 So, welcome to our next talk. Our speaker is Elisabeth Niegrins. She is a lawyer, and she also works for the Digital Society in Berlin. And she studied in Leipzig. She studied law in Leipzig. And she also worked in criminal law. And she wrote a series of books about chaos and transformation. But today, our topic is a little different. It is about how international treaties on metadata extradiction work and how the EU evidence ruling will change this and how political persecution could have a new dimension in the future. So please give a warm welcome to our speaker, Elisabeth Niegrins. Yes, thank you very much for the announcement. Thank you for the introduction. Thanks a lot for the announcement and the introduction. And I'm delighted to be able to talk to you about this topic today. As was mentioned in the introduction, I want to talk about the EU perspective. So this is being talked about in parliament right now. And I'm sure that many of you have learned about it. So in some countries, providers will be obligated to hand over metadata. So this is not a singular prospect, but it comes in the context of many other regulations of the past few years. And I wanted to bring some context into this whole matter. So it is also about international law that is being questioned here, especially when it's about electronically storing data. And we have to have a look at if we want companies like Facebook and Google to be able or to be obligated to hand over data to jurisdiction. For example, this is a topic in Germany right now because of hate crimes that are being committed on the internet. So it is not a question that we can have a single perspective on. But we need to look at it from different angles because it's going to be an international transfer of email and transaction data. And it is about the question whether and in how far German authorities should be involved in this question. And it's also about companies like TikTok from China or companies from Russia that could be involved in criminal investigations in Germany or other countries because people meet up and that happens on those kind of platforms. So what is at stake here? Because it might be possible for Chinese authorities, for example, to get access to German data. And how would we react if these countries were able to access data from Germany? So what is being postulated is that then internet can be a free space and in more like it is at the moment. But we need access to certain kinds of data. And this is a debate that is not universal and enough just yet. So I would like to get a few different viewpoints on this. So what is this regulation trying to fix? As the EU Commission says, the internet is largely privately owned and borderless for everyone except authorities pursuing criminal investigations. So cloud services, social media being important for our daily work, and that means that many data is saved and that means that authorities and criminal persecution is interested in that. So the problem arises where data is saved across borders because then it is difficult for authorities to access them because normally authorities and police can only act within their own national borders. And there have been trends in the past few years like unilateralism and like authorizations widening across borders. So of course, police, forces, and national authorities want access to data from abroad. And on the other hand, we also have directives that forbid this interaction between authorities. And that rule that countries instead have their right to do their own investigations and rely on their own means. So if we think of unilateralism, that is problematic because national sovereignty has the function to defend fundamental rights. So let's have a look back or at the present how there's this cooperation between authorities, law enforcement authorities work. This is how it works so far. For many years or even for centuries, we have had legal assistance treaties or called MLAT. So you have bilateral and multilateral treaties on how countries cooperate. So for example, we have rulings that articulate that people are extradited to other countries in case they have committed crimes there. And I think it is obvious that this law about extraditing can be very relevant in international politics. So it is about extradiction, but also lower level things like confiscating documents and devices and things like that. So Germany is part of many of these international treaties since the Second World War. And normally it works like that. A country files for extradition or another kind of action. And then the other country has to check if that is within their interest. And then, well, the proceedings are like that. One state is then acting in their function as a country within another country. But countries can also refuse these kinds of cooperation, for example, for political reasons, but also dual criminality. Because the crime that has been committed must be defined as a crime in both countries. For example, that was the case with Putschdemont in Spain who wasn't extradited from Germany because his crime wasn't a crime in Germany. So this is because the countries just have a different definition of what is a crime. So the auto-public is very basic things about the public order. And the NABBC in Edem means that for every crime, a person can only be prosecuted once and not twice. The problem with this is that this is usually a diplomatic route. And there are a lot of different organizations involved. And that's why it takes a long time. According to the EU Commission, 10 months is the norm at the moment between the standards at the moment between EU countries. So everyone agrees that this should be easier and quicker, especially with electric data, which change quickly so you can't use an IP address very long. In 2013, the US government tried to do something new. They forced Microsoft to give them the emails from a user. And the special thing was that these data were saved at Microsoft server. And Microsoft did not comply. They said that they do not have the right to request them. And the EU data protection law does not allow us to give you the letters. They lost in front of the court in the first part. And the second part, the second instance, say one, because the court said that the law they wanted to apply is not enough to force Microsoft to give the email to the US prosecutors. So a lot of this court, this case, came in front of the Supreme Court and a lot of international organizations handed reports in, for example, reporters without borders. And this resulted in a new law, namely the Cloud Act. Cloud meaning clarifying lawful use of data, meaning that US companies have to give data to US prosecutors, irrespective of where they are saved. If you are in conflict with a law of a different country, then