By Chloé Berthélémy

On 6 June 2019, the Justice and Home Affairs Council (JHA) – which gathers all EU Member States Ministers of Justice – asked the European Commission to start international negotiations on cross-border access to electronic evidence in criminal matters (so-called “e-evidence”) in the upcoming months. The Commission should enter into bilateral negotiations with the United States (US), and at the same time, it should join the ongoing discussions at the Council of Europe about the adoption of a Second Additional Protocol to the Budapest Convention on Cybercrime – which also deals with access to e-evidence.

Both negotiation mandates were issued while the Commission’s own proposal for a European e-evidence regulation is highly contested and still being debated in the European Parliament. According to this proposal, law enforcement authorities in any EU Member States would be allowed to force providers like Facebook or Google to hand over personal data from users, even if the provider is located in a different country. The authorities of the provider’s country would have almost no say in it, and in most cases would not even know that their citizens’ data has been accessed by foreign authorities.

Many critics, including EDRi, lawyers, academics, the European Data Protection Board (EDPB), and other civil society organisations oppose the very idea behind the e-evidence proposal as it heavily infringes on our fundamental rights without due safeguards.

Even within the EU, some activities are considered criminal in one country, and legal in another. Negotiating similar data access rules with countries like the US or even Russia and Azerbaijan (as part of the Council of Europe) that often have very different concepts of the rule of law, puts people in Europe at risk. This is especially dangerous for political dissidents and activists who have come to the EU as a “safe haven”.

In fact, the previous European Parliament Committee responsible (Committee on Civil Liberties, Justice and Home Affairs, LIBE) expressed serious criticism in a series of Working Documents. Still, the Commission intends to negotiate on its own terms and those of the Council of the European Union, which are very similar.

It is unacceptable that the Commission does not wait for and is unlikely to take into account the position of the co-legislator. In line with the European democratic legislative process, negotiations with third parties should not start as long as no official position of the EU as a whole has been reached. Worse yet, the Commission will likely be obliged to amend its own negotiation position on in order to follow the outcomes of internal discussions between the EU Council and the Parliament. It will greatly undermine the legitimacy and credibility of the EU as a negotiating partner.

No transparency

As usual when the Commission is representing the EU in negotiations of international agreements or treaties, few transparency mechanisms are put in place to inform citizens about what is being discussed, what compromises are being struck, and what concessions are being given from which side of the table. Often such information is kept secret while the issues at stake have considerable impact on people and our democracies. The Commission announced that it will regularly inform the Member States about the progress made, but no such reports seem to be foreseen to the European Parliament. Yet, it is the Parliament that represents European citizens and that is key for democratic scrutiny and transparency. It goes without saying that scrutiny by and participation of civil society will be even more challenging.

The European Data Protection Supervisor (EDPS) recently published a recommendation demanding to include additional data protection principles and fundamental rights protections into the negotiation mandates given to the Commission. It is unclear how this recommendation and the strong criticism from experts across the board will be taken into consideration.

Recent CJEU ruling puts the Commission’s proposal in jeopardy

In addition, the Court of Justice of the European Union (CJEU) recently released a ruling on the issuance of European Arrest Warrants by public prosecutors. It decided that for the purpose of cross-border judicial cooperation, certain public prosecutors cannot qualify as competent “issuing judicial authority” under the European treaties. According to the CJEU, public prosecutor’s offices in countries such as Germany cannot be considered independent as they are likely exposed to direct or indirect instructions from the Minister for Justice and thus to political decisions. Issuing authorities should be capable of exercising their functions objectively, taking into account all incriminatory and exculpatory evidence and without external directions or instructions. This ruling is of importance in the context of the e-evidence proposal. It proposes that judicial authorities, including prosecutors, can issue European production and preservation orders to obtain data in cross-border cases. In line with this CJEU’s ruling, public prosecutors would not be allowed issue these orders for the purpose of judicial cooperation as set out in Article 82(1) of the Treaty on the Functioning of the European Union (TFEU). Thus, the current proposal is weakened in regard to its legality and will need great improvements to ensure compliance with CJEU case law.

Cross-border access to data for law enforcement: Document pool
https://edri.org/cross-border-access-to-data-for-law-enforcement-document-pool/

CCBE press release: CJEU ruling casts doubts on the legality of the proposed e-evidence regulation (29.05.2019)
https://www.ccbe.eu/news/news-details/article/cjeu-ruling-casts-doubts-on-the-legality-of-the-proposed-e-evidence-regulation/

EDPS Opinion on the negotiating mandate of an EU-US agreement on cross-border access to electronic evidence (02.04.2019)
https://edps.europa.eu/sites/edp/files/publication/19-04-02_edps_opinion_on_eu_us_agreement_on_e-evidence_en.pdf

EDPS Opinion regarding the participation in the negotiations in view of a Second Additional Protocol to the Budapest Cybercrime Convention (02.04.2019)
https://edps.europa.eu/data-protection/our-work/publications/opinions/budapest-cybercrime-convention_en

(Contribution by Chloé Berthélémy, EDRi)