法律翻译 | 欧盟和美国就执法部门获取数据的谈判：分歧、挑战以及欧盟法律程序和选择（上）

- 原文引用文献------------------------------------

*Theodore Christakis, Professor of Law, University Grenoble Alpes, Grenoble, France

*Fabien Terpan, Senior Lecturer in Law, Sciences Po Grenoble, University Grenoble Alpes, Grenoble, France

We would like to express our gratitude to all the colleagues who contrib- uted useful comments on previous versions of this article: Karine Bannelier, Paul James Cardwell, Elaine Fahey, Kenneth Propp, Peter Swire, Juan Santos Vara, Ramses Wessel. We would also like to warmly thank warmly the members of the European Commission’s Negotiating Team Peter-Jozsef Csonka, Mark-Stephen Gray and Tania Schroeter for their helpful comments and insights. We would finally like to thank the anonymous reviewers of the International Data Privacy Law as well as the Editors for their very useful comments and for permitting to improve and updateenabling the improvement and updating of the article. All errors are ours. This article covers developments till the 17th June 2020. The two post-scriptum cover developments till the 6th October 2020.

[1]The US Delegation included Deputy Assistant Attorney Generals from the Department of Justice, as well as other representatives of the US Department of Justice’s Office for International Affairs, the State Department and the US Mission to the EU. The Commission was repre- sented by Chief Negotiator Alexandra Jour-Schroeder, Deputy Chief Negotiator Peter Csonka and other members of the negotiating team from DG JUST and DG HOME. Representatives from the European External Action Service and European Union Delegation in Washington were also present.

[2]Jennifer Daskal and Peter Swire, ‘A Possible EU-US Agreement on Law Enforcement Access to Data?’ (Lawfare, 21 May 2018)accessed 10 October 2020.

[3]Clarifying Lawful Overseas Use of Data Act, [hereinafter CLOUD Act], contained in Consolidated Appropriations Act, 2018, PL 115-141, div. V.accessed 10 October 2020.

[4]Peter Swire, ‘EU and U.S. Negotiations on Cross-Border Data, Within and Outside of the CLOUD Act Framework’ (Cross Border Data Forum, 13 April 2019)accessed 10 October 2020.

[5]There are a lot of extremely important and challenging issues of substance in the EU–US negotiations. These include: the procedural and fundamental rights safeguards that should be introduced in the agreement in order to comply with European Human Rights Law (for instance: ensuring that data may not be requested for use in criminal proceedings that could lead to the death penalty); the willingness of the EU to introduce clauses in order to complement the Umbrella Agreement (see below the subsection ‘Existing EU–US law enforcement agreements’ (8)) with additional data protection safeguards; the determination of the EU to conclude an agreement that will be entirely reciprocal in terms of the rights and obligations of the parties and the categories of people whose data must not be sought pursuant to the agreement; and other issues. In this article we will not discuss these substantive issues, which deserve a separate article and analysis. We will only focus on problems of form, architecture, and procedure.

[6]See for instance ‘US Department of Justice has reservations about transatlantic agreement on access to electronic evidence’, Agence Europe, 21 November 2019.

[7]译者注：外部参与主体，或外部行为者（external actor）的广义定义是：具有共同利益，为共同目标而行动的集体，主要位于该主体意在影响的领土之外。参见Schmitt C . From Colonialism to International Aid External Actors and Social Protection in the Global South: External Actors and Social Protection in the Global South[J]. 2020.

[8]We refer here to binding international agreements under International Law and art 2(1)(a) of the Vienna Convention on the Law of Treaties between States and International Organizations or between International Organizations, Vienna, 21 March 1986, UN Doc A/CONF. 129/15, 25 ILM 543 (1986).

[9]One famous transatlantic instrument on cross border data issues was the EU–US Privacy Shield. However, it must be emphasized that Privacy Shield was neither related to law enforcement nor an international agreement (as defined in n 7). It was not a law enforcement instrument but instead was intended to offer protections in relation to government access to personal data transferred by companies to the USA for commercial purposes. And it was not an international agreement but just a transatlantic arrangement constituted by an adequacy decision adopted by the Commission on 12 July 2016 (declaring that the US ensures an adequate level of protection as required by the Directive 95/46/EC) and a declaration and several letters is- sued by US authorities, and reproduced in the annexes. Whereas the ade- quacy decision was binding in the European Union, the documents issued by the US authorities were political engagements. cf Fabien Terpan, ‘EU-US Data Transfer from Safe Harbour to Privacy Shield: Back to the Square One?’, (2018) 3(3) European Papers 1045–59. The Privacy Shield arrange- ment has been invalidated by the CJEU in its Schrems II Judgment of 16 July 2020 (see Post-Scriptum).

[10]Agreement between the USA and The European Police Office signed on 6 December 2001.