the company is allowed to refuse if the person is not a US citizen or if it risks the company violating the laws of another country, but not every country. But only countries with which the US has some special treaty. At the moment, there aren't that many countries with which the US has such a treaty. But recently the UK signed such a treaty, meaning that companies which are in the US, say, companies in the US are forced to either violate the US or the EU law because the GDPR does not allow companies to give the data to the US prosecutors. But in the US, they can be forced to do it. So that's another reason for signing these treaties because then you can also force companies to give data to EU countries which are saved, stored in the US. And a lot of prosecutors in the EU want this because there are a lot of companies in the US. So that's why the UK signed such an agreement, as I already mentioned in October. And there was a lot of criticism of this because, first of all, it could be an example for other countries. And... But they did not specify what exactly this means for countries with different laws. So with the UK, they have a very similar law with the US. But they did not clarify what happens if a country has a much lower standards regarding independence of judges and similarity. So politically, you have to regulate with how the EU states or countries can access data stored in another country in the EU. That's how we get to the treaty I mentioned earlier. The UK already signed the treatment because before they signed the EU treaty, so that's kind of problematic because the EU should find an agreement before some country signs a treaty with another country. So what does this evidence treaty say? So this regulates the relationship of states in the EU. There are different kind of data types and there are different treatments of these different kind of data. But the basic thing is that the country A would not contact state B, but the country A, let's say Bulgaria, would, for example, directly contact a company in Austria with a request. And Austria only has the requirement that if the company does not comply, then the country B, in this case Austria, has to force a company to give out the data. This has to be fairly quickly and in the fastest case, up to six hours. And there should be sanctions up to 2% of their yearly profits. So this strictly violates the sovereignty of the country because another country can contact the company directly. And the biggest problem is that the criterion of mutual crimes is not necessary. What does that mean? In most cases, the laws are not similar. So, for example, in Malta, it's illegal to abort. If a doctor from Malta does these abortions and communicates with German people via posteo, then posteo could be forced to give data to the Malta's prosecutors. And in Poland, it's illegal to say that Polish people participated at the Holocaust. So if people in Poland publish such statements on Facebook or Twitter, then these companies are forced to give out data to the Polish prosecutors. So you can imagine a lot of conflicts where, in one state, it is legal and they are absolutely not in agreement that this is a crime. But the company still has to, the private company still has to comply and give out the data. Additionally, especially the direct access, is that if your data is given out, then you have to fight back in a different, you think, the laws of a different country. And also, there are a lot of EU countries where there are a lot of problems with the fairness of a lot of court cases. So if you come back to this example, if Bulgaria requests something from a company in Austria, then this request is according to Bulgarian law and not whatever is legal in Austria. So it's possible to have Bulgarian prosecutors allowed to do more in Austria than Austrian prosecutors. And that doesn't really make sense and reduces protections of national protections, for example, in Germany by the highest court. So far, that's not possible to veto anything according to the draft of the Commission. As a state, as a country be here, at the moment, don't have any chance to fight against it or say it's not allowed. It's a little bit different the current draft of the European Parliament. The Commission for Civil Liberties wants to introduce a veto right that includes a 10-day period within which the provider can react to the extradition request by the execution state, for example, because the action is not a crime in their country. This is not a compulsory provision. So the provider has the possibility to have a look into it and to write a statement refusing it. As a digital society, we do not think that this could lead to and all together why control of data. But what would happen if the provider is located in another state that is not in the European Union? That provider has the possibility to address the possibility that they could criminalize themselves through those actions. So when it comes to third states being involved, this is rather a unilateral directive. So of course there is an incentive for other states to postulate regulations that would allow for data to be extracted and delivered to other countries. So my association, Digital Society, has posted an open letter to the European parliamentarians residing in Germany. And there is also an English version of that letter. And we are in exchange with other media representatives and other organizations. So one last regulation that I would like to talk about is the cybercrime convention that dates back to 2001 and is about harmonizing what is considered a crime and also regulates legal aid. And there has been an additional protocol that would have countries be able to directly have other countries send over data. And this involves a lot more states. As far as we know, there are 64 states such as Argentina, Australia, Chile, Japan, Morocco, and many others. So the problems that we currently have in the EU will be exported to other countries, so to say. So we have seen that national authorizations are transgressing borders. And often they digress from the principle that fundamental rights are being protected. And there is the notion that data can't be considered territorial. Jennifer Deskel, a US scientist, for example, says, or has a few arguments why that should be OK, because data is fluid like a water bottle. They are very fast, and they can also be present at many locations at the same time. And also data is controlled by third party. So sometimes people don't have a choice as to where the data is saved. But if you look at data as non-territorial, you have a few fundamental problems. For example, because the protection of fundamental rights cannot be guaranteed in a country where it should be protected. So the national sovereignty would be at stake. And I