E-Evidence negotiations in the EU Council are currently locked in stalemate. The clock is ticking, due to the upcoming European elections and the will of the Austrian Presidency to conclude the Council negotiations by December. Yet, the October 11th meeting of the European ministers of Justice showed, according to the Austrian presidency’s conclusion that: “There is a big divergence of opinions and it will be difficult to find a compromise that bridges these differences”.i The meeting made progress on another contentious issue, with the Member States deciding to drop the request to introduce real time interception in the E-Evidence draft regulation. States remain profoundly divided, however, on the main subject discussed during this meeting: the one concerning the introduction of a notification mechanism between Member States affected by a European Production Order (EPO).
As explained in a previous post in this Forum, the issue is whether the Member State issuing an EPO should have a notice obligation to another Member State, with the latter potentially having the opportunity to review and object to the EPO. If there is notice, the next question is which Member State should be notified: the Member State where the service provider or its legal representative are established; the Member State of citizenship or residence of the target person; or, perhaps a combination of those. The Austrian presidency had stated that, since the notification issue “underpins the essence of the proposal, it should be clarified for the smooth progress of the negotiations”. As a consequence, Austria organized the October 11th meeting to address the notification issue, while proposing at the same time, “a solution where the notification is provided for information purposes only”, without a possibility to object, as a potential compromise.
In the first part, this paper will discuss the “big divergence of opinions” that marked the Council’s meeting and will present the main arguments used by the opposing camps.
In the second part, it will submit a proposal in order to disentangle the notification knot. The author of this paper believes that the best solution to this almost intractable problem is to combine the two following elements: 1) the introduction of a notification procedure for orders concerning all but subscriber data to the Member State of residence of the targeted person, with a possibility for the latter Member State to object; and 2) the preservation of a possibility for Internet and Cloud Service Providers (ICSP) to play a role in the review of an EPO. ICSPs could, for example, indicate a problem not known to the issuing or reviewing Member State or flag an eventual problem of conflict of laws involving Member States other than the country of residence.
I. TO NOTIFY OR NOT TO NOTIFY? THAT IS THE QUESTION IN THE COUNCIL
The debatesii during the October 11th meeting of the European ministers of Justice showed that a majority of States opposes the introduction of a notification procedure in E-Evidence. However, an important minority of States strongly defended the need for such a notification mechanism. States in both camps declared their will to reach a compromise. However, despite this spirit of conciliation, there were strong divergences concerning issues such as: if notification should be given for information purposes only or include the possibility to object; which State should be notified; and which kind of data should an eventual notification concern.
A) Arguments against notification
Some Member States, like Croatia, France, Ireland, Malta and Portugal, have strongly opposed a notification system. Several others, such as Belgium, Bulgaria, Estonia, Italy, Lithuania, Luxembourg, Poland, Romania and Spain, have opposed a notification system, declaring however at the same time that they would be open to a compromise for the sake of ending the discussions by December. These States have used several arguments against the introduction of a notification procedure arguing that such a mechanism would, among other things:
- undermine the basic operational structure and the very raison d’être of the proposal, its added value, efficiency and speed compared to the current European investigation order;
- bring back the criterion of territoriality via the backdoor;
- create practical and technical difficulties, including the need for translating the Orders into the language of the notified Member States and, finally, make the procedure more burdensome even than the European investigation order;
- create a very high workload for Member States with many service providers or legal representatives within their territory. As Commissioner Věra Jourová stated, “Ireland for instance would have to hire an army of new administrators only because Google and Facebook are based on their territory”;
- undermine mutual trust between Member States.
