欧盟推出自己的“Cloud Act”

3月初在Cloud Act法案即将生效之前，欧盟司法最高官员提前向媒体透露了欧盟的应对措施【欧洲将立法允许执法跨境直接调取数据】。

4月17日，欧盟对外公布了该立法Package: e-evidence proposals. 目前该法案文本尚未公开。但欧盟委员会对其中的重点内容进行了“剧透”。本公号将其中会对（未在欧盟设立分支机构的）中国公司产生重要影响的内容摘出如下：

首先，如果面向欧盟提供服务，服务提供者应当在欧盟境内设立法定代表，以接收调取证据的法令。但欧盟强调，这个要求并不会强制要求服务提供者对数据存储地的选择。

欧盟解释的原文如下：

What is the proposal on legal representatives about?

Currently, there are different approaches across Member States regarding obligations imposed on service providers, especially in criminal proceedings and for service providers which do not have an establishment in the Union.  This fragmentation creates legal uncertainty for those involved and can place service providers under different — sometimes conflicting — obligations.

The proposal obliges service providers to designate legal representatives in the EU to facilitate the receipt  of , compliance with  enforcement orders to gather electronic evidence on behalf of these service providers.

This will remove the need for individualised national approaches and provides legal certainty at EU level. In addition, a uniform approach creates a level playing field for all companies offering the same type of services in the EU, regardless of where they are established. Moreover, it does not affect companies' freedom to store the data where they choose to.

其次，如果证据调查令指向的是存储在欧盟境外的数据，则在满足两个条件的情况下，服务提供者应当向发出命令的欧盟成员国提供：1）发出调取证据命令的司法机关对刑事侦查具有管辖权限；2）服务提供者确实向欧盟居民提供服务（无论是否在欧盟境内设立了分支机构）。

如果导致了法律冲突怎么办？例如我国的网安法不允许服务提供者对外提供某些数据？欧盟指出，在立法中会考虑这样的情况，但最终决定是否应该提供证据的还应该是欧盟成员国的法院。（Ultimately the decision whether to uphold the request will be up to the competent national court.）对此，笔者猜测，欧盟的路径应当和美国类似，允许服务提供者提出撤销调取命令的动议，由成员国法院作出礼让分析（comity analysis）。

至于欧盟成员国的法院在做礼让分析时，会不会像美国同行那样以“维护国内利益为主”采取极端强势的态度，还得进一步研究。同时欧盟也还未透露，服务提供者是否仅能在涉及特定国家法律冲突（如美国Cloud Act对适格外国政府提出了很高的门槛，见【美国Cloud Act法案到底说了什么】）时，才能够提出撤销动议。

What will happen if the data is stored in a non-EU country?

There is a difference between where the data is stored and where the service provider is based. The service provider might be based in a third country, but the data might be stored in the EU, even in the country of the investigating State. Still, under the current system the judicial authorities have to address a request via mutual legal assistance to the service provider in the third country. This would change under the proposal.

The Regulation departs from data storage as the determining factor for jurisdiction, and rather requires that the requested data is (1) needed for a criminal proceeding for which the issuing authority is competent and (2) related to services of a provider offering services in the Union. If this is the case, the data must be preserved and produced, irrespective of the place of data storage

In case a service provider is confronted with conflicting obligations deriving from the law of a non-EU country when evidence is requested, the proposal foresees a review procedure to clarify such a situation. Ultimately the decision whether to uphold the request will be up to the competent national court.

A service provider who stores data relating to its European users outside of the EU, e.g. in the US, will thus have to provide data to European authorities if addressed with a European Production Order, unless there is a conflict with a third-country law.

总的来说，美国和欧盟都完成了自己对数据主权的战略布局。我国急需出对手了。本公号相关文章汇集如下：【美国Cloud Act法案到底说了什么】、【Cloud Act可能本周就得以通过！】、【如何看待“iCloud中国账户密钥将存储在中国”】、【苹果公司境内存储密钥的法律效果再分析】、【欧洲将立法允许执法跨境直接调取数据】、【修改版的Cloud Act终成为法律】

在4月21日，公号君将在武汉大学法学院举办的“首届中国网络法治高峰论坛”上做分享：“数据主权战略博弈——美欧中的比较”，系统阐述目前的局势。