The European Commission’s E-evidence Proposal: Toward an EU-wide Obligation for Service Providers to Cooperate with Law Enforcement?
By Vanessa Franssen
On 17 April 2018 the European Commission published its long-awaited legislative proposal on e-evidence. This proposal – which actually consists of two strongly interconnected proposals, a Proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters (‘Proposed Regulation’) and a Proposal for a directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings (‘Proposed Directive’) – is probably the first one in the field of criminal justice cooperation that the Council of the EU urged the Commission to put forward. Indeed, while the Member States are usually quite reluctant to give up sovereignty and to accept EU approximating rules in the field of criminal law, a number of Member States strongly pushed for a legislative intervention by the EU.
This is not entirely surprising: due to the increased use of all kinds of online services and information and communication technologies (ICTs), police and judicial authorities are confronted on a daily basis with the problem of collecting electronic evidence, as the data they are looking for are often processed, transmitted and/or stored by foreign service providers, including big global technology companies such as Google, Facebook, Microsoft or Amazon. To compel a foreign person to cooperate in a criminal investigation is not obvious – the enforcement jurisdiction of police and judicial authorities is, in principle, limited to their own national territory.
This post will present the highlights of the double e-evidence proposal that is on the table and the first reactions to the proposals, at a moment where the institutional negotiations are picking up speed.
Background: The Underlying Problem
Innovative information and communications technologies have thoroughly reshaped the way in which people communicate with each other and the way in which they store, access and share information. Whereas not so long ago, we mainly communicated by (cell) phone, text messages or emails, today we use all kinds of applications and online tools to store and share information (e.g. Dropbox, WhatsApp, Telegram, Instagram, Facebook, Viber or Skype). These ICTs have made communication and information-sharing easier, quicker and less expensive.
Yet, these new technologies create various unprecedented challenges for police and judicial authorities when fighting crime committed by means of, or involving the use of, such ICTs. One recurring problem that particularly complicates the work of police and judicial authorities is that the information that criminals share or store by means of new ICTs is typically processed by private companies (technology companies or service providers), and thus not available to public authorities without the cooperation of those private actors. Without their help, police and judicial authorities are simply not able to detect, investigate and/or prosecute a growing number of offences, ranging from typical ‘target cybercrimes’ (e.g. hacking), to ‘content-related cybercrimes’ (e.g. child pornography) and to ordinary offences (e.g. fraud, organized crime, drug trafficking, terrorism) when committed by means of a computer or other electronic device, leaving ‘digital traces’ that could be used as evidence.
The cooperation between police and judicial authorities and companies providing information and communications services is nothing new – police and judicial authorities have been collaborating for decades with telecommunications operators and providers. Yet, this cooperation has become increasingly challenging as new ICTs emerge and many of them are provided by service providers which are not covered by the obligations of telecommunications law and because of the importance of a number of global internet service providers (such as Facebook, Google and Microsoft) which are located outside the territory of the investigating police and judicial authorities. To address this problem, some Member States have adopted new legislation or practices that have substantial extraterritorial effects, affecting the sovereignty of other States (for an analysis of recent Belgian legislation and case law see V. Franssen in EDPL 2017; on the UK Investigatory Powers Act 2016 see e.g. L. Cropper). In addition, national legislation and practices also create conflicting legal obligations for service providers and raise serious challenges to effectively protect suspects’ and non-suspects’ fundamental rights. Moreover, a unilateral national approach may not be as effective as hoped for, especially in the long run.
Considering the growing awareness of Member States about the challenges new ICTs create for police and judicial authorities and their dependence on the cooperation of those private companies to detect, investigate and prosecute offences, the Council of the EU requested the European Commission in June 2016 to prepare a ‘common framework’ on this subject matter. After a first progress report in December 2016, the Commission published, in May 2017, a non-paper containing a number of practical measures to improve cross-border access to e-evidence, but also concluding that there is a need for legislative action regarding the direct cooperation with service providers – a conclusion that was subsequently supported by a ‘large majority’ of the Member States (Council conclusions, 8-9 June 2017).
