“e-Evidence” trilogues: what’s left of fundamental rights safeguards?

Shortly before the end of their mandate, the French Presidency of the Council nearly reached a political compromise with the European Parliament on the so-called “e-Evidence” proposal. This draft compromise lays down general guidelines to establish a future legal framework enabling national law enforcement to request personal data from private companies located in other Member States of the European Union (EU).

However, a few points remain to be agreed upon before the final text can be adopted by the co-legislators.

Unfortunately, the direction of the negotiations does not favour the protection of fundamental rights. An EDRi-led coalition of digital rights, lawyers, journalists, media organisations and internet service providers associations are ringing the alarm bell in an open letter addressed to policymakers. We warn against the foreseen framework that could seriously endanger freedom of expression, privacy rights and the right to a fair trial.

A severely weakened notification system

The compromise between the two institutions has led to the weakening of the notification system – a key safeguard for which we have been advocating since the start of the negotiations. A notification to the “executing State” (the Member State in which the private company is located) guarantees that essential principles of judicial cooperation are respected and ensure that a second authority verifies the legality of orders and blocks the ones that could lead to fundamental rights violations. In the compromise text, the notification mechanism is weakened in three manners.

1. First, no notification is required when the investigative authority (in the “issuing Member State”) seeks subscriber data and traffic data for the sole purpose of identifying the suspect (in most cases, IP addresses).
   However, identity data can become very sensitive in cases where it discloses the identity of whistleblowers, protesters and investigative journalists to authoritarian governments willing to crack down on the free press and on social movements. When the police obtain someone’s identity, it can put their personal safety at grave risk.
2. Second, the Council pushed for an additional exception to the notification rule. When the issuing authority believes that the person whose data is sought is residing on the territory of its Member State, it can abstain from notifying the executing authority.
   The assessment of where the person lives will be at the sole discretion of the issuing State which has clear incentives to avoid the notification – considered by Member States authorities as “red tape”. The issuing authority is neither asked to justify its beliefs nor to provide objective evidence. Nothing in the draft provisions foresees the possibility to scrutinise that decision. It, therefore, represents a major loophole that can be easily abused to circumvent the notification requirement.
3. Third, the rules to re-use data in other proceedings or to transmit them to another Member State could be used to circumvent the notification procedure. The draft compromise would let the issuing authority decide on its own whether the data can be re-used to prosecute a completely different offence or a different person or give the data to another authority in a different Member State.
   This is undermining the case-by-case review of necessity and proportionality afforded by the notification system. It is especially problematic if a Member State with systemic rule-of-law issues get hold of data obtained via an order through a secondary transfer. For example, Austria could transfer data obtained via an e-Evidence production order to Hungary, despite the possibility that Hungary would have been refused to receive such data if it had issued the production order itself due to a risk of a fundamental rights breach.

Many questions remain unanswered

The coalition is also raising several issues that need to be addressed to ensure legal certainty for all stakeholders involved, notably the affected individual(s) and the addressee of the order.

For example, the negotiators tentatively agreed that the executing authority notified of an order has to refuse it if it breaches certain rules. However, it is unclear whether the affected individual can complain against the executing authority once their data have been wrongfully disclosed to the investigative authority in case a ground for refusal has not been successful.

The political trilogue will take place on Tuesday, 29 November, and the technical meeting will occur just before that on Friday, 25 November, so the coalition hopes that its concerns and recommendations will be taken into account in order to ensure the proper protection of fundamental rights in cross-border law enforcement and the respect for the rule of law.