“E-evidence”: Mixed results in the European Parliament

On 7 December, the European Parliament Committee on Civil Liberties (LIBE) agreed on a final text for the Regulation on cross border access to data (so-called “e-evidence” proposal). Despite some improvements designed to better protect people against law enforcement overreach across jurisdictions, the Committee’s majority has unfortunately also made major compromises that will put the rights of journalists, lawyers, doctors, social workers and individuals in general at risk. These compromises are particularly deplorable given that the European Parliament Rapporteur’s original draft had introduced adequate measures to safeguard human rights and the rule of law.

The final Regulation will likely be even more underwhelming considering that the Parliament will now have to accept further compromises in its negotiations with the Council. The Council has previously taken a position on e-evidence which largely ignores even the most basic protections needed to be in conformity with fundamental rights and the EU’s own rules on due process. Here is a short, non-exhaustive analysis about what the Parliament is coming to the negotiations table with.

Moving away from the Commission’s faulty approach

The initial proposals of the European Commission raised concerns regarding the fundamental rights to privacy and protection of personal data, to a fair trial and to access to justice. Indeed, they distance themselves from the traditional EU framework of judicial cooperation that requires a system of mutual ‘peer review’ of criminal justice decisions through the systematic ex ante involvement of at least two competent judicial authorities. Instead, the Commission proposed that private companies holding people’s data shoulder the responsibility of the second check.

The LIBE Committee’s report tries to repair this flawed approach by reinstating some of the necessary safeguards for the rule of law and procedural rights. Under the Committee report:

• Service providers are no longer required to oppose potentially abusive orders and to know how to interpret the EU Charter of Fundamental Rights and 27 Member States’ criminal legislation
• A notification regime gives the State in which the service provider is based (the executing State) the possibility to reject foreign production orders based on a list of possible grounds for non-recognition or non-execution;
• The definitions of different types of personal data are improved and brought in line with existing EU legislation.
• Users whose data has been assessed need to be informed by default; any exceptions need a judicial order;
• Data obtained through an e-evidence order cannot be reused for other proceedings (purpose limitation);
• Data that is illegally obtained through an e-evidence order must be erased and is not admissible in courts;
• The European Commission needs to put in place an EU-wide exchange system for the authentic and secure exchange of information between judicial authorities and companies.

A job half-done

Despite these obvious improvements in comparison to the Commission’s original proposal, the Committee left out a number of crucial safeguards that EDRi and many other experts and stakeholders have long been advocating for:

• Missing involvement of the “affected State”

Under the Committee Report, the judicial authorities of the affected person’s country of residence are no longer consulted nor required to validate any e-evidence orders as originally suggested in the Rapporteur’s draft report. The so-called “affected State” would therefore be unable to block illegal foreign data requests. This is particularly unfortunate as the affected person’s Member State of residence is usually best placed to protect their fundamental and procedural rights and to know about potential special protections of journalists, doctors, lawyers, etc. This also creates barriers for the affected person’s right of access to justice.

• Insufficient involvement of the executing State

The service provider is requested to hand over subscriber data and IP addresses as soon as possible and within set short deadlines without being allowed to await a validation of the judicial authorities of its Member State of establishment. Extending an EU member state’s law enforcement powers beyond its own national borders is a fairly novel and highly risky approach. What is more, some of the safeguards approved by the Committee will have little to no effect in practice, such as the erasure obligation in case the executing State objects to an order after the data has been transferred.

• Lack of safeguards against fishing expeditions

The report fails to adequately protect against fishing expeditions, whereby law enforcement authorities request untargeted, massive amounts of data without justification in order to uncover incriminating evidence that was not previously suspected to exist. The Committee Report should have clarified a service provider’s right to refuse an order in case it is “manifestly abusive” because it is not targeted at a specific person or a limited group of persons.

• Lack of safeguards against deficiencies in mutual trust and EU judicial cooperation

The Committee report introduces stronger safeguards for data requests coming from Member States that are currently under Article 7 investigations for systematically breaching the rule of law. Those stronger safeguards should have been the norm for all EU Member States and be extended to e-evidence orders for subscriber information and IP addresses as well.

Shortly after the Committee vote Rapporteur Birgit Sippel announced that the Parliament’s position won’t “crack before our courts”. Sadly, there is little chance that her compromise will ever become the final Regulation but is merely another small step of weakening fundamental rights in law enforcement practice in the EU. The next step is going to be the trilogue negotiations with the Council and the Commission, both of which have even less interest in subjecting cross-border access to data to proper safeguards.

Contribution by: