Discussions on E-Evidence are heating up at the EU Parliament
Taking into consideration the significant legal challenges from the globalization of criminal evidence and considering that traditional instruments for cross-border cooperation such as Mutual Legal Assistance Treaties (MLAT) are too slow and cumbersome, the European Commission proposed, on 17 April 2018, the “E-Evidence” legislative package (E-Evidence), which aims, to streamline cooperation with service providers and supply law enforcement and judicial authorities with expeditious tools to obtain e-evidence.
Despite difficult negotiations among EU Member States, the EU Council of Ministers succeeded in adopting on December 7, 2018 its “general approach” on E-Evidence. This led to a storm of reactions by NGOs, the industry, members of the European Parliament (MEPs) and at least seven EU States, including Germany, who opposed the Council’s draft. The Netherlands, for instance, denounced the Council’s text for being adopted “too fast” and stated that it “opened the way for abuse by EU countries that lack sufficient guarantees over the rule of law and fundamental rights”. In an article published a year ago and entitled E-Evidence in a Nutshell: Developments in 2018, Relations with the Cloud Act and the Bumpy Road Ahead I presented an overview of the major features of the Council’s draft and the principal points of contention.
The months that followed showed the significant challenges that need to be addressed before a compromise is found at the EU on E-Evidence. The Civil Liberties, Justice and Home Affairs (LIBE) Committee of the European Parliament spent most of the year 2019 in drafting seven working documents on the topic. On 8 November 2019, however, an important development took place: the LIBE Committee’s Rapporteur MEP Birgit Sippel released her draft Report on the E-Evidence draft Regulation.
Sippel’s Report constitutes a huge departure from both the Council’s general approach and from the initial Commission’s proposal. It presents… 267 amendments to the Commission’s proposal aiming to modify not only every single article in the Commission’s and the Council’s drafts, but also some important mechanisms and pillars of these drafts.
While this time the NGOs’ and the industry’s first reactions have been generally positive, Sippel’s Report has provoked a strong reaction by the Commission which led to an unusual institutional confrontation at the EU. More precisely, the Commission was accused of circulating to a selective list of stakeholders and MEPs (but not to the E-Evidence Rapporteur herself) a Non-Paper highly critical of Sippel’s Report and claiming that the amendments suggested by the Rapporteur will have a major impact on the efficiency of E-Evidence. This, in turn, led to a strong reaction by the chairman of the Parliament’s LIBE Committee, Juan Fernando López Aguilar, and Birgit Sippel herself, who wrote to Justice Commissioner Věra Jourová to complain about the Commission’s Non-Paper: “From an EU institutional point of view, such a practice by the Commission … raises serious questions as to the principle of sincere cooperation between the institutions,” their letter read. They also protested about the lack of transparency on the Commission’s side and the inclusion in the Non-Paper of factual errors about the content of Sippel’s Report. Following this, the Rapporteur also addressed a letter to her MEP colleagues intending to “clarify” the “misunderstandings” appearing in the Non-Paper and to defend the efficiency of her approach.
It is against this “electric” background that the different political groups introduced a total of 841 amendments to the E-Evidence proposal and that the first meetings between the shadows and the Rapporteur took place during the month of January. The LIBE Committee is due to vote in February or March on this legislative proposal, but it has not yet been determined whether the vote will take place on a new compromise proposal from the committee or whether there will be a vote amendment-by-amendment. A full plenary vote of the European Parliament should take place afterwards.
The objective of this paper is to present briefly some among the major features and mechanisms of Sippel’s Report. This paper is based in a much longer study that I have just published with the Cross Border Data Forum (CBDF) analyzing in detail the extent to which the legal regime proposed by the Rapporteur could strike the right balance between necessary protections and efficiency (see: “Lost in Notification ? Protective Logic as Compared to Efficiency in the European Parliament’s E-Evidence Draft Report”). The conclusion of this study is that, while there are reasons for a number of modifications and adjustments, Sippel’s Report is the product of much work and thinking and includes important ideas and mechanisms that appear useful for the future negotiations on E-Evidence. Here are some among the basic features of Sippel’s Report.
