S., with the national center for missing and exploited children. They send us reports of child sexual abuse material. It's a huge volume challenge. We can discuss that at a later stage. It's a real big data challenge, but if some of the big providers would have to implement ePrivacy in one of the previous reading, it would have meant that it would not have been able to scan for anything, any attachments.
 
So this is where it's important that we have a voice as well. These are the implications. Please do consider those things. In general, just to make that point, it's one of the challenges that we face.
 
>> Tatiana Tropina: Thank you very much. Are there any questions for now? Yes?
 
>> Audience: Not necessarily a question, buy representing the Council of Europe cybercrime office, we have heard about the E-Evidence Proposal. Since we are still at the stage of the discussion where we talk about regulations, I'd like to hear a bit more about the Budapest convention of the cybercrime Council of Europe. Why I make this point is in February we organized in Bucharest the international conference on criminal justice in cyberspace, concluded with key messages that are available on the cybercrime website and cybercrime office. One of the key messages, about 20 of them, but one of them is in line with the harmonized approach that was mentioned and also the other points that were made that the Budapest convention is -- the international convention is mostly agree with and it has so many Member States that have already signed and ratified it. It's considered as a good instrument. And I'd like to hear from your perspectives also one key message with this in mind to see if the conclusions from this conference are in line with the thoughts of the panel and of the participants here as well.
 
>> Tatiana Tropina: Thank you very much. Anyone has an intervention on these? Because we basically -- I'm not here to state my opinions, but I do agree the Budapest convention is a very important instrument. Acadia?
 
>> Acadia Senese: I'll respond for Google. We have not seen the text or not sure what's being contemplated of the negotiation of the second additional protocol. To the extent the Budapest is looking to modernize and create safeguards and harmonization and procedure around cross-border access, that that's a good thing. One of the really great things about the Budapest Convention is that it has a strong proposed in Article 18. The E-Evidence does not. The Budapest protects sovereignty and jurisdiction in the way that the regulation arguably has a more aggressive extraterritorial reach. But with respect to the mechanisms being contemplated, I think any mechanism that involves government-to-government interaction is preferred, even if it's around legal assistance for, perhaps, subscriber data only.
 
>> Tatiana Tropina: And, Markko, yes, I really wanted to give the floor to you just to address those mild concerns. You have some concerns, so please just the floor is yours. Either the Budapest Convention or what has been said earlier.
 
>> Markko Kunnapu: Actually, those points and concerns that were raised, yes, these are really important ones. All of them also had been discussed in Brussels, because this is something we need to just take into account and bear in mind while negotiating the E-Evidence Proposal, as well as drafting the text for the second edition to the convention. Actually, the scope of those instruments, it's a bit different. EU regulations is for EU Member States. The second edition protocol would be for the more wider audience. As I can say, right now the Budapest Convention has 63 state parties to the convention. So far, it is the only legally binding international instrument on cybercrime and the electronic evidence that has global impact. We have state parties who actually sharing the same concerns, international cooperation in all continents of the world.
 
As regards those points and concerns that were raised, first, yes, we have been discussing a lot about notification, actually, whether to notify and in case notification takes place, then who. It's not very difficult. It's quite difficult to answer this because when we also think about impact, international service provider, impact to data subject, then, for example, if we imagine a situation that we have victim in Estonia, a suspect in Finland, for example, Finish police is investigating the case, they would need some data from a service provider that is not based in the European Union, but has, for example, a local office, representation in Ireland, then, yes, we could actually send this notification to Ireland. Actually, what would they do this? They have actually no idea what the case is about. Often it is the case that we don't even actually know who the suspect is beforehand, because we just see somebody's using IP address or somebody's using some sort of e-mail address or nickname. Again, this could be all.
 
This is usually the case when we talk about the very first stages of the criminal investigation. Therefore, if notification takes place, then what should be the follow-up? Because if there were notification, if somebody -- a competent authority in a receiving state would get this, then I think this notification also entails certain responsibility or obligation. Again, actually, it would be quite difficult for the competent authority and the receiving country to decide whether preservation of data or disclosure of data is necessary justified or not, because they don't know what is this all about.
 
Also, as regards conditions and safeguards, when we talk about European Union proposal, it's regulation. It would be directly applicable, same rules, same conditions for all Member States. And it's not only this E-Evidence proposal. Legislation in Member States has been harmonized by other instruments as well; for example, on procedure rights, there are also instruments concerning substantive law, etc.
 
Of course, for the Budapest condition and second edition protocol, it would be different, as we are talking about some members which are maybe not so traditional conventional, which actually go beyond the existing Budapest Convention as well. Again, we need to just pay attention to additional safeguards and conditions. Then this is actually has to be, because, yes, we would like to actually trust each other. We would like to trust other state parties at the convention, but still you need to have some conditions and safeguards in place as well. Of course, when something goes wrong, it happens to be the case that, I don't know, that there are Member States or state parties who just would like to abuse those powers. Again, actually, there are some mechanisms for the Budapest Convention. We have cyber convention to address those issues. If something goes wrong somebody abuses certain powers at the European Union level, also, there are some supervisory places where you can actually raise these issues and then discuss.
 
>> Tatiana Tropina: Thank you very much. Are there any questions? So then I would like, unless one of you wants to respond something to Markko, I would like to -- oh, sorry. I'm running again with the microphone. First here and then to Luis.
 
>> Audience: I'm Michael Fultz. I work for Microsoft. We can find ourselves in the arguments of Google as well. When we're talking about service providers being the guardians of the human rights, I think we do not want to do this. The same is with the telecos, of course. What we do want is if we see a production order and we see that it's too broad, abusive, let's say you need, let's say you need to have the data of one company, and the production wants all the e-mails of one domain. We want to say well, we want to give you the data, but you should sort of adjust your order to make sure that it is more directed. So this is not a liability for a service provider to be liable for checking the fundamental rights of an order if it complies with fundamental rights, but if it's too broad and too abusive but we do want to give the data, then we want to have this possibility to make it more directed, so to say.
 
I don't know what your view is on this, but we think it's unnecessary to give more data than necessary.
 
>> Tatiana Tropina: One more before I see there are some interactions from the panel. I ask you a bit of provocative question as a moderator. If we see that the order is broad and abusive, basically you say that you are assessing the order in any case?
 
>> Audience: Well, there is a difference. If you assess it on fundamental rights, that's different than saying -- okay, so you're not checking if the order is complying to fundamental rights, because this is the rule of a local judge. If a judge says this is who sometimes does not have the technical knowledge or the technical information, maybe knowledge but not the information, then we can say, all right, the judge said that this is complying to human rights, but we still think that you can get the data without having more data than necessary. So we're not judging the choice of the judge, but we're saying in this case -- these are cases that happen. They can say, okay, we create the order again, but now it's more targeted to the data that we actually want. That's not judging human rights.
 
>> Tatiana Tropina: Thank you. We will get to the next question soon, but first I need direct responses. Stanislaw, I saw your hand up.
 
>> Stanislaw Tosza: Yeah. I actually had a very similar reaction to yours. You see an abusive order or a dubious order, and you want to comply with it, but you say what do you mean by that?
 
>> Audience: Let's say he see an order and the judge says it's complying to human rights. We won't question this. If we see the goal is to get the data from one subject, but they are actually asking for the address of 200 accounts, which only one want or two, we can help them direct it to those two so that they don't get the information of 198 accounts that are not part of this.
 
>> Stanislaw Tosza: I get that. Then they say it's none of your business, we wanted 200? We are the judge.
 
>> Audience: Yeah, so then --
 
>> Stanislaw Tosza: If you look at the statistics in certain EU Member States, not to very many, they sometimes request a lot of data from a lot of people. Second question, are you happy with every judge in the European Union as it stands now, especially that some countries are under investigation about the independence of the judges?
 
>> Audience: We do want an extra check. We're on the same page as Google on this. So we think that if the target resides in the certain country, this country needs to be notified as well. Again, it's not the role of the service providers to judge on base of human rights. We just want to have the possibility and not the liability, but the possibility to check on proportionality and not proportionality as in judging human rights, but more we see that this is the order, a judge said that it's all right to do it, so we can do it, but we just want to make sure that the people who are not the targets are affected by this order. That's -- I think that's our rationale. If you're talking today, the judges and the law enforcement agencies, then I think if it's reasonable we can say all right. You can do this order. You can excuse it, but direct it more because this is the information that you actually want. Then I think is also your responsibility of law enforcement agency to -- yeah, to also see this point, this viewpoint.
 
>> Stanislaw Tosza: As it stands, the regulation doesn't oblige the authorities to react in the way you expect.
 
>> Audience: Sure. But we want the option to make sure that a production order is as targeted as possible.
 
>> Tatiana Tropina: Thank you. One moment. Acadia, I saw that your hand was going to the microphone.
 
>> Acadia Senese: I would just echo the comments that oftentimes, not because of any malfeasance, it's that the issuing authority or a judge may issue an order and not understand or fully appreciate the order that they've issued, meaning they don't understand the breadth of the data that they've authorized to be seized or the number of accounts that are subject to the order. Often, there's an ability of a service provider to just sort of raise their hand and say, "Hey, Judge, were you aware that this is what you authorized?"
 
Oftentimes the judge says, "Oh, no, that's not what I meant," and they revise the order. If the judge instead says, "Yes, I understood and this is what we authorized," that's a different question.
 
Bringing the facts to the Court to evaluate when they revisit the propriety of an order.
 
>> Tatiana Tropina: I will save a question for later. What if the judge is in the foreign country? But this is the question for later, because we have a Luis, you are the next one. And then Chris.
 
>> Audience: Also I'll raise the question about capacity building of the judges.
 
>> Audience: I have two questions. Microsoft and Google are extraordinarily large and wealthy companies. You guys could actually have the time to reflect it. There are service providers, little Internet providers that are literally mom and pop shop. There's no way they can start doing the kind of stuff that you guys are doing. They're not gonna risk the fine. So I'm wondering where their voice is in all of this.
 
The second thing is I've never really understood about the evidence directive is what we call in Dutch the principle of double illegality. So let's say that something is illegal in one Member State but not in another, or not completely hypothetical thing whereby a very Catholic member site can say you can't get an abortion, even when it's legal, and they get information that's very illegal in that Catholic country, but not illegal in the country where the abortion has actually gotten. I'm having nightmares from what's happening in the U.S., Alabama. Who knows what's going to come here. What happens here and where are the safeguards?
 
>> Tatiana Tropina: So who is going to take the first question about the small providers and how. Markko?
 
>> Markko Kunnapu: The question about smaller providers and that the capacity ability to handle those requests and then respond in a timely manner, especially when we talk about some emergency situations and when the deadline within ours. We have discussed this a lot as well. But, again, there was some criticism concerning the text and then provisions, but in fact, no one actually could provide some working solutions. First, when we talk about information society service and offering services abroad, then actually, how to assess with a company -- a small company or medium company or not. Because it could be the case that, yes, you have a few servers and then maybe just only a few people actually working there, but you may have actually hundreds of thousands, even millions of customers. So then in this case, can you consider this as a small company and then could this be excluded from the scope? Because it's not a secret that criminals, they know pretty well, actually, which companies would cooperate with law enforcement and which not.
 
Already, now we see many companies, they advertise and be bulletproof and they wouldn't cooperate with anybody and that they don't store data and things like this. It's quite difficult to have those exceptions.
 
As regards to capacity building, training, yes, this is important. You need to just train. It's also just the task of the Member States to provide sufficient training, not only for law enforcement, but also for judiciary. Yes, everybody should have certain baseline knowledge concerning cybercrime and then the electronic evidence. Again, in order to actually avoid these kind of situations that you would get really broad and confusing requests. The discussion that is been discussed at the Council of Europe and the European Union level is to use certain formulas, certain templates. Again, if you have those templates, then, the result, the age, actually, behind the request remains unclear or confusing, actually, these would be also used to minimum. Then this is something, actually.
 