B) Arguments in favor of notification
An important minority of States (Cyprus, Czech Republic, Finland, Germany, Greece, Hungary, Latvia, the Netherlands, Slovakia, Slovenia, and Sweden) declared, more or less strongly, that they were in favor of the introduction of a notification procedure in the E-Evidence Regulation. While some among them have expressed their openness to a compromise solution, none appeared to be convinced by the Austrian compromise proposal, which revolved around a notification with a solely informative character. For them, the introduction of a notification mechanism would be very useful inter alia for the following reasons:
- it would help in finding a balance between fighting crime and protecting other values, and making sure that the new tool “works smoothly”;
- it would help deal with the fact that the authorities of the issuing State are not always in the position to assess it properly, as they may lack the necessary information about its potential impact;
- it would improve the efficiency of the instrument, while safeguarding fundamental rights and introducing legal certainty;
- it would be particularly helpful in order to protect journalists’ sources and whistle-blowers;
- it would help transfer the burdensome tasks of assessing the compatibility of Orders with human rights and other fundamental values from the providers to the authorities;
- this would be particularly helpful for small companies which, otherwise, would not be able to deal with the burden, especially taking into consideration the strict deadlines;
- it would help safeguard national security and public interest;
- such a solution would not slow down the E-Evidence mechanism, as the strict deadlines would be the same.
C) Assessment
The arguments of both sides are both legitimate and powerful. This strange situation is the reflection of the complexity of the issues that the E-Evidence proposal tries to tackle.
The author of this article has previously explained why he thinks that the introduction of a notification mechanism with a possibility to object is necessary in order to protect more effectively not only human rights but also the fundamental interests of the Member State affected by an EPO. Beyond the above-mentioned arguments of the pro-notification side, the author also explained that the current EU Commission’s draft, especially if one takes into consideration the proposed revisions by the EU Council which weaken even further the limited protections of the original text, is problematic because it leaves solely to the issuing Member State the task to effectively protect the fundamental interests of other Member States, the immunities and privileges existing within the legal systems of these Member States, or the fundamental human rights of those citizens. Indeed, it is rather logical to fear that the authorities of the issuing State will prioritize their own interests over any foreign ones – especially if access to data is critical in order to resolve an important criminal case.
Moreover, the introduction of an adequate notification mechanism will help bridge the gap that seems to exist today between the Council and the Parliament on the issue of E-Evidence. Indeed, members of the European Parliament’s LIBE Committee, but also the Study commissioned by the European Parliament’s LIBE Committee and the Opinion on E-Evidence published on 8 October 2018 by the European Data Protection Board, have expressed their scepticism towards the initial draft regulation and the lack of oversight by the receiving Member State’s judiciary. If the Council could move towards enhancing the protections and safeguards of the initial proposal for Member States and individuals, this could help move in the direction of a compromise.
However, concluding that a notification mechanism should be introduced in E-Evidence does not resolve the issues at stake. Which State should be notified? And what should be the role of the ICSP if a notification mechanism is added? I will now turn to these issues with a proposal for a solution which could help States achieve a compromise without undermining the original “direct and quick access to criminal evidence” project.
II. SOLVING THE NOTIFICATION PROBLEM: A PROPOSAL
A) The variables in the equation
Even if States agree to introduce a notification procedure with a possibility to object, the problems do not end there. The notification issue is a complex one including multiple variables. Indeed, determining the weight to be given to each variable is necessary for resolving the E-Evidence equation in a balanced and satisfactory way that will be accepted by all States and stakeholders. The second part of this article will try to clarify at least three key issues.
The first issue is which Member State is the most suitable for receiving notification. The following Member States are potential candidates:
- The State where the ICSP provider or its legal representative is established;
- The State of nationality of the targeted person;
- The State of residence of the targeted person;
- The State where the requested data are stored;
- Or some combination between the above.
Member States appear to agree that multiplying the number of notifications would undermine the very raison d’être of the “direct access” mechanism. However, no agreement has emerged about who should be notified. In their oral and written observations in the Council some among the “pro-notification” States indicated that the notification should be given to the Member State of the service provider (see here p. 13 for the position of Finland, p. 12 for Latvia, p. 15 for Sweden). Germany, on the other hand, initially referred without precisions to the “affected Member State” (see here p.10) before expressing (here) its “clear preference” for the country of residence.
