Hostname: page-component-7d684dbfc8-zgpz2 Total loading time: 0 Render date: 2023-09-26T10:55:02.868Z Has data issue: false Feature Flags: { "corePageComponentGetUserInfoFromSharedSession": true, "coreDisableEcommerce": false, "coreDisableSocialShare": false, "coreDisableEcommerceForArticlePurchase": false, "coreDisableEcommerceForBookPurchase": false, "coreDisableEcommerceForElementPurchase": false, "coreUseNewShare": true, "useRatesEcommerce": true } hasContentIssue false

EU-US Digital Data Exchange to Combat Financial Crime: Fast is the New Slow

Published online by Cambridge University Press:  06 March 2019

Els De Busser*
Cyber Security Governance, Institute of Security and Global Affairs, Leiden University


Core share and HTML view are not possible as this article does not have html content. However, as you have access to this content, a full PDF is available via the ‘Save PDF’ action button.

Criminal offenses with the most different modi operandi and levels of complexity can generate digital evidence, whether or not the actual crime is committed by using information and communication technology (ICT). The digital data that could be used as evidence in a later criminal prosecution is mostly in the hands of private companies who provide services on the Internet. These companies often store their customers’ data on cloud servers that are not necessarily located in the same jurisdiction as the company. Law enforcement and prosecution authorities then need to take two steps that are not exclusive for evidence of a digital nature. First, they need to discover where the data is located—with which company and in which jurisdiction. Second, they need to obtain the data. In considering digital evidence, the last step, however, is complicated by new issues that form the focus of this paper. The first concern is the practice by companies to dynamically distribute data over globally spread data centers in the blink of an eye. This is a practical concern as well as a legal concern. The second issue is the slowness of the currently applicable international legal framework that has not yet been updated to a fast-paced society where increasingly more evidence is of a digital nature. The slowness of traditional mutual legal assistance may be no news. The lack of a suitable legal framework for competent authorities that need to obtain digital evidence in a cross-border manner, nonetheless, creates a landscape of diverse initiatives by individual states that try to remedy this situation. A third issue is the position that companies are put in by the new EU proposal to build a legal framework governing production orders for digital evidence. With companies in the driver's seat of a cross-border evidence gathering operation, guarantees of the traditional mutual legal assistance framework seem to be dropped. A fourth issue is the position of data protection safeguards. US based companies make for significant data suppliers for criminal investigations conducted by EU based authorities. Conflicting legal regimes affect the efficiency of data transfers as well as the protection of personal data to citizens.

Copyright © 2018 by German Law Journal GbR 


1 See The Financial Action Task Force, International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation, The FATF Recommendations (2012), Scholar

2 See Kruisbergen, E.W., Combating Organized Crime: A study on undercover policing and the follow-the-money strategy, 143–45 (2017),–237785.pdf; see also Neumann, P.E., Don't Follow the Money: The Problem with the War on Terrorist Financing, Foreign Affairs, July/Aug. 2017, at 93–102.Google Scholar

3 Improving cross-border access to electronic evidence: Findings from the expert process and suggested way forward, The European Commission (2017), (citing the US as the recipient of the highest volume of requests for digital evidence from EU authorities. Non-paper from the Commission Services).Google Scholar

4 Commission Regulation 2016/670 of the European Parliament and of the Council of April 27, 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC, 2016 O.J. (L 119) [hereinafter GDPR].Google Scholar

5 Directive 2016/680 of the European Parliament and of the Council of April 27, 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offenses or the Execution of Criminal Penalties, and on the Free Movement of Such Data, and Repealing Council Framework Decision 2008/977/JHA, 2016 O.J. (L 110) [hereinafter DDPLE].Google Scholar

6 Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, COM (2018) 225 final (Apr. 17, 2018) [hereinafter E-Evidence Regulation].Google Scholar

7 This convention, and the 1980 OECD Guidelines governing the protection of privacy and trans-border flows of personal data, were inspired by two resolutions of the Council of Europe Committee of Ministers—Res 73(22) and Res 74(29)—and a recommendation by the Parliamentary Assembly of 1968.Google Scholar

8 Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281).Google Scholar

9 See Bygrrave, Lee A., Data Protection Law, Approaching its Rationale, Logic and Limits 43 (2002).Google Scholar

10 See id. at 44.Google Scholar

11 2016 O.J. (L 119) 4(1).Google Scholar

12 Opinion 4/2007 on the Concept of Personal Data, The Working Party (2007), Scholar

13 Opinion 2/2010 on Online Behavioural Advertising, The Working Party (2010),–2010.pdf (noting an individual's internet surfing behavior can be so specific that it can qualify as personal data).Google Scholar

14 See E-Evidence Regulation, supra note 6 at Art. 2 (7)–(10).Google Scholar

15 See Solove, Daniel, Why Metadata Matters: The NSA and the Future of Privacy, Teach Privacy (Feb. 12, 2013),; see also Daskal, Jennifer, Law Enforcement Access to Data Across Borders, 8 J. of Nat'l Security L. & Pol'y 3, 485 (2016).Google Scholar

16 See E-Evidence Regulation, supra note 6; see infra Section B.1.Google Scholar

17 See The 1959 Council of Europe Convention on Mutual Legal Assistance in Criminal Matters, E.T.S. No. 30.Google Scholar

