One Cloud in the Sky and Conflicting Laws on the Ground: Regulating Law Enforcement Access to E-Evidence in Cloud Computing in the European Union and the United States

Abstract

The widespread use of cloud computing has led to increased difficulties for law enforcement agencies in the context of criminal investigations. In order to access personal data which may constitute criminal evidence, it is no longer sufficient to seize the user’s devices (i.e. desktops, laptops or mobile phones). The most relevant data for criminal investigations, such as e-mails, photos or documents, are now typically stored in a data center operated by a cloud service provider. In this context, the paper offers an overview of the legal instruments which allow law enforcement bodies in the European Union and in the United States to seek disclosure of cloud data. Given that the cloud may be accessed from any device which has a connection to the Internet, regardless of its physical location, it is likely that the data of a user is stored abroad. Consequently, conflicts of laws may become commonplace, for example, when the disclosure of cloud data is simultaneously prescribed by the laws of one state and prohibited by the laws of another state. This paper starts by analyzing two central cases in which national courts have had to decide whether or not to claim jurisdiction over cloud data, namely Microsoft Ireland, before the United States Court of Appeals, and Yahoo! Belgium, before the Belgian Supreme Court. Once the factual context is laid out, the paper summarizes the theoretical challenges to conceptualize law enforcement in the cloud economy. Different theories are thus contrasted in order to defend that, despite the existence of potential conflicts of laws, states should nevertheless take appropriate steps to assert jurisdiction and enforce criminal law. The fact that states should enforce jurisdiction over cloud data is taken as a standpoint from which the question of the solution of existing conflicts of laws is addressed. By comparing different models, such as Mutual Legal Assistance Treaties, principles of international comity or the 2001 Budapest Convention of Cybercrime, the paper concludes that further regulatory intervention is needed to successfully tackle the problem. Finally, the recent examples of the US CLOUD Act and the European Commission e-Evidence Proposal are also considered. After critically analyzing the content of each set of rules, the paper concludes that international agreements are needed in order to prevent and solve conflicts of laws which, in turn, would facilitate law enforcement in the cloud economy. https://www.mayerbrown.com/One-Cloud-in-the-Sky-and-Conflicting-Laws-on-the-Ground-06-29-2018/