The late night attack Saturday on London Bridge that left eight people dead and close to 50 injured has put the spotlight once more on digital data privacy and the ongoing discussion over access to data stored on the servers of data management vendors.
European justice ministers will meet Thursday to examine three proposals from the European Commission on providing security services with access to data of those who are suspected of illegal activity.
Tech Vendors and Data
Tech companies have come under increasing pressure to provide data owned by these individuals to police forces or security services, but so far they have resisted.
The case came to what appeared to be a head in the US in July 2016 when Redmond, Wash.-based Microsoft won an appeal against an earlier court decision ordering Microsoft to hand over the emails of a known drug trafficker stored by Microsoft on a sever located in Dublin.
The decision in the US was watched closely from the European Union where national governments and the European Union are still trying to develop a unified digital data privacy strategy.
However, in Europe, which has suffered a number of serious terrorist attacks over the past two years, European citizens have displayed some willingness to give security forces access to certain kinds of information stored on the servers of tech vendors.
Data Privacy Options
As a result the European Commission — the European Union’s executive arm — will discuss three different options for information sharing.
According to Reuter’s news agency, and citing EU Justice Commissioner Vera Jourova, the EU justice ministers are considering these three possibilities:
- Allow police in one member state to ask a tech firm directly for data, even if that data is stored in another country.
- Oblige tech firms to hand over to any member state force once a legal request has been made.
- Give police direct access to servers so they can copy any data they need.
According to the report, the third option would be used strictly in extreme emergencies and safeguards would be built into the new rules to protect privacy.
There is no indication yet as to which option the EC is leaning towards, but there will be changes, Jourova said.
Whatever they decide on, the move is sure to complicate a situation that is already due to become a lot more complicated when the General Data Protection Regulation (GDPR) comes into effect in May 2018.
Under the GDPR, any company operating in Europe will have to get consent from individuals before collecting their data. Companies will also have to notify people that the company wants to use their data and what they plan to use it for. Individuals will have the right to refuse parting with their personal information.
How will this sit with the new proposals for data access for security forces? No one knows, and no one is likely to know until it ends up in the Supreme Court of one of the EU’s member states.
Add into the mix the recently enacted EU-US Privacy Shield and the possibility that US security forces may also request access to EU-stored data and you have a real devil’s brew that will poison any company or country that gets involved.