
Europe to Legislate to Allow Law Enforcement to Directly Obtain Data Across Borders

洪延青 (Hong Yanqing), 网安寻路人, 2019-07-06

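For progress in the United States on cross-border law-enforcement access to data, and an extended analysis of the impact on China-region iCloud accounts, see [In-Depth Analysis | Microsoft vs. the US Government: What Exactly Are They Fighting Over?], [What Does the US Cloud Act Actually Say], [How to View "Keys for Chinese iCloud Accounts Will Be Stored in China"], and [A Further Analysis of the Legal Effect of Apple Storing Keys in China].

As it turns out, the China-US situation has not yet been fully analyzed, and now the Europeans have joined in as well.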


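Reuters reported on February 26, 2018 that the EU is preparing legislation that would allow law enforcement agencies to directly obtain, from companies operating in Europe, data that those companies store outside the EU. Asked about the reason for the legislation, Vera Jourova, the EU's top justice official, said that the current method of obtaining evidence across borders is too slow and too inefficient, and that law enforcement must stay one step ahead of criminals.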

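In the Reuters report, people with knowledge of the matter further disclosed that the EU legislation is not limited to EU citizens: as long as the data is related to a specific EU investigation, law enforcement agencies can obtain the personal data of citizens of any country, provided that the crime under investigation carries a minimum penalty of three years' imprisonment.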


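Moreover, part of the purpose of such aggressive legislation is to strengthen the EU's bargaining position in bilateral negotiations with the United States on the issue. Vera Jourova confirmed this as well: "We must reach reciprocity with the American authorities."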


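Read together with Article 3 of the GDPR on territorial scope, the EU clearly takes an expansive view of "operating in Europe". Article 3 is translated as follows: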


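The scope of the Regulation includes:

1. For a data controller or data processor with an establishment in the EU, as long as the personal data processing activities take place in the context of that establishment, the Regulation applies even if the actual data processing does not take place within the EU.

2. For a data controller or data processor without an establishment in the EU, as long as it offers goods or services to data subjects in the EU (whether or not payment takes place), or monitors the behaviour of data subjects in the EU, it is subject to the Regulation.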


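In other words, if a Chinese company offers an interface in an official EU language (such as German or French), or supports the euro as a settlement currency, then even without an office in the EU it counts as "operating in Europe".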


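It seems that on both personal data protection and cross-border law-enforcement access to data, the Europeans are indeed preparing to go head-to-head with the Americans. So what is China's strategy?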


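Do we need to rethink and redefine what Article 37 of the Cybersecurity Law means by "operating within the territory" and "providing abroad"? See [Security Assessment for Cross-Border Transfer of Personal Information and Important Data: "Operating Within the Territory"] and [Security Assessment for Cross-Border Transfer of Personal Information and Important Data: "Providing Abroad"].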




Original Reuters report


Europe seeks power to seize overseas data in challenge to tech giants

Julia Fioretti

February 26, 2018


BRUSSELS (Reuters) - The European Union is preparing legislation to force companies to turn over customers’ personal data when requested even if it is stored on servers outside the bloc, a position that will put Europe at loggerheads with tech giants and privacy campaigners.


The EU executive has previously indicated it wanted law enforcement authorities to be able to access electronic evidence stored within the 28-nation bloc. But the scope of the planned legislation will extend to data held elsewhere, according to two sources with direct knowledge of the matter.


Digital borders are a growing global issue in an era where big companies operate “cloud” networks of giant data centers which mean an individual’s data can reside anywhere.


The EU push comes as a landmark legal battle in the United States nears its climax. The U.S. Supreme Court will this week hear oral arguments in a case pitting Microsoft against U.S. prosecutors, who are trying to force the company to turn over emails stored on its servers in Ireland in connection with a drug-trafficking investigation.


Many law enforcement officials argue such powers are necessary for crime-fighting in the digital age. But campaigners say giving governments so-called extra-territorial authority to reach across borders and access data would erode individuals’ privacy rights. Technology firms like Microsoft, Apple and IBM say it would undermine consumer trust in cloud services.


The planned law, which would apply to all companies around the world that do business in the European Union, is an apparent shift in position for the European Commission, the EU executive, which has stood on the side of privacy advocates in the past.


In 2014, it said in relation to the Microsoft case that “extraterritorial application of foreign laws (and orders to companies based thereon) ... may be in breach of international law”.


Asked about the extra-territorial authority rules in the planned law, European Justice Commissioner Vera Jourova told Reuters the current method for accessing cross-border evidence was “very slow and non-efficient” and that law enforcement had to be quicker than criminals.


CONFLICTING LAWS


The proposed law would apply to the personal data of people of all nationalities, not just EU citizens, as long as they were linked to a European investigation, one of the sources said.


The legislation is still in the drafting stage and is expected to go before lawmakers and member states at the end of March. It can take up to two years for a law to be finally agreed.


Extra-territorial authority rules are however fraught with complexity, legal and privacy experts warn, as they could conflict with existing data protection laws.

In the United States, for example, certain companies are prohibited from disclosing information to foreign governments while in Europe itself, consumers’ data privacy is strictly protected and companies are restricted in how they can transfer data outside the bloc.


The sources said the EU executive acknowledged such complexities and that the decision to include extra-territorial authority in the law was partly aimed at strengthening its hand in negotiating a bilateral deal with the United States on the issue.


Jourova recognized the challenges.


“Of course when we look at the transatlantic regime there we have to agree on the reciprocity with the American authorities,” she said in an interview. “This issue of reciprocity in the law enforcement area is highly necessary to discuss in order to avoid the problem of conflict of laws.”


KEEPING PACE WITH TECH


The proposed rules are the latest attempt by authorities around the world to update regulations to keep pace with technology. In May the EU General Data Protection Regulation (GDPR) will come into effect, requiring firms to give customers more control over their online information.


The planned law would give European prosecutors the power to compel companies to hand over data, bypassing existing legal channels known as mutual legal assistance treaties (MLAT).


Jourova said the law would apply to crimes which carry a minimum penalty of three years to ensure serious crimes like terrorism and drug trafficking are covered, however discussions are still ongoing.


Under MLAT, which is widely criticized for being unwieldy and slow, a European prosecutor would have to go to the government of the country where the data was stored and ask for a local subpoena or search warrant.


Some privacy campaigners agree that the MLAT system needs to be changed to speed up the process, but oppose any moves to requisition personal data across borders.


“The Commission’s main course of action is once again to circumvent this process ... rather than proposing to reform the problem they have identified,” Estelle Masse, Senior Policy Analyst at Access Now, a digital rights advocacy group, said at a conference in late January.


Asked about the Commission’s plans, John Frank, vice president for EU government affairs at Microsoft, said he thought it was generally “a bad idea.”

“I think the international law is pretty clear that police jurisdiction exercised outside your territory infringes the sovereignty of other countries,” he said at the same Brussels conference.


“If every country asserts extraterritorial jurisdiction ... then everybody gets everybody’s data.”