Then, of course, when you have -- when Member States are going to implement these instruments at domestic level, again, you need to just make sure that everybody would understand, actually, that this is a template and then whether you should tick this box or this box if you need that information.
 
>> Tatiana Tropina: Phillip, I saw your hand up.
 
>> Phillip Amann: Just no relation to the practicalities of how you implement that, what you said, Markko, there is a lot of power in standardizing those requests, capturing the practical knowledge and how you do those things, having forms, templates. We have set up, for instance, a platform. One of the objectives of the platform is actually to say to give information how do you contact Facebook if you want them to take down in this case content. And it tells you this is the point of contact. This is how you do it. I don't know where they are currently with the writer's tool, but you have a tool that actually tells you if you go to this country, that provider, this is what you have to put into your request. Those are sort of the robust words that you have to use, so that they can legally respond to that. I think there is a lot of -- a lot that can be done to capture those things. And it's a link to the continuous education that not just for law enforcement, but a judiciary prosecution and judges so they're aware of the implications. I think there is a whole cycle. I fully agree that standardization and forms and capturing those practical aspects of how you actually implement that is very important.
 
>> Tatiana Tropina: Anyone else? Yes?
 
>> Markko Kunnapu: Also, I see the need for literacy preparedness for law enforcement. There is also for telecom operators that is recurring problems and times that prosecutors do not know what they ask for. For example, mobile communication, they may ask for all the traffic from a given mobile cell in the past 12 hours. Then they see a trove of data coming in, and they say we didn't request for that, but yeah, you did. They don't understand what they asked for.
 
Standardization is crucial, but I don't think that templates are enough. Even if you have a template but then the authority of police just keeps requesting via the template all the traffic in the past 12 hours, that's not gonna solve the problem.
 
But standardization is essential. It's not just about their request, because the request is not just a letter, you do send to the operator. It's about the whole process. It's how the authority gets accredited to the system of the operator to ping the system and get the request, and how the accreditation is checked by the operator and how the request is processed internally. Ultimately, how the evidence is communicated technically to the authority, which is a whole process with a lot of standards, protocols involved. That's why we reinforce the cooperation with the national authorities is the key because that's how you do establish this process.
 
>> Tatiana Tropina: So, basically, it echoes the comment about government to government cooperation.
 
For the purpose of time, I'm going to collect three next interventions, because -- four, and then get back to you. So I'm very happy that we have, actually, two law enforcement people in the queue. Chris, you're the first. Okay. So I'm going to bring you a microphone. Then three other.
 
>> Audience: Yes. Thank you very much. Thank you, Chris, for offering up your spot. My name is European Commission. I'm a member of the E-Evidence task force that prepared legislative proposals. I'm happy to see that this discussion is taking place with all these different stakeholders.
 
At first I thought it was a shame that I was not on the panel, now with all these difficult questions I'm happy to be on this side of the table than with Phillip and Markko and all the others taking all the difficult questions. I wanted to take this opportunity to bring to the table a couple of points. Some of the things that have mentioned here this afternoon, first of all, I would like to mention is that, of course, these legislative proposal, the E-Evidence proposal from April 2018 were prepared on the basis of very standard impact assessment at the European Commission. It's a very lengthy report you can find on the Internet. It has a lot of detail about percentages of numbers of requests, how many of them go abroad, etc. So if you're really interested in this topic, and I think some of the questions that were here today can be answered if you read the impact assessment. I would certainly recommend you to go there to our website and see that impact assessment.
 
What you will find there, also, is that we conducted quite a comprehensive consultation process to formulate the legislative proposals, consultation process that involves law enforcement authorities from Member States, from third countries, service providers, small ones, big ones, and NGOs, civil society organizations. So all of them. On that basis, indeed, we concluded that existing channels that can be used for obtaining closed border access for electronic evidence, like direct service cooperation with service providers, but also mutual legal assistance, really do not meet the needs of law enforcement. We can also see this is something we already concluded in 2016, but even more the case now that there is fragmentation at international level where different countries choose different approaches that do not necessarily overlap or have the same scope.
 
That puts a risk a lot. It puts at risk a legal clarity, certainty of service providers, but also of citizens, and the protection of fundamental rights. That's why we came forward with these proposals. Of course, to address all the concerns that have been mentioned, we included quite a lot of safeguards in the proposals, safeguards that, I must say, and I can say on the basis of the consultation and impact assessment that we did, are often higher than what you can find at domestic level in many European Union Member States. For example, there is the mandatory involvement of the judicial authority, an independent authority for each and every request. That's independent authority can check and proportionality of the request. That's key for us and a lot of Member States. I'm repeating myself. A lot of Member States you will not find this as a mandatory safeguard. In many cases we're going above what you can find in many Member States. That is, of course, to take account of the cross-border effect of these orders.
 
I think Markko already referred to the harmonized safeguards that we can find at the European Union level, when it comes to the protection of personal data, protection to the right of privacy, but also procedural rights safeguards, which are harmonized at the European level and can be used in the contest of the proposals.
 
To sum up, there is a robust framework of safeguards. As the commission, of course, stand by our proposal, even now there are discussions by the co-legislators, the counsel and the parliaments, also taking into account the opinions of the stakeholders. We are very much interested to hear that.
 
A few points on the basis of the comments that were made in addition: I would like to support Phillip, who, indeed, said that these proposals provides for investigative measures in the context of criminal law. That's something that we have to be aware of when we think about this. This is not about surveillance or intelligence. No, this is about criminal investigations where authorities, law enforcement authorities, have an investigation for a specific crime with a specific subject suspect and there are safeguards provided by criminal law. That is important to be aware of when we talk about these proposals, because a lot of the comments actually appear to go beyond that.
 
Also, what we should be aware of is that in an overall majority of the cases where these proposals will be used, we are actually talking about domestic cases or cases that are domestic in nature. For one of the largest service providers, also present here in the room, we heard, for example, the request that I receive 94% of those requests are really domestic in nature. So it's just a case where law enforcement authorities are investigating a crime with a victim in the country of the authority, with a suspect in the country of the authority. The crime happens in the country of the authority. It's just that the data is located on the server somewhere else or the server is owned by a company that's located in another country.
 
So this is the overall majority of the cases. These are domestic in nature. There was a lot of talk about the need for a dialogue, and the information that could be provided by service providers to authorities when I make a request. That is something that, of course, is not excluded in the context of the proposal. When you are doing that today, it's quite likely that you can also do that tomorrow if these proposals are adopted, of course.
 
Finally, there was a lot of talk about Budapest Convention, the Union and European Commission have supported the convention for many years. This is also the case for the negotiations that are currently ongoing. So I also wanted to underline that we have proposed for the participation of the Union in the negotiations and we are happy to see they supported that on the 6th of June. From that moment on, the Union represented by the Commission can also take part in these negotiations. We are fully transparent about that. The recommendation was published on the Internet. The negotiating directives are published on the Internet. We think this is not something that should be done secretly. It should be done in full transparency, because there are so many things at stake. We are fully committed.
 
Just a final point, because that was made by the colleague from Google, referring to Article 18 of the Budapest Convention, which has as a scope the offering of services in the territorially and on that basis then parties to the convention can issue an order. In fact, what I wanted to point out is that the legislative proposals from the commission have the same connecting factor. So offering services in the territorially of the Union. That is the connecting fact also for the evidence proposal. There is, actually, quite an interesting overlap there. Thank you.
 
>> Tatiana Tropina: Thank you very much. So I have four more people in the queue. I'm closing the queue for the interest of time. I will collect for intervention. I see that some of the speakers want to reply, but take note of what you want to say and I will come back to you. So now I have Chris first.
 
>> Audience: Thank you very much. Chris from the U.S. A question from Google. You talked about they want to be able to reduce the scope of any request or order that you've received. Obviously, based on the data that you can see who it might be affected. You're obviously saying that you see a number of requests anyway. So how would you raise awareness for the police forces and the judges to stop those orders and then slightly tongue in check would you do the reverse where you have a request? Would you look to be open and say this probably isn't broad enough. If you changed your order, that way? Two questions.
 
>> Tatiana Tropina: Right. These require immediate answers. Acadia, from you and I'm bringing microphone to Microsoft.
 
>> Acadia Senese: For Google's part, we try to do as much engagement with law enforcement as we can, recognizing that there's far more law enforcement officials than there were of the folks at Google who know this work. I would say that the Spock model is the best model that we have encountered. What I mean by that is a single point of contact who are the experts in any particular jurisdiction who understand the company, understand the data that it holds, and are very familiar with the kinds of things that can be sought and how to ask for them. So for the jurisdictions like the UK that is a Spock model, those jurisdictions do a much better job in crafting orders that are narrowly tailors than those experts that don't have those contacts in the law enforcement community.
 
The second question, will service providers look beyond the order to do their own investigation to see if they have anything helpful, which I think is what you're asking. The answer is no. Speaking for Google, when Google gets an authorized order to search, we search what's been ordered by the issuing authority and we don't go beyond that. So our search is limited by what the Court has ordered us to do.
 
>> I think I can copy and paste the answer. We look into the orders that we suspect and I have those examples, but already gave one of them. It's the second question is a good one. I do not have any examples of this. So I think the law enforcements are well aware of what they want. Of course, more aware than we because we are not the law enforcement. He's going to decide. So, no, we don't help law enforcement with their investigations. I think that would be not -- well, I can imagine that if they ask for the data, I don't have these examples, but I can't imagine if he wanted data from a certain suspect who is part of a certain domain, so to say, and you're asking a totally other domain, you would say the data you request right now is not the data that you want, but I think these situations do not occur. It's a great question.
 
Also, a little small comment on how small service providers are not able to do this. That's why we don't want to have an obligation, but just an option, so that small service providers are not liable when they do not object to certain production order.
 
>> Tatiana Tropina: Thank you very much. Next in the queue I have Claudia.
 
>> Audience: Hi. I'm actually a judge, so it's been funny to hear you guys talking about us. And so I'm here. I'm an investigating judge in Lisbon. And I just wanted to be brief and I'm happy to see that Microsoft is on the same page that we are. One thing for us is crucial: We don't want more information than we actually need. Too much information is actually bad for us. So regarding the future production order, it will follow the same pattern as the other European instruments. It will have an Annex, arrest warrant, and that helps a lot in focusing information.
 
On the other hand, that's something that been very crucial for me. I'm very happy to be in this forum, is that we need a dialogue with companies. We need -- there has to be a dialogue between the judiciary, the law enforcement, and private companies, because sometimes we don't have enough knowledge, enough digital literacy. You guys also need to help us having it. It cannot be just a role for the government, because the government itself may be in the dark. So we need to talk to each other. And if I happen to ask Microsoft or Google or another service provider for too much information, I would be happy to have an answer like you told me.
 
You are asking for too much, don't you want to focus? So we need to keep this dialogue going. And I hope to see the production order coming forward as soon as possible because it's. We are not information agency. We are not secret service. We act in the role of democratic institutions. So we actually are the good guys. And we are here to catch the bad guys. And I'm counting on you to help us doing so. So thank you.
 
>> Tatiana Tropina: Thank you very much. I see some of the panels want to reflect. Please take a note. I will take the last two intervention and I will give the floor to you. Yes? The next?
 
>> Audience: Hi. Katherine from the Applied Services. I'm conducting research on what it was mentioned at the very beginning. I was happy to see that there was an acknowledgment on that we within the framework we have the additional cooperation which has been widely discussed here. There is also -- so I wonder in all the interventions it has mentioned that both have flaws and also that have been not been working perfectly. My question goes back to the voluntary cooperation framework. What kind of measure -- what kind of indicator are you taking into account to measure success or failure of this frameworks of cooperation?
 
>> Tatiana Tropina: Very much. I will take the last question, the last intervention and then I will just give it to the panel and you will reflect on whatever you want to reflect upon.
 