The second issue that needs to be resolved concerns the type of data requests that should be covered by the notification obligation. Belgium, for instance, declared that it was open to a compromise in favor of notification but subject to “a very clear limitation: it can only concern content data” – a position that Luxembourg agreed with. Other states, such as the Netherlands, seem to indicate that the notification system could include content and transaction data, but should exclude subscriber data.
The third issue concerns the role that the ICSP would play in any notification mechanism. It should be recalled, in this respect, that the ICSP have an important role to play under articles 9, 15 and 16 of the original E-Evidence proposal submitted by the EU Commission (mechanisms explained in detail in this post, which also highlighted how a revised draft of the Council would substantially limit these powers). During the October 11th meeting of the European ministers of Justice there were few, if any, discussions about how these ICSP review powers could be affected by the introduction of a notification mechanism. Still, some States (such as Belgium, Finland, Sweden or Greece) seemed to indicate that a notification system could replace the provider’s ability to object to orders.
B) Proposed solution
In order to advance the debate on these complicated issues, this paper would like to submit the following proposal.
First, the notification should be sent to the Member State of residence of the targeted person, with a possibility of objection by that Member State.iii
Second, a notification should not be limited to content data, but also to transactional data (or “metadata”). In contrast, a notification should not be required for subscriber data requests.
Third, the ICSP should have the ability to continue to play a role in the reviewing process in order to protect their clients’ interests and notably also to flag other potential problems (including errors or problems of conflict of laws involving other States).
The remainder of this article will present arguments in favor of the first and third solutions proposed. It will only discuss briefly here the issue of which categories of data should be concerned. The E-Evidence draft introduced new categories of data, the delineation of which are not yet crystal clear. As there is not enough space to open such an important discussion within a single article, it is sufficient to mention that the recent case law of the two European Courts does not seem to justify to adopt Belgium’s distinction and preference for only “content data”. The Court of Justice of the European Union has ruled in its judgement in Tele2 Sverige that metadata such as traffic data and location data provide the means of “establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications” (see here, para. 99). Similarly, the European Court of Human Rights emphasized in its recent Big Brother Watch et al. Judgment that access to communication data (or metadata) could be just as intrusive as access to content data (see here, para. 356). As a consequence, limiting notification to content data could be problematic. On the other hand, the less intrusive character of subscriber data and the widespread direct cooperation between requesting States and ICSP on this field, does not justify introducing subscriber data requests in the notification system.
C) Advantages of Notifying the Member State of Residence
Among the possible mechanisms for notification, there would be several advantages in notifying the Member State of residence.
1. A workable and efficient solution
Notifying the Member State of residence would maintain the advantages and efficiency of the “paradigm shift” proposed by the Commission. Such a notification procedure is consistent with the operational structure and the raison d’être of the proposal and should not alter its efficiency and speed.
First, in the typical case, the investigating/issuing authority seeks data on individuals in residence in the same country. For example, a murder investigation in Rome will very often seek data of persons residing in Italy, rather than persons residing elsewhere. In such cases, there will not be any need for “notification” because the issuing State will not have to notify… itself! Similarly, in cases where it is impossible to identify which is the Member State of residence, no notification should take place. The practical impact of notification would thus be far less important than some of the concerns expressed by those opposing notification.
Second, in cases where the State of residence differs from the issuing State, the deadlines would remain the same as in the current Commission’s project. The Member State of residence, after receiving the notification of the European Production Order Certificate (EPOC), could agree expressly, in which case the ICSP can immediately provide the data to the issuing authority without waiting for the expiration of the deadline. In the alternative, the Member State of residence will be considered as having given a “tacit” agreement at the expiration of the deadline (“qui tacet consentire videtur”).
