
Independent study reveals the pitfalls of “e-evidence” proposals


By EDRi · October 10, 2018

On 21 September 2018, the European Parliament released an independent study written by Professor Martin Böse assessing the European Commission’s proposals for law enforcement authorities to have cross-border access to data (“e-evidence”). If adopted, these proposals would introduce European Production and Preservation Orders (EPO) for criminal matters. In order to inform the legislative process of this proposal, the study looks at the different aspects of the draft Regulation and the legal implications for the territoriality and sovereignty principles as well as for fundamental rights.


The conclusion of the study could not be clearer: “The added value of the new cooperation regime (quick and effective access to provider data) is mainly based on the abolition of cooperation obstacles and procedures ensuring effective protection of fundamental rights.” In this article, we summarise the main findings of the study.

1. Mutual cooperation should not mean a lower level of protection for individuals

The study recalls the current framework for accessing data in a cross-border situation and existing instruments such as the European Investigation Order (EIO) that was only recently implemented. The study points out that the EIO, introduced in 2017, was designed to speed up the procedure for the enforcement of preservation and production orders by limiting the grounds for refusal for issuing and executing such orders. It was the opinion of the Commission that traditional investigation tools are not always adapted to the digital era because internet data is not easily traceable. Thus, it decided to find another tool for judicial authorities to simplify their cross-border access to “evidence”, including electronic data. Comparing the EIO with the EPO, the study finds that there are two main differences: the first is that the EIO requires prior validation by an independent authority in the executing Member State, and the second is the still further reduced number of refusal grounds both at the issuing and enforcement stages.

While “the EIO Directive has maintained traditional rules of cross-border cooperation such as the double criminality requirement and the analogous application of thresholds for particularly intrusive investigative measures”, the new draft Regulation removes all of these.

On top of that and “contrary to the Commission’s explanatory memorandum”, the minimum maximum penalty threshold does not exclude petty offences, such as theft or fraud, from the scope of the Regulation. The study is unequivocal on that matter: these new thresholds do not reach a level of protection similar to the requirements that individual Member States in the Union set for access to sensitive data. As a result, an EPO can be executed in a Member State even if it has higher national protection standards in place than the issuing state. It can also cover a larger range of crimes.

2. Unilateral enforcement is not a good idea

The study raises concerns about the approach of the European Commission allowing the unilateral extension of enforcement jurisdiction.

First, the study shows there is a problem with the legality assessment of an order. According to the draft Regulation, if law enforcement authorities of Country A order a service provider whose services are offered in Country B to produce data, Country A is the issuing Member State and Country B the executing Member State. The proposal shifts the competence of assessing the legality of the order from the executing authority in Country B to the issuing authority in Country A. In particular, law enforcement authorities in Country A are required to verify that the data requested is not protected under the law of Country B. According to the study, there are good reasons to believe that the law enforcement authorities will bypass this obligation as they are serving their own national interests in a criminal investigation and have little or no incentive to seriously consider the sovereign interests of the other State.

Second, direct “cooperation” with service providers affects the territorial sovereignty of Member States in which the new cooperation instruments should be executed. The executing State cannot effectively fulfill its responsibility to protect fundamental rights. Why? Because under the proposals it is either not aware or notified of foreign orders or it can only act once the service provider refuses to execute the order.

Third, this model could be copied by third countries, which could put in place extraterritorial enforcement rules to access data stored in the EU. The study recalls that moving away, as the Commission’s proposal does, from a jurisdiction based on the data storage location opens the way for third countries to access EU citizens’ data in turn. There is a risk of a clash with the General Data Protection Regulation (GDPR). This would leave service providers and citizens alike with legal uncertainty, which is precisely one of the drawbacks the Commission is trying to remedy.

Lastly, the study questions the validity of the legal basis used by the proposal – Article 82(1) of the Treaty on the Functioning of the European Union (TFEU) establishing the principle of mutual recognition. Article 89 of the TFEU says that law enforcement operations should be carried out in liaison and in agreement with the Member State authorities whose territorial sovereignty is affected. In this case, the principle of direct cooperation with service providers goes against limitations to extraterritorial operations. It is to be underlined that the notification requirement could only be a solution to this problem if the executing State is not just informed but explicitly agrees with the order.

3. The narrow window for contesting a European Production Order is problematic

The service provider is responsible for carrying out a first assessment of the order. This does not include the possibility to challenge the legality of an order in the issuing Member State. The provider only benefits from procedural safeguards in the enforcement process as it can appeal sanctions. The study expresses doubts on the quality of the protective function of a service provider as regards fundamental rights. “The limited number of grounds for non-execution suggests that the addressee must not refuse to produce […] the requested data for other reasons; for instance if the formal and substantial requirements for issuing an EPOC […] are not met (e.g. proportionality, comparable domestic case).”

If the service provider refuses to execute the order, the order is then referred to the executing Member State authorities, which become the enforcing authorities. There again, “the effectiveness of judicial protection in the enforcing MS […] is compromised by the limited number of refusal grounds. The draft regulation provides for a rather far-reaching obligation of the enforcing authority to recognise and enforce of an [EPO].”

When it comes to the rights of the individuals whose data have been collected and transferred, there is no mention of when they will be informed about the order or of the possible legal remedies to contest it. The only possibility to contest arises during the criminal proceedings, which comes very late in the process – if criminal proceedings take place, of course.

4. Upholding of usual mutual recognition safeguards is essential

The study sees in the proposal a strong imbalance between the interests of service providers for legal certainty and the “legitimate expectations of users and customers”. “The objective to enhance legal certainty for service providers in the Union should not be pursued at the expense of the fundamental rights of users”, the study highlights.

The study concludes with recommendations, including a preference for using and improving the EIO to better protect fundamental rights, as well as reestablishing mutual recognition principles such as traditional restrictions, a notification mechanism, and effective legal remedies. Hopefully the study influences the co-legislators, the Council of the European Union and the European Parliament.

An assessment of the Commission’s proposals on electronic evidence (24.09.2018)
http://www.europarl.europa.eu/RegData/etudes/STUD/2018/604989/IPOL_STU(2018)604989_EN.pdf

EU “e-evidence” proposals turn service providers into judicial authorities (17.04.2018)
https://edri.org/eu-e-evidence-proposals-turn-service-providers-into-judicial-authorities/

New Protocol on cybercrime: a recipe for human rights abuse? (25.07.2018)
https://edri.org/new-protocol-on-cybercrime-a-recipe-for-human-rights-abuse/

Wiretapping & data access by foreign courts? Why not! (13.06.2018)
https://edri.org/wiretapping-data-access-by-foreign-courts-why-not/

As of today the “European Investigation Order” will help authorities to fight crime and terrorism (22.05.2017)
http://europa.eu/rapid/press-release_IP-17-1388_en.htm

(Contribution by Chloé Berthélémy, EDRi intern)