>> Audience: My name is Miguel and I'm working just across the street. It was very interesting to hear all those various perspective judiciary, law enforcement companies, researchers, and I would just like to very briefly add one more, and that's the perspective of the coordinator. We are coordinating cross-border to make sure judicial authorities can cooperate in a sound way and don't get into each other's way when doing investigations of linked cases. Linked cases is what you usually have when you talk about cybercrime, which is in the title of this session, you have victims in very many countries. You have the way the criminals themselves are distributed over many countries, the way they provide crimes as a service to each other.
 
This is a huge challenge. It makes it very complex to address. For that reason, I think it's a very -- a step with a great potential that lies in the E-Evidence package and also in what the counsel of Europe is doing, that we are at least trying to find ways to not involve those states, not really having a substantial connection to a certain case. This is a little bit echoing what Markko has described. We also need to involve states just out of the pure coincidence that a service provider that is relevant, that holds relevant evidence, is located in that state or that data is stored on that state's territorially.
 
So I think the E-Evidence package has a real step forward in that regard. It is difficult to think of other states that could play that role. So which would be the relevant state to make a decision? The state where the data subject resides? Most of the cases you will not know where that is.
 
So I think the right way forward is that you try to compensate this as it was called taking away of that layer by creating additional strong safeguards on the side of the issuing state, just to add this from the perspective of the coordinator.
 
>> Tatiana Tropina: Thank you very much. And before I will give the last word for the session to our speakers, I would like to sum up a bit. I see that for now we really have a bit more questions than we have answers. We do have strong disagreements. While I'm very happy that we have such a diverse stakeholder panel here, law enforcement, academia, I think it could have been much broader, lawyers, bar associations, and so forth. I know we were going to wrap up talking about the next challenges, but I think that the entire discussion is already on the next challenge. So I would just give the microphone to all of you to maybe lay out the challenge for you and also to reflect on anything you heard here to answer the questions, and I will start with Phillip.
 
>> Phillip Amann: Thank you, Tatiana. I think that was a very good discussion. We could have spent much more time to include many more people and get many more opinions. That's important. Just before I start, I want to say the Microsoft is under my name, but you said things like you don't support law enforcement and so on, I just said this was not me, this was you.
 
>> Tatiana Tropina: For the record.
 
>> Phillip Amann: So I don't get back to my office and my boss tells me thank you.
 
[Laughter]
 
>> The other thing is, and it goes very much, just to explain we are not the FBI. We support Member States. I think that's important also, as you said Microsoft. When you see we're in a very strong position because we see the issues and we can hopefully create this network of networks, networks of networks, to provide an answer. And that brings me to one of the points. I don't know who said that now. One of the things we do is we work very closely with industry. We have advisory groups for the Internet security committee, advisory group for community providers. We have an advisory group for the banking sector, financial sector. And that's public/private partnership, but participation that we always like to add. This is key for us.
 
Then we can understand what are the issues. For instance, two days ago we had the second meeting this weir with the advisory group on communication providers. And it was all about 5G. It's great whether that will be a resolution. Is that really considered in the development of standard in law enforcement? We have this forum that we can discuss with experts. The same goes for all the other challenges. For us this is a great forum to hear the other side and see where is the common ground. We can explain our views. Equally we get back the view from industry or the communication providers and say these are the challenges. That's vital to us.
 
I really subscribe to that. It can only be a networked approach. We have to have, as a society, to come together to address those issues. A company for that matter, I don't think companies should set the reality which is sometimes due when they implement the technical solutions and say this is it now without involving the broader discussion around that and say what are the implications of that it's great to have this very strong focus and privacy. From where we stand, privacy security safety, this is not a zero sum game. This is something that has to go hand in hand. You cannot cut out law enforcement. You cannot cut out the judiciary and solely focus on privacy, then you're missing the safety and security part.
 
We need to talk. We need to create this network. We need to have this mutual understanding of the challenges and the needs and the requirements. And I think that's the way forward to solve this problem that we face. And I think just to end with so what are the challenges? I think I highlighted some of the key challenges. 5G, if I want to be very specific. 5G is definitely gonna be one. Encryption, the criminal views of encryption, certainly, one of our key challenges. Big data volumes, the fact that the volume of data that we sometimes get in the area of child sexual abuse, this is no longer something that we can solve with human resources. We also need to look at technology. And I think we didn't get a chance to talk about artificial intelligence. I don't particularly like that term. But it's things like machine learning. How can we use that to help cybersecurity and law enforcement. It's very, very exciting. We'll take a look at technology to help us solve some of the issues to make sure that we get the best service, that we can use the benefits of technology and make sure we work together, have safety security and privacy all together. Thank you.
 
>> Tatiana Tropina: Markko, you are next.
 
>> Markko Kunnapu: Okay. I think that if you just look at the statistics everywhere, then you can see that the number of cybercrimes and supervisor-enabled crimes is increasing. The problem is that often perpetrators, criminals behind those crimes, they just get away with these, because the very low rate of detection, sometimes low rate of successful investigations, this is something, actually, that has also been facilitating the situation. So, therefore, we need something additional. We would need those new legal frameworks, regulation, and second edition of the Budapest Convention for access to computer data. This is what we need.
 
A colleague from the Commission already mentioned that before Commission came out with this draft proposal, they made extensive work, then also drafted a quite comprehensive explanatory report. In regards Council of Europe and draft of the second protocol Budapest convention, we don't have the draft text. All the drafting and the negotiation is being done in a different manner. Still, we have plenty of information and background information, different reports, studies that were carried out by cyber convention committee, and then this information is also available on the Council of Europe website. Still, right now the cyber convention committee is working with the draft text, just slowly, article by article. Every year, also, we try to have some sort of public hearings, also meetings with other stakeholders, industry, law enforcement, level society, data protection.
 
This year, actually, we will have a conference in November and again there will be not only one, but several workshops on the protocol and issues that have been addressed there, including elements and then also condition safeguards. Most of the things and most of the points and then concerns that were raised here today, these are the issues that we are going to discuss as well. So you can also -- although we don't have the text and it's not so easy, actually, to follow the negotiations, discussions, and then provide written comments, still there is some information which is already available or actually the elements for the second edition protocol, and then background information, also explanations why we have situation like this and then what are the reasons. So this is something that you can use.
 
Also, as regards a different frameworks, we have also already realized that EU has a specific, let's say, ecosystem, I could say, recognition principles, fundamental rights, GDPR, and all these standards as well, procedure law and then substantive law. That means for the second edition protocol, the discussions are different. Even if we can agree certain principles at the European Union level, we need to think how this would work with third countries as well. As I mentioned when it comes to the protocols, right now we have 63 state parties, and the solution actually has to work for everybody. So that means that conditions, safeguards, notification, so everything needs to be there as well.
 
We don't know when we'll finalize the text of the protocol, but we hope that they would arrive soon.
 
>> Tatiana Tropina: Thank you very much. I saw that you wanted to answer European Commission convention and maybe you can wrap it up from your perspective as well.
 
>> I would like to react from what the Commission said. I acknowledge the huge work that was done by the commission. I was observing it as it was developing. And it was great work and great effort. There is no doubt about it. I acknowledged the creativity of the instrument, but hard work is not a guarantee of perfection or of a great result, unfortunately. It doesn't mean that there are no flaws in the system. And I would like to make several points. I would like to respond to three, because I think the need -- there needs to be a response. You said safeguards are harmonized in the EU. No, they are not harmonized. Some of them are harmonized. That is the roadmap. Some of the more harmonized. For example, access to lawyer. Okay. This is important, but this is not crucial here. But problems that we discussed were thought subject to harmonization, not to mention the substantive criminal law, which is also a problem.
 
What we discussed, what you mentioned about abortion, I believe, so we have plenty of problems with harmonization is nonexistent. I don't think harmonization is the solution here. Then you said that there are a lot of remedies. There are conditions. I agree. Some of them higher the threshold in capacity law. For remedies for personal concerns, we have a chapter on remedies. There are three Articles. Out of those three, two are on the conflict law only for the service providers. One is for the persons concerned, what does it say? This is for the Member States to legislate on that. It's limited only to the Member State that is investigating and prosecuting. If you call this a lot of remedies, then I don't know what it means to have a lot of remedies. But I don't think that.
 
The third point, you said majority of the cases will be domestic. Fine, but there is also the minority where all these problems will be exacerbated. People many not know and there will be requests for data and they might not know about it. You cannot use an argument, in my opinion, that majority will be fine if minority will not be. If majority will be fine as well, that's another question. But I don't agree with this. Of course, the whole problem started with domestic cases. We know that with cases like the Belgium Yahoo case. Law enforcement couldn't get the data. Then this proposal creates a system which is broader than that. And I think all the consequences should be thought through to the end.
 
>> Tatiana Tropina: Thank you very much. And I know that I hope that you can stay here for another five to seven minutes so we can really wrap up this wonderful discussion.
 
>> Paolo Grassia: Yes, I would be very, very brief. As I said, the discussion just showed that we are in a single market in the European Union, but criminal law is not harmonized. And the direct access to providers in other Member States can make up only partially to the lack of cooperation, and also trust among authorities that is also at the origin of this kind of proposal.
 
But there are developments in place. For example, we have a newish investigation order, so I would be very curious to see how it gets implemented. Maybe a few years down the line that may show that the need of the E-Evidence Proposal was not as big as it was originally first seen.
 
Also, it would be very interesting to understand how in the eyes of the legislators and then the decision-makers that the E-Evidence Proposal ultimately needs to be implemented, because we are talking about principle, which is right, but in the end there have to be legal and technical solution to be put in place, either by centralized system or let's say, but this is a discussion that seriously needs to be tackled. Maybe eventually we do understand that the technical solution that would be in place would also promote more cooperation or smoother cooperation among authorities of different Member States, or would require eventually more cooperation among authorities in different Member States. Then we are back to square one. What matters, really, is government-to-government cooperation.
 
>> Tatiana Tropina: Thank you very much. Acadia, you will be the last with you not least.
 
>> Acadia Senese: No pressure. Thank you. One quick reaction to the commission: First, the commission should be commended for its stakeholder consultation process, which absolutely was thorough and very much welcomed, one of the more extraordinary that we have seen occur. So thank you for that.
 
One point of clarification, on the Article 18 jurisdiction provision with respect to the Budapest Convention, it is true that the commission's proposal with the E-Evidence regulation borrowed from the Budapest Convention's Article 18, but the regulation eliminated important requirements of Article 18. And I think that bears mentioning, because the elimination of those requirements fundamentally changes the jurisdictional provision of the regulation as prepared to the second Budapest Convention.
 
Summing up, I think -- and I've said this to some colleagues and anyone who can listen, I can't remember another time when there were so many legislative proposals about this data. It's welcomed and what we need in terms of lawful access to data, in terms of developing frameworks with safeguards, with harmonization, with proper procedures and safeguards. So I think this is actually a very exciting and, frankly, crucial time with respect to E-Evidence, with respect to the Budapest Convention, with respect to the cloud act, with respect to the EIO, to see how it develops. And I think it's an important time to ensure that it's a moment to elevate privacy protections and safeguards in this space, but it's also an important time to ensure that these frameworks are harmonious, that they do the things they intend to do with respect to resolving conflicts of law, and that they are cohesive. So I’m looking forward to those discussions.
 
>> Tatiana Tropina: Thank you very much. Actually, there is one person in the room I don't envy, and this is the reporter of this session. I really don't know, because as a moderator, and I know the topic, and, honestly, I will not be able to I'm wondering what the challenge here is.
 
>> Andrijana Gavrilovic: Well, if I could sum this up the way I want to, it would be very exciting. Frankly, to quote you, we discussed a lot of things today. It was very, very dynamic. The way this works is that I read the messages and you tell me if you strongly agree or strongly disagree. The messages will be up for voting later on by the community, so there will be changes. Changes will be possible.
 
