30 January - 1 February 2019



CPDP2019 offered 90 panel sessions with 440 international speakers from academia, public and private sectors and civil society. CPDP2019 received 1289 registrations in total and was attended by over 1100 attendees from 60 countries, where over 70% of the attendees coming from outside of Belgium. The EVIDENCE2e-CODEX project was represented by Alexandra Tsvetkova, LIBRe Foundation, disseminating its activities and results to participants and speakers.

The agenda covered several special sessions dedicated to electronic evidence and related aspects:

The Cloud Act and E-Evidence: “America First” or GDPR First? Challenges of Transatlantic Access to E-Evidence in Law Enforcement

Video recording is available here.

In March 2018 the US CLOUD Act was passed as part of a two-thousand page spending bill covering 1.3 trillion dollars, without any congressional debate. A few months later, the European Commission published its e-evidence regulation proposal for easier access to electronic evidence for law enforcement purposes. By the end of January, the Commission will recommend the Council to grant a mandate for negotiations with the US on an EU-US agreement under the CLOUD Act.

What are the consequences of the CLOUD Act and a forthcoming EU-US agreement for data privacy of Europeans?

Are the US and EU racing against each other to the bottom: weaker privacy protections and eliminating judicial checks and legal safeguards?

Will the EU propose the same arrangement to Russia or China if they adopt their own CLOUD Act?

How can law enforcement cooperation work in the digital age without compromising citizens’ rights?

Law enforcement and data subjects’ rights: is the EU legal framework a genuine step forward?

Video recording is available here.

Directive 2016/680 creates a harmonized data protection framework for Member State law enforcement authorities, excluding the national security authorities and Europol. Amongst the highlights of this framework is the strengthened level of protection of data subjects’ rights, e.g. of access, rectification, erasure and restriction of processing. The strengthened rights are expected to grant more transparency to the data subjects and act as safeguards against the law enforcement authorities. However, the legal framework contains many exceptions. In addition, subjects’ rights were already provided for in existing EU law enforcement instruments such as the Schengen Information System, which are not necessarily harmonized with Directive 2016/680. At the same time, the limited scope of Directive 2016/680 – which excludes the national security authorities and EU entities such as Europol (which is subject to a separate legal framework) – begs the question of how effectively Directive 2016/680 will boost data subjects’ rights. Core questions:

Have the Member States modified the existing procedures for exercise of the rights, esp. those Member States which provided only for indirect exercise of the rights through the responsible DPA? What are the trends?

Has Directive 2016/680 led to increases in the number of data subjects’ requests to exercise their rights? Why (not)?

Has cooperation on EU level between national supervisory authorities and these and Europol and the EDPS improved?

Do Directive 2016/680 and the implementing national laws contain loopholes which allow for too broad exceptions/restrictions, e.g. restricting the right of access on national security or other grounds?

Law enforcement without borders: access to electronic data under the EU Production Order and the US Cloud Act

Video recording is available here.

Crime fighting within Europe and across the Atlantic increasingly relies on the possibility to access electronic information held by IT Service Providers. The EU and the US are equipping Law Enforcement Authorities with new tools that will speed up the gathering of data located outside of their countries’ territory. The European Production and Preservations Orders, as well as the US CLOUD Act will allow investigating and prosecuting authorities to seek data directly from private companies, regardless of their location. But is the Internet really borderless? This Panel explores the conflicts of laws that might arise when LEAs seek to obtain data which are subject to foreign jurisdictions.

Which are the main challenges that the implementation of the US CLOUD Act poses from an EU primary and secondary law perspective?

Will the European Production and Preservation Orders prevent or increase conflicts of law between the EU and the US?

Are Mutual Legal Assistance Treaties still a valid channel for criminal justice cooperation in the gathering of electronic information?

The Cloud Act, E-Evidence, and the Globalization of Criminal Evidence

Video recording is available here.

Since CPDP 2018, the U.S. has enacted the Cloud Act, and the Commission has published its proposed E-Evidence Directive and Regulation. These law and policy changes result from a technological change – the shift to cloud computing. Evidence of crimes used to exist locally; today it is very often stored in a different jurisdiction. This panel highlights global experts on these issues, which call for: (i) responses to legitimate law enforcement requests; (ii) the need to promote privacy and human rights as essential to new legal approaches; (iii) a workable regime for companies holding the data; and (iv) risks to the global Internet from pervasive data localization.

What are the advantages and disadvantages of the Cloud Act and E-Evidence approaches compared with Mutual Legal Assistance Treaties and European Production Orders?

What are the advantages and disadvantages, concerning privacy and human rights protections, of the new proposed regimes? How might these protections be improved?

What should be the role for electronic service providers in reviewing (and perhaps contesting) direct law enforcement requests under these new regimes?

More countries have implemented (China, Russia, Vietnam) or are considering implementing (India, Indonesia) data localization requirements. To what extent can new law enforcement regimes such as Cloud Act and E-Evidence address the perceived need in these and other countries for data localization?

The official agenda of the event can be found here. All recorded conference sessions are available online on CPDP's YouTube channel.