[11]Elaine Fahey, ‘The Evolution of Transatlantic Legal Integration: Truly, Madly, Deeply? EU–US Justice and Home Affairs’ in A Ripoll Servent and F Trauner (eds), The Routledge Handbook of Justice and Home Affairs Research (Routledge, London 2017), at 587. See also: Elaine Fahey and Deirdre Curtin (eds), A Transatlantic Community of Law: Legal Perspectives on the Relationship between the EU and US Legal Orders (CUP, Cambridge 2014); Elaine Fahey, ‘Transatlantic Cooperation in Criminal Law’ in M Bergstrom, V Mitsilegas and T Konstadinides (eds), Research Handbook on EU Criminal law (Edward Elgar, Cheltenham 2015), at 11 (stating that: ‘An examination of contemporary practice reveals much “sophistication” in the evolution of transatlantic criminal law cooperation. It appears perhaps even disproportionately extensive, relative to the many limitations of mutual recognition in justice’).

[12]Fahey, ibid, at 537 has observed in relation to the 2003 extradition and MLA Agreements that‘the secrecy of the negotiation of the agreements and their limited review by parliaments in both jurisdictions gave rise to concerns about the democratic character of the agreements. Similarly, the omission of human rights protections from the scope of the agreements provoked concerns, as did the prospect of joint investigation teams working together as well as the place of personal data within the scope of the agreements’. The PNR and TFTP agreements have also gen- erated controversy especially on account of their limitations on redress and their uneven application of US law to EU citizens, not enabling the latter to fully realise their rights to redress and review. Even the more re- cent Umbrella Agreement, which intends inter alia to deal with these issues, has been criticized by NGOs (see for instance Fanny Hidvegi and Estelle Masse ́, ‘The Umbrella Agreement Just Isn’t Good Enough to Protect our Rights’ (24 November 2016) < https://www.accessnow.org/ umbrella-agreement-just-isnt-good-enough-protect-rights/> accessed 10 October 2020).

[13]For criticism of the Umbrella Agreement by the EDPS see Opinion 1/ 2016, Preliminary Opinion on the agreement between the US and the EU on the protection of personal information relating to the prevention, in- vestigation, detection and prosecution of criminal offences, 12 February 2016.

[14]Peter Swire, Theodore Christakis and Jennifer Daskal, ‘The Globalisation of Criminal Evidence’ (IAPP Privacy Tracker, 16 October 2018)accessed 10 October 2020.

[15]See European Commission Staff Working Document, Impact Assessment Accompanying the document Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters and Proposal for a Directive of the European Parliament and of the Council laying down harmonized rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceeding [2018]<https: eur-lex.europa.eu="" legal-content="" en="" txt="" pdf="" ?uri1<="" font="">⁄4 CELEX:52018SC0118&from1⁄4EN> accessed 10 October 2020.

[16]Theodore Christakis, ‘Data, Extraterritoriality and International Solutions to Transatlantic Problems of Access to Digital Evidence. Legal Opinion on the Microsoft Ireland Case (Supreme Court of the United States)’ (29 November 2017), The White Book: Lawful Access to Data: The US v. Microsoft Case, Sovereignty in the Cyber-Space and European Data Protection, CEIS & The Chertoff Group White Paper (December 2017).<https: ssrn.com="" abstract1<="" font="">⁄43086820> accessed 10 October 2020.

[17]A first such ‘CLOUD Act executive agreement’ was concluded between the US and the UK in October 2019 and entered into force on 8 July 2020 (Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime, 3 October 2019). For an analysis of the UK– US Agreement see, eg Jennifer Daskal and Peter Swire,‘The UK-US CLOUD Act Agreement is Finally Here, Creating New Safeguards’ Lawfare and Just Security blogs, 8 October 2019,accessed 10 October 2020; Theodore Christakis, ‘21 Thoughts and Questions about the UK-US CLOUD Act Agreement’ European Law Blog, 17 October 2019accessed 10 October 2020; Theodore Christakis and Kenneth Propp, ‘The Legal Nature of the UK-US CLOUD Agreement’ (Cross Border Data Forum, 20 April 2020)accessed 10 October 2020. The US is about to negoti- ate another CLOUD Act executive agreement with Australia.

[18]See European Commission, ‘E-Evidence’ accessed 10 October 2020.

[19]See Theodore Christakis, ‘E-Evidence in a Nutshell: Developments in 2018, Relations with the CLOUD Act and the Bumpy Road Ahead’ (Cross Border Data Forum, 14 January 2019)accessed 10 October 2020.

[20]See Theodore Christakis, ‘Lost in Notification? Protective Logic as Compared to Efficiency in the European Parliament’s E-Evidence Draft Report’ (Cross Border Data Forum, 7 January 2020)accessed 10 October 2020.