So we said that a lot of discussion revolved around government-to-government interaction. So instruments that involve government-to-government interaction are preferred by some of the actors, stakeholders, in order to ensure that that human rights are respected. Does anyone have a real pushback on that? That is fine. We also said law enforcement are the good guys, or that we should all collaborate. So raising digital literacy in law enforcement and judiciary, including prosecuting and judges, also telecom operators is crucial. That's all right?
 
And then we said that it's very important for the second draft protocol to work for everyone, including non-EU countries, so conditions and safeguards and notifications have to be present.
 
I have room for two more messages. That is possible. I don't know how long you want to stay here for or if we can agree on two things, or if you're all right with these three.
 
>> Tatiana Tropina: I actually think that this message would be ready for comments. If there are additions, if there are other points to raise, you can always raise them.
 
With these, thank you so much. And thanks so much to our panelists and to everyone who contributed to these discussions, who were not on the panel, and yeah, thank you. And my amazing co-moderator.
 
[Applause]
 
 
This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document or file is not to be distributed or used in any way that may violate copyright law.
 




[[Category:2019]][[Category:Sessions 2019]][[Category:Sessions]][[Category:Security and crime 2019]]
[[Category:2019]][[Category:Sessions 2019]][[Category:Sessions]][[Category:Security and crime 2019]]

Revision as of 16:15, 8 July 2019

20 June 2019 | 14:00-15:30 | YANGTZE 2 | Video recording | Transcription
Consolidated programme 2019 overview

Proposals assigned to this session: ID 35, 36, 39, 130, 200, 204, 206 – list of all proposals as pdf

You are invited to become a member of the session Org Team! By joining an Org Team you agree to that your name and affiliation will be published at the respective wiki page of the session for transparency reasons. Please subscribe to the session mailing list and answer the email that will be send to you requesting your confirmation of subscription.

Session teaser

The session will look into aspects of criminal justice in cyberspace from the perspective of applicable regulations, access to evidence and human rights, public-private cooperation and technical aspects of investigations.

The discussion will revolve around recent legislative initiatives from the EU and the Council of Europe addressing cooperation on cybercrime and electronic evidence, seek various perspectives on public-private cooperation, weight on human rights issues of access to electronic evidence in light of GDPR, and will attempt to provide a brief outlook on technical aspects of cybercrime investigations with particular focus on AI.

Session description

The session will address the overall theme of criminal justice in cyberspace in three distinct areas of discussion:

Regulations: This part will have a specific focus on two most recent legislative initiatives, spearheaded respectively by the European Union and the Council of Europe, to modernize the current framework applicable to cybercrime and electronic evidence – namely, the E-Evidence Proposal and work on the Second Draft Protocol to the Budapest Convention on Cybercrime.

Access to data: Following up the issue of regulations with particular focus on the need for public-private cooperation and transborder access to data, this session will offer more industry-driven point of view on the subject. Discussion will also allow insight into concerns of access to data in light of implementing General Data Protection Regulation, those concerns applicable to both law enforcement access to data as well as trans-border processing of data by private companies.

Technical aspects: A brief outlook at most recent developments in terms of tackling new forms of cybercrime will be offered, with particular focus on current/potential use of Artificial Intelligence for aiding investigations, but also possible ethical or legal aspects of use of AI for these purposes.

Format

The session will be driven by short initial interventions from key participants/speakers on subjects of discussion, with moderated Q&A with the audience, seeking to develop discussion further on the themes of the workshop.

Further reading

People

Please provide name and institution for all people you list here.

Focal Point

  • Giorgi Jokhadze, Council of Europe

Organising Team (Org Team) List them here as they sign up.

  • Zoey Barthelemy
  • Tjabbe Bos
  • Nertil Berdufi, University College Beder
  • Irina Drexler, Council of Europe
  • Desara Dushi, SEEDIG Programme Committee
  • Catherine Garcia-van Hoogstraten, Centre of Expertise Cyber Security- Cybersecurity for SMEs, The Hague University of Applied Sciences (THUAS)
  • Kristina Olausson, ETNO - European Telecommunications Network Operators' Association
  • Corien van Pinxteren

Key Participants

  • Paolo Grassia, Director of Public Policy, European Telecommunications Network Operators' Association (ETNO) – Link to profile
  • Markko Kunnapu, Advisor to the Ministry of Justice of Estonia, Member of the Cybercrime Convention Committee Bureau - LinkedIn
  • Acadia Senese, Legal Counsel, Law Enforcement & Information Security, Google - LinkedIn
  • Philipp Amann, Head of EC3 Strategy at European Cybercrime Centre (EC3), EUROPOL
  • Stanislaw Tosza, Assistant Professor, Utrecht University - link to profile

Moderator The session will have two moderators:

  • Tatiana Tropina, Senior Researcher, Max Planck Institute for Foreign and International Criminal Law, LinkedIn
  • Irina Drexler, Cybercrime Programme Office of the Council of Europe, LinkedIn

Remote Moderator

Trained remote moderators will be assigned on the spot by the EuroDIG secretariat to each session.

Reporter

  • Andrijana Gavrilovic, Geneva Internet Platform

The Reporter takes notes during the session and formulates 3 (max. 5) bullet points at the end of each session that:

  • are summarised on a slide and presented to the audience at the end of each session
  • relate to the particular session and to European Internet governance policy
  • are forward looking and propose goals and activities that can be initiated after EuroDIG (recommendations)
  • are in (rough) consensus with the audience

Current discussion, conference calls, schedules and minutes

The discussions in the Org Team for the session took part primarily as email exchanges on the mailing list for the Workshop, with several major milestones:

  • On 18.03.19, the initial sequence of topics and work-plan for Org Team was suggested and discussed; further, call for speakers/key participants was launched and responses from the Org Team collated;
  • On 06.04.19, the sequence of themes was further refined and identity of potential speakers discussed; communications with Org Team on these matters were summarized on 17.04.19;
  • Session title was established through Doodle poll on 14.04.19;
  • Session description and format communicated and discussed on 12.05.19;
  • Individual communications with key participants and potential speakers still ongoing.

Messages

  • Criminal justice instruments should provide for safeguards to ensure that the fundamental principles are respected, including principles of proportionality, necessity, legality.
  • Increasing digital literacy in law enforcement, judiciary (prosecution and judges), and telecom operators is crucial.
  • It is important that the Second Draft Protocol to the Budapest Convention on Cybercrime works for everyone, including non-EU countries, and conditions, safeguards, and notifications have to be present.

Video record

https://youtu.be/Rd7vQ_uxuEk

Transcript

Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-800-825-5234, www.captionfirst.com


This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.


>> TATIANA TROPINIA: I guess we can start. Anyone that comes to the room can catch up. Hello, everyone. My name is Tatiana Tropina. I'm from Germany, and I'm a co-moderator with this session together with Irina Drexler. For you who are in the room and not speakers, any time you have a question or comment, just raise your hand. I'm watching you all. This is why I'm standing. And I'm keeping the time.

We'll talk today about criminal justice in cyberspace. We have a long tradition at EuroDIG having sessions on cybercrime, but we personally think that the term cybercrime is not applicable anymore. It's too narrow, because any crime nowadays can leave digital traces. The same instruments that were used to investigate cybercrimes are nowadays used to investigate basically any crime. Law enforcement urgently needs access to data. How do we solve these problems?

If you look at the recent political context, you will see that from both sides of Atlantics we have virus proposals on how to make life of law enforcement easier and facilitate access to data without, for example, judicial authorization. We have in the U.S. and European proposals for evidence regulation, which basically change the current system of legal assistance where request of data has to be approved in both countries. Under new proposals, they will be sent to Internet providers without the need for approval. How do we deal with the criminal justice in cyberspace -- more of everything? Less of everything? What do we need to solve the problems and are we going the right way.

I have really truly amazing panel who will discuss these together with you. So just from my right habitant side we have Phillip Amann from the Europol Cybercrime Center. We have Markko Kunnapu from Minister of Justice of Estonia. We have Paolo Grassia, from Telecommunications Network Association of communication providers, and we have Acadia Senese from Google. I will start with Markko, who probably can give us a short overview of those proposals about access to electronic evidence and tell us where they're good, where they're bad, what they bring for law enforcement, and what is his perspective on this.

Markko, the floor is yours.

>> Markko Kunnapu: Good afternoon. First, I think it's not a surprise to you in order to investigate criminal offenses, not only cybercrime, but any offenses, you need access to computer data. You need access to electronic evidence. The problem is that often when people use the services offered by different service providers, the question that sometimes we know that the data is in our own territorially and we can use domestic procedures, which won't be a big problem. But often computer data that we need to use as evidence in criminal proceeding is stored somewhere abroad. And so far the cooperation between the States, cooperation between law enforcement and service providers, it has worked to certain extent, but it's not perfect. There are some flaws. There are some problems. Then all this have created great challenges, huge challenges for the law enforcement authorities all over the Europe. I could also say all over the world. So, therefore, we need something additional, something actually which would -- I wouldn't say replace, but maybe complement existing legal assistance, frameworks, and then also those cooperation frameworks based on voluntary cooperation.

Right now European Union and Council of Europe has been working on finding binding legal framework that would enable law enforcement authorities in one country to access or to obtain electronic evidence in another country. Of course, both instruments to provide for procedures, conditions and safeguards, as well as remedies. As regards the Council of Europe, discussions on the second edition, convention of cybercrime, have been taking place for years already. Since the cybercrime convention committee has been negotiating and then drafting the text of the protocol. Nothing has been agreed. Nothing has been finalized yet. Work is still going on.

Last year, also, European Union came out with a so-called E-Evidence Proposal, which consists of regulation and directive and also the main purpose idea is to provide binding legal framework that would enable EU law enforcement authorities to get more easily data from service providers who often are not located in our own territories, but in other countries. Again, the connection, the authorizing services online. People are using them. If it happens to be a victim or suspect, then we need this information.

Right now, it is to some extent, possible to get this data from abroad, as I mentioned, voluntarily cooperation exists to certain currently, but it's not working perfectly. When we talk about mutual legal assistance, MLA, again, it is slow, too bureaucratic. Again, those cooperation regime frameworks that have been developed decades ago, they were not designed to address electronic evidence; therefore, in order to meet the current challenges and technological developments in particular cloud computing, we need something additional, something new. This is what both EU and the Council of Europe have been doing.

>> Tatiana Tropina: Thank you very much, Markko. If there are no immediate questions or interventions, I would like to pass the floor to Paolo. I know ETNO had a strong position. I picked a couple of points from Markko introduction. Do you think these frameworks would complement legal assistance and what, from your perspective, is more easily accessed to data, seeing this is basically what ETNO was trying to reflect on? Could you provide us with your perspective?

>> Paolo Grassia: Yes. Thank you, Tatiana. And for whom the people that don't know ETNO, we do represent European telecom operators network operators. It's important because we do have a pretty long-standing history of cooperation of man -- mandated cooperation with law enforcement authorities, and second, because the information carried through our networks is pretty relevant to law enforcement.

And to pick your point, I would like to also note one element of the -- two elements, actually, of the assessment of the European Commission attached to the proposal. The first element is that 90%, roughly, of cross-border access requests are addressed to five companies only, Google, Microsoft, Facebook, Apple, and Twitter, which means that this proposal is originally designed to solve issues in accessing data stored by five companies, but it is much broader than that.

The second one is also that refers to the earlier intervention, is that the impasse assessment is the problem is these companies and the storing of capacity of these companies may not be based and distributed in European countries, but they may be avail themselves centralized storing system. That's where perspective. We are conscious that these proposals would impact majorly, but we do have a history of mandated cooperation with local authorities, because attached to our license to operate with our members in European markets, there are obligations to disclose data and collaborate with law enforcement authorities. That's a system that has been in place for a long time and works pretty well.