The e-evidence (or cross-border access to electronic evidence) proposal that was published by the Commission on 17 April 2018 is thus the fruit of two years of intense preparation, involving an extensive stakeholder and expert consultation process. The proposal consists of two legislative texts that are closely connected, a Proposal for a regulation and a Proposal for a directive. The latter creates an indispensable legal framework for the former, as will be explained below. The double-text proposal made by the Commission tries to strike an extremely delicate balance between effective and efficient criminal investigations (for police and judicial authorities), legal certainty (for technology companies) and fundamental rights protection (of suspects and other users).
The Proposed Directive: Creating a Framework for EU-wide Enforcement against Service Providers
With the Proposed Directive, the European Commission intends, on the one hand, to help national authorities investigating and prosecuting criminal offences to apply and enforce the obligations service providers have under national law and, on the other hand, to avoid disparate national obligations for service providers, considering that some Member States already require mandatory legal representation on their territory while others do not (yet). The Proposed Directive thus has a double logic: a criminal law logic and an internal market logic (Recital (5)). Still, the proposal is exclusively based on internal market provisions, in particular Art. 53 TFEU (freedom of establishment of self-employed persons) and Art. 62 (freedom to provide services). It is somewhat doubtful whether this legal basis is sufficient.
As stated in Article 1 of the Proposed Directive, it
‘lays down rules on the legal representation in the Union of certain service providers for receipt of, compliance with and enforcement of decisions and orders issued by competent authorities of the Member States for the purposes of gathering evidence in criminal proceedings.’
In other words, it obliges European service providers that offer services in more than one Member State (Art. 1 (3) and Art. 3 (1)) as well as non-European service providers which are active on the EU market (Art. 3 (2)) to appoint a legal representative in (at least) one Member State, which will function as the EU-wide legal contact person for national competent authorities. In the future, police and judicial authorities will no longer have to search for the right contact person – a search which sometimes proves particularly difficult, all the more because service providers have diverging and changeable practices. Neither will service providers have to wonder any longer whether they need to comply with the decisions and orders of other Member States – they will.
Once a legal representative is designated, the service provider will have to notify the central authority of its Host Member State (Art. 4 (1)), in charge of ensuring a consistent and proportionate application of the Directive (Art. 6 (1)), of the designation, the contact details and the official language(s) of the Union in which the representative can be addressed (Art. 4 (2)). Subsequently, the central authority of the Host Member State will make this information publicly available on a dedicated page of the European e-Justice portal (Art. 4 (4)).
The role of the Host Member State is, however, not limited to passing on information. It also plays a key role in ensuring compliance with the future decisions and orders addressed to the legal representative by the competent authorities of other Member States. Indeed, it is for the provider’s Host Member State to make sure that the designated representatives on its territory duly cooperate with the authorities of other Member States (Art. 3 (6)), for instance when they send a production order on the basis of the Proposed Regulation (infra). To that end, the Host Member State will have to enact rules on the basis of which the representative can be held liable for non-compliance with the decisions and orders coming from another Member State’s competent authorities (Art. 3 (8)).
In sum, the Proposed Directive aims at creating the necessary legal framework for the European production order and European preservation order which would be established on the basis of the Proposed Regulation (infra). That being said, an EU Directive can, of course, not resolve problems that are rooted in the national law of service providers that are not established in the EU. In particular, the so-called ‘blocking statute,’ i.e. the legal prohibition for U.S. service providers to hand over content data to foreign authorities which is laid down in the United States Electronic Communications Privacy Act (for a further analysis see e.g. A.K. Woods and A. Gidari), will remain an obstacle for the cooperation with EU competent authorities as long as the USA and the EU have not concluded a bilateral agreement.
