E-EVIDENCE: THE WAY FORWARD (Summary of the Workshop held in Brussels on 25 September 2019)
On September 25, 2019, the Grenoble Alpes Data Institute, in cooperation with the Cross Border Data Forum and Microsoft, held an academic workshop in Brussels on the topic of cross-border access to electronic evidence, entitled: “E-Evidence: The Way Forward”. The goal of this workshop, organized by Professor Theodore Christakis, was to provide a convening space for European researchers and experts working on these issues to advance thinking about the challenges in the domain of government access to digitally stored data. At the meeting, the participants were invited to examine the recent legislative developments, especially the E-Evidence proposal currently under discussion in the European Parliament and the negotiations for an EU/US Agreement on cross-border access to electronic evidence that have just started.
The workshop united academics well known for their work on privacy, data protection and criminal law from several countries, as well as some representatives of the European Parliament involved with the work of the LIBE Committee on E-Evidence.[i] It was held under revised Chatham House Rules, which means that the list of participants can be mentioned but without revealing who made each comment. The discussions were particularly interesting, and the participants felt that publishing a summary of them would be important not only for the academic community but also to inform political decision-makers and give them all the elements needed to make crucial policy decisions on access to electronic evidence. It was thus agreed that the organizer would draft a report with a summary of the discussions and circulate it to all members for comments, following which the report would be published with the European Law Blog. The summary is to be found below. It is published in a very timely manner, as we have just learned that the LIBE Committee of the European Parliament will publish its Report on E-Evidence very shortly, possibly by the end of this week or early next week. It is to be expected that the Report of the LIBE Committee will address several of the issues discussed during the workshop in Brussels and appearing below.
Indeed, to kick off the workshop, Ms Birgit Sippel, MEP and Rapporteur for the E-Evidence package, gave an introductory speech about the EU Parliament’s view on E-Evidence – a summary of which is to be found below. The workshop was then divided into three sessions, discussing successively how E-Evidence could affect the relations between EU Member States; the relations with individuals, business and organisations; and the relations with third States. A summary of these discussions is presented below, followed by a short conclusion summarizing the most important elements of the discussion for policy-makers – elements that will undoubtedly be central in the LIBE Committee’s Report to be released soon.
MEP Birgit Sippel, introductory remarks on the views from the European Parliament (EP)
Ms Sippel noted that the efficiency arguments put forward by the Commission for the E-Evidence proposal should not override the need to protect fundamental rights.
The EP’s criticisms of the E-Evidence proposal include the following:
- The fact that the criminal laws of the Member States continue to diverge considerably and that the CJEU pointed out problems with current mutual recognition instruments undermine a shift to a system of absolute mutual trust without the involvement of the authority of the enforcing/executing state;
- There is a need to reintroduce certain protections into the proposal, including dual criminality which could also help narrow the divergences in the definition of what constitutes a ‘serious crime’ (the current three-year threshold would allow for virtually any crime to fall within scope of the European production order);
- Notification to the data subject is too easily circumvented; therefore, there is a need to ensure in the proposal the ability to inform users about authorities’ requests for their data to allow affected persons to exercise their fundamental rights, while at the same time respecting the need to avoid jeopardizing a criminal investigation if based on duly justified confidentiality grounds; in addition, affected persons should be able to bring proceedings before their local court, to guarantee the right to effective remedies and the principle of equality of arms;
- Notification to the executing/enforcing state, to enable rejection of a request, is crucial to protecting the rights of individuals; at the same time, notification to the state where the person resides may also be necessary;
- The proposal would shift the responsibility for protecting the rights of citizens and residents from Member States to private service providers, which is unacceptable; that said, service providers are important allies that can help ensure the necessity and proportionality of orders as long as they are not solely responsible for this process.
During Q&A, MEP Sippel cautioned against perceiving EU harmonization as a silver bullet for changing rights-intrusive practices of some Member States, citing the passenger name record (PNR) agreements and directive, which in her opinion resulted in a less protective standard for the EU than previously seen at a national level. Nevertheless, she expressed hope that the Parliament’s report will raise the overall protections and close the loopholes in the current draft of the proposal that would allow law enforcement to use less rights-protective national measures.