would also say that it isn't really about internationalization and countries finding standards. But it's about nationalization and national needs and requirements that are being reinforced. So you shouldn't romanticize it. But I would say that the internet still is a space where certain political action can take place. And this is at stake when we talk about physically connecting the internet with the legal authorizations of a country. And this limits freedoms that we have at the moment and that we need. And in some way, we can see the internet as an asylum for people to take political action. For example, if you think of Hong Kong, where activists have to stay anonymous, it is very important that services like Reddit or Telegram or other services that are not located in Hong Kong or China and where the Chinese government doesn't have access to. So many companies that are located in the US do not hand over data to Turkey and for very good reasons, as I'm convinced. And if those companies were obligated to hand over this kind of data, which hasn't happened yet, but which would be the next logical step, then many doors would be closed. So that doesn't mean that this kind of communication can't take place anymore. And that doesn't mean that activists won't find ways to communicate. So for example, they can use proxy service and VPN, but still it restricts people in their political leeway. And that is a considerable thing. So we also see a reduction of press freedom. So political action that is taking place in clouds wouldn't be able to function like it is working now. More concretely, you can see the statement on the slide. So in a Supreme Court case in the US, it was stated that if the US take the right to hand over data to other countries, then other countries would do the same. And there's also the argument that people don't define the location where their data is stored themselves. I think there's many cases, especially with politically active people that do make a conscious choice on where they save their data. And pragmatically, that would also result in a decision being dropped, and that locations become impossible. And lastly, you have the provider as the only instance who would be able to refuse to carry out the action of handing over data. And this should be the job of state agencies, actually. So something that is also exciting is this statement that in the Microsoft warrant case, there was a warning against US regulations having ramifications on other countries and of the effectiveness of international cooperation in criminal persecution. So they say that unilateralism will lead to conflicts between countries and will lead to corrupted cooperation and also to localization obligations. And this would fraction up the internet. So lastly, I would like to recommend some literature to you for those who are interested in further researching this topic. Borchardt, for example, and Jennifer Dasker with a de-territorial approach, and Martin Buse, which is a very large compendium of the evidence. You often see the postulation that there should be no restrictions on the internet. And if you think about these measures being implemented, what ramifications could it have? In many political discourses, you don't really talk about the criminal consequences and persecution consequences. And I think that I can make it clear that international cooperation in criminal persecution, there can be spaces for political activism between countries that have differing laws and legislation and where data cannot be handed over at the moment. And if even people who have been in the persecution system warn against this kind of legislation, that this can't be the right solution. So whether we are going to have this network of data being handed over from country to country or not is I cannot really say. But if you want effective criminal persecution, you would have to make better processes and proceedings and follow the decisions that have been taken in 2014 and 2017 and evaluate them and see where you can take further action. But you cannot just blanket introduce this kind of legislation. I think this is very problematic. So that's it from my side. If you like the work from my association, I would love for you to donate or become a member or join one of our events. Thank you very much. So now we have time left for some Q&A. We have three microphones in the room. So please get to the microphones. So I will ask the internet first. Are there questions from the internet? There are no questions from the internet, which is the first time. So the first question from Mike to you, please. Hello and thank you. Can you say something about judge provisions after this provision? So from the e-evidence draft, there are three versions, one from commission and one from parliament, which isn't really done yet, and from the draft Burger Zippel presented, which is the first guess of what the parliament might conclude with a said that it should be an independent organization, independent body, meaning that according to the... For Germany, they have to be judges because the prosecutors in Germany aren't independent. So the target state of the... Where the target state controls. From the draft, from the commission, there is something similarly, but only restricted, only for very similar and for very intimate data. For messaging data, for example, but just for metadata, this is not all. I would be interested if there is a conflict between the EU and this evidence provision. What could be a possible result? And how could that conflict be cleared? So the conflict we have at the moment, which is maybe what you're referring to, that's between the GDPR and the Klaudeck, is that what you mean? Yes, I mean that, and if that idea becomes into law and then it is not compatible with current law, what will happen then? Klaudeck, e-evident situation. So it's a moment for a provider, if I get a request from the S, there is like the larger pressure from the S, but I don't know if there has been such a case where companies violated GDPR regulations by giving data to the S, but I assume it's true, but I haven't heard from any German organizations getting active. If you want to sanction them, you have to take into account that the companies are in kind of a bad situation and didn't really want to violate law. The European law court don't really consider this at the moment. The e-evidence GDPR clash was a normal conflict. I can't really say that at the moment, because the conflict I refer to with the Klaudeck is about if you transfer data from the EU to another third country, and this is not included in the e-evidence at the moment. Okay, then this is unfortunately it for all the questions. You may address the speaker at the stage. And I would like to thank the speaker and warm applause for her.