The European Commission acknowledges this problem (Explanatory Memorandum to the Proposed Regulation, p. 11). A legal basis for such a bilateral agreement has recently been enacted by the US Congress: the so-called CLOUD Act (or in full: the Clarifying Lawful Overseas Use of Data Act), which was adopted on 23 March 2018 as part of the so-called Omnibus Spending Bill (discussed for instance here), creates, among other things (for a more general presentation of the CLOUD Act see J. Daskal and P. Swire and B. Smith), an explicit legal basis for the U.S. government to conclude ‘executive agreements’ with other foreign governments on access to data held by US service providers, and vice versa (18 U.S.C. § 2523). On the basis of such an agreement, U.S. service providers could respond to valid legal orders of competent authorities in the other State, including with respect to content data. Nevertheless, the adoption of such an agreement with the EU raises many questions and is not expected anytime soon (for a further analysis see J. Daskal and P. Swire).
The Proposed Regulation: Creation of a European Production and Preservation Order
1. Legal Basis
As far as the Proposed Regulation is concerned, the Commission bases its legislative intervention on Article 82 (1) (a) and (d) TFEU. Article 82 (1) (a) TFEU constitutes a basis for ‘rules and procedures for ensuring recognition throughout the Union of all forms of judgments and judicial decisions,’ while Article 82 (1) (d) allows the EU legislator to adopt measures to ‘facilitate cooperation between judicial (…) authorities of the Member States.’
Admittedly, the appropriateness of the latter legal basis can be questioned as the Proposed Regulation primarily concerns the cooperation between judicial authorities of one Member State (the Issuing Member State) with a service provider in another Member State. Unless the service provider refuses to comply with the order of the Issuing Member State, there is no involvement of the authorities of the Member State where the service provider is established or has chosen to appoint its legal representative for the EU.
By contrast, the choice for Article 82 (1) (a) TFEU is more convincing as the proposed measures essentially ensure the recognition of a judicial decision (an order) of one Member State throughout the EU – a production order issued by the Issuing Member State should thus be complied with in the same manner as a production order issued by the Host Member State of the service provider. No need for an exequatur or another kind of homologation procedure; the order can directly be enforced against a foreign service provider elsewhere in the Union. This approach is not new; it has already been applicable for a long time to judicial decisions in civil matters, which can be enforced directly by private parties without the intervention of public authorities of the Member State where the enforcement takes place.
Nevertheless, in the sphere of criminal law and criminal procedure, the enforcement of a judicial decision of one Member State in another Member State thus far has always required the intervention of the competent authorities of the Member State where the decision is executed, notwithstanding the principle of mutual recognition. This holds true for final judicial decisions imposing, for instance, a custodial sentence (Framework Decision 2008/909/JHA) or a fine (Framework Decision 2005/214/JHA), but also for decisions relating to the investigation such as a European arrest warrant (Framework Decision 2002/584/JHA) or a European investigation order (Directive 2014/41/EU – ‘EIO Directive’). In that respect, the Proposed Regulation entails a fundamentally different approach, as a European production order would be directly addressed to a service provider – a private person – without the intervention of the authorities of the provider’s Host Member State.
2. Choice of Legal Instrument
The choice for a Regulation in the field of EU criminal procedure is definitely noteworthy. So far, the EU legislator has only adopted directives on the basis of Article 82 (1) TFEU, in particular the EIO Directive. According to the European Commission, a regulation is preferable because the ‘proposal concerns cross-border procedures, where uniform rules are required,’ and because ‘a regulation allows for the same obligation to be imposed in a uniform manner in the Union’ (Explanatory Memorandum to the Proposed Regulation, p. 6).
Still, the option for a regulation also raises particular challenges. First of all, since the regulation will be directly applicable in the national legal orders, its provisions should be sufficiently precise. While the Commission highlights that a regulation will ‘provid[e] clarity and greater legal certainty’ (Explanatory Memorandum, p. 6), such legal clarity does not merely follow from the choice of legal instrument; it requires a very carefully drafted legal text. Second, considering that the Regulation creates an innovative and, in the field of criminal procedure, unprecedented legal framework for direct cooperation between the judicial authorities of one Member State with a service provider in another Member State, in principle without the intervention of the authorities of the latter, the need for a well-elaborated legal framework is all the more crucial. The Regulation should thus provide for clearly defined rules and explicitly regulated procedural safeguards in order to actually create legal certainty and a level playing field for all service providers offering services in more than one Member State, as well as to ensure adequate legal protection for suspects and other users in the EU territory. As will be explained below, at least a number of provisions in the proposal do not yet meet that standard.