The LIBE Committee aims for the publication of the draft report in November with debate on amendments continuing through the end of December. The final adoption of the report is tentatively scheduled for the beginning of next year.
Session 1: E-Evidence and the Relations Between EU Member States
In this first session, the participants discussed the legal and conceptual basis for the E-Evidence proposal.
As regards the legal basis, there was debate about whether Art. 82(1) TFEU was the correct basis for the measure. Some participants expressed the view that it was not and noted that the measure was vulnerable to challenge before the CJEU. Others considered nonetheless that this article might provide a sufficient legal basis.
An important discussion then followed on what the concept of ‘mutual trust’ between EU Member States meant and whether, and to what extent, it was achievable.
Some participants acknowledged that the EU had enabled Member States to move beyond traditional mutual legal assistance (MLA) to mutual recognition as embodied in the European Investigation Order (EIO). There was now the potential for a further shift towards unlimited mutual trust under the E-Evidence proposal (by excluding the executing state ab initio). Under MLA, procedures operate on the presumption that a recipient state’s rules need to be complied with by the requesting state. Under current mutual recognition, the presumption is that the recipient state will treat the foreign state request on a non-discriminatory basis, handling the requesting state’s request as if it were domestic. The E-Evidence proposal is based on the assumption that the current instruments are not efficient and that states have absolute mutual trust that the requesting state will make a request to an entity within the recipient’s territory in accordance with its domestic law, which is equivalent to that of the recipient state. However, some participants wondered whether “absolute mutual trust” was not in reality somehow wishful thinking. Others suggested that the very terminology needs to be challenged. Trust can be blind, thus one should aim for trustworthiness instead. Trustworthiness is comprised of two components: transparency and accountability.
Some see the notion of unlimited mutual trust as a paradigm shift in international cooperation, while others see it as an inevitable and necessary evolution of mutual recognition. Acknowledging that there is a spectrum of mechanisms for access to digital evidence, participants discussed whether they would, or should, operate concurrently offering law enforcement agencies (LEAs) a choice of mechanisms to use. Participants also raised the question of what could be the future relevance of MLA mechanisms in this field if E-Evidence is adopted.
The E-Evidence proposal does not currently include an exclusivity provision, obliging LEAs to make requests under the E-Evidence regime as opposed to other available mechanisms. In addition, the E-Evidence proposal states that it is ‘without prejudice’ to national measures (Art. 1 of the proposed Regulation), which potentially enables LEAs to avoid using any international cooperation mechanism, but instead pursue national rules against service providers offering services in their territory. As such, the E-Evidence proposal may enable LEAs to use direct access simply as an additional tool, picking and choosing between different access mechanisms according to the particular circumstances. Therefore, one issue participants discussed was whether there should be some sort of order of precedence or conditions governing which regime to use in which circumstances.
It was noted that the recently adopted European Electronic Communications Code (EECC) would bring OTT communication services within the traditional telecommunications’ regulatory regime. This would not only level the playing field in respect of general regulatory obligations, but could also impact LEA access to data (it was noted that this would be the case if the rules applicable to criminal investigations would have the same broad personal scope of application). However, it was also noted that some jurisdictions (e.g. UK and Belgium) have already extended national rules of criminal procedure to encompass OTT communication providers, so the EECC will have little impact in those states.
Some participants thought unlimited mutual trust was a fundamentally undesirable development, leading to individual rights being undermined (‘race to the bottom’) and that the focus should be on improving existing MLA procedures.
Questions were raised about whether there is sufficient mutual trust between EU Member States for the E-Evidence proposal to work, given the following issues:
- Current concerns about challenges to the rule of law in countries such as Hungary and Poland (for example, should there be some form of annual review of the state of the rule of law in Member States, under Art. 70 TFEU?);
- Historic and fundamental divergences between Member States concerning not only criminal procedure regimes but also substantive provisions of criminal law;
- Lack of agreement on applicable criminal offences, particularly as the concept of ‘serious crime’ is not sufficiently harmonized;
- Current divergences on issues such as mass retention of communications data, despite the CJEU judgements in 2014 (Digital Rights Ireland) and 2016 (Tele2 Sverige) about the compatibility of a general data retention obligation with the Charter.
