- Setting the scene*
Informality is a common trajectory of composite reflections over data government. On this field of action relevant legal and social matches have been increasingly played on a global scale. Not only all that is formal in the law has an informal side in nature, but also not all data that is under legal regulation produces a formal outcome[1]. This aspect is particularly relevant in the field of information sharing and data transfers. The fragmentation of state sovereignty facing cyberspace is tangible at various levels, but modalities are often left to informal decision making[2]. For instance, the sharing of regulatory competences among private actors and public actors, on the one hand, and the shift of nation states’ jurisdictional boundaries, on the other hand, mark a threshold between lack of regulation and informal exercise of power. Patterns of societal interdependence that underpin global data flows change over time. Practices of informality are often the result of discretional ways of world making among institutional actors. Adding a flexibility feature to formal rules could be a lubricant of institutional relationships even amongst Europe and third countries. In this perspective, the law can play a big role as an integration mechanism of competing purposes in data sharing, but should be coupled with adapting processes of social interaction among new players. These challenges question the sustainability of a model centred on the idea of knowledge as a commodity based on data exchange.
The aim of this reflection is to focus on the substantial core of what data is, and re-think data throughout subsequent levels of analysis: as an object of regulation and control; as an element embedded in the social dimension of the law; as an exchange value of fragmented individual identities as a result of the most cutting-edge techniques of data processing.
The concept of informality could be intertwined as a fil rouge across three different research strands: 1) extraterritorial challenges to state sovereignty and judicial jurisdiction; 2) cross-border law enforcement access to information; 3) the interaction among public actors and private actors in data gathering and sharing.
What is the informal dimension which comes across such different areas of data government?
Extraterritorial claims over cyberspace significantly call into question spatial categories but do not necessarily depend upon a formal derogation to the principle of territorial jurisdiction. They are mostly tied to the exercise of sovereign powers as control over the broadest share of conducts and individuals and regardless of territorial boundaries. As long as nation states can, the adjudicatory criterion of territorial connection is used as a trigger to enhance jurisdiction over the highest number of relationships regarding data gathering and sharing.
This phenomenon is strictly connected to the actors deputized to control data flows. Data transfers to third countries quite regularly overlap with data transfers from private sector data to public actors. The blur of purposes in data gathering and sharing among foreign countries as well as public and private actors models either competing or cooperative legal dimensions.
Private actors, because of their technological expertise, act as intermediaries between the individual interest in controlling personal data flows and nation states’ interest in gathering huge amounts of untargeted data. In their “in-between” position, they are entitled to negotiate their own interests (such as, for example, intellectual property rights) with nation states, apparently in the name of individual rights protection. Thus, the crisis of sovereignty could be observed also throughout the outsourcing towards the private sector of the balancing test between individual rights protection and public authorities’ interest, that has been traditionally carried out by the nation states.
- Extraterritorial challenges to state sovereignty and judicial jurisdiction
A sovereignty model centred on the notion of territory shows numerous shortcomings.
In an “on-line” world the territorial dimension struggles to apply to the digital reality, whereas in an “off-line” world, jurisdiction and sovereignty are conceived as two sides of the same coin: sovereignty has been traditionally defined as the exercise of jurisdiction by a state over a territory.
Thus, the idea of an “off-line digital jurisdiction” evokes an inherent conflict that characterizes contemporary legal systems: in cyberspace, sovereignty is not conceivable but, at the same time, states continue to exercise jurisdiction.
The new reality created by the digitalization and the free flow of information challenges the general distribution of power on a geopolitical scale, affecting the practical enforceability of jurisdictional rules in the digital world.
The implications of this phenomenon are wide-ranging and deserve to be examined from many different angles. The authors have chosen to address the most relevant issues raised by extraterritorial jurisdiction over data and observed through the lenses of the major transformations in state sovereignty. In particular, the nature of information curtails one of the core elements of domestic law: the territoriality principle. The category of territory has been indeed conceived as the basic foundation of the Western concept of law, as the condition as well as the scope of application of the law.
Even though cross-border relationships characterize many aspects of our contemporary life, legal constraints which frame them are still dependent on traditional spatial categories, which are no longer consistent in the context of global relationships mostly untied to the physical location of persons and goods, and namely data.
In the field of data protection, this aspect is critical as the ubiquity of data calls into question the scope of court jurisdiction, especially with regard to cross-border data transfers.