3. Not a Complete, All-Encompassing Legal Framework
Before taking a closer look at the scope of application and some other aspects, it is important to highlight that the Proposed Regulation does not propose a complete, all-encompassing legal framework, detailing all aspects of the procedure. Indeed, should the proposed text be adopted without substantial amendment, Member States will still be required to combine EU rules with national rules on criminal procedure.
For instance, as far as legal safeguards are concerned, the Proposed Regulation only contains some minimum rules. In particular, it does not approximate the rules on the legal remedies that should be available under national law for suspects and other persons whose data are being sought. In this respect, the suggestion made by Germany to more precisely regulate the available legal remedies or even opt for ‘simple (e.g. form-based) remedies’ in Art. 17 of the Proposed Regulation should be welcomed (comments Germany, p. 11). What is more, it is questionable whether the sole obligation to create an effective remedy in the Issuing Member State – not in the Member State of the affected person (suspect or otherwise; Art. 17 (1)-(2)) – really provides an effective remedy in the meaning of the Charter (cf. opinion of the European Economic and Social Committee, points 3.6-3.7).
Neither does the Proposed Regulation approximate the rules on the admissibility of evidence, leaving it up to the Member States to decide what the potential consequences of a violation of the procedural rules concerning the EPO are. For instance, if the EPO was not issued by the right authority (a prosecutor or a judge, depending on the type of data that is being requested; infra), and the service provider did not oppose the execution, it is up to the Issuing Member State to decide whether the illegally obtained e-evidence can be used or not to secure a conviction. In this regard, the Proposed Regulation differs significantly from the legal framework created by the EIO Directive, under which the Executing Member State will check if the legal requirements set by the Directive are met (see e.g. Art. 9 (3) EIO Directive) and which even provides for a clear-cut inadmissibility rule in certain cases (see Art. 31 (3) EIO Directive).
Furthermore, on a more practical level, the Proposed Regulation does not harmonize the reimbursement of costs. Whether or not service providers will be reimbursed for the costs of their cooperation will depend on the national law of the Issuing Member State (Art. 2). This means that service providers that are used to operating in a system with reimbursement of costs will be confronted with new, additional operating costs in the near future, as they will be required to directly cooperate with the judicial authorities of Member States where there is no cost reimbursement (see also CDT’s paper).
Finally, the Regulation does not include specific minimum rules on the sanctions to be imposed in case the service provider refuses to execute the order of the Issuing Member State. On this point, the Proposed Regulation refers once more to national law and solely requires Member States to provide for “effective, proportionate and deterrent pecuniary sanctions” (Art. 13). In addition, Member States may choose to impose criminal sanctions. This leaves Member States with a great margin of discretion and is likely to have forum shopping effects on the service providers’ side. Service providers may indeed be inclined to appoint their legal representative in a Member State where the sanctions for non-compliance are comparatively low and non-criminal in nature, as the law of this Member State will apply in case of non-execution of the order (Art. 14 (3) and (10)).
4. Scope of Application
As highlighted above, the e-evidence proposal creates an unprecedented EU-wide legal framework for direct cooperation between judicial authorities and service providers in the field of criminal procedure. Therefore, a first question of interest is to know which service providers would be obliged to cooperate with judicial authorities in other Member States under the proposed legal framework.
Unlike the Council of Europe Cybercrime Convention which entails a quite broad definition of the term ‘service provider’ (Art. 1 c), the Proposed Regulation targets specific subcategories of service providers: the providers of electronic communications services (as defined by Art. 2 of the Electronic Communications Code “Recast”, which is currently under negotiation), providers of information society services ‘for which the storage of data is a defining component of the service provided to the user,’ and providers of internet domain names and IP numbering services.
