EU Council’s general approach on “e-evidence”: From bad to worse
On 7 December 2018, the Justice and Home Affairs Council (JHA) adopted its general approach – a political agreement before entering into negotiations with the European Parliament – on the proposal for a Regulation on European Production and Preservation Orders in criminal matters. The initial proposals of the European Commission already raised concerns in terms of fundamental rights. The concerns are now growing as the Council’s text entails a severe deterioration of the few provisions that were meant to safeguard fundamental rights.
Solving political dissent by ignoring legal challenges
The main change brought by the Council to the Commission’s framework of “direct cooperation” is the introduction of a notification mechanism to the State where the service provider is established (Article 7a). This is the solution found to break the political deadlock between Member States that are supportive of the Commission’s approach and a group of eight other Member States that are against it. The latter expressed their concerns with regards to the lack of consideration for “checks and balances” and “guarantees for the protection of fundamental rights” in a letter to the Austrian Presidency of the Council and the Commission. In addition, incompatibility with national constitutional principles, notably related to the freedom of press, was pointed out by several Member States. The Council text represents the attempts to compromise and settle the different claims.
However, the additional notification procedure is coupled with a downgrade of safeguards and oversight measures. The notification only applies when content data is sought, and the issuing authority has reasonable grounds to believe that the person whose data are sought is not residing on its own territory. The notification does not give the notified authority enough possibilities to oppose the order. Indeed, refusal grounds are minimal. They only relate to immunities and privileges, liability exceptions associated with the freedom of press and freedom of expression, and national security interests. This comes with the discharge of service providers from assessing the legality of the orders. They can only refuse to comply on the sole ground of de facto impossibility – if the data was already deleted or the targeted person is not a customer. In the event where they refuse to comply for other reasons, the enforcing authorities also have only limited grounds to refuse recognition and enforcement of an order: a violation of the Charter of Fundamental Rights of the European Union does not feature anymore among the valid reasons of refusal. In this framework, there is no effective redress and protection from a breach in fundamental rights, but it’s the sole responsibility of the issuing authority, which is not necessarily an independent judicial body in every country. This undermines judicial cooperation and mutual trust.
Furthermore, the notification does not suspend the obligations of the service providers to hand over the requested data, thus doesn’t give power to the executing State to stop the data transfer (para. 4). Only “if the data were not provided yet” (para. 2), the issuing authority should withdraw or adapt its order following the executing State’s grounds for non-execution. This creates high risks of fundamental rights breaches without the executing authority being able to apply the possible safeguards in its national law.
Compromises based on the sensitivity of data are wrong
This compromise is fundamentally flawed as it is trying to solve political challenges by adding conditions based on the supposed sensitivity of data. The Council’s premise is that “As opposed to non-content data, content data is of particularly sensitive nature because persons may reveal their thoughts as well as sensitive details of their private life.” (recital 35c).
The Council’s assessment of the presumed degree of sensitivity for different categories of data is confusing and is not in line with the case law of the highest European courts. The Court of Justice of the European Union (CJEU) held in its Tele2/Watson judgment that metadata “provides the means (…) of establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications.” (para. 99). The European Court of Human Rights in its recent case Big Brother Watch and Others v. the UK came to similar conclusions (para. 355 to 357). Therefore, working out compromises in the Council resting on the idea of supposedly more or less sensitive metadata makes no sense in the light of the European courts’ judgments.
The Council fails to fix the proposal’s flaws
Some amendments brought to the initial text attempt to patch the pitfalls of the proposal. However, it fails to provide clear and precise provisions to enact those changes. For example, the Council introduced references to the ne bis in idem principle – by which a person cannot be prosecuted twice for the same crime. Yet, without a meaningful involvement of the State concerned, the issuing authorities still encounter a lack of information on ongoing investigations and can only rely on “indications” (recital 12).
Furthermore, recital 29 adds that the issuance of European Production Orders should “take due account of the impact of the measure on fundamental rights of the person whose data are sought.” Sadly, this statement of intent does not translate into concrete safeguards for the affected person.
Worse still, the Council removes the possibility for service providers to notify their users about their data being requested and accessed by inserting a non-notification by default clause. The confidentiality of the investigation takes priority over the affected person’s rights. The suspected person is allowed to contest the legality of an order only in the issuing State – possibly with a different judicial system than the State in which the person resides and in a foreign language. In addition, if there are no criminal proceedings launched against the affected person or if the data accessed is not being used during the trial, the affected person has no possibility to exercise their right to effective remedies against the order.
In general, the Council’s position goes in the wrong direction from an already worrisome proposal.
An urgent need for criminal prosecution?
It seems recurrent that Member States rush to pass European pieces of legislation on the basis of security arguments without proper evaluation and safeguards and then drag their feet when it comes to implementation. This already happened for the EU Passenger Name Record (PNR) Directive and the European Investigation Order.
While the Council of Ministers is eager to pass the proposed legislation as soon as possible at the European level – disregarding potential impacts on fundamental rights – it also conveniently agrees to postpone the implementation deadline at national level from six months to 24 (Article 25). It is perfectly understandable that a complicated piece of legislation with novel extra-territorial powers for Member States cannot be implemented at the national level in just six months. However, the necessity of two years for national implementation also means that there is absolutely no urgency to rush the decision at the Council level. This can only be relevant for purely political reasons. Fortunately for European citizens and the rule of law in the Union, the European Parliament wants a thorough assessment of the Commission’s proposal before adopting its position.
18 civil society organisations’ letter urging the Council to seriously reconsider the general approach (05.12.2018)
EU “e-evidence” proposals turn service providers into judicial authorities (17.04.2018)
Independent study reveals the pitfalls of “e-evidence” proposals (10.10.2018)
European Commission proposals on cross-border access to data (17.04.2018)
Committee for civil liberties, justice and home affairs’ first working document (07.12.2018)
(Contribution by Chloé Berthélémy, EDRi intern)