There are many examples including cases pending before national and supra-national courts in which states could be held accountable for the violation of information rights of foreigners. For instance, there are several lawsuits originated by the overarching US-UK mass surveillance scandal[3]; or cases of cross-border violations of privacy rights of citizens perpetrated by third parties, stigmatized by the Google Spain case[4]; or cases in which States seek to assert sovereign powers over data related to their citizens which are located outside of the territory. This was for instance the case in the well-known Microsoft litigation recently brought before the US Supreme Court (and subsequently mooted by the CLOUD Act)[5].
These judgements highlight how questionable the idea of sovereignty over data is, amongst other reasons, because of the intrinsic character of data, which are peculiar goods: they are “non rival in consumption”, intangible and un-territorial. Because of their non-physical location, they can be accessed and used by several persons at the same time in different places.
The un-territorial character of data would then deserve “non territorial jurisdiction”, which is not, according to international customary law, a legal category: everything that in nature is not territorial, implies either a territorial extension or an extraterritorial jurisdiction, which is in both cases exclusive and not alternative. Nevertheless, both these options, which have been extensively debated, do not deviate from the territoriality principle.
In the case of jurisdiction over data, the enlargement of the territorial scope of EU law as well as the extraterritorial jurisdiction of the EU entails the identification of a different notion of sovereignty. The Internet as “everybody’s land” has not yet been accepted within the state sovereignty perspective[6].
Therefore, extraterritoriality turns out to be one of the new potential legal dimensions which can be explored to cope with the un-territorial character of data; it could be also an efficient vehicle to export a model of rights protection and security which strongly identifies the cultural threshold of legal systems.
The underlying idea is to question whether European law might be competitive with other legal systems, by strengthening the extraterritorial protection of fundamental rights against data nationalism as regards trans-border relations and, in particular, by widening the scope of the jurisdiction of European courts in such cases.
The attempt to explore novel legal frontiers for the un-physical nature of information untied to the notion of state borders and not necessarily overlapping with the idea of jurisdictional enforceability takes into account a) models of extraterritoriality assessed by international lawyers; b) the applicability of such models to data.
The goal is to go beyond the state of the art by depicting also what, in terms of geopolitical relations, the exercise of jurisdiction for activities occurring outside borders could lead to, seeking to focus on alternative adjudicatory models to the territorial connection.
- Public-private partnership in the context of the new data protection framework
Nowadays legal systems of most Western countries face relevant changes in the politics of information control. The rise of advanced technologies has magnified the capability of new players to control both means of communication and data flows. To an increasing extent, public authorities are sharing their regulatory competences with an indefinite number of actors, by imposing preventive duties on the private sector, such as information gathering and sharing (e.g. on telecommunication companies for data retention purposes). This trend leads to a growing privatisation of surveillance practices. Private actors are not just in charge of the operational enforcement of public authorities’ decisions in security matters. They often are the only ones holding the necessary expertise and thus profoundly shape decision making and policy implementation.
In the context of information sharing, and particularly in the area of interoperable information systems, technical platform integration or information hubs function across national boundaries and across the traditional public-private divide. Most of the web giants are established overseas, so that often private actors – voluntarily or compulsorily – transfer data to third countries. Companies do not just cooperate with public authorities, but effectively and actively come to play a part in bulk collection and security practices. They identify, select, search, and interpret various elements on the basis of so-called “data selectors”. Private actors, in this sense, have become “security professionals” in their own right.
Systematic government access to private-sector data is carried out not only directly via the access to private sector databases and networks but also through the cooperation of third parties, such as financial institutions, mobile phone operators, communication providers, insurance companies that maintain the databases or networks available.
The significant blur of purposes among different layers of data gathering – for instance, commercial profiling techniques and security – aims at exploiting the “exchange value” of individuals’ fragmented identities, as consumers, suspected of certain crimes, “good citizens” or “other”. Systematic government access to private-sector data may not only affect the exercise of civil and political liberties as well as the protection of fundamental rights, but also the very intimate individual freedom[7].
Some have argued that the most important shortcoming of the 2016 data protection reform is that it resulted in the adoption of two different instruments, a Regulation and a Directive. This separation is a step backwards with reference to the objective envisaged by Article 16 TFEU – which instead promotes a cross-sectoral approach potentially leading to a comprehensive instrument embracing different policy areas (including the AFSJ) in the same way. That is a weakness because the level of protection envisaged by the 2016 Police Data Protection Directive is de facto lower than in the Regulation, as data gathering for law enforcement and national security purposes are mostly exempted from general data protection laws or constitute exemptions under those provisions even at the EU level (Recital n. 19 and art. 2, d), GDPR). Furthermore, what happens in practice mostly depends on contractual clauses signed by individuals every time they subscribe to terms and conditions as clients of service providers and media companies.
- Cross-border law enforcement access to information
The interest of law enforcement authorities in accessing electronic data has increased proportionally to the growing processing of personal data by private companies. Such a trend often falls outside traditional legal channels of transnational judicial cooperation.
