States globally are unilaterally adopting new criminal procedural laws granting law enforcement powers to obtain users’ data to prevent, detect, investigate and prosecute crimes regardless of the location of the data or the users’ place of resident. This data may, however, be held by foreign providers or hosted abroad.
The admissibility of digital evidence in criminal prosecutions has seen prosecutors use different digital techniques in the presentation of evidence to the courts, including audio enhancement, photograph enhancement, forensic video analysis and the digital enhancement of latent fingerprints.
With the location of data becoming increasingly irrelevant in determining whether and how law enforcement can obtain data, its thus important for law enforcement and other criminal justice partners to balance the recovery and admissibility of digital evidence with privacy and security concerns.
These discussions formed part of the 14th Internet Governance Forum (IGF) in Berlin, during a workshop on “Solutions for law enforcement to access data across borders”, with attendees bewildered by the lack of a universal definition for the term “criminal”, giving room to especially weak democracies, with no bare minimum of data protection legislation, to criminalise legitimate activities under the guise of obtaining users’ data for criminal investigations. This has further given rise to an increase in the adoption of substandard criminal laws by states, posing great risk to user’s data privacy.
But Brazilian prosecutor Fernanda Teixeira Souza Domingos’ concern aligned with data sovereignty, as she narrated how her government has made several attempts to obtain digital evidence within the jurisdiction of the United States of America, only to be blocked by the US CLOUD Act.
“Cross-border data requests take a long time and often data is never acquired because of sovereign interests, creating a barricade to key criminal investigations,” she decried. She called for broader bilateral solutions and harmonisation of e-evidence legislations, applauding the US-UK bilateral data sharing agreement under the CLOUD Act.
The situation is not rosy for intermediaries, either. Google’s public policy and government relations manager Ludmila Georgieva lamented the overwhelming number of requests for users’ data that the company receives on a daily basis from both individuals and state authorities. However, these requests and the desired actions of the company are always in conflict with the law.
When national legislations are approved without a coordinated approach, they may create extraterritorial consequences for other countries, which have a duty to protect their citizens’ privacy. There are also consequences for the business community, who are the custodians of users’ data, since the extent of a company’s liability when it receives law enforcement requests is uncertain.
While several attempts to secure personal data across borders are taking shape in the global North, in the global South little is being done, be it at the national or regional levels. Some states do not even have in place national data protection laws meant to safeguard their citizens’ personal data. The power structure between global South citizens and service providers exacerbates the vulnerabilities of personal data.
Whatever the status quo, there is a need to balance the sovereign rights of states to investigate and their duty to protect the rights of users, including their privacy.