[21]A point reiterated once again on 4 June 2020 by the European Commissioner for Justice, Didier Reynders. See ‘“Real” negotiations with United States over E-evidence will only take place when agreement is reached on European side according to Didier Reynders’, Europe Daily Bulletin No12499, Agence Europe.

[22]Council of European Union’s Decision of 6 June 2019 authorizing the opening of negotiations in view of an agreement between the EU and the USA on cross-border access to electronic evidence for judicial coopera- tion in criminal matters, accessed 10 October 2020.

[23]Addendum to the 6 June 2019 Council Decision,accessed 10 October 2020. These directives set a series of conditions on the nature and scope of the Agreement that the Commission should follow as well as a series of procedural and other fundamental rights safeguards that should be introduced in the agreement to comply with EU Law (see n 5).

[24]Recmmendation for a Council decision authorizing the opening of negotiations in view of an agreement between the EU and the USA on cross-border access to electronic evidence for judicial cooperation in criminal matters, COM/2019/70 final, Brussels, 5 February 2019. See also European Commission, ‘Questions and Answers: Mandate for the EU- U.S. Cooperation on Electronic Evidence’ (5 February 2019)accessed 10 October 2020.

[25]Other reasons include the necessity of putting some order in the practice of ‘voluntary cooperation’ with service providers for LEAs access to non- content data. The Commission notes that the scale of direct cooperation requests on a voluntary basis has rapidly increased with more than 124 000 in 2017. However, direct cooperation on a voluntary basis for non- content data ‘can be unreliable, it may not ensure respect of the appropriate procedural safeguards, is only possible with a limited num- ber of service providers which all apply different policies, is not transpar- ent and lacks accountability’. The resulting fragmentation ‘may generate legal uncertainty, raise questions on the legality of prosecution as well as concerns on the protection of fundamental rights and procedural safe- guards for the persons related to such requests’. See Recommendation for a Council decision . . . (ibid). An EU–US Agreement could permit these issues to be addressed.

[26]European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1.

[27]Theodore Christakis, ‘Transfer of EU Personal Data to U.S. Law Enforcement Authorities After the CLOUD Act: Is There a Conflict with the GDPR?’ in Randal Milch, Sebastian Benthall and Alexander Potcovaru (eds), Cybersecurity and Privacy in a Globalized World - Building Common Approaches (New York University School of Law, e- book, 2019) 60–76.<https: ssrn.com="" abstract1<="" font="">⁄43397047> accessed 10 October 2020.

[28]Cloud Act on the European legal framework for personal data protection’ (10 July 2019)accessed 10 October 2020.

[29]ecommendation for a Council decision . . . (n 23).

[30]Beyond the elements discussed in this section, a very important challenge

related to the scope of the EU–US agreement concerns the relationship between the two parts of the CLOUD Act and whether the US would still be able to use the first part of the CLOUD Act after the conclusion of an EU–US agreement. This problem has been discussed in two articles re- lated to the US–UK CLOUD Act Agreement that allows such unilateral access (see studies by T Christakis and K Propp (n 16)). The EU is op- posed to the idea that the US might be able to use the first part of the CLOUD Act to access European data after the conclusion of an EU–US Agreement. On 15 June 2020, the EDPB stressed in a letter to Members of the European Parliament ‘that any future agreement between the EU and the US must prevail over US domestic laws’. Letter from EDPB to MEPs Sophie in ‘t Veld and Moritz Ko ̈rner on the US-UK agreement un- der the US CLOUD Act’ (15 June 2020). accessed 10 October 2020.

[31]Discussed by Swire (n 4).

[32]Daskal and Swire (n 2).

[33]Swire (n 4).

[34]Report from the Commission on the opening of negotiations in view of an agreement between the EU and the US on cross-border access to elec- tronic evidence for judicial cooperation in criminal matters, 12524/19, 25 September 2019, at 3.

[35]See below the subsection ‘A comprehensive self-standing EU agreement’.

[36]‘US Department of Justice has reservations about transatlantic agreement

[37]on access to electronic evidence’, Agence Europe, Europe Daily Bulletin No 12374 (21 November 2019).

[38]Report from the Commission. . . (n 33), at 2.

[39]European Commission, ‘Questions and Answers’ (n 23).