EU Member States have traditionally privileged the model of mediated access to authorise the law enforcement access to data in a transnational context. The “unmediated access model” lacks the scrutiny of an independent judicial authority in the requested state to validate the lawfulness of accessing and processing data. Under this model, a third country may assert the authority under its own national law to access electronic data stored in EU territory. The risk is to create multiple conflicts of law when, in spite of the requesting country’s power, the transfer of data triggers legal effects in the country where a private company is requested to hand over that/those data. The “hybrid access model” raises similar challenges due to the lack of a proper oversight system by an independent judicial authority. It is also affected by accountability and transparency deficits with reference to the decision allowing for access to information.[8]
In 2014, a major step forward in the international cooperation in evidence gathering among EU Member States was the adoption of the European Investigation Order (EIO),[9] which becomes the sole legal instrument regulating the exchange of evidence and mutual legal assistance between EU Member States. It helps in overcoming the undesirable fragmentation of legal instruments for the collection and transfer of evidence between EU Member States, in compliance with the defendants’ fundamental rights. This major legal development expressly establishes the fundamental rights parameters of the operation of the mutual recognition principle.[10] The provision sets limits to blind mutual trust among Member States and confirms that the presumption that all Member States comply with fundamental rights at all instances is rebuttable. The path towards the adoption of this instrument was lengthy and difficult. The challenge was that of allowing for the swift and the efficient cross-border judicial cooperation in criminal investigations in the EU and the admissibility of the evidence obtained abroad, while ensuring a high standard of procedural rights of the defendants involved in them.[11]
The Commission has recently presented two new proposals on e-evidence which would enable law enforcement authorities to request (“production request”) or compel (“production order”) a third party, i.e. a service provider, in another Member State, to disclose personal data about a user, without the request or order having to go through a law enforcement or judicial intermediary in the other Member State.[12] These proposals witness an additional shift away from traditional MLA agreements, involving the “direct” cooperation between law enforcement authorities seeking to obtain electronic evidence and foreign service providers in (exclusive) control of it. MLA existing mechanisms are in fact considered lengthy and complex. Law enforcement authorities thus often disregard them in order to address requests for information directly to foreign service providers via mechanisms of voluntary disclosure, bypassing the judicial authority where service providers are established or targets habitually resident. Such mechanisms constitute a de facto extraterritorial reach of national investigative powers, as well as an extension of the “sword” function of criminal law via the further “privatization of security”.
At present, third-country access to data outside established legal channels of mediated assistance (MLAs) poses a number of fundamental rights’ challenges, with reference to issues such as “jurisdiction transfer” (or operations outside own jurisdiction); unclear legal basis; and/or lack of compliance with (EU) data protection rules. In this context, the most recent proposals within the EU are deeply influenced by what happens across the Atlantic. Particularly relevant has been the Microsoft case concerning law enforcement authorities’ unmediated access to data held by private companies, where the US Supreme Court was expected to decide whether territorial borders matter when it comes to data, but the case has been subsequently mooted by the CLOUD Act (“Clarifying Lawful Overseas Use of Data Act”)[13]. In response to the uncertainty highlighted by the case, the CLOUD Act, passed on 23 March 2018, specifies that all of the 1986 Stored Communications Act’s provisions on required disclosure apply regardless of the location of the communications or records.
- Perspectives
Legal arrangements for information management within the EU establish multiple horizontal interactions between authorities from different Member States as well as vertical interactions between national authorities and EU agencies. Inputs come from different levels of executive interaction. Data are thus increasingly integrated into informal mechanisms of transnational governance, which leave a perilous discretion to security executives. One of the questions is whether traditional accountability mechanisms must be reinvented to face new challenges and address the existing “accountability mismatch” both from the side of public powers as well as from the side of private shared competence.
For instance, initiatives for the exchange of information are part of a broader “information management policy” of the EU. It is meant to improve shared knowledge of common threats between competent national authorities, which is a core element in the fight against serious crime.
Terrorist attacks and the pressure coming from migration flows keep information exchanges at the top of EU priorities in the Area of Freedom Security and Justice. In this context, EU institutions and agencies as well as national legislators have ambitious agendas on law enforcement authorities’ access to interoperable information systems, which have eventually become a defining feature of the AFSJ.
In addition, cross-border direct access to electronic information held by private companies has become an EU priority in a reform of mutual legal assistance practices. Interoperable information systems are the most advanced form of information exchange, since they confer direct information access to competent authorities. At the opposite side of the scale, there are conventional forms of mutual legal assistance, lying at the lowest degree of informational integration. Similar dynamics and trends yet emerge in both fields, including law enforcement and judicial cooperation, witnessing a paradigm change in information management and fostering the emergence of new forms of formal and informal cooperation in the exchange of data.