1) Two in One? Merging the Regulation and the Directive
An important structural amendment is that the Report proposes to merge the two instruments proposed by the Commission (a Regulation and a Directive) into a single one. The Rapporteur advances several arguments to justify this, including the concern that by introducing a separate Directive (which will oblige service providers to designate a legal representative in the Union) the Commission might have the hidden intention to “also use it for other future instruments. “In that regard”, argues the Rapporteur, “the proposed Directive overreaches its goal and raises serious issues with its legal basis, namely the Articles 53 and 62 TFEU” (see Sippel’s Report, at 146).
According to my information, the Commission strongly opposed the suggested suppression of the proposed Directive, considering that this would deprive the whole E-Evidence package of its added value, especially as far as third country service providers are concerned. The Commission emphasized that the legal basis for the Regulation (Art. 82(1)) TFEU cannot be used to compel service providers from third States to designate a legal representative in the Union. As a result, a different legal instrument, with a different legal basis, is necessary.
2) A Double Notification Mechanism
By far the most important change proposed by Sippel’s Report is that it introduces a meaningful notification mechanism permitting EU Member States to exercise their traditional protective functions and ensure the respect of fundamental rights on their territory.
The Report provides for notification to both the “executing State” (i.e. the State of the service provider) and the State of residence (“affected State”), when the latter is known to be different from the “issuing” and the “executing” State.
The Notification mechanism is not toothless anymore (as in the Council’s version). The executing State can object with several grounds of refusal available, including protection of human rights, privileges and immunities.
The Report is not founded in ‘absolute’ mutual trust (as the Commission’s version) but on the idea that efficiency arguments should not override the need to protect fundamental rights. It claims, nonetheless, that efficiency will not be significantly affected because the timeframe proposed by the Commission can be respected with much stronger safeguards if each actor plays its own role.
In my CBDF study I analyze in detail the two proposed notification mechanisms and I assess the extent to which each one of them could strike the right balance between necessary protections and efficiency. My basic conclusions are the following.
A) Notification to the “Affected State”: High Protections with Low Burden
First, the introduction of a notification to the “affected State” (the Member State of permanent residence of the affected person) is undoubtedly the major single improvement introduced by Sippel’s Report. Notification to the “affected State” is highly protective. It has the great merit of bringing the targeted individual back into the equation. The Member State of residence would thus be able to exercise its traditional protective functions concerning the human rights of the targeted individual. It will have much more powerful incentives to proceed to such a control than the enforcing State (where the service provider is based) which, most often, has a weak link to a criminal case. Moreover, such a notification will permit to protect the sovereign prerogatives and fundamental interests of the Member State where the data subjects reside, such as the national security of the Member State of residence (if, for instance, the targeted person is an agent of the receiving Member State), trade secrets (if the target is a business executive) or other essential interests.
It is thus clear that the notification to the affected State will greatly enhance the human rights and other protections of E-Evidence. But what about efficiency? The Commission claimed that the system would be too burdensome. In my CBDF paper I explain in detail why the Commission is wrong, subject to the condition that notification to the affected State should only concern the most intrusive for human rights forms of data, namely content and transactional data. It would, however, be an error to introduce into the notification regime subscriber or access data, as the Rapporteur seems to suggest.
Indeed, notification of the affected State, where applicable, would remain entirely inside the timeframe (10 days) proposed by the Commission and the Council. Efficiency is affected much less than commonly assumed, because in most cases (93%) the investigating/issuing authority seeks data on its own residents. In contrast to a Mutual Legal Assistance Treaty request, which requires notice to a different country in 100 % of cases, the “affected state” provision would thus apply in less than 7% of cases. On the basis of the existing data, it seems reasonable to believe that the 20 smallest EU Member States would be notified as “affected State” no more than a few dozen times per year. The burden should thus be low and manageable for them. If one considers than during the year 2018 Facebook received and examined a total of 53,841 data requests, followed by 47,011 for Google, 43,480 for Apple and 22,919 for Microsoft (see here, at 12), it would be an insult to countries like Sweden or Austria to argue that they would be unable to examine a few dozen notifications per year in order to protect as “affected” States the human rights of their populations and their sovereign interests.