Indeed, every request of access to data law enforcement interception needs to be based on a legal order by national authorities. Usually, this legal order has to be communicated to the provider through a series of standards, MOUs, service level agreements, and technical specificities. Some are like details, but they're not. With the E-Evidence Proposal, if a telecom operator would be exposed to from 26 other Member States, telecom operators would have to put in place secure channels of communication, accreditation, and standards with 26 or 27 Member States, which is -- well, a bit unfeasible. The European Commission, in their defense, said they had been working with Member States on development of the platform to secure a centralized communication, but this is kind of the chicken or the egg. Do we want the legislation first and then think about a technical solution first, or do we want to have a technical solution before legislation is in place. Companies have to abide by legislation once it is in place.

My point that I would like to stress before leaving the floor to the others is that at the core of our position, for all the considerations that I mentioned above, is that territorially jurisdiction is the key, is really has been at the core of the collaboration with authorities to whom our members interface. It is what guarantees that, as I say, there are standards. There are security channels in place that make us comfortable, that a legal order is based on the legal basis, and that respects also the fundamental rights of the concerned people. The more we do stretch the boundaries, the limit of territorial jurisdictions, the less secure this collaboration becomes, just because operators can't ensure that the same standards can be applied to collaboration with 27 or 26 Member States.

So I would like to leave you with that. Our core message is we do commend in part the objective. We understand the challenges of the law enforcement prosecutors and the judiciary, but the system of collaboration from the telecom perspective is working pretty well. We shouldn't risk breaking it by trying to solve it.

>> Tatiana Tropina: Thank you very much, Paolo. I see a question. One moment. I'm going to bring the microphone.

>> Audience: Thank you very much. I'm now working at EuroJuc. I was working for digital Europe also had a very strong position. You're being very diplomatic, but do I understand your concerns to basically mean because in certain EU Member States there's a different level of protection of fundamental rights and the rule of law, for example, one of the Member States is actually being investigated by the European Commission, and that, therefore, some of your members, teleco operators would be passing information. The E-Evidence says you can then start a case and say, actually, I don't want to do this. The teleco that I know best tells me they would never do that and they would just hand over the information.

I'm not familiar with your strongly worded opposition. Could you give us a little bit less diplomatic? You're in Holland, maybe a more Dutch way of saying what's wrong with it?

>> Paolo Grassia: Sure. I think because of -- yeah. I will say and mention all the safeguard, actually, usually telecos do not opine on the orders they do receive. They just receive. They are comfortable that they are legal and they just execute. There is, according to transparency reportings, but also interviews with our members, there is a very negligible share of requests that gets rejected just because the legal basis is not current enough or just because of formal problems. Members know they do not have to carry out the legality check.

If Dutch operator would receive a request from Polish authorities, from Spanish authorities, who would ensure that the legal basis and the legal safeguards are equivalent to those in place in the Netherlands if they're not validated by an authority in the Netherlands?

There are some assurances given from the commission that operators do not have to carry out the proportionality check, legality check, just have to execute. But that's not how it happens in practice, just because if some violation of fundamental rights happens, in the end the liability would be upon the operators. That's the point. Also, that's what makes members uncomfortable and then there is also a host of barriers, practical questions, for example, emergency procedures disclosure in six hours. It's much tighter than the timing that is afforded by their national authorities. So they find themselves in the situation of having to -- the privilege of request that comes from a foreign authority, then the request of the home authorities, which would be a bit ironic.

There are many, many, let's say, misgivings. And I missed to mention in my intervention is our proposal is to bring back the process closer to the authority, to the national authorities. So to have a stronger involvement of the authorities in the Member States where the telecos operate, so that the national authorities act as an intermediary between the foreign one and the operators and the operators remain sure that the requests that land on their desk are validated according to their legal standards.

>> Tatiana Tropina: Thank you very much. And I would like to give the floor to Acadia from Google. Are you comfortable with this proposal?

>> Acadia Senese: So Google is, by the nature of its tolling, and by the designation of Google LLC as a U.S. entity, situated wholly differently than, certainly, the European teleco operators, and has a different perspective with respect to the E-Evidence Proposal.

With respect to the E-Evidence regulation, Google on the whole supports the regulation. Google supports modernization of cross-border access to user information. This regulation is a significant step forward in modernizing and harmonizing cross-border access within the European Union. Before the E-Evidence regulation, this kind of framework did not exist and it is true that what that meant for companies like Google, who are based in the United States, who are subject to U.S. law, is that Google was left to navigate conflicting legal obligations, different patch works of legal requirements across Europe, and Google historically has utilitized its ability under U.S. law to categorize information directly to European authorities. We have only done so if we were sure that the request that Google received was valid and otherwise met the requirements of the issuing jurisdiction.

So if you can imagine, that left Google in the position of having to understand the local and national requirements of every jurisdiction in Europe. We actually have quite an internal library of what all the requirements are in all the different jurisdictions.

From Google's perspective, having those requirements harmonized, accompanying those harmonized requirements with safeguards, albeit a side comment here, the safeguards containing the E-Evidence, I think certainly could be improved, most notably on the notification measures. I'll come back to that in a minute. But on the whole E-Evidence, it's a significant step forward in creating a harmonious framework across Europe.

That said, I think there are provisions of the E-Evidence and Google published a position paper on the commissions text for the E-Evidence regulation. But as it's evolved, there are portions of the regulation, most notably a penalty provision, that I think create disincentives for companies to ever question the validity or the sufficiency or the propriety of a law enforcement request.

What I mean by that is under the current text that contains a severe penalty for noncompliance, what that does is incentivize a service provider to always produce data and to never question, not that service providers want to be in a position of having to question or confirm the validity of a European production order, but that to the extent that a provider might have uncertainty about a request they would choose to disclose rather than raise an objection, rather than face that penalty.

So one of the things about the E-Evidence regulation is that -- and I think it's not necessarily a bad thing, but in an effort to modernize legislation and in an effort to give law enforcement expeditious access to data, as they should have when they're conducting legitimate law enforcement investigations, many of which are time sensitive, and in recognition that the MLAP processes are too slow, too antiquated and too difficult, E-Evidence solves those things. But because E-Evidence creates a mechanism by which an issuing authority can go directly to a service provider outside of its jurisdiction, it has eliminated the role of normally what would be the central authority in the receiving jurisdiction.

Having eliminated that role, some of the obligations of the central authority has now shifted to the service provider, or having not shifted, has eliminated sort of the check that a requesting jurisdiction -- a receiving jurisdiction central authority would otherwise do. Coming back then to the notification piece, that can be solved by robust notification measures. So at the moment, the E-Evidence regulation effectively prohibits service providers from notifying their users or customers about the existence of a demand. Google thinks that notice should be the norm and only by exception should notice be prohibited. The reason is that a user or customer's best position to evaluate if any of their fundamental rights or privileges are unlawfully implicated by the request, but another notification procedure could simply be that any issuing authority has to notify the central authority of an impacted Member State, meaning that if I'm the issuing authority in France and I'm seeking information about a German user, as the issuing authority, I would have to notify the German authority, and the Germans could themselves decide whether or not to intervene in the request and assert any objections. This would place back to governments the role of evaluating the propriety of the request, and the one way to do it in the regulation is to create that notification procedure.

I could go on all afternoon. I'll stop, but with that, on the whole, we think this is a good step forward. We think that the E-Evidence regulation could help support and serve the foundation of an EU/U.S. cloud act agreement as well. I think both of these instruments are positive developments in terms of modernize go surveillance legislation.

>> Tatiana Tropina: Thank you very much, Acadia. We focused on the role of providers and on the power of providers and responsibilities of providers. And I want to give the floor to Stanislaw who might provide us with a more legal of the criminal procedures safeguards from his perspective.

>> Stanislaw Tosza: Thank you, Tatiana. Thank you. I want to bring to the table a legal concept which hasn't been mentioned yet. Picking up from what which is mutual recognition. This is not the forum to talk about international cooperation, but let's not forget, this is based on the mutual recognition. It's Article 82, which allows the create instruments which are based on the mutual recognition. Which is mutual recognition? It's a step forward from mutual legal assistance, meaning that one Member State in principle recognizes the validity of a decision of another Member State. This is the idea.

In practice, European arrest warrant, the classic instrument of mutual recognition that has been working for the past more than 15 years quite well, which means a French authority issues a European arrest warrant to get somebody from Germany, sends it to Germany, and the authorities in Germany do just a basic limited check of this order and then send the person to France. This is the idea.

Now, here what happened is that we agreed with the authority in that state. I claim this is a quantum leap of mutual recognition and mutual trust for two reasons: One reason is that the grounds for refusal are limited in this proposal, are much more limited if the authority is engaged, which as we know happens in case there are problems with the execution when the service provider resists the order, then the authority of that country can come back. Then they have some grounds for refusal, much more limited than in the other mutual recognition instruments, like European arrest warrant or European investigation order.

But what is more important is that what Acadia said, the order goes directly to the service provider and in principle the service provider should send the data. Nobody is checking it. If they do send it, the authorities in that country are not engaged. What it means is, as you said, that the commission, the proposal, the memorandum can say that the service providers have nothing to say. In theory, yes; in practice, no. They work, in my opinion, but this is what I just had, according to different logic, which is a business logic, there is a need to check. Is it good for us to provide this data? Whether we might suffer reputational consequences that make it not worth? But it's better to risk the sanction?

Poland was already mentioned. It's not the only problematic country at the moment. Spain, you said Spain. If Spain starts to send requests to Belgium about the leaders of the dependence movement and you have NGOs that gets very active, they will have to take a decision what's better for us? How should we look in front of the society?

So I think we can say that they have nothing to say. We can even shield them from liability by saying that by complying with the orders they will not be liable, but in practice they also need to think about their reputation. And this changes the whole logic. And this makes them sort of guardians of fundamental rights. But according to the business philosophy, and I think this is a huge change, which is not fully reflected necessarily in the debate yet, because do we want service providers to be guardians of the fundamental rights instead of the Member States?

>> Tatiana Tropina: Thank you very much, Stanislaw. Phillip, I will give the floor to you, like bringing it back to law enforcement. What do you think about these proposals about direct requests for data?

>> Phillip Amann: If I could take a moment to refer to a paper that we are currently drafting the third version together with our colleagues who described the common challenges in combating cybercrime for law enforcement in the judiciary. There's lots of data related to criminal abuse of encryption, it's cross-border cooperation. It's legislation, for us, obviously, law enforcement also capacity-building, having the skills. It's a public and private partnership. For us, this is one of the aspects that makes our work difficult. And so E-Evidence, we support it. We are not, obviously, an agency that develops legislation where we're happy if we get invited and can provide the boots on the ground, let's say, and see what the challenges are, and hope that the legislators can come up with something that meets the practical requirements, but at the same time, as we heard, has all the safeguards in place to make sure that we protect the fundamental rights, protect human rights, because that's really what it is. From our standpoint, we investigate criminal activity. We're not into data surveillance. We're not into eavesdropping. We need to have urgently access to data. That's not the point.

We have a criminal investigation, and as part of that investigation, especially when it's any type of criminal investigation these days has a digital component. Sometimes that digital component is the starting point of the investigation. It might be an IP address. We need to have the means to be effective and efficient while respecting the fundamental principles. We heard them before, proportionality, necessity, legality.

I appreciate, I think those are all valid comments. We don't want to take away any checks and balances. We want to make sure that the process is respect the human rights, but at the same time supports how it works. I think from where we stand and we can then talk about also some of the challenges and potential solutions, is legislation is a huge challenge for us on something that we closely monitor because, obviously, that's if not -- it's the basis for our work. But it's just one. So when we talk about E-Evidence, it's just one of the challenges that we see. It might be useful to see we're looking at different things. If we look at ePrivacy, for example, one of the first sort of proposals would have left us in a situation where a lot of our partners wouldn't have been able to scan attachments. So we have an existing process with the U.S., with the national center for missing and exploited children. They send us reports of child sexual abuse material. It's a huge volume challenge. We can discuss that at a later stage. It's a real big data challenge, but if some of the big providers would have to implement ePrivacy in one of the previous reading, it would have meant that it would not have been able to scan for anything, any attachments.