The E-Evidence proposal only permits refusals to requests on a case-by-case objection, rather than the possibility for the suspension of the regime in respect of particular Member States.
Some participants raised the concern that prosecutors are not sufficiently independent to meet the requirement under the ECHR for a judicial or independent authority to authorize the use of coercive and covert investigative techniques.
There was considerable discussion about the role of notification to states under the E-Evidence proposal. Unlimited mutual trust distinguishes itself from MLA by removing the role of the recipient state, by enabling direct contact with the service provider in the recipient state. In other terms, while MLA regimes are based on cooperation between judicial authorities (with some grounds of refusal recognized in favour of the recipient state), the E-Evidence proposal is based on cooperation between the judicial authorities of the issuing state on the one hand and private actors on the other. The Commission’s original proposal did not contain any need for notification to states where the service providers are established or where the targeted persons are located. After a heated debate, the Council introduced a notification provision in favour of the executing state without, nonetheless, an effective possibility to react after receiving such a notification. Participants discussed a range of issues relating to a state notification system, including the following concerns:
- Notification is seen as necessary by some to enable the recipient state to have an opportunity to refuse the data disclosure on specified grounds, as provided for under MLA regimes.
- Some viewed state notification as undermining the potential efficiencies of a direct cooperation mechanism, which is the primary objective of the E-Evidence proposal.
- Concerns were raised about the capability (and the desire) of the recipient state(s) to act on any notification received.
- What would meaningful notification be, in terms of the information disclosed and time required to review and object (e.g. 10 days)?
- Which state(s) should be notified, i.e. the state of the service provider and/or the state where the data subject resides or is a citizen? Some participants expressed the view that the EU Council’s approach on notification is not satisfactory. Notifying the Member State of residence of the person whose data is sought would be a preferable solution for several reasons. It would give the possibility to the affected State to exercise its classical protective functions in this field, in order to protect its own essential interests but also some particularly vulnerable groups on its territory such as journalists, lawyers, whistle-blowers, political dissidents, etc.
- In the absence of state notification, protection against abuse is dependent on the service provider challenging the request, as specified in the Commission’s proposal, which is viewed by some as an inappropriate role for the private sector and/or insufficient in terms of a state’s obligation to safeguard the rights of those in its territory.
Notification issues also arise with respect to the individual that is the subject of the request. The E-Evidence proposal provides for the possibility of notification, but under restrictive conditions (Art. 11 of the proposed Regulation). In the US, the presumption is reversed, i.e. a LEA has to make a case for non-disclosure to users, following litigation by Microsoft that resulted in a declaratory judgement from a US Court. It was also noted that state and individual notifications are linked to the extent that the latter may need an opportunity to make representations against disclosure, as well as assert their rights against the state or the service provider post-disclosure.
It was noted that the Council carve-out for public sector data from the scope of the E-Evidence proposal (Art. 6a of the proposed Regulation) could lead to the exclusion of other categories. In these situations, alternative cross-border mechanisms will either need to be used (e.g. MLA) or such data will simply be exempt from disclosure in a cross-border context.
Mention was made of the need for an EU measure on electronic evidence, relating to issues of admissibility and authenticity. But it was noted that negotiations on previous legal instruments have shown that Member States are not ready to harmonize on such matters.
Session 2: E-Evidence, Citizens and Organizations: Which Protections, Safeguards and Remedies?
Are service providers the right entities to protect the rights of users? Mention was made of the CJEU’s judgement in Google v CNIL (24 September 2019), para. 70, which, according to some participants, could be interpreted as obliging a service provider to protect the fundamental rights of its users. Others, however, took a different reading of this paragraph, namely that the judgement merely confirmed that service providers have to comply with their legal obligations under the GDPR. Participants also noted the ‘horizontal effect’ of human rights treaties such as the European Convention on Human Rights, which could play a role in this field. It was noted, nonetheless, that the formal imposition of obligations on service providers under the E-Evidence proposal would require a different legal basis (Art. 114 TFEU, rather than Art. 82 TFEU).
However, service providers are generally expected to hand over data to LEAs and may face the threat of sanctions if they fail to do so. While the large US providers have the resources and the expertise to push-back against inappropriate or improper requests, European SME service providers will find it difficult to resist such demands.