In my CBDF paper I also advance a series of arguments in order to rebut the Commission’s argument that “notification to the affected State will go far beyond what exists under current mutual recognition and legal assistance instruments”. In my view, the introduction in the E-Evidence package of the concept of the “affected State”, as Sippel suggests, will permit to “adapt” in an appropriate way in the digital world protections that already existed traditionally “in the physical world” under MLA systems. As a conclusion, while the burden for affected States should be low and the “protecting human rights/sovereign interests benefit” for them and their populations should be high, law enforcement people involved in the e-evidence negotiations do not always seem to realize the importance of this mechanism and do not necessarily declare themselves willing to ensure this “responsibility to protect” function envisioned for them by Sippel.
B) Notification to the “Executing State”: More Challenging but Could Become Feasible
Things are more challenging concerning the mechanism of notification to the executing State also put forward in Sippel’s Report.
While notification to the “affected State” (if the State of residence of the person whose data is sought is other than the issuing State) makes real sense for the reasons explained above, notification to the executing State seems less compelling. Imagine a crime committed in France. The victim is French, the suspect is a French person and resident. What is the point of obliging France to notify Ireland only because the service provider of the suspect is established in Ireland or has his legal representative there?
Despite the lesser relevance of notification to the executing State, whose link to a criminal case is often very weak, it seems that this idea is strongly imprinted in the mind of different stakeholders.
In Sippel’s Report there is no doubt that notification to the executing State, combined with notification to the “affected State”, offers important additional protections and guarantees. Among other things, such a notification permits to deal with a number of issues such as conflicts of laws concerns or rule of law problems in the issuing State – especially taking into consideration that 93% of all criminal investigations have an entirely “domestic” character and there will thus be no notification to an “affected State” for them. In Sippel’s mind, the involvement of the executing State is absolutely necessary not only in order to resolve such rule of law problems but also in order to give a solid legal basis to E-Evidence (Art. 82 TFEU, based on the notion of cooperation between two judicial authorities). She introduces the concept of the “executing” State (instead of “enforcing” State in the Commission’s draft) which will be automatically involved in all European Production Orders (EPOs) thanks to this system of notification and which will be considered as having recognized automatically the EPO Certificate unless if it raises a ground for refusal.
As I explain in my CBDF paper, there is a strong protective logic behind Sippel’s proposal, but the system, as it was introduced, would undoubtedly create a huge burden for the executing State and might make the future instrument unattractive to law enforcement authorities (LEAs). It seems to me that the only way to make this notification less burdensome would be not only to introduce some necessary amendments exposed in my CBDF paper but also to implement this system on the basis of the understanding that the executing authorities will not need to systematically examine each EPO but will only need to take action in some exceptional circumstances. The whole idea would thus be that there will be a “guardian of the Temple” in case of trouble, but this guardian will not need to check and clear all persons entering the Temple.
3) Enhanced Human Rights Protections
Numbers are not always relevant, but it is interesting to note that Sippel’s Report mentions Human Rights 31 times – up from 17 in the Council’s draft.
The meaningful notification system, explained above, is presented as the major step forward to allow that the rights of affected persons are guaranteed by the executing State and, where applicable, the affected State. Others pro-human rights amendments include:
- Notice-by-default for persons targeted by orders issued under the Regulation (unless there is a non-disclosure order validated by a court to avoid jeopardizing the specified investigation – see amendment 164). This is in contrast with the downgrade operated by the Council and the lacuna in the Commission’s draft discussed here. It is interesting to note that the non-disclosure Court order is directly influenced by the US system of gag orders.