Clearly, this scope of application exceeds the traditional telecommunications providers and aims at including internet access services, ‘internet-based services enabling inter-personal communications such as Voice over IP, instant messaging and e-mail services’ as well as ‘cloud and other hosting services’ and ‘digital marketplaces’ (Explanatory Memorandum, p. 14). Hence, it seems the providers of online services and platforms like Skype, WhatsApp, Telegram, Dropbox, eBay, etc. would all be covered. Providers of internet domain names and IP numbering services are relevant because they ‘can provide traces allowing for the identification of an individual or entity involved in criminal activity’ (Explanatory Memorandum, p. 14).
Nevertheless, the outer boundaries of the personal scope of application are not entirely clear. Excluded are indeed providers of ‘[s]ervices for which the storage of data is not a defining component,’ meaning services for which storage of data is ‘only of an ancillary nature (…) including legal, architectural, engineering and accounting services provided online at a distance’ (Explanatory Memorandum, p. 14). It is not entirely clear which services would be excluded on this basis.
Furthermore, it is important to stress that, territorially speaking, a large number of service providers are concerned: both EU service providers offering services in more than one EU Member State and service providers established outside the EU which offer services in the EU. Only purely national service providers which only have customers in one Member State and non-EU service providers which do not offer services in the EU remain outside the scope of application of the new instrument. A cross-border element is thus indispensable.
At the same time, it should be noted that there is no exception for small(er) service providers, despite the call of certain industry associations representing SME service providers, such as EuroISPA, which are afraid of the additional administrative and financial burden they would be facing. For this reason, Finland considered the role attributed to service providers (which would be required to check, for instance, whether the order of the Issuing Member State is not abusive or does not manifestly violate the Charter of Fundamental Rights of the EU; infra) as ‘unrealistic’ because SMEs are simply not in a position to assume such role (comments Finland, p. 13).
Whether or not a service provider is ‘offering services in the EU,’ depends on the existence of a substantial connection with the EU – the mere accessibility of a service would not be enough (Explanatory Memorandum, p. 15). While the existence of an establishment or office in the EU is not required, this may be an indication of a substantial connection with the EU. Services offered by foreign, non EU-based service providers which have ‘a significant number of users in one or more Member States’ or which target ‘activities towards one or more Member States,’ will also have to comply with the orders of the judicial authorities of that/those Member State(s). Furthermore, whether or not a foreign, non EU-based service provider targets (part of) the EU market (it seems one Member State suffices in that case), will depend on factors such as ‘the use of a language or currency generally used in a Member State,’ ‘the availability of an app in the relevant national app store,’ ‘local advertising or advertising in the language used in a Member State,’ ‘the handling of customer relations (…) in the language generally used in a Member State’ or even the ‘use of any information originating from persons in Member States in the course of its activities’ (Explanatory Memorandum, p. 15).
In this respect, the new EU instrument will have undeniable extraterritorial effects, impacting a substantial number of international players located outside the EU. It should be noted, though, that the criterion of ‘providing services in the territory’ is not new in the field of criminal procedure. It was already introduced by the Council of Europe Cybercrime Convention in 2001, but only for the production of subscriber information (Art. 18 (1) b) – see also T-CY Guidance Note # 10 on Art. 18, adopted on 28 February 2017 – and is applied more widely to several kinds of cooperation duties of service providers in some recent national legislation (e.g. Art. 46bis, 88bis and 90quater Belgian Code of Criminal Procedure, as amended by the Act of 25 December 2016 – for an analysis see V. Franssen in EDPL 2017).
As to the material scope of application, it should be emphasized that the Proposed Regulation would only apply to ongoing criminal investigations. We are thus far from a mass surveillance or crime preventive instrument, a point that was also – thankfully – highlighted in the opinion of the European Economic and Social Committee (points 1.3 and 3.3).