Participants emphasized that, in any case, there is a need for legal certainty in this field: the E-Evidence Regulation should clearly explain if service providers have a role to play in protecting the rights of users and what exactly should be this role.
Questions were raised about whether the E-Evidence proposal is sufficiently aligned with the terminology (i.e. controller/processor) and their respective obligations under the GDPR (e.g. Art. 23 GDPR).
Concerns were raised about the continued use of voluntary disclosure mechanisms by service providers once the E-Evidence proposal was implemented. Would LEAs continue to approach service providers to request data outside MLA regimes or the regime established by E-Evidence? Could voluntary co-operation breach fundamental rights sometimes?
Under the E-Evidence proposal, individuals must pursue remedies before the courts in the issuing state, even if they are located in another state (Art. 17 of the proposed Regulation). It was noted that this is different from the position under the GDPR, where a data subject can bring an action before his/her local courts. The latter position was apparently adopted following advice from the Commission’s Legal Service that to require an individual to bring a claim outside of their jurisdiction was not compatible with the notion of ‘effective remedies’ under the Charter.
It was noted that the E-Evidence proposal focused on targeted data requests, not bulk collection and disclosure. A few participants expressed nonetheless concerns that such bulk requests also need to be considered. Others noted that national laws do cover bulk retention, collection and disclosure, but usually under national security justifications, and involving intelligence services, rather than criminal law enforcement and associated LEAs.
Concerns were also expressed that the political dimension of the E-Evidence proposal has not been fully considered in terms of how the measure will, or could, be perceived by European citizens, during an era of increased Euro-skepticism. Will citizens view such mutual trust as integration gone too far, too fast? The European Arrest Warrant generated similar reactions. Several participants argued that a requirement of dual criminality could be seen as a necessary protection against such over-reach. Other participants challenged, nonetheless, this idea, arguing that the dual criminality is only an optional ground of refusal under the EIO Directive and that there is a long list of exceptions under other instruments. They also noted that, from an efficiency perspective, it does not make sense to introduce a dual criminality requirement for all data categories, as LEAs can get that data quite easily on the basis of voluntary cooperation (without such restrictions). Going beyond the discussion about dual criminality, participants raised the idea of introducing in the E-Evidence Regulation a commonly agreed list of crimes.
The discussion then moved to the mechanisms that could ensure the effectiveness of the E-Evidence human rights protections. It was suggested that a provision could be introduced into the E-Evidence proposal stating that data obtained in breach of the measure would be inadmissible as evidence, to safeguard human rights. However, some participants considered this an insufficient protection.
Last, but not least, participants highlighted the need for the EU legislators to ‘do it right’ in the field of protection of fundamental rights and to introduce the highest level of protection while facilitating access to e-evidence by LEAs. The majority of participants had the feeling that the human rights protections introduced in the EU Council’s general approach on the E-Evidence proposal were not adequate.
Session 3: E-Evidence and Third States: Resolving Conflict of Laws and Negotiating International Agreements
The current situation in the US was reviewed, such as the Stored Communications Act operating as a blocking statute.
The potential for bilateral agreements under the CLOUD Act was discussed. The UK will be the first, but other countries are lining up, including Australia, Canada, New Zealand, Argentina and India.
For an EU-US agreement, reciprocity will be a big issue to resolve, protecting EU citizens and residents in similar fashion to the way the CLOUD Act protects US citizens and residents. The participants noted that the issue of reciprocity is a fundamental condition appearing in the EU negotiation mandate. Indeed, the negotiation mandate given by the Council to the Commission requires that ‘the agreement should be reciprocal in terms of the categories of persons whether legal or natural whose data must not be sought pursuant to this agreement.’ One participant expressed the opinion that the US might adopt a flexible approach which could make it possible to conclude a fully reciprocal agreement. Participants also explained that the priority for both sides should be to deal with the overwhelming majority of criminal investigations which concern ‘local crime’, in other terms situations where the suspect is located in the country requesting the data. It has been said that according to some service providers this is the situation in more than 93% of all criminal investigations. An EU-US agreement would greatly facilitate such ‘routine/domestic’ investigations. It is thus unfortunate that the debate sometimes focuses on the rare cases where the suspect is not located in the country requesting the data – cases for which solutions satisfactory for both sides can be found when concluding the agreement.
