
“E-evidence”: Repairing the unrepairable

By EDRi · November 14, 2019

On 11 November 2019, Member of the European Parliament (MEP) Birgit Sippel (S&D), Rapporteur for the Committee on Civil Liberties, Justice and Home Affairs (LIBE), presented her draft Report, attempting to fix the many flaws of the European Commission’s “e-evidence” proposal. Has Sippel MEP been successful at repairing the unrepairable?

The initial e-evidence proposal by the Commission aims to allow law enforcement agencies across the EU to access electronic information more quickly by requesting it directly from online service providers in other EU countries. Unfortunately, the Commission forgot to build in meaningful human rights safeguards that would protect suspects and other affected persons from unwarranted data access.

The Commission proposal is not only harmful, but simply not needed at this point. To speed up cross-border access to data for law enforcement, there already is the European Investigation Order (EIO). It has existed only since 2018 and has never been systematically evaluated, let alone improved.

From a fundamental rights perspective, the draft Report comes with a number of very important improvements. If adopted, they would help fix some of the worst flaws in the original e-evidence proposal.

Here is what Member of the European Parliament (MEP) Birgit Sippel suggests, and what that means for fundamental rights:

👍 Framing is important. While the Commission’s proposal treats all information accessed under the new law as if it was admissible evidence, Sippel MEP recalls that what law enforcement actually accesses is people’s data. Only a fraction of that data is likely to be relevant for ongoing criminal proceedings. She therefore correctly proposes to replace “electronic evidence” with the more accurate term “electronic information”.

👍 One of the Commission proposal’s biggest flaws is that it would allow any law enforcement agency or court in the EU to force companies like email providers and social networks in other EU countries to directly hand over the personal information of their users. The judicial authorities of that other EU country would no longer be involved and would in fact never know about the data access. To mitigate those risks, Sippel MEP proposes a mandatory notification to the judicial authorities of the country in which the online provider is located. That way, authorities can intervene in cases that threaten fundamental rights and stop unwarranted data access requests.

👍 & 👎 Sippel MEP proposes that authorities requesting data must consult the judicial authorities of the country in which the affected person has their habitual place of residence “where it is clear” that the person whose data is sought is residing in another country. Involving the country of residence makes a lot of sense because only their authorities may know about particular protections a lawyer, doctor, or journalist has. Unfortunately, according to the draft Report, this consultation only needs to happen where it is clear that the affected person lives in another country—a term that is undefined and easy to bend.
🔧 How to repair it: The involvement of the country of residence should be mandatory when it’s known or could have been known that the person whose data is sought lives there.

👎 Although the judicial authorities of the affected person’s country of residence would be consulted in some instances under the proposal by Sippel MEP (see point above), their opinion in any given case would only be “duly taken into account”.
🔧 How to repair it: The authorities of the affected person’s country of residence should be able to block infringing foreign data requests. The affected person’s country of residence is usually best placed to protect their fundamental and procedural rights and to know about potential special protections of journalists, doctors, lawyers, and similar professions.

👍 The draft Report streamlines and fixes the skewed data definitions introduced by the Commission and brings them in line with existing EU legislation. “Traffic data” replaces former overlapping “access” and “transactional” data categories. IP addresses, which can be very revealing of private lives and daily habits, benefit from a higher protection level by being defined as traffic data.

👍 The draft Report introduces an extensive list of possible grounds for non-recognition or non-execution of foreign data access requests aimed at protecting accused persons from illegitimate requests. The grounds of refusal include the non-respect of the principles of ne bis in idem (one cannot be judged twice for the same offence) and of dual criminality (the investigated conduct needs to be a criminal offence in all jurisdictions concerned).

👍 Sippel MEP proposes to extend the data access request instruments created by the new law to the defence of the suspected or accused person. This approach strengthens the principle of “equality of arms”, according to which the suspected or accused person should have a genuine opportunity to prepare and present their case in the event of a trial.

👍 The LIBE draft Report beefs up the rights of the affected person to obtain effective remedies and to a fair trial. Sippel MEP proposes that the person who is targeted by a data access request should be notified by default by the service provider, except in circumstances where such notification would negatively impact an investigation. In that case, the state requesting the data (issuing state) has to obtain a court order to receive it.

👎 Lastly, the draft Report fails to question whether direct cooperation with online service providers is at all needed. The Commission argues that direct cooperation for law enforcement is necessary to prevent relevant electronic evidence from being removed by suspects. However, the proposed instrument of a European Preservation Order would be less intrusive and most likely sufficient to achieve that aim (similar to a “quick data freeze” order).
🔧 How to repair it: The European Production Order Certificate (EPOC) should be completely removed from the law. Law enforcement agencies should use the European Preservation Order to quick-freeze data they believe could contain relevant electronic evidence. The acquisition of that data should be done through the safer channels of the European Investigation Order (EIO) and mutual legal assistance treaties (MLATs).

LIBE draft Report on the “e-evidence” proposal (24.10.2019)
https://www.europarl.europa.eu/doceo/document/LIBE-PR-642987_EN.pdf

EDRi Recommendations on cross-border access to data (25.04.2019)
https://edri.org/files/e-evidence/20190425-EDRi_PositionPaper_e-evidence_final.pdf

Cross-border access to data for law enforcement: Document pool
https://edri.org/cross-border-access-to-data-for-law-enforcement-document-pool/

EDPS opinion on Proposals regarding European Production and Preservation Orders for electronic evidence in criminal matters (06.11.2019)
https://edps.europa.eu/sites/edp/files/publication/opinion_on_e_evidence_proposals_en.pdf

EU rushes into e-evidence negotiations without common position (19.06.2019)
https://edri.org/eu-rushes-into-e-evidence-negotiations-without-common-position/

(Contribution by Jan Penfrat and Chloé Berthélémy, EDRi)