In particular, the Proposed Regulation creates two new investigative measures enabling judicial authorities of the Issuing Member State to require a (foreign) service provider either to produce certain data (i.e. the European Production Order, ‘EPO’) or to preserve the data until a subsequent production order is issued (i.e. the European Preservation Order, ‘EPrO’). In both situations, the material scope of application is limited to stored data, meaning that data which are not (yet) stored by the service provider would not be covered by the new instrument. This obviously limits the usefulness of the instrument: for instance, it would not be possible to use an EPO or EPrO to compel a service provider to keep and produce future traffic and location data. Considering the legal challenges police and judicial authorities are facing in the aftermath of the Tele2 Sverige AB case (see O. Lynskey’s case comment on this blog and V. Franssen’s comment on the more nuanced opinion of Advocate General Saugmandsgaard Øe), as is illustrated by several new references for preliminary rulings to the CJEU (see F. Verbruggen, S. Royer and H. Severijns on the latest Belgian reference), the choice to exclude data which are not stored at the moment of issuing the order is quite surprising. Apparently, national sensitivities with respect to real-time interception of private communications, for both historical and constitutional reasons, create an insurmountable obstacle for direct cooperation with foreign service providers. Nonetheless, one might wonder whether the traditional distinction between real-time collection of data and the gathering of stored data is still that relevant in a digital age. For certain types of data (e.g. emails and chat messages), it is not always clear whether they are ‘in transmission’ or already ‘stored.’
Unlike other legal instruments such as the Council of Europe Cybercrime Convention or the annulled Data Retention Directive, the Proposed Regulation makes a distinction between four categories of data: subscriber and access data on the one hand, and transactional and content data on the other. Readers familiar with those other legal instruments will look in vain for the term ‘traffic and location data’ or ‘metadata’; this traditional data category is, for the purpose of swifter evidence gathering, split into ‘access data’ and ‘transactional data’ – a distinction that is definitely questionable: are access data (i.e. metadata the prosecutor or judge deems ‘strictly necessary’ to identify the suspect, such as the date and time of use or a dynamic IP address (Art. 2 (8))) really less sensitive than transactional data? Still, according to the Proposed Regulation, subscriber and access data are less sensitive in nature, justifying less stringent legal conditions for their production and a larger scope of application – the European production order could be issued by a prosecutor or a judge (so not any judicial authority) for any type of offence, regardless of its seriousness. By contrast, the production of transactional and content data requires the intervention of a judge and is limited to certain categories of offences (Art. 5 (4)): offences punishable by a maximum imprisonment of at least three years and a number of harmonised offences that ‘typically’ involve e-evidence (Explanatory Memorandum, p. 17). It should be noted that, apart from the harmonised offences, there is no dual criminality requirement. Finally, the European preservation order would apply to all offences, without distinction, and could be ordered by a prosecutor or a judge.
5. Some Other Aspects of the Proposed Regulation
A fully-fledged analysis of the procedure for the ‘EPO’ and the ‘EPrO’ exceeds the ambition of this (already lengthy) blog post. But let us nevertheless highlight a couple of important points which are likely to provoke heated discussions in the weeks and months to come.
As emphasized above, the order to produce or to preserve specified data will be addressed directly to the service provider in another Member State, without the intervention of the judicial authorities of the latter. It is noteworthy that the location of the data does not play a role.
The service provider will, however, not receive the full order entailing the ‘full reasoning with the grounds for necessity and proportionality or further details about the case’ in order ‘to avoid jeopardizing the investigations’ (Explanatory Memorandum, p. 18), but only a standardized certificate, an ‘EPOC’ or an ‘EPOC-PR’, containing less information (Art. 8).
The service provider is obliged to comply with the EPOC or EPOC-PR, unless the certificate is ‘incomplete, contains manifest errors or does not contain sufficient information to execute the [certificate]’ (Art. 9 (3) and Art. 10 (4)). In that case the service provider should request the issuing authority to provide further information, and in the meantime preserve the requested data (Art. 9 (6)). The Proposed Regulation thus allows for a constructive dialogue between the service provider and the issuing authority, which is definitely positive.
The Proposed Regulation also provides for a limited number of grounds for refusal: service providers can, for instance, invoke force majeure or a ‘de facto impossibility’ to produce or preserve the requested data as a defence (Art. 9 (4) and Art. 10 (5)) – it remains to be seen, though, what the latter precisely entails. More importantly, service providers should refuse the execution of the EPOC if it ‘manifestly violates the Charter of Fundamental Rights of the European Union’ or if it is ‘manifestly abusive’ (Art. 9 (5), para. 2).