Several participants highlighted that the future EU-US agreement should be ‘Court-proof’. A discussion followed on the case law of the CJEU in scrutinizing other EU data agreements (such as the PNR agreement with Canada) and participants argued that the Court applied in such cases a high level of scrutiny, sometimes controlling almost each single word of the agreement. It would thus be important to ‘get this agreement right’ from a fundamental rights’ perspective. However, the Umbrella Agreement does contain some strong protections, which should bolster the validity of any EU-US agreement. It was noted that the European Parliament cannot participate directly in these negotiations, but should follow closely these developments and might require strong safeguards prior to consenting to such an Agreement.
The US has a strong exclusionary rule (at least for content data) under its criminal procedure (and applies the ‘fruit of the poisonous tree’ doctrine) that acts as a strong disciplinary control over the practices of US LEAs.
Finally, participants expressed the opinion that an EU-US Agreement cannot be concluded before there is a clear EU-internal position on how to regulate direct cooperation with LEAs and service providers. They highlighted that the conclusion of an EU-US agreement might take a long time and it is not certain, at this stage, whether this will take the form of a framework agreement to be followed by bilateral agreements between the US and EU member states – as the US currently wishes.
The experts’ meeting held in Brussels on September 25, 2019 showed the great variety and importance of issues that need to be addressed in order to put in place a satisfactory legal regime of access to digital evidence. While the participants acknowledged the need to improve the current legal system in order to give the possibility to law enforcement authorities to access quickly data relevant to the investigation of serious crimes, they also emphasized the necessity to “do it right”, by providing the necessary human rights safeguards and legal certainty for service providers. The general feeling of the participants was that the EU Council’s general approach did not adequately address human rights safeguards and that there was room for improvement. The main issues that policy makers should address include the following:
- How to deal with the divergences in the criminal laws of EU Member States as well as potential rule of law issues in some of them.
- What should be the proper role of the different Member States involved: the issuing State; the enforcing/executing State; and the “affected” State where the targeted person resides and/or is located. One major question in this respect would be to determine what should be (if any) a satisfactory notification regime and what should be the powers of States other than the issuing State to act in order to protect human rights, privileges and immunities.
- What should be the proper role and a workable regime for service providers. While the responsibility of protecting human rights should not be shifted from States to service providers, the latter should be able to play some role and challenge orders that are manifestly abusive or otherwise problematic.
- The additional human rights safeguards, including a satisfactory regime of notice to users and the possibility for targeted individuals to have access to realistic and effective remedies.
- The issue of whether E-Evidence will include or not an exclusivity provision, obliging LEAs to make requests solely under this regime as opposed to the possibility to use alternative national rules and mechanisms of access to e-evidence which could create complexities in the overall legal regime.
- Finally, the need to address adequately human rights and reciprocity issues in the data sharing international agreement that the EU is currently negotiating with the US.
It will be interesting to examine how the draft report of the LIBE Committee, expected to be published very soon, will address all those issues – as well as other issues discussed during the Brussels workshop. It will also be interesting to follow the subsequent work of the European Parliament on those issues and the trilogues expected in 2020.
[i] The following persons participated in the workshop: Petra Bard, Central European University (Hungary); Heidi Beate Bentzen, University of Oslo (Norway); Raphael Bossong, Stiftung Wissenschaft und Politik (Germany); Christoph Burchard, Goethe University Frankfurt (Germany); Theodore Christakis, Université Grenoble Alpes (France) – organizer; Alexander Dix, European Academy for Freedom of Information and Data Protection (Germany); Michele Dubrocard, European Parliament; Anze Erbeznik, European Parliament; Vanessa Franssen, University of Liège (Belgium); Mona Giacometti, UCLouvain (Belgium); Emily Johnson, Universität Wien (Austria); Eleni Kosta, Tilburg University (The Netherlands); Christopher Kuner, Vrije Universiteit Brussel (Belgium); Ricard Martinez, University of Valencia (Spain); Sakari Melander, University of Helsinki (Finland); Michele Simonato, European Parliament; Peter Swire, Georgia Tech (USA); Stanislaw Tosza, Utrecht University (The Netherlands); Ian Walden, Queen Mary University of London (United Kingdom).