So this is where it's important that we have a voice as well. These are the implications. Please do consider those things. In general, just to make that point, it's one of the challenges that we face.

>> Tatiana Tropina: Thank you very much. Are there any questions for now? Yes?

>> Audience: Not necessarily a question, buy representing the Council of Europe cybercrime office, we have heard about the E-Evidence Proposal. Since we are still at the stage of the discussion where we talk about regulations, I'd like to hear a bit more about the Budapest convention of the cybercrime Council of Europe. Why I make this point is in February we organized in Bucharest the international conference on criminal justice in cyberspace, concluded with key messages that are available on the cybercrime website and cybercrime office. One of the key messages, about 20 of them, but one of them is in line with the harmonized approach that was mentioned and also the other points that were made that the Budapest convention is -- the international convention is mostly agree with and it has so many Member States that have already signed and ratified it. It's considered as a good instrument. And I'd like to hear from your perspectives also one key message with this in mind to see if the conclusions from this conference are in line with the thoughts of the panel and of the participants here as well.

>> Tatiana Tropina: Thank you very much. Anyone has an intervention on these? Because we basically -- I'm not here to state my opinions, but I do agree the Budapest convention is a very important instrument. Acadia?

>> Acadia Senese: I'll respond for Google. We have not seen the text or not sure what's being contemplated of the negotiation of the second additional protocol. To the extent the Budapest is looking to modernize and create safeguards and harmonization and procedure around cross-border access, that that's a good thing. One of the really great things about the Budapest Convention is that it has a strong proposed in Article 18. The E-Evidence does not. The Budapest protects sovereignty and jurisdiction in the way that the regulation arguably has a more aggressive extraterritorial reach. But with respect to the mechanisms being contemplated, I think any mechanism that involves government-to-government interaction is preferred, even if it's around legal assistance for, perhaps, subscriber data only.

>> Tatiana Tropina: And, Markko, yes, I really wanted to give the floor to you just to address those mild concerns. You have some concerns, so please just the floor is yours. Either the Budapest Convention or what has been said earlier.

>> Markko Kunnapu: Actually, those points and concerns that were raised, yes, these are really important ones. All of them also had been discussed in Brussels, because this is something we need to just take into account and bear in mind while negotiating the E-Evidence Proposal, as well as drafting the text for the second edition to the convention. Actually, the scope of those instruments, it's a bit different. EU regulations is for EU Member States. The second edition protocol would be for the more wider audience. As I can say, right now the Budapest Convention has 63 state parties to the convention. So far, it is the only legally binding international instrument on cybercrime and the electronic evidence that has global impact. We have state parties who actually sharing the same concerns, international cooperation in all continents of the world.

As regards those points and concerns that were raised, first, yes, we have been discussing a lot about notification, actually, whether to notify and in case notification takes place, then who. It's not very difficult. It's quite difficult to answer this because when we also think about impact, international service provider, impact to data subject, then, for example, if we imagine a situation that we have victim in Estonia, a suspect in Finland, for example, Finish police is investigating the case, they would need some data from a service provider that is not based in the European Union, but has, for example, a local office, representation in Ireland, then, yes, we could actually send this notification to Ireland. Actually, what would they do this? They have actually no idea what the case is about. Often it is the case that we don't even actually know who the suspect is beforehand, because we just see somebody's using IP address or somebody's using some sort of e-mail address or nickname. Again, this could be all.

This is usually the case when we talk about the very first stages of the criminal investigation. Therefore, if notification takes place, then what should be the follow-up? Because if there were notification, if somebody -- a competent authority in a receiving state would get this, then I think this notification also entails certain responsibility or obligation. Again, actually, it would be quite difficult for the competent authority and the receiving country to decide whether preservation of data or disclosure of data is necessary justified or not, because they don't know what is this all about.

Also, as regards conditions and safeguards, when we talk about European Union proposal, it's regulation. It would be directly applicable, same rules, same conditions for all Member States. And it's not only this E-Evidence proposal. Legislation in Member States has been harmonized by other instruments as well; for example, on procedure rights, there are also instruments concerning substantive law, etc.

Of course, for the Budapest condition and second edition protocol, it would be different, as we are talking about some members which are maybe not so traditional conventional, which actually go beyond the existing Budapest Convention as well. Again, we need to just pay attention to additional safeguards and conditions. Then this is actually has to be, because, yes, we would like to actually trust each other. We would like to trust other state parties at the convention, but still you need to have some conditions and safeguards in place as well. Of course, when something goes wrong, it happens to be the case that, I don't know, that there are Member States or state parties who just would like to abuse those powers. Again, actually, there are some mechanisms for the Budapest Convention. We have cyber convention to address those issues. If something goes wrong somebody abuses certain powers at the European Union level, also, there are some supervisory places where you can actually raise these issues and then discuss.

>> Tatiana Tropina: Thank you very much. Are there any questions? So then I would like, unless one of you wants to respond something to Markko, I would like to -- oh, sorry. I'm running again with the microphone. First here and then to Luis.

>> Audience: I'm Michael Fultz. I work for Microsoft. We can find ourselves in the arguments of Google as well. When we're talking about service providers being the guardians of the human rights, I think we do not want to do this. The same is with the telecos, of course. What we do want is if we see a production order and we see that it's too broad, abusive, let's say you need, let's say you need to have the data of one company, and the production wants all the e-mails of one domain. We want to say well, we want to give you the data, but you should sort of adjust your order to make sure that it is more directed. So this is not a liability for a service provider to be liable for checking the fundamental rights of an order if it complies with fundamental rights, but if it's too broad and too abusive but we do want to give the data, then we want to have this possibility to make it more directed, so to say.

I don't know what your view is on this, but we think it's unnecessary to give more data than necessary.

>> Tatiana Tropina: One more before I see there are some interactions from the panel. I ask you a bit of provocative question as a moderator. If we see that the order is broad and abusive, basically you say that you are assessing the order in any case?

>> Audience: Well, there is a difference. If you assess it on fundamental rights, that's different than saying -- okay, so you're not checking if the order is complying to fundamental rights, because this is the rule of a local judge. If a judge says this is who sometimes does not have the technical knowledge or the technical information, maybe knowledge but not the information, then we can say, all right, the judge said that this is complying to human rights, but we still think that you can get the data without having more data than necessary. So we're not judging the choice of the judge, but we're saying in this case -- these are cases that happen. They can say, okay, we create the order again, but now it's more targeted to the data that we actually want. That's not judging human rights.

>> Tatiana Tropina: Thank you. We will get to the next question soon, but first I need direct responses. Stanislaw, I saw your hand up.

>> Stanislaw Tosza: Yeah. I actually had a very similar reaction to yours. You see an abusive order or a dubious order, and you want to comply with it, but you say what do you mean by that?

>> Audience: Let's say he see an order and the judge says it's complying to human rights. We won't question this. If we see the goal is to get the data from one subject, but they are actually asking for the address of 200 accounts, which only one want or two, we can help them direct it to those two so that they don't get the information of 198 accounts that are not part of this.

>> Stanislaw Tosza: I get that. Then they say it's none of your business, we wanted 200? We are the judge.

>> Audience: Yeah, so then --

>> Stanislaw Tosza: If you look at the statistics in certain EU Member States, not to very many, they sometimes request a lot of data from a lot of people. Second question, are you happy with every judge in the European Union as it stands now, especially that some countries are under investigation about the independence of the judges?

>> Audience: We do want an extra check. We're on the same page as Google on this. So we think that if the target resides in the certain country, this country needs to be notified as well. Again, it's not the role of the service providers to judge on base of human rights. We just want to have the possibility and not the liability, but the possibility to check on proportionality and not proportionality as in judging human rights, but more we see that this is the order, a judge said that it's all right to do it, so we can do it, but we just want to make sure that the people who are not the targets are affected by this order. That's -- I think that's our rationale. If you're talking today, the judges and the law enforcement agencies, then I think if it's reasonable we can say all right. You can do this order. You can excuse it, but direct it more because this is the information that you actually want. Then I think is also your responsibility of law enforcement agency to -- yeah, to also see this point, this viewpoint.

>> Stanislaw Tosza: As it stands, the regulation doesn't oblige the authorities to react in the way you expect.

>> Audience: Sure. But we want the option to make sure that a production order is as targeted as possible.

>> Tatiana Tropina: Thank you. One moment. Acadia, I saw that your hand was going to the microphone.

>> Acadia Senese: I would just echo the comments that oftentimes, not because of any malfeasance, it's that the issuing authority or a judge may issue an order and not understand or fully appreciate the order that they've issued, meaning they don't understand the breadth of the data that they've authorized to be seized or the number of accounts that are subject to the order. Often, there's an ability of a service provider to just sort of raise their hand and say, "Hey, Judge, were you aware that this is what you authorized?"

Oftentimes the judge says, "Oh, no, that's not what I meant," and they revise the order. If the judge instead says, "Yes, I understood and this is what we authorized," that's a different question.

Bringing the facts to the Court to evaluate when they revisit the propriety of an order.

>> Tatiana Tropina: I will save a question for later. What if the judge is in the foreign country? But this is the question for later, because we have a Luis, you are the next one. And then Chris.

>> Audience: Also I'll raise the question about capacity building of the judges.

>> Audience: I have two questions. Microsoft and Google are extraordinarily large and wealthy companies. You guys could actually have the time to reflect it. There are service providers, little Internet providers that are literally mom and pop shop. There's no way they can start doing the kind of stuff that you guys are doing. They're not gonna risk the fine. So I'm wondering where their voice is in all of this.

The second thing is I've never really understood about the evidence directive is what we call in Dutch the principle of double illegality. So let's say that something is illegal in one Member State but not in another, or not completely hypothetical thing whereby a very Catholic member site can say you can't get an abortion, even when it's legal, and they get information that's very illegal in that Catholic country, but not illegal in the country where the abortion has actually gotten. I'm having nightmares from what's happening in the U.S., Alabama. Who knows what's going to come here. What happens here and where are the safeguards?

>> Tatiana Tropina: So who is going to take the first question about the small providers and how. Markko?

>> Markko Kunnapu: The question about smaller providers and that the capacity ability to handle those requests and then respond in a timely manner, especially when we talk about some emergency situations and when the deadline within ours. We have discussed this a lot as well. But, again, there was some criticism concerning the text and then provisions, but in fact, no one actually could provide some working solutions. First, when we talk about information society service and offering services abroad, then actually, how to assess with a company -- a small company or medium company or not. Because it could be the case that, yes, you have a few servers and then maybe just only a few people actually working there, but you may have actually hundreds of thousands, even millions of customers. So then in this case, can you consider this as a small company and then could this be excluded from the scope? Because it's not a secret that criminals, they know pretty well, actually, which companies would cooperate with law enforcement and which not.

Already, now we see many companies, they advertise and be bulletproof and they wouldn't cooperate with anybody and that they don't store data and things like this. It's quite difficult to have those exceptions.

As regards to capacity building, training, yes, this is important. You need to just train. It's also just the task of the Member States to provide sufficient training, not only for law enforcement, but also for judiciary. Yes, everybody should have certain baseline knowledge concerning cybercrime and then the electronic evidence. Again, in order to actually avoid these kind of situations that you would get really broad and confusing requests. The discussion that is been discussed at the Council of Europe and the European Union level is to use certain formulas, certain templates. Again, if you have those templates, then, the result, the age, actually, behind the request remains unclear or confusing, actually, these would be also used to minimum. Then this is something, actually.

Then, of course, when you have -- when Member States are going to implement these instruments at domestic level, again, you need to just make sure that everybody would understand, actually, that this is a template and then whether you should tick this box or this box if you need that information.

>> Tatiana Tropina: Phillip, I saw your hand up.

