Tutanota signs Open Letter to improve e-evidence.

The EU Commission has drafted a proposal for e-evidence that would allow authorities to request data from communication providers across borders. Data protection professionals consider the draft in its current form far too broad. Tutanota has now signed an Open Letter to the EU Parliament asking it to include important restrictions and add better legal oversight to the draft.


Why e-evidence is problematic

The Commission’s e-evidence proposal threatens the competitive advantage European tech businesses have over their American counterparts. It breaks with the long-standing rule that only trusted national judicial authorities can order companies to hand over customer data for criminal investigations. Instead, the Commission’s e-evidence proposal would allow any foreign law enforcement agency from across the EU to force us to hand over customer data without our own authorities double-checking the foreign order.

How to fix it

Rapporteur Birgit Sippel has published a draft report to fix several issues of e-evidence. This is a very good first step, but further improvements need to be made to protect European citizens and their data.

The Rapporteur’s draft report contains a number of crucial improvements that deserve support:

  • It suggests involving national judicial authorities whenever foreign data requests come in (amendments 127, 141, 142, 161);

  • It fixes the Commission’s failed attempt to define workable data categories (amendments 90-97); and

  • It enables online service providers such as ourselves to inform our customers about foreign data requests having taken place as long as that does not obstruct an ongoing investigation (amendments 163 and 164).

We strongly encourage you to support the above-mentioned amendments. In addition, the following provisions should be improved:

  • The reimbursement of costs incurred from data access requests by the issuing authority should be mandatory (as proposed by MEP Sippel’s amendment 168), but the reimbursed amount should also be proportionate to the amount of data requested. This would help prevent fishing campaigns without suspicion, where a law enforcement agency demands large amounts of data in the hope of finding unrelated evidence.

  • The draft report should mandate a secure way of authentication and of exchanging information between companies and law enforcement agencies. Currently, too often tech companies receive requests for data via fax machine or unsecured emails, putting the data that is transmitted in both directions at risk. It is particularly crucial for companies to be able to authenticate with absolute certainty the foreign authority they are communicating with in order to avoid the leakage of customer data to malicious actors.

Read the full open letter by Privacy Tech Europe.