In other words, under the Commission’s proposal, private actors will have to assess compliance with the Charter – a responsibility which, in principle, lies with the Member States and the EU institutions. It is therefore not surprising that the role attributed to service providers is heavily criticized by various stakeholders, alleging that the e-evidence proposal leads to a ‘privatisation of law enforcement’ (see EuroISPA and EDRi). Several Member States have already indicated that this will be a breaking point in the negotiations (infra). By contrast, the opinion of the European Economic and Social Committee is fairly neutral on this point (point 3.7). Furthermore, on a practical level, checking compliance with the Charter may not be easy as the certificate will, for instance, not contain a necessity and proportionality analysis (see also DigitalEurope). Nor will this role be easy to assume for start-ups and SME service providers, which lack the financial and human resources to do so. In this respect, the e-evidence proposal may have adverse effects on innovation and competition. Traditional telecommunications providers, for their part, seem highly reluctant to enter into any legality/fundamental rights assessment of the order. Finally, the role allocated to service providers also raises important questions regarding their liability towards their customers.
The time limits for compliance are pretty strict: upon the receipt of an EPOC, the service provider should ‘directly’ transmit the requested data to the issuing authority, or within the limit set by the latter and at the latest within ten days (Art. 9 (1)). In emergency cases, the time limit is six hours (Art. 9 (2)). Hence once more the concern that SME service providers will not be able to comply with the obligations created by the e-evidence proposal (see EuroISPA).
If the service provider refuses to comply with the EPOC or EPrOC without having a legitimate defence, the competent authorities of its Host Member State should step in and ensure compliance in accordance with its national law (Art. 14; supra). From that moment on, this Member State will become the Enforcing Member State.
In addition, the Proposed Regulation contains specific provisions to deal with potentially conflicting legal obligations that originate from third country law (Art. 15-16) or from the immunities or privileges applicable in the Host Member State (Art. 18). An in-depth analysis of these provisions would merit a separate post (see e.g. T. Christakis), but it is clear that they provoke substantial debate among the Member States, particularly with respect to Articles 15-16, which give a quasi-veto role to the third country. This is why the Austrian Council Presidency decided on 19 September 2018 to organize an in-depth discussion on the issue, separately from the examination of the rest of the proposal.
The EU Legislator on a Tight Schedule
The timeline set forth for the adoption of the e-evidence proposal is extremely tight: for the Commission and some Member States, it would ideally still become legislation before the European elections of May 2019. This would basically require an institutional agreement by the end of the year. While the Austrian Council Presidency seems committed to respecting this timeline, it is less certain the European Parliament will be moving forward equally fast.
So far, the LIBE Committee of the European Parliament has held a number of introductory debates on the e-evidence proposal and ordered two academic studies. The first study (by E. Sellier and A. Weyembergh), published in August 2018, analyses the impact of national criminal procedure on the development of EU legislation. While the scope of the study is more general, it also looks into the e-evidence proposal. In particular, the authors raise questions about the legal basis of the e-evidence proposal, the role of the service provider in safeguarding fundamental rights, the limited legal remedies for the suspect, and the disputable distinction between access data and transactional data in light of the CJEU’s case law on the sensitivity of metadata (p. 29-31).
The second study (by M. Böse), published in September, is entirely dedicated to the e-evidence proposal. This report is quite critical of the added value of the e-evidence proposal, especially considering the recent implementation of the EIO Directive (p. 47), and questions, once more, the Commission’s choice to assign the protection of fundamental rights to service providers. Moreover, the author of the study doubts whether the proposal really provides for effective remedies and whether it truly creates more legal certainty considering the significant reliance on national law (p. 42-45).
Considering those critical studies and the recent experience in other legislative dossiers (such as the GDPR and the e-Privacy Directive), one may expect the European Parliament to take a strong privacy-protective stance on the e-evidence proposal. This does not bode well for a quick legislative outcome.