[40]The mandate (n 21, at 6) requires from the Commission to refrain from

any solution that would ‘discriminate between persons from different

Member States’.It is interesting to note that the US law setting out the VWP requires,

among other things, that a participating country should enter into an agreement with the US on police information-sharing—the so-called Enhancing Cooperation in Preventing and Combating Serious Crime Agreements (PCSC Agreements). The US began entering into PCSC Agreements in 2008, primarily with countries that participate or seek to participate in the VWP, and as of today there are 38 of them worldwide in force including bilateral agreements with 22 EU Member States. It would not be surprising if the US Government invoked the PCSC ap- proach for LEA’s access to data if the negotiations with the EU do not succeed in a reasonable time frame, with the hope that a number of Member States might be tempted to break ranks and negotiate directly with the US. However, it is far from certain that an analogy could be drawn between the PCSC Agreements and LEA’s access to data. From a legal point of view, ‘break the ranks’ in order to negotiate a bilateral data access agreement with the US would expose the EU Member State to in- fringement procedures (see our discussion below in the section ‘Issues of competence’). From a political point of view the situation with the VWP and the bilateral PCSC Agreements created a lot of frustrations at the EU: on the one hand Member States that are not yet part of the VWP are unhappy because of the unequal treatment and the lack of reciprocity; on the one hand some Member States that are part of the VWP consider that they went too far into their concessions to the US in the PCSC Agreements especially in terms of information sharing. Both categories of States seem to feel that the EU, as a bloc, is in a much stronger position and has much more important bargaining power than individual Member States in order to negotiate with the US such an important data agreement.

[41]See the press release on 2 March 2017: Parliament asks EU Commission to press for full US–EU visa reciprocity,accessed 10 October 2020.

[42]See ‘EU escalates “visa war” with US with Americans set to lose visa-free travel to Europe’ (The Telegraph, 2 March 2017)accessed 10 October 2020.

[43]See ‘Americans won’t need a visa to Europe, but rather an ETIAS – which is not a visa’ (Schengen Visa Info, 10 March 2019)accessed 10 October 2020.

[44]See ‘EU visa reciprocity mechanism - Questions and Answers’ 19 December 2018,accessed 10 October 2020.

[45]4th WORKING DOCUMENT (B) on the Proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters (2018/0108 (COD))—Relation with third country law, Committee on Civil Liberties, Justice and Home Affairs, 11.3.2019, at 5.

[46]Daskal and Swire (n 2).

[47]European Court of Justice, ERTA (1971), Case 22/70. Lo ̈ıc Azoulai, ‘The Question of Competence in the European Union’ Oxford University Scholarship, 2014.

[48]Commission Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters, COM(2018) 225 final.

[49]Although a directive has also been proposed by the Commission on the issue of appointment of legal representatives: Proposal for a Directive of the European Parliament and of the Council laying down harmonized rules on the appointment of legal representatives for the purpose of gath- ering evidence in criminal proceedings, COM/2018/226 final.

[50]Elaine Fahey, ‘The Evolution of Transatlantic Legal Integration: Truly, Madly, Deeply? EU–US Justice and Home Affairs’ in Florian Trauner and Ariadna Ripoll Servent (eds.), The Routledge Handbook of Justice and Home Affairs Research (Routledge International Oxford 2017) 336–45.

[51]Christophe Hillion and Panos Koutrakos, Mixed Agreements Revisited (Hart Publishing 2010).

[52]This is why the relevant substantive legal basis for the EU–US Agreement is not only art 82(1) TFEU on judicial cooperation in criminal matters but also art 16 TFEU on data protection safeguards. For the parallel pro- cedural legal basis of art 218 TFEU (which applies to all negotiations, sig- natures and conclusions of international agreements entered into by the EU) see below the section ‘Adoption of international agreements by the EU: a multi-stage/multi-actor process’.

[53]According to the CJEU case-law, ‘[t]here is a risk that common EU rules may be adversely affected by international commitments undertaken by the Member States, or that the scope of those rules may be altered, which is such as to justify an exclusive external competence of the European Union, where those commitments fall within the scope of those rules’. Opinion 3/15 (Marrakesh Treaty to Facilitate Access to Published Works for Persons who are Blind, Visually Impaired or Otherwise Print Disabled), EU:C:2017:114, para 105).

[54]In Case C-246/07, Commission v Sweden, the Court examined in detail the duty of sincere cooperation in relation to Member State action in international fora. See Marise Cremona, ‘Case C-246/ 07, Commission v. Sweden (PFOS), Judgment of the Court of Justice (Grand Chamber) of 20 April 2010’ (2011) 43 Common Market Law Review 1639–65.

[55]Piet Eeckhout, EU External Relations Law (2nd edn, OUP, Oxford 2011), at 248.

[56]To assess whether an area is largely covered by common rules, account must be taken not only of EU law as it currently stands, but also of its fu- ture development, in so far as that is foreseeable (Case C-66/13 Green Network, EU:C:2014:2399, paras 61–64; Opinion 1/03 (New Lugano Convention), EU:C:2004:490, para 126).

[57]Hearing before the LIBE Committee, 25 July 2019, Agence Europe, no 12304.

[58]See n 16.

[59]See Question reference E-003136-19, date of the parliamentary question 7 October 2019, date of the written answer: 10 January 2020;accessed 10 October 2020.