“E-evidence” state of play: Building compromises, sweeping rights under the carpet

Despite the Pegasus scandal which has sent shock waves across Europe, and served to shine a light on illegal surveillance practices used by governments, the Council and the European Parliament are moving closer to an agreement on a new data-harvesting tool that could be similarly abused.

By EDRi · October 6, 2021

In the direct aftermath of the Pegasus Project revelations, the European Commission has announced that it would launch an investigation into the surveillance of journalists by EU governments through the use of the Israeli spyware. Right at the centre of the controversy is Hungary, accused of having illegitimately hacked journalists’ phones and thus accessed messages, emails, calendars and phone records, which in principle should have been protected by the right to freedom of the press.

Despite EU policymakers’ expressing dismay at the crumbling state of the rule of law and illegal surveillance in Hungary, they are about to give European law enforcement a similarly threatening data-gathering tool, which could essentially hurt free speech, privacy and the right to a fair trial. 

A recently leaked document by EDRi member Statewatch, which was prepared by the Slovenian Council Presidency, has revealed that legislators have identified “possible compromises” on the “e-Evidence” Regulation. The legislative proposal would give law enforcement authorities the power to request any sort of data directly from all service providers in the EU. This system would bypass all previously established safeguards in the field of judicial cooperation.

Can you see the link? 

One of these “possible compromises” is particularly telling in light of the Pegasus affair. In its own position, the European Parliament had proposed to set up a notification mechanism in order to have a second Member State authority (the “executing authority”) verify data access orders. This verification would enable them to reject orders that violate fundamental rights. In addition, when orders would be issued by a Member State subject to an Article 7 procedure under the Treaty on the European Union (meaning that there were serious and persistent breaches of the rule of law in that State), the executing authority would be able to automatically raise an objection and halt the orders.

However, the Council seems unhappy with the Parliament’s proposal to safeguard the rule of law. The compromise says that references to Article 7 procedures “will not be included in the Regulation” and that “such procedures will not affect the way the data is obtained from service providers”. This stands at odds with the EU’s recent efforts to address rule of law issues in a more prominent way, for example by tying the dissemination of EU funds to the respect of the rule of law.

On one hand, the EU condemns the widespread state surveillance and defiance of European core values by some Member States, while on the other hand, it gives Member States an intrusive tool ripe for abuse.

Is relying on police officers’ amnesia our only option?

What happens when data that should not be transferred is transferred nonetheless? This could happen more often than before if the “e-evidence” Regulation is adopted according to the Council Presidency’s plans. The document indicates that 

  • no notification to the executing State would be required for preservation orders (when the data is prevented from being deleted until an access request is sent),
  • no notification would be required for subscriber data and traffic data sought for identification purposes – aka not “real traffic data” in the words of the Slovenian Presidency, but actually, traffic data is traffic data,
  • in any case, notifications will not have suspensive effects, and
  • notifications for access to “real” traffic data and content data are still an outstanding issue. The Council wants to limit notifications to cases where the person is not residing in the issuing State.

This means that orders for subscriber data or IP addresses will be sent directly to service providers abroad, without any further checks or possibilities to question the requests before they are executed. It will facilitate the identification of whistleblowers, protesters and investigative journalists by authoritarian governments willing to crack down on the free press and on social movements. When the police obtain someone’s identity, it can put their personal safety at grave risk.

With the residence criterion advocated by Council, even cross-border requests for content data will take place without notifications in many cases. Journalists or activists residing in a Member State with serious rule of law problems cannot protect themselves against abusive domestic authorities by choosing a service provider in another Member State. The Council rejects the heightened need to protect fundamental rights in such cases. The Council’s argument for the residence criterion is to prevent authorities in the executing State from receiving too many notifications. This strongly suggests that the Council foresees a substantial increase in the number of cross-border requests for content data.

No suspensive effects means that the service provider has to send the requested data before the deadline whether or not the notified State has had the time to assess the request and give its opinion. If it objects to an order but the service provider has already given out the data (metadata or content data like emails, messages, photos, videos etc.), it is already too late. The compromise specifies that “when the data is gathered in breach of the Regulation or a ground for refusal is raised, this data shall not be used in the proceedings and shall be deleted.” This proposal wrongly assumes that once an investigating police officer gets new information (e.g. the name of another suspect mentioned in a message), they will be able to immediately forget what they’ve just learned. Worse, it encourages the use of unlawfully obtained data to obtain evidence indirectly which may be ultimately admitted in court. 

In order to avoid these situations, an order should not be executed without the authorisation of the executing authority. This procedural requirement should apply for all types of data and orders.

Ex-post safeguards are insufficient on their own

The Slovenian Presidency proposes instead “a formula” to limit the number of notifications to the executing authority. Notifications of subscriber and ‘unreal’ traffic data “would only be done once a year, in the form of compiled information, without any personal data being shared”. It argues that such a mechanism would enable the executing authorities to “follow developments and examine any possible malfunctions.” 

First, it is very hard to see how authorities will effectively spot abusive orders when the data is compiled and anonymised. Second, if they miraculously manage to “examine malfunctions”, what remedies will they have to change the situation? The data will have already been transferred a long time ago. Will they be able to systematically request suspensive orders from then on? The document does not say. The aggregated notifications are really transparency statistics that should be compiled in any case for assessing the functioning of the e-Evidence Regulation.

Third, relying solely on ex-post safeguards (that certain Council members want to water down) puts pressure on the rule of law and the fairness of the criminal justice system. Ex-ante safeguards are as important as ex-post safeguards to hamper disproportionate use of law enforcement powers. They ensure every individual situation is carefully treated in respect of all the applicable laws and deter law enforcement from acting outside of the law. In a nutshell, they prevent the illegality from occurring. Once again, notification to the executing State should take place systematically, for all orders and data categories. 

Contribution by: Chloé Berthélémy, Policy Advisor

Twitter: @ChloBemy