New E-Evidence Rules in Europe: Let’s Keep Reader Data Well Protected!
A new EU regulation aims to streamline the process by which a prosecutor from one EU Member State can request electronic evidence from a server in another Member State. As current procedures are messy, this is necessary. But the current proposal would also mean that prosecutors could request data about who has read which Wikipedia article without judicial oversight and without a possibility for the country’s authority that hosts the platform to intervene in case of fundamental rights breaches. That is worrisome!
The Wikimedia Foundation gathers very little about the users and editors on its projects, including Wikipedia. This is how the Wikimedia movement can ensure that everyone is really free to speak their mind and, for instance, share information that may be critical of a government in the country they live in. However, the Foundation’s servers do record the IP addresses of users who have accessed Wikipedia, and the individual articles they have viewed. In accordance with the Wikimedia community’s support for strong privacy protections, the Foundation keeps this information for a few months as part of the way its servers function before it is deleted. Allowing access to these IP addresses and the articles that the users behind those IP addresses have read — without judicial oversight — is the issue with the European Commission and Council proposals for an E-Evidence Regulation.
What is “access data”?
Currently, there are three types of data established in procedures regarding the preservation and production of electronic evidence: “subscriber data”, “traffic data”, and “content data”. As they contain data that is more or less sensitive, so are the rules about their requisition more or less strict. “Content data” — think of your uploaded images or messages you sent — needs to be requested by a prosecutor and the request validated by a judge. “Subscriber data” — your basic account information — can usually be requested by a prosecutor during an investigation without a validation by a judge. “Traffic data “ is the information relating to the transfer of data, excluding the contents of the transferred data.
This is where the E-Evidence Regulation, as proposed by the European Commission and supported by the Council of the EU (the governments of Member States), changes the current situation by creating a new type of data category — “access data” which it considers a “non-content” data category. This categorisation means that its production doesn’t need to be validated by a judge.
Access data is defined in the current draft to include IP addresses, date and time of use, and the “interface” accessed by the user. The information covered is the information necessary to identify the user of the service. In the Wikimedia context, this definition creates ambiguity as to whether information covered by access data could include records of access to individual Wikipedia articles. Thus, access data could constitute a reading log of Wikipedia pages for a given user.
Why is this an issue?
Because Wikipedia is a prominent source of knowledge on a vast array of topics, this reading of “access data” could expose a user’s interaction with the website, including the topics they are reading about, and may indicate sensitive information such as gender, ethnicity, religion, trade union status, or political views under the current regulations.
The right to privacy includes the right to open and safe inquiry without having the subject of one’s interest examined or scrutinized by others.
Unfortunately, as a European Parliament report written by Civil Liberties and Home Affairs (LIBE) committee itself has recently clearly stated, not all EU Member States adhere to the highest rule of law standards. The political independence of the prosecutors in some EU countries is questioned. Therefore, safeguards for readers’ and editors’ privacy are needed.
Should the hosting country’s authorities be able to intervene?
Such safeguards could serve the purpose of an “emergency brake” in case of blatant breaches of fundamental rights of citizens and overreach of authority.
The rapporteur, Ms. Sippel (S&D, DE), has suggested introducing a “notification” of requests from other EU countries to the authority of the countries where data is hosted. This would give the authority in the host country a veto right in case of violations of fundamental rights, such as privacy. We support such a veto right.
European Parliament to the rescue?
The lead LIBE committee in the European Parliament on 7 December agreed on its position. Thankfully it fixes the issue with “access data” by reverting to the old, already established categorisation. This fix needs to be supported in the trilogue.
At the same time, LIBE’s position fails to give authorities in the country hosting the platform a realistic chance to interfere when evidence production orders are being misused by the prosecutors of another EU Member State. The Wikimedia community hoped for and still calls for stronger safeguards here.
We are now waiting for the so-called trilogues to start. These are meetings between the European Commission, the European Parliament and the Council (where the Member States’ governments are represented). It is essentially a process whereby the institutions try to reconcile the Parliament and the Council positions. For us, the most sensible action right now is to raise awareness nationally and express our position to national governments, as the Council needs to accept at least the positive changes the Parliament puts forward. Ideally the negotiators would also find a more robust way to ensure misuse of production orders is prevented across the EU. One way to do this would be to give the platform hosting country’s authority a veto power over production orders that manifestly violate fundamental rights.
Dimitar Dimitrov, EU Policy Director, Free Knowledge Advocacy Group EU
Jacob Rogers, Senior Legal Manager, Wikimedia Foundation