- A rejection of the new data categories introduced by the Commission (“access” and “transactional” data) and return to what is presented (see Report at 147) as “clear data categories (based on existing EU and national legislation and in line with CJEU case law)”, namely: “subscriber”, “traffic” and “content” data. The Commission, however, insisted that its proposed new category of “access data” (as opposed to traffic or transactional data) is extremely important in order to enable LEAs to identify the subscriber of a service at the early stages of the investigation – and should thus not be deleted as suggested by the Rapporteur.
- Due regard for issues such as respect of ne bis in idem principle, dual criminality considerations, privileges and immunities, including protections for medical and legal professions, freedom of press and freedom of expression.
- Limitations to the use of data obtained, including rules on (in)admissibility of evidence & erasure of data obtained in breach of Regulation.
- Much greater concern for effective legal remedies not only in the issuing but also in the executing State in accordance with national law, including the possibility to challenge the legality of the order.
4) A More Appropriate Role for Service Providers
The Report proposes a more appropriate role for service providers. The logic is that the responsibility of protecting human rights should not be shifted from States to service providers, but recognizes that the latter may be able to provide critical information relevant to the assessment of the necessity and proportionality of orders as long as they are not solely responsible for this process.
While logically providing for sanctions if service providers do not cooperate, the Report abandons the hugely punitive sanctions of the Council (“2% yearly turnover”) which could have a chilling effect on providers’ incentive to challenge abusive orders.
The Report also introduces an immunity from liability provision for service providers for any consequences resulting from compliance with an EPO, subject to other data protection obligations.
The Report seems to partially resolve a concern raised by service providers, academics and others, regarding when an EPO should be used instead of domestic procedures. Both the Commission and Council’s approaches created uncertainty and raised the possibility that Member States could resort to the use of domestic measures, potentially in cross-border scenarios, but Sippel’s Report seems to clarify that Union measures should always be used in cross-border scenarios. Service providers have expressed concern that, without clarifying language, the Commission and Council’s approach would have created a backdoor, allowing Member States the opportunity to simply ignore the E-evidence legislation altogether and use domestic measures which could lead to fragmentation and conflicts of law. Sippel’s amendment 83 would delete language preserving use of a domestic backdoor (“without prejudice to the powers of national authorities to compel service providers established or represented on their territory to comply with similar national measures”). However, there is no affirmative requirement that would require Member States to use the E-Evidence mechanisms over national measures in cross-border cases.
5) Other Features
At least four other important features of Sippel’s Report need to be mentioned:
- Conflict of laws -– On conflict of laws, interestingly, the Report does not go back to the elaborated mechanism proposed by Commission and abandoned by the Council (explained here) but provides for a reasonable mechanism based on the appreciation of both the issuing and the executing State’s authorities.
- A higher threshold for issuing production orders – Sippel’s report provides that European Production Orders requiring production of content or “traffic” data (which includes the “access” data category introduced by the Commission) “may only be issued for criminal offences punishable in the issuing State by a custodial sentence of a maximum of at least 5 years”. This is 2 years more than the threshold in the Commission’s and Council’s drafts (“3 years”) and means that, for these categories of data, EPOs can only be issued for the most serious crimes. It would be surprising if LEAs around Europe accepted such a high threshold.
- Extension of timeline for application of the Regulation – Sippel’s Report extends the timeline for application of the draft Regulation from six months after its entry into force (provided in the Commission’s proposal) to three years. This means that, in the best case, E-Evidence will not be applicable until the end of 2023. While it makes a lot of sense to provide for the necessary time in order to implement a new and complex system as E-Evidence (the Council itself proposed a deadline of 24 months in its general approach), three years might appear too long for law enforcement people. This, in turn, raises the risks that some Member States might enact in the meantime national laws to enable access of their LEAs to e-evidence (through extraterritorial or data-localisation measures) leading to fragmentation and unwelcome complications.