Under the proposal here, the difference would exist only for that small sub-set of cases where the Member State of residence affirmatively decides to object, based for instance, on the interests of that State (including privileges, immunities and trade secrets), and the fundamental rights of its population. In short, the proposal here would delay access only in those cases where a Member State objects for fundamental rights or other important reasons. In that subset of cases, more thorough consideration is actually warranted.
2. The link with the Member State where the ICSP is established is artificial
The solution, proposed by some States, to notify the Member State where the ICSP or his legal representative is established seems artificial and is not closely linked to the interests at stake. If, for instance, Italy requests the data of a Spanish person residing in Spain, it could be rather strange to provide notification only to Ireland just because the addressee ICSP is established there. Spain would have, in such a case, a much stronger interest and motivation in reviewing the EPO in order to assess if it conflicts with the fundamental rights of its residents or privileges and immunities and fundamental State interests protected by its domestic law. Ireland would have less interest and incentive in doing so. Moreover, for some Member States with many service providers or legal representatives on their territory, such a task could present a very heavy workload. Indeed, it is not surprising that Ireland is probably the State most strongly opposing the notification solution.
Besides these considerations, it should be recalled that the Member State where the ICSP or his legal representative is established already has, under the E-Evidence proposal, an important power of review, but which exists only under some conditions and at a later stage. More precisely, if (and only if) an ICSP refuses to comply with an EPO, this EPO is transmitted, under article 14 of the draft, for enforcement to the Member State where the addressee of the EPO is established. Article 14(2) of the draft Regulation gives the possibility to such a Member State to refuse to enforce an EPO if it considers “that the data concerned is protected by an immunity or privilege under its national law or its disclosure may impact its fundamental interests such as national security and defence”. From this point of view, then, the Member State where the ICSP or his legal representative is established will always be able to review eventual important problems affecting it at the stage of execution of the EPO.
3. The link with the Member State of nationality is less relevant
Similarly, the link with the Member State of nationality of the suspect, while probably more relevant than the one with the Member State of establishment of the ICSP, still appears less satisfactory than the criterion of the country of residence. In the physical world, a citizen of State A who lives and works in State B, will need protection (against threats to his integrity, intrusions to his private life, etc.) in the territory of State B where the breaches can logically take place – not in his country of origin where he is not present anymore. The same protection of privacy is relevant in the digital sphere. State B has not only a right, under its territorial jurisdiction, but also a duty to protect against abuses all persons present in its territory, including non-national residents and aliens. General International law requires States to punish offenses against the life, liberty, property and honor of aliens and “States fulfill this duty if they protect aliens in the same way as they do their nationals”. Moreover, under Human Rights treaties each State has an obligation “to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in [these treaties], without distinction of any kind” (see, for instance, art. 2 of the ICCPR). It is thus clear that the Member State of residence is the most suitable in order to protect the human rights of the persons residing in its territory (European citizens or not) as well as its own fundamental interests that might be affected by a request targeting a person residing and working on its territory.
4. A solution putting back in the heart of the debate the targeted individual
The great merit of the proposed solution is, precisely, to bring the targeted individual back into the equation. Such a solution would permit to strike the right balance between the interest of the issuing authority to access quickly digital evidence in order not to hinder criminal investigations and the necessity to introduce adequate safeguards in order to protect other values. From the point of view of the human rights of the targeted individual, the Member State of residence would be able to exercise its traditional protective functions, including acting in order to protect some particularly vulnerable groups such as journalists, lawyers, whistle-blowers, political dissidents, etc. From the point of view of protection of the fundamental interests of the Member State where these persons reside, this mechanism will help assure that there is no error or abuse by the issuing Member State which could affect the national security of the Member State of residence (if, for instance, the targeted person is an agent of the receiving Member State), trade secrets (if the target is a business executive) or other essential interests. Moreover, but this is not a point that will be further discussed here, such a notification mechanism could facilitate the introduction and implementation in E-Evidence of the dual criminality principle, strongly requested by authorities such as the European Data Protection Board (see here, pp. 6-8).
