
LIBE Committee analysis: Challenges of cross-border access to data

By EDRi · February 13, 2019

On 7 February, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) presented two new working documents analysing further the issue of cross-border access to data in criminal matters, also known as “e-evidence”.


Following the Rapporteur Birgit Sippel’s demand to examine several problematic aspects of the proposed legislative file and provide input in view of the further phases in the European Parliament, Members of the European Parliament (MEPs) Nuno Melo (EPP) and Daniel Dalton (ECR) presented their research on

  1. the chosen legal basis in the European Commission’s proposal
  2. the relations with other existing instruments in the field of criminal justice cooperation, and
  3. the role of service providers in this new mechanism.

Doubts over the interpretation of the legal basis

The European Commission based the Regulation for European Production and Preservation Orders on Article 82(1) of the Treaty on the Functioning of the European Union (TFEU) as a legal basis. The working document starts by discarding the possibility to base the new instruments on paragraph (d), according to which mutual recognition of judicial decisions can be supported by facilitating cooperation between judicial or equivalent authorities of the Member States. A system where a private entity – a service provider – has to disclose data to a law enforcement authority in another Member State, falls outside the scope of cooperation between judicial authorities. The argumentation refers notably to the Court of Justice of the European Union’s (CJEU’s) interpretation of the notion of “judicial authority” (Opinion 1/15 on the Passenger Name Record agreement with Canada) and to past instruments systematically involving judicial authorities in two Member States.

Understanding that the legislative proposal would rely on Article 82(1)(a) which states that rules ensuring recognition throughout the Union of all forms of judgments can be adopted, the analysis concludes that the Commission is pushing the concept of mutual recognition far beyond its current application. Nuno Melo MEP therefore questions the adequacy of Article 82(1)(a) for a mutual recognition mechanism without systematic involvement of the Member State in which the order is executed. The Council’s amended proposal (general approach) only introduced a limited notification to the executing Member State, as this requirement would only apply when content data is sought and with very few possibilities to oppose the order execution.

Is a Regulation too ambitious?

The working document notes that European legal instruments in the area of mutual recognition in criminal law favour elements of a Directive, due to remaining national cultural and constitutional differences: Regulations enter directly into force in Member States, whereas Directives are transposed into national laws. There are significant differences between Member States about what is a criminal offence and maximum custodial sentences for comparable criminal offences. Under the CJEU case law, a legal act must, as the main rule, have a sole legal basis that reflects the main or predominant purpose of the measure. In exceptional cases, where there are two purposes without one purpose being incidental to the other, a legal act may be founded on multiple legal bases, but only if they are not incompatible with each other. As the proposed Regulation also establishes a harmonisation of the competent issuing authorities for production and preservation orders on top of facilitating cross-border access to data, the working document suggests that another legal basis would be necessary for the instrument to be valid: Article 82(2). However, this article only allows for Directives to be adopted. As a result, the “e-evidence” proposal would need to take the form of a Directive to retain its two objectives.

The problematic definition of “subscriber data”

The second part of the working document looks at the European Investigation Order (EIO) and the Budapest Convention on Cybercrime to identify possible connections with the Commission’s proposal. “Subscriber data” is generally the first type of data sought in investigations, as it allows the suspect to be identified and represents the first link in the evidence chain. Because it is considered the data category with the lowest intrusion into fundamental rights, the EIO and the Cybercrime Convention remove legal and administrative barriers to facilitate access to it. The problem resides in the use of IP addresses and other types of traffic data to gather subscriber information. A significant amount of traffic data including IP addresses, especially if allocated dynamically, may need to be processed in order to disclose the requested subscriber information, and this processing can lead to the profiling of individuals. While the EIO allows Member States to decide whether traffic data should have the same safeguards as content data or be subject to a “lighter” approach like subscriber data, the European Court of Human Rights has stated that additional safeguards are required if traffic data is analysed in quantities.

In light of this, the working document mentions the Cybercrime Convention Committee’s opinion on the new data categorisation proposed by the Commission, which introduces the concept of “access data” that is treated similarly to subscriber data but includes potentially significant elements of traffic data. The Committee warns that the introduction of new categories of data could produce further misunderstanding among practitioners regarding the application of rules and safeguards.

More legal uncertainty for service providers

Daniel Dalton MEP’s working document focuses on the impacts the new instruments would have on service providers. The current model of cooperation is voluntary. Service providers review the received orders and choose to execute them or not, with a possibility of assessing in this process whether the orders are manifestly erroneous, arbitrary or unspecified. The draft Regulation harmonises the order format by offering a certificate template. However, the working document observes that this certificate does not provide sufficient information regarding the specific case for service providers to further conduct their assessment.

In addition, Dalton MEP sees as highly problematic the outsourcing of the fundamental rights assessment to private entities. “As a result, the authorities of the state of enforcement would basically lose any sovereign prerogatives on data, or on guaranteeing fundamental rights on their territory”. He further cautions that considering the diversity of data retention laws in the EU and the divergence in approaches for dynamic IP addresses, Member States should protect their sovereign prerogatives in terms of privacy rights against “unjustified encroachments of foreign authorities”.

Lastly, the removal of the dual criminality requirement also makes it hardly feasible for service providers to “comply” with all obligations expected of the enforcing State, as they might be obliged to hand over data for an act that is not a crime in their State of location. Liability for data protection breaches also remains unclear in the opinion of Daniel Dalton, as he finds it doubtful whether recital 46 of the proposal is sufficient to protect service providers from liability. Furthermore, the working document points out that despite the instrument being a Regulation, it leaves open to Member States the choice of modalities for secure data transmission and authentication of orders, sanctions and cost reimbursements – which, in Dalton’s view, cannot be borne by service providers on the legal basis of Article 82 TFEU. The Regulation exacerbates the legal uncertainty service providers are facing. Therefore, the working paper advocates for the consideration of a notification mechanism to the enforcing State.

Cybercrime Convention Committee discussion paper on the conditions for obtaining subscriber information in relation to dynamic versus static IP addresses (25.10.2018)

Birgit Sippel MEP’s first working document on the Proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters – Introduction and overall assessment of issues (07.12.2018)

EU Council’s general approach on “e-evidence”: From bad to worse (19.12.2018)

Independent study reveals the pitfalls of “e-evidence” proposals (10.10.2018)

Access to e-evidence: Inevitable sacrifice of our right to privacy? (14.06.2017)

(Contribution by Chloé Berthélémy, EDRi intern)