In both cases, these are mechanisms to exchange raw material (data and/or information) for police/judicial investigations and prosecutions, which at a later stage, could become evidence at trial. There are of course a number of procedural and evidentiary issues to address, possibly reimagining procedural traditions, to address possible admissibility criteria also of improperly obtained evidence. The possibility to use information at trial could indirectly also regulate gathering and processing means and safeguards in order to facilitate their admissibility.
Besides, shared regulatory models between law enforcement authorities and private actors, such as communication providers, open two scenarios for further discussion. The first is the government of cyberspace which shows the clash between competence sharing beyond the public/private divide and the territorial limits imposed by jurisdiction. The second is the scrutiny of private actors’ conduct towards individuals through the assessment of liability rules. The proactive role of EU law in ensuring higher standards of protection,[14] besides being a way of fostering the rise to the top of competing legal systems, lets us focus on the lower degree of the interaction between individuals and media companies, that is, terms and use of services. Such reflection ultimately addresses the issue of data quality in a context in which decision-making processes are often mediated by the use of algorithms. According to the well-known principle “garbage in/garbage out” it is very important to select reliable data as misleading input of data may undermine not only data sharing itself but also the democratic character of the whole decision-making process.
* These reflections are the outcome of a workshop organized by Mariavittoria Catanzariti and Francesca Galli in the framework of their appointment as Jean Monnet Fellows at the EUI during the year 2017/2018.
[1] See M. Kleine, Informal Governance in the European Union (Cornell University Press, 2013), 36-58.
[2] See M.N. Schmitt (ed.), Tallinn Manual 2.0 on International Law applicable to cyber operations (Cambridge University Press, 2017), 52.
[3] See Big Brother Watch & Others v. UK, Judgment 13 September, even though the Court missed an occasion to address specifically the issue of extraterritoriality, taking for granted the universal application of ECHR. For a first analysis see M. Milanovic, “ECtHR Judgment in Big Brother Watch v. U.K.”, EJIL Talk, 17 September 2018.
[4] Case C-131/12, Google Spain SL v Agencia Española de Protección de Datos, Judgment of the Court (Grand Chamber) of 13 May 2014.
[5] 829 F.3d 197 (2d Cir. 2016), petition for cert. filed, (U.S. June 23, 2017) (No. 17-2); see Brief of EU Data Protection and Privacy Scholars as amici curiae in support of Respondent in United States of America v. Microsoft Corporation, Supreme Court of United States, n. 17-2, available at https://www.supremecourt.gov/search.aspx?filename=/docket/docketfiles/html/public/17-2.html.
[6] For a complete analysis on this see D.J.B. Svantesson, Solving the Internet Jurisdiction Puzzle (OUP, 2017), 90-112.
[7] See I. Rubinstein, G. Nojeim, R. Lee (eds.), “Systematic Government Access to Personal Data: A Comparative Analysis” (2014) 4(2) International Data Privacy Law 98.
[8] See S. Carrera et al., Access to Electronic Data by Third-country Law Enforcement Authorities, Challenges to EU Rule of Law and Fundamental Rights, CEPS (Brussels, 2015).
[9] Directive 2014/41/EU regarding the European Investigation Order in criminal matters, [2014] OJ L130/1.
[10] S. Allegrezza, “Collecting Criminal Evidence Across the European Union: The European Investigation Order Between Flexibility and Proportionality” in S. Ruggeri (ed.), Transnational Evidence and Multicultural Inquiries in Europe (Springer, 2014), pp. 29–35; S. Carrera et al., Access to Electronic Data, pp. 48-54.
[11] L. Bachmaier, “Mutual recognition and cross-border interception of communications: the way ahead of the European Investigation Order” in C. Brière and A. Weyembergh (eds.), The needed balances in EU criminal law: past, present and future (Hart, 2017).
[12] Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters, 17 April 2018, COM/2018/225 final – 2018/0108 (COD); Proposal for a Directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings, 17 April 2018, COM/2018/226 final – 2018/0107 (COD).
[13] H.R. 4943 – The Clarifying Lawful Overseas Use of Data Act (also known as CLOUD Act), 6 February 2018. For a comment see S.T. Mulligan, Cross-border Data Sharing under the Cloud Act, Congressional Research Service, R45172, 23 April 2018.
[14] See Opinion 1/15 of the Court (Grand Chamber) on the EU-Canada PNR agreement, delivered on 26 July 2017.