>> Phillip Amann: Just no relation to the practicalities of how you implement that, what you said, Markko, there is a lot of power in standardizing those requests, capturing the practical knowledge and how you do those things, having forms, templates. We have set up, for instance, a platform. One of the objectives of the platform is actually to say to give information how do you contact Facebook if you want them to take down in this case content. And it tells you this is the point of contact. This is how you do it. I don't know where they are currently with the writer's tool, but you have a tool that actually tells you if you go to this country, that provider, this is what you have to put into your request. Those are sort of the robust words that you have to use, so that they can legally respond to that. I think there is a lot of -- a lot that can be done to capture those things. And it's a link to the continuous education that not just for law enforcement, but a judiciary prosecution and judges so they're aware of the implications. I think there is a whole cycle. I fully agree that standardization and forms and capturing those practical aspects of how you actually implement that is very important.

>> Tatiana Tropina: Anyone else? Yes?

>> Markko Kunnapu: Also, I see the need for literacy preparedness for law enforcement. There is also for telecom operators that is recurring problems and times that prosecutors do not know what they ask for. For example, mobile communication, they may ask for all the traffic from a given mobile cell in the past 12 hours. Then they see a trove of data coming in, and they say we didn't request for that, but yeah, you did. They don't understand what they asked for.

Standardization is crucial, but I don't think that templates are enough. Even if you have a template but then the authority of police just keeps requesting via the template all the traffic in the past 12 hours, that's not gonna solve the problem.

But standardization is essential. It's not just about their request, because the request is not just a letter, you do send to the operator. It's about the whole process. It's how the authority gets accredited to the system of the operator to ping the system and get the request, and how the accreditation is checked by the operator and how the request is processed internally. Ultimately, how the evidence is communicated technically to the authority, which is a whole process with a lot of standards, protocols involved. That's why we reinforce the cooperation with the national authorities is the key because that's how you do establish this process.

>> Tatiana Tropina: So, basically, it echoes the comment about government to government cooperation.

For the purpose of time, I'm going to collect three next interventions, because -- four, and then get back to you. So I'm very happy that we have, actually, two law enforcement people in the queue. Chris, you're the first. Okay. So I'm going to bring you a microphone. Then three other.

>> Audience: Yes. Thank you very much. Thank you, Chris, for offering up your spot. My name is European Commission. I'm a member of the E-Evidence task force that prepared legislative proposals. I'm happy to see that this discussion is taking place with all these different stakeholders.

At first I thought it was a shame that I was not on the panel, now with all these difficult questions I'm happy to be on this side of the table than with Phillip and Markko and all the others taking all the difficult questions. I wanted to take this opportunity to bring to the table a couple of points. Some of the things that have mentioned here this afternoon, first of all, I would like to mention is that, of course, these legislative proposal, the E-Evidence proposal from April 2018 were prepared on the basis of very standard impact assessment at the European Commission. It's a very lengthy report you can find on the Internet. It has a lot of detail about percentages of numbers of requests, how many of them go abroad, etc. So if you're really interested in this topic, and I think some of the questions that were here today can be answered if you read the impact assessment. I would certainly recommend you to go there to our website and see that impact assessment.

What you will find there, also, is that we conducted quite a comprehensive consultation process to formulate the legislative proposals, consultation process that involves law enforcement authorities from Member States, from third countries, service providers, small ones, big ones, and NGOs, civil society organizations. So all of them. On that basis, indeed, we concluded that existing channels that can be used for obtaining closed border access for electronic evidence, like direct service cooperation with service providers, but also mutual legal assistance, really do not meet the needs of law enforcement. We can also see this is something we already concluded in 2016, but even more the case now that there is fragmentation at international level where different countries choose different approaches that do not necessarily overlap or have the same scope.

That puts a risk a lot. It puts at risk a legal clarity, certainty of service providers, but also of citizens, and the protection of fundamental rights. That's why we came forward with these proposals. Of course, to address all the concerns that have been mentioned, we included quite a lot of safeguards in the proposals, safeguards that, I must say, and I can say on the basis of the consultation and impact assessment that we did, are often higher than what you can find at domestic level in many European Union Member States. For example, there is the mandatory involvement of the judicial authority, an independent authority for each and every request. That's independent authority can check and proportionality of the request. That's key for us and a lot of Member States. I'm repeating myself. A lot of Member States you will not find this as a mandatory safeguard. In many cases we're going above what you can find in many Member States. That is, of course, to take account of the cross-border effect of these orders.

I think Markko already referred to the harmonized safeguards that we can find at the European Union level, when it comes to the protection of personal data, protection to the right of privacy, but also procedural rights safeguards, which are harmonized at the European level and can be used in the contest of the proposals.

To sum up, there is a robust framework of safeguards. As the commission, of course, stand by our proposal, even now there are discussions by the co-legislators, the counsel and the parliaments, also taking into account the opinions of the stakeholders. We are very much interested to hear that.

A few points on the basis of the comments that were made in addition: I would like to support Phillip, who, indeed, said that these proposals provides for investigative measures in the context of criminal law. That's something that we have to be aware of when we think about this. This is not about surveillance or intelligence. No, this is about criminal investigations where authorities, law enforcement authorities, have an investigation for a specific crime with a specific subject suspect and there are safeguards provided by criminal law. That is important to be aware of when we talk about these proposals, because a lot of the comments actually appear to go beyond that.

Also, what we should be aware of is that in an overall majority of the cases where these proposals will be used, we are actually talking about domestic cases or cases that are domestic in nature. For one of the largest service providers, also present here in the room, we heard, for example, the request that I receive 94% of those requests are really domestic in nature. So it's just a case where law enforcement authorities are investigating a crime with a victim in the country of the authority, with a suspect in the country of the authority. The crime happens in the country of the authority. It's just that the data is located on the server somewhere else or the server is owned by a company that's located in another country.

So this is the overall majority of the cases. These are domestic in nature. There was a lot of talk about the need for a dialogue, and the information that could be provided by service providers to authorities when I make a request. That is something that, of course, is not excluded in the context of the proposal. When you are doing that today, it's quite likely that you can also do that tomorrow if these proposals are adopted, of course.

Finally, there was a lot of talk about Budapest Convention, the Union and European Commission have supported the convention for many years. This is also the case for the negotiations that are currently ongoing. So I also wanted to underline that we have proposed for the participation of the Union in the negotiations and we are happy to see they supported that on the 6th of June. From that moment on, the Union represented by the Commission can also take part in these negotiations. We are fully transparent about that. The recommendation was published on the Internet. The negotiating directives are published on the Internet. We think this is not something that should be done secretly. It should be done in full transparency, because there are so many things at stake. We are fully committed.

Just a final point, because that was made by the colleague from Google, referring to Article 18 of the Budapest Convention, which has as a scope the offering of services in the territorially and on that basis then parties to the convention can issue an order. In fact, what I wanted to point out is that the legislative proposals from the commission have the same connecting factor. So offering services in the territorially of the Union. That is the connecting fact also for the evidence proposal. There is, actually, quite an interesting overlap there. Thank you.

>> Tatiana Tropina: Thank you very much. So I have four more people in the queue. I'm closing the queue for the interest of time. I will collect for intervention. I see that some of the speakers want to reply, but take note of what you want to say and I will come back to you. So now I have Chris first.

>> Audience: Thank you very much. Chris from the U.S. A question from Google. You talked about they want to be able to reduce the scope of any request or order that you've received. Obviously, based on the data that you can see who it might be affected. You're obviously saying that you see a number of requests anyway. So how would you raise awareness for the police forces and the judges to stop those orders and then slightly tongue in check would you do the reverse where you have a request? Would you look to be open and say this probably isn't broad enough. If you changed your order, that way? Two questions.

>> Tatiana Tropina: Right. These require immediate answers. Acadia, from you and I'm bringing microphone to Microsoft.

>> Acadia Senese: For Google's part, we try to do as much engagement with law enforcement as we can, recognizing that there's far more law enforcement officials than there were of the folks at Google who know this work. I would say that the Spock model is the best model that we have encountered. What I mean by that is a single point of contact who are the experts in any particular jurisdiction who understand the company, understand the data that it holds, and are very familiar with the kinds of things that can be sought and how to ask for them. So for the jurisdictions like the UK that is a Spock model, those jurisdictions do a much better job in crafting orders that are narrowly tailors than those experts that don't have those contacts in the law enforcement community.

The second question, will service providers look beyond the order to do their own investigation to see if they have anything helpful, which I think is what you're asking. The answer is no. Speaking for Google, when Google gets an authorized order to search, we search what's been ordered by the issuing authority and we don't go beyond that. So our search is limited by what the Court has ordered us to do.

>> I think I can copy and paste the answer. We look into the orders that we suspect and I have those examples, but already gave one of them. It's the second question is a good one. I do not have any examples of this. So I think the law enforcements are well aware of what they want. Of course, more aware than we because we are not the law enforcement. He's going to decide. So, no, we don't help law enforcement with their investigations. I think that would be not -- well, I can imagine that if they ask for the data, I don't have these examples, but I can't imagine if he wanted data from a certain suspect who is part of a certain domain, so to say, and you're asking a totally other domain, you would say the data you request right now is not the data that you want, but I think these situations do not occur. It's a great question.

Also, a little small comment on how small service providers are not able to do this. That's why we don't want to have an obligation, but just an option, so that small service providers are not liable when they do not object to certain production order.

>> Tatiana Tropina: Thank you very much. Next in the queue I have Claudia.

>> Audience: Hi. I'm actually a judge, so it's been funny to hear you guys talking about us. And so I'm here. I'm an investigating judge in Lisbon. And I just wanted to be brief and I'm happy to see that Microsoft is on the same page that we are. One thing for us is crucial: We don't want more information than we actually need. Too much information is actually bad for us. So regarding the future production order, it will follow the same pattern as the other European instruments. It will have an Annex, arrest warrant, and that helps a lot in focusing information.

On the other hand, that's something that been very crucial for me. I'm very happy to be in this forum, is that we need a dialogue with companies. We need -- there has to be a dialogue between the judiciary, the law enforcement, and private companies, because sometimes we don't have enough knowledge, enough digital literacy. You guys also need to help us having it. It cannot be just a role for the government, because the government itself may be in the dark. So we need to talk to each other. And if I happen to ask Microsoft or Google or another service provider for too much information, I would be happy to have an answer like you told me.

You are asking for too much, don't you want to focus? So we need to keep this dialogue going. And I hope to see the production order coming forward as soon as possible because it's. We are not information agency. We are not secret service. We act in the role of democratic institutions. So we actually are the good guys. And we are here to catch the bad guys. And I'm counting on you to help us doing so. So thank you.

>> Tatiana Tropina: Thank you very much. I see some of the panels want to reflect. Please take a note. I will take the last two intervention and I will give the floor to you. Yes? The next?

>> Audience: Hi. Katherine from the Applied Services. I'm conducting research on what it was mentioned at the very beginning. I was happy to see that there was an acknowledgment on that we within the framework we have the additional cooperation which has been widely discussed here. There is also -- so I wonder in all the interventions it has mentioned that both have flaws and also that have been not been working perfectly. My question goes back to the voluntary cooperation framework. What kind of measure -- what kind of indicator are you taking into account to measure success or failure of this frameworks of cooperation?

>> Tatiana Tropina: Very much. I will take the last question, the last intervention and then I will just give it to the panel and you will reflect on whatever you want to reflect upon.

>> Audience: My name is Miguel and I'm working just across the street. It was very interesting to hear all those various perspective judiciary, law enforcement companies, researchers, and I would just like to very briefly add one more, and that's the perspective of the coordinator. We are coordinating cross-border to make sure judicial authorities can cooperate in a sound way and don't get into each other's way when doing investigations of linked cases. Linked cases is what you usually have when you talk about cybercrime, which is in the title of this session, you have victims in very many countries. You have the way the criminals themselves are distributed over many countries, the way they provide crimes as a service to each other.

This is a huge challenge. It makes it very complex to address. For that reason, I think it's a very -- a step with a great potential that lies in the E-Evidence package and also in what the counsel of Europe is doing, that we are at least trying to find ways to not involve those states, not really having a substantial connection to a certain case. This is a little bit echoing what Markko has described. We also need to involve states just out of the pure coincidence that a service provider that is relevant, that holds relevant evidence, is located in that state or that data is stored on that state's territorially.