- “Independent” Prosecutors – The Report proposes to systematically replace the term “prosecutor” in the draft Regulation by the term “independent prosecutor”, defined as not be “exposed to the risk of being subject, directly or indirectly, to directions or instructions in a specific case from the executive, such as a Minister for Justice, in connection with the adoption of a decision”. This was done in order to reflect recent CJEU case law (see eg Minister for Justice and Equality v OG and PI, discussed in this Blog here). This means, in practice, that prosecutors that have been found by the CJEU not to respond to these “independent” requirements (such as German prosecutors) would not be able under the draft E-Evidence Regulation to request the production of subscriber data and the preservation of data. This would be a limitation to what these prosecutors can already do under domestic law. It would thus be surprising if LEAs all over Europe accepted such limitation. More generally, it should be important to think if CJEU (or European Court of Human Rights) judgments adopted under different circumstances are automatically transposable to other situations. The above-mentioned CJEU cases concerned the sensitive issue of which bodies are “issuing judicial authorities” capable of issuing European Arrest Warrants with a view to the arrest and surrender, by another Member State, of a requested person. One could argue that the particularly high threshold of independence of prosecutors required by the CJEU when the very right to liberty is at stake, should not necessarily be transposed automatically to the E-Evidence context, in relation with the bodies authorized to issue requests for the production of subscriber data and the preservation of data which are less intrusive measures for human rights than the ones envisioned by the original judgment.
Sippel’s version of E-Evidence is far more protective for human rights than the Commission’s or the Council’s drafts. Thanks to this protective approach Sippel succeeded in making the “paradigm shift” introduced by E-Evidence acceptable to fundamental rights experts (and likely very hard to challenge tomorrow in European courts). NGOs and other stakeholders who were firmly opposed to E-Evidence, pleading instead for an improvement of MLA mechanisms (such as the European Investigation Order), suddenly seem to consider that E-Evidence could be compatible with strong human rights protections. “Has Sippel MEP been successful at repairing the unrepairable?”, asks for instance EDRi.
There is also little doubt about the fact that Sippel’s version of E-Evidence is much better for service providers than the Council’s or the Commission’s drafts. Sippel’s report provides a workable regime for service providers and legal certainty while relieving them from liability issues. Without transforming them to legal assessors of fundamental rights (as the Commission did), Sippel’s system gives the possibility to service providers to protect their customers and users and to flag eventual problems to States who remain, nonetheless, the traditional guardians of human rights. When the Council of the EU adopted its draft, the Business Software Alliance denounced a “disappointing text” that “risks undermining the protection of citizens and enterprise data across Europe”. In contrast, the BSA “welcomed” the European Parliament’s E-Evidence draft report, considering that it “introduces much clearer liability rules for companies complying with the Regulation, strengthens the fundamental rights protections of EU citizens, and ensures that cooperation between law enforcement agencies and technology providers is fostered and balanced”. Similarly, a recent joint industry/NGOs statement offered strong support to Sippel’s Report.
If Sippel’s Report is “good for human rights” and “good for service providers”, the big question is whether it might also become acceptable for law enforcement authorities. The double notification mechanism introduced by Sippel does not affect the timeframes proposed initially by the Commission and the Council for the production of data (10 days in normal situations, 6 hours – extended to 24h by Sippel – in cases of emergency). These notification mechanisms create nonetheless a bureaucratic burden and additional responsibilities for the issuing State, the executing State and the affected State. Some modifications and adjustments will be necessary in order to make this system less burdensome for the States concerned, and especially for the executing State. Still, it remains to be seen if these States will accept to play the “responsibility to protect” role envisioned for them by Sippel.
The author will like to thank all the persons who contributed comments to a previous draft of this article, and especially Karine Bannelier, Vanessa Franssen, Ken Propp and Peter Swire. The views expressed in this article are entirely the author’s.