The Council, for its part, seems to be advancing pretty well under the Austrian Presidency. On 19 September 2018, a revised text of the Proposed Regulation was published, which makes a number of important amendments: it extends the scope of application of the EPO and EPrO to the enforcement of prison sentences (Art. 3 (2)), creates the possibility of an ex post judicial validation in emergency cases (Art. 4 (5)), introduces a limitation for an EPO relating to data stored or processed on behalf of public authorities (Art. 5 (6a)), stresses the need for a secure and reliable transmission of the certificate (Art. 8 (2) and 9 (1)), clarifies certain grounds for refusal (Art. 9 (4) and 10 (5)), introduces a speciality principle limiting the use of the data obtained on the basis of an EPO (Art. 12a) and suggests two options to further harmonize the sanctions applicable in case of non-compliance (Art. 13). Thereby, the Presidency tries to meet a number of concerns voiced by certain Member States as well as by civil society and industry. In addition, a compromise on the conflicting legal obligations clauses (Art. 15-16) is in the making (supra).
Nevertheless, a number of fundamental choices still need to be made. The Council discussions have indeed revealed a major divide between the Member States with respect to the very limited role for the Host Member State. While all Member States agree on the need for more efficient and swift procedures to gather digital evidence in a cross-border situation, the opinions on how to do so still differ greatly. On the one hand, many Member States strongly advocate direct cooperation between the Issuing Member State and a foreign service provider, and thus support the approach chosen by the European Commission (see the comments by Belgium (p. 4) and the Council document of 4 October 2018 (p. 2)). On the other hand, several Member States fundamentally question the huge responsibility of the service provider for guaranteeing the protection of fundamental rights and advocate a more active role for the provider’s Host Member State from the very start (see comments made by the Czech Republic (p. 7), Germany (p. 10), Latvia (p. 12), Finland (p. 13) and Sweden (p. 15)).
To meet the concerns of the second group of Member States, the Council Presidency has suggested the possibility of introducing a notification obligation, either to the service provider’s Host Member State (as several Member States suggested in June) or to the Member State of the person whose data are sought, which so far has no say whatsoever in the procedure laid down in the e-evidence proposal (see here and here). Under a notification system, the issuing authority would have to notify the other Member State of the order and the latter would have the possibility to object to the order within a certain time limit. The objection of the latter Member State would prevent the service provider from handing over the data to the issuing authority, or if the data has already been produced, would prohibit the prosecuting authorities of the Issuing Member State from using the data as evidence. This alternative suggestion basically comes down to an ‘EIO+’ solution. It indeed strongly resembles the rules on trans-border interception of data laid down in Article 31 EIO Directive, which requires a notification by the Executing Member State to the Member State on whose territory the target is. The main difference would probably consist in shorter time limits. Under those conditions, one may wonder whether a completely new legal instrument is actually necessary (see also M. Böse’s report, p. 47-48) and whether it may not be wiser to amend the EIO Directive or to simply reach a compromise on future best practices.
In an effort to speed up the negotiations, the Austrian Council Presidency requested the Member States on 26 September 2018 and again on 4 October 2018 to clearly express their preference, either for the direct cooperation approach as proposed by the Commission, or for a notification system, in which case they should indicate which Member State ought to be notified, the service provider’s Host Member State or the Member State of the person whose data are sought. At the same time, the Presidency also presented a notification ‘light’ system, which would merely consist in informing the other Member State without the possibility of objecting to the EPO. It is doubtful, though, whether such notification ‘light’ actually ensures a better protection of the affected person’s fundamental rights.
The Member States are thus standing at an important crossroads in the negotiations. The near future will tell us which direction they are willing to take and whether this will facilitate an institutional compromise with the European Parliament.
Meanwhile, representatives from civil society (such as EDRi and CDT) and industry (see for instance DigitalEurope, EuroISPA and Microsoft) are trying to steer the institutional discussions in what they consider the right direction. Clearly, the stakes are very high for all stakeholders involved.