So I think the E-Evidence package has a real step forward in that regard. It is difficult to think of other states that could play that role. So which would be the relevant state to make a decision? The state where the data subject resides? Most of the cases you will not know where that is.

So I think the right way forward is that you try to compensate this as it was called taking away of that layer by creating additional strong safeguards on the side of the issuing state, just to add this from the perspective of the coordinator.

>> Tatiana Tropina: Thank you very much. And before I will give the last word for the session to our speakers, I would like to sum up a bit. I see that for now we really have a bit more questions than we have answers. We do have strong disagreements. While I'm very happy that we have such a diverse stakeholder panel here, law enforcement, academia, I think it could have been much broader, lawyers, bar associations, and so forth. I know we were going to wrap up talking about the next challenges, but I think that the entire discussion is already on the next challenge. So I would just give the microphone to all of you to maybe lay out the challenge for you and also to reflect on anything you heard here to answer the questions, and I will start with Phillip.

>> Phillip Amann: Thank you, Tatiana. I think that was a very good discussion. We could have spent much more time to include many more people and get many more opinions. That's important. Just before I start, I want to say the Microsoft is under my name, but you said things like you don't support law enforcement and so on, I just said this was not me, this was you.

>> Tatiana Tropina: For the record.

>> Phillip Amann: So I don't get back to my office and my boss tells me thank you.

[Laughter]

>> The other thing is, and it goes very much, just to explain we are not the FBI. We support Member States. I think that's important also, as you said Microsoft. When you see we're in a very strong position because we see the issues and we can hopefully create this network of networks, networks of networks, to provide an answer. And that brings me to one of the points. I don't know who said that now. One of the things we do is we work very closely with industry. We have advisory groups for the Internet security committee, advisory group for community providers. We have an advisory group for the banking sector, financial sector. And that's public/private partnership, but participation that we always like to add. This is key for us.

Then we can understand what are the issues. For instance, two days ago we had the second meeting this weir with the advisory group on communication providers. And it was all about 5G. It's great whether that will be a resolution. Is that really considered in the development of standard in law enforcement? We have this forum that we can discuss with experts. The same goes for all the other challenges. For us this is a great forum to hear the other side and see where is the common ground. We can explain our views. Equally we get back the view from industry or the communication providers and say these are the challenges. That's vital to us.

I really subscribe to that. It can only be a networked approach. We have to have, as a society, to come together to address those issues. A company for that matter, I don't think companies should set the reality which is sometimes due when they implement the technical solutions and say this is it now without involving the broader discussion around that and say what are the implications of that it's great to have this very strong focus and privacy. From where we stand, privacy security safety, this is not a zero sum game. This is something that has to go hand in hand. You cannot cut out law enforcement. You cannot cut out the judiciary and solely focus on privacy, then you're missing the safety and security part.

We need to talk. We need to create this network. We need to have this mutual understanding of the challenges and the needs and the requirements. And I think that's the way forward to solve this problem that we face. And I think just to end with so what are the challenges? I think I highlighted some of the key challenges. 5G, if I want to be very specific. 5G is definitely gonna be one. Encryption, the criminal views of encryption, certainly, one of our key challenges. Big data volumes, the fact that the volume of data that we sometimes get in the area of child sexual abuse, this is no longer something that we can solve with human resources. We also need to look at technology. And I think we didn't get a chance to talk about artificial intelligence. I don't particularly like that term. But it's things like machine learning. How can we use that to help cybersecurity and law enforcement. It's very, very exciting. We'll take a look at technology to help us solve some of the issues to make sure that we get the best service, that we can use the benefits of technology and make sure we work together, have safety security and privacy all together. Thank you.

>> Tatiana Tropina: Markko, you are next.

>> Markko Kunnapu: Okay. I think that if you just look at the statistics everywhere, then you can see that the number of cybercrimes and supervisor-enabled crimes is increasing. The problem is that often perpetrators, criminals behind those crimes, they just get away with these, because the very low rate of detection, sometimes low rate of successful investigations, this is something, actually, that has also been facilitating the situation. So, therefore, we need something additional. We would need those new legal frameworks, regulation, and second edition of the Budapest Convention for access to computer data. This is what we need.

A colleague from the Commission already mentioned that before Commission came out with this draft proposal, they made extensive work, then also drafted a quite comprehensive explanatory report. In regards Council of Europe and draft of the second protocol Budapest convention, we don't have the draft text. All the drafting and the negotiation is being done in a different manner. Still, we have plenty of information and background information, different reports, studies that were carried out by cyber convention committee, and then this information is also available on the Council of Europe website. Still, right now the cyber convention committee is working with the draft text, just slowly, article by article. Every year, also, we try to have some sort of public hearings, also meetings with other stakeholders, industry, law enforcement, level society, data protection.

This year, actually, we will have a conference in November and again there will be not only one, but several workshops on the protocol and issues that have been addressed there, including elements and then also condition safeguards. Most of the things and most of the points and then concerns that were raised here today, these are the issues that we are going to discuss as well. So you can also -- although we don't have the text and it's not so easy, actually, to follow the negotiations, discussions, and then provide written comments, still there is some information which is already available or actually the elements for the second edition protocol, and then background information, also explanations why we have situation like this and then what are the reasons. So this is something that you can use.

Also, as regards a different frameworks, we have also already realized that EU has a specific, let's say, ecosystem, I could say, recognition principles, fundamental rights, GDPR, and all these standards as well, procedure law and then substantive law. That means for the second edition protocol, the discussions are different. Even if we can agree certain principles at the European Union level, we need to think how this would work with third countries as well. As I mentioned when it comes to the protocols, right now we have 63 state parties, and the solution actually has to work for everybody. So that means that conditions, safeguards, notification, so everything needs to be there as well.

We don't know when we'll finalize the text of the protocol, but we hope that they would arrive soon.

>> Tatiana Tropina: Thank you very much. I saw that you wanted to answer European Commission convention and maybe you can wrap it up from your perspective as well.

>> I would like to react from what the Commission said. I acknowledge the huge work that was done by the commission. I was observing it as it was developing. And it was great work and great effort. There is no doubt about it. I acknowledged the creativity of the instrument, but hard work is not a guarantee of perfection or of a great result, unfortunately. It doesn't mean that there are no flaws in the system. And I would like to make several points. I would like to respond to three, because I think the need -- there needs to be a response. You said safeguards are harmonized in the EU. No, they are not harmonized. Some of them are harmonized. That is the roadmap. Some of the more harmonized. For example, access to lawyer. Okay. This is important, but this is not crucial here. But problems that we discussed were thought subject to harmonization, not to mention the substantive criminal law, which is also a problem.

What we discussed, what you mentioned about abortion, I believe, so we have plenty of problems with harmonization is nonexistent. I don't think harmonization is the solution here. Then you said that there are a lot of remedies. There are conditions. I agree. Some of them higher the threshold in capacity law. For remedies for personal concerns, we have a chapter on remedies. There are three Articles. Out of those three, two are on the conflict law only for the service providers. One is for the persons concerned, what does it say? This is for the Member States to legislate on that. It's limited only to the Member State that is investigating and prosecuting. If you call this a lot of remedies, then I don't know what it means to have a lot of remedies. But I don't think that.

The third point, you said majority of the cases will be domestic. Fine, but there is also the minority where all these problems will be exacerbated. People many not know and there will be requests for data and they might not know about it. You cannot use an argument, in my opinion, that majority will be fine if minority will not be. If majority will be fine as well, that's another question. But I don't agree with this. Of course, the whole problem started with domestic cases. We know that with cases like the Belgium Yahoo case. Law enforcement couldn't get the data. Then this proposal creates a system which is broader than that. And I think all the consequences should be thought through to the end.

>> Tatiana Tropina: Thank you very much. And I know that I hope that you can stay here for another five to seven minutes so we can really wrap up this wonderful discussion.

>> Paolo Grassia: Yes, I would be very, very brief. As I said, the discussion just showed that we are in a single market in the European Union, but criminal law is not harmonized. And the direct access to providers in other Member States can make up only partially to the lack of cooperation, and also trust among authorities that is also at the origin of this kind of proposal.

But there are developments in place. For example, we have a newish investigation order, so I would be very curious to see how it gets implemented. Maybe a few years down the line that may show that the need of the E-Evidence Proposal was not as big as it was originally first seen.

Also, it would be very interesting to understand how in the eyes of the legislators and then the decision-makers that the E-Evidence Proposal ultimately needs to be implemented, because we are talking about principle, which is right, but in the end there have to be legal and technical solution to be put in place, either by centralized system or let's say, but this is a discussion that seriously needs to be tackled. Maybe eventually we do understand that the technical solution that would be in place would also promote more cooperation or smoother cooperation among authorities of different Member States, or would require eventually more cooperation among authorities in different Member States. Then we are back to square one. What matters, really, is government-to-government cooperation.

>> Tatiana Tropina: Thank you very much. Acadia, you will be the last with you not least.

>> Acadia Senese: No pressure. Thank you. One quick reaction to the commission: First, the commission should be commended for its stakeholder consultation process, which absolutely was thorough and very much welcomed, one of the more extraordinary that we have seen occur. So thank you for that.

One point of clarification, on the Article 18 jurisdiction provision with respect to the Budapest Convention, it is true that the commission's proposal with the E-Evidence regulation borrowed from the Budapest Convention's Article 18, but the regulation eliminated important requirements of Article 18. And I think that bears mentioning, because the elimination of those requirements fundamentally changes the jurisdictional provision of the regulation as prepared to the second Budapest Convention.

Summing up, I think -- and I've said this to some colleagues and anyone who can listen, I can't remember another time when there were so many legislative proposals about this data. It's welcomed and what we need in terms of lawful access to data, in terms of developing frameworks with safeguards, with harmonization, with proper procedures and safeguards. So I think this is actually a very exciting and, frankly, crucial time with respect to E-Evidence, with respect to the Budapest Convention, with respect to the cloud act, with respect to the EIO, to see how it develops. And I think it's an important time to ensure that it's a moment to elevate privacy protections and safeguards in this space, but it's also an important time to ensure that these frameworks are harmonious, that they do the things they intend to do with respect to resolving conflicts of law, and that they are cohesive. So I’m looking forward to those discussions.

>> Tatiana Tropina: Thank you very much. Actually, there is one person in the room I don't envy, and this is the reporter of this session. I really don't know, because as a moderator, and I know the topic, and, honestly, I will not be able to I'm wondering what the challenge here is.

>> Andrijana Gavrilovic: Well, if I could sum this up the way I want to, it would be very exciting. Frankly, to quote you, we discussed a lot of things today. It was very, very dynamic. The way this works is that I read the messages and you tell me if you strongly agree or strongly disagree. The messages will be up for voting later on by the community, so there will be changes. Changes will be possible.

So we said that a lot of discussion revolved around government-to-government interaction. So instruments that involve government-to-government interaction are preferred by some of the actors, stakeholders, in order to ensure that that human rights are respected. Does anyone have a real pushback on that? That is fine. We also said law enforcement are the good guys, or that we should all collaborate. So raising digital literacy in law enforcement and judiciary, including prosecuting and judges, also telecom operators is crucial. That's all right?

And then we said that it's very important for the second draft protocol to work for everyone, including non-EU countries, so conditions and safeguards and notifications have to be present.

I have room for two more messages. That is possible. I don't know how long you want to stay here for or if we can agree on two things, or if you're all right with these three.

>> Tatiana Tropina: I actually think that this message would be ready for comments. If there are additions, if there are other points to raise, you can always raise them.

With these, thank you so much. And thanks so much to our panelists and to everyone who contributed to these discussions, who were not on the panel, and yeah, thank you. And my amazing co-moderator.

[Applause]


This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document or file is not to be distributed or used in any way that may violate copyright law.