E-Evidence: trilogues kick off on safeguards vs. efficiency

The Regulation on European production and preservation orders for electronic evidence in criminal matters (E-Evidence) aims to create clear rules on how a judicial authority in one Member State can request electronic evidence from a service provider in another Member State. One such use case would be requesting user data from a platform in another EU country during an investigation. We wrote about our main issues in the past.

What Wikimedia worries about

At Wikimedia they were originally worried mainly about a new data category – access data. This would mean that prosecutors would be able to demand information such as IP addresses, date and time of use, and the “interface” accessed, without judicial oversight. In the Wikipedia context, however, this information would also reveal which articles a user has read and which images she has looked at.

The second aspect they care about is whether the service provider’s hosting country’s authority will have the right to intervene in some cases where fundamental rights of its citizens are concerned. Wikimedia know that unfortunately not all EU Member States have good rule of law records, which calls for safeguards at least  against potential systemic abuse. Again, knowing which Wikipedia articles or which Wikimedia Commons images someone opened is information that should be hard to get and only in rare and well justified cases.

“Knowing which Wikipedia articles or which Wikimedia Commons images someone opened is information that should be hard to get and only in rare and well-justified cases.”

“Access Data” to drop out?

After the Council reached its negotiation positions in late 2018/early 2019 and so did the European Parliament in December 2020, the trilogue rounds (meetings between the two co-legislators plus the Commission) have now begun. So far the good news from the second meeting on March 18th is that the Council seems open to follow the Parliament’s position in dropping the “access data” category. However, in exceptional emergency situations judicial authorities will be allowed to request data needed to identify persons quickly. Details are important here.

Notification regime for hosting country’s authority?

On the second main point, we are seeing that both European Parliament and Council have started the negotiations around the issue of a “notification” regime for the hosting country’s authorities. The European Commission didn’t include anything like that in its proposal. The European Parliament wants to make sure citizens are (doubly) protected against prosecutorial misuse, having in mind that not all EU members have a great record on this. The Council mainly worries about simplicity and speed of procedures. Again, we will need to see a possible compromise, as details are key.

Donate to EDRi to build a people-centered, democratic digital future. Donate Now

Further aspects

Furthermore, based on a proposal from the Parliament, a common EU exchange system for such requests is discussed. Through the system the platforms would receive production and preservation orders and through which the requested data would be sent. This would solve the issue of each platform knowing which the competent authority is in each Member State and also ensure the secure transmission of data.

A harmonised right for platforms to request reimbursement for the costs incurred by such orders from the issuing authorities , as introduced in the Parliament’s position, is also still under discussion and it is rather opposed by the Council and the Commission.

Next steps

The next trilogue will be on 20 May, still under the Portuguese Presidency. In the meantime there will be technical meetings (between assistants, experts and advisors). Participants are certain the talks will continue throughout the Slovenian Presidency taking place in the second half 2021.

The article was first published here.

(Contribution by: Dimi Dimitrov, Wikimedian in Brussels)