18 2000 O.J. (C 197).Google Scholar

19 2003 O.J. (L 181).Google Scholar

20 See The 2001 Council of Europe Convention on CyberCrime, E.T.S. No. 185.Google Scholar

21 In order to avoid confusion with the term “service providers,” I choose to use the wider term “companies.” Companies that offer search engines such as Google are not a service provider in the strict sense of the word because they do not offer Internet access. Search engines, however, collect vast amounts of data that can be requested by law enforcement authorities and should thus be included in this analysis.Google Scholar

22 See Improving cross-border access to electronic evidence, supra note 3.Google Scholar

23 Seth, Shobhit, World's Top 10 Internet Companies, Investopedia (Feb. 16, 2018) (noting that of the top ten of the largest—based on annual revenue—Internet companies in the world, six are American and four are Chinese).Google Scholar

25 In re Search Warrant No. 16–960-M-01 to Google (E.D. Pa. 2017).Google Scholar

26 See GDPR, supra note 4 at recital 36 of the preamble.Google Scholar

27 Daskal, Jennifer, The Un-Territoriality of Data, 125 Yale L. J. 326, 326–98, (2015).Google Scholar

28 See Improving cross-border access to electronic evidence, supra note 3; see also Questionnaire on Improving Criminal Justice in Cyberspace, Scholar

29 See Questionnaire, supra note 28.Google Scholar

30 Measures to improve cross-border access to electronic evidence for criminal investigations following the conclusions of the Council of the European Union on improving criminal justice in cyberspace (2017), Scholar

31 U.S. v. Microsoft, 584 U.S. 1 (2018) (per curium).Google Scholar

32 CLOUD Act, H.R. 4943, 115th Cong. (2018).Google Scholar

33 Nielsen, Nikolaj, Rushed US Cloud Act Triggers EU Backlash, EUOBSERVER (Mar. 26, 2018), Scholar

34 See E-Evidence Regulation, supra note 6.Google Scholar

35 Proposal for a Directive of the European Parliament and of the Council Laying Down Harmonised Rules on the Appointment of Legal Representatives for the Purpose of Gathering Evidence in Criminal Proceedings, COM (2018) 226 final (Apr. 17, 2018).Google Scholar

36 Denmark and Ireland are not taking part in the European Investigation Order so for cooperation with these member states, the freezing and confiscation orders can still be used.Google Scholar

37 See E-Evidence Regulation, supra note 6 at Art. 4 (defining criminal offenses punishable in the issuing state by a custodial sentence of a maximum of at least 3 years or fraudulent money transfers, offenses related to sexual abuse and exploitation of children and terrorism offenses wholly or partly committed by means of an information system).Google Scholar

38 See infra Section B.2.Google Scholar

39 New EU Rules to Obtain Electronic Evidence, European Commission (Apr. 17, 2018),–3345_en.htm.Google Scholar

40 Murgia, Madhumita, UK-US pact will force big tech companies to hand over data, Financial Times (Oct. 23, 2017),–11e7–9bfb-4a9c83ffa852.Google Scholar

41 CLOUD Act, H.R. 4943, 115th Cong. (2018).Google Scholar

42 Woods, Andrew Keane & Swire, Peter, The CLOUD Act: A Welcome Legislative Fix for Cross-Border Data Problems, Lawfare (Feb. 6, 2018), Scholar

43 See Amicus Curiae Brief of the European Commission on Behalf of the EU in the Matter of a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corporation, U.S. v. Microsoft, 584 U.S. 1 (2018) (per curium).Google Scholar

44 See McMeley, Christin & Seiver, John, The CLOUD Act — A needed fix for US and foreign law enforcement or threat to civil liberties? IAPP (Feb. 28, 2018), Scholar

45 See De Busser, Els, Data Protection in EU and US Criminal Cooperation: A Substantive Law Approach to the EU Internal and Transatlantic Cooperation in Criminal Matters between Judicial and Law Enforcement Authorities, 353–54 (2009).Google Scholar

46 See Trubow, George B., European Harmonization of Data Protection Laws Threatens U.S. Participation in Trans Border Data Flows 13 Ne. J. of Int'l L. & Bus., 176 (1992–1993); see also Long, William J. & Quek, Marc Pang, Personal Data Privacy Protection in an Age of Globalization: The US-EU Safe Harbor Compromise, 9 J. of Eur. Pub. Pol'y 325, 326 (2002).Google Scholar

47 Commission Implementing Decision (EU) 2016/1250 of July 12, 2016 pursuant to the Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection Provided by the EU-US Privacy Shield, 2016 O.J. (L 207) (Both the Safe Harbor agreement and the Privacy Shield are based on the same mechanism: a set of data protection principles signed by a long list of US based companies committing themselves to compliance with these principles. Since the Safe Harbor agreement was annulled due to insufficient necessity and proportionality safeguards and lacking redress for EU citizens (Case C-362/14, Schrems v. Data Protection Commissioner, ECLI:EU:C:2015:650), the Privacy Shield enhances data protection.Google Scholar

48 The Judicial Redress Act of 2015, H.R. 1428, 144th Cong. (2016).Google Scholar

51 Daskal, Jennifer, Microsoft Ireland, the CLOUD Act, and International Lawmaking 2.0, 71 Stan. L. Rev. Online 9 (2018) (referencing to Anu Bradford, The Brussels Effect).Google Scholar

53 See Joined Cases C-404/15 & C-659/15 PPU Pál Aranyosi & Robert Căldăraru (Apr. 5, 2016) Scholar