5. A solution that could help resolve the problem of the legal basis of E-Evidence
Last, but not least, such a notification mechanism could help resolve the problem of the legal basis of E-Evidence. The legal basis advanced by the EU Commission, namely Article 82 TFEU, has been strongly challenged by the EDPB in its recent opinion (see here, pp.4-5) and by other stakeholders (see for example this, pp. 36-37 and this, p. 31). The main argument used by these authorities is that Article 82 TFEU can serve as legal basis in cases where there is a “cooperation between judicial or equivalent authorities of the Member States”. According to them, this is not the case in the Commission’s proposal because the only relation is between the issuing Member State and the “addressee”/service provider.
Introducing a notification mechanism would help address this criticism. Such a notification mechanism would create a direct relation between two Member States: the authorities of the issuing Member State and the authorities of the Member State of residence. The execution of the EPO would thus be based on the cooperation between the two and the fact that the latter does not object to the EPO. It should also be recalled that the mechanism of article 14 creates another link of cooperation, this time with the enforcing State (to which the EPOC is transferred for execution in case of non-compliance by the addressee). This double cooperation link (on the one hand between the issuing Member State and the Member State of residence and, on the other hand, between the issuing and the enforcing Member State), should help accept the “new dimension” of article 82 proposed by the Commission in its Impact Assessment Study.iv
D) Advantages of Maintaining a Role for Service Providers
As discussed next, there is an important continuing role for ICSP. To begin, systematic notification to the Member State of residence, combined with the possibility to object, would justifiably reduce the burden placed on ICSP under the Commission’s draft. Under that draft, providers need to assess not only if the EPO is incomplete or contains “manifest errors” [9(3)], but also if it “manifestly violates the Charter of Fundamental Rights of the European Union or […] is manifestly abusive” [9(5)] and also if there is a “conflict with applicable laws of a third country prohibiting disclosure of the data concerned on the grounds that this is necessary to either protect the fundamental rights of the individuals concerned or the fundamental interests of the third country related to national security or defence” [15(1) – cf. Also 16(1)]. Hard as these tasks already are, some States went even further during the EU Council debates by proposing to couple them with a liability regime. This was the case of Lithuania, for instance, which, on the one hand objected to the notification solution, while on the other hand proposed that ICSP should be held “liable for the damage caused by the transferred data if the order is later found unlawful”.
Notification to the Member State of residence should put an end to such calls and relieve a good deal of judicial and financial burden away from the shoulders of ICSP. Indeed, it will be for the authorities of the Member State of residence to exercise their protective functions in order to safeguard the human rights of the persons present in their territory, as required by Human Rights treaties, and also their own fundamental interests. Such an evolution should be reassuring for all those who criticized what they called a “privatization of law enforcement”, from LIBE’s E-Evidence Rapporteur Birgit Sippel to Professor Bose’s LIBE-commissioned report, passing through NGOs to the Vice-President of Deutsche Telekom.
This being said, the author of this article considers that the ICSP should not be deleted from the E-Evidence equation. Even if a notification mechanism is introduced, the ICSP should still be able to play a role in order to protect the interests of their clients and to flag issues that may not be identified or dealt with by the issuing State nor the Member State of residence. The ICSP could play a useful role in issues such as the following:
- Verify that the EPOC is complete and does not contain manifest errors (such a mechanism already exists in article 9(3) of the Commission’s draft).
- Verify that notification has been given to the Member State of residence. The issuing Member State should be obliged to indicate on the EPOC that it has provided notice to the Member State of residence. If there is no indication that this State was notified, the service provider should have the opportunity to offer evidence showing which Member State is the State of residence (using, for instance, IP addresses or other means) so that the issuing authorities can complete the legal process by notifying the affected State. Similarly, the ICSP should not execute the EPO before having received confirmation that the Member State of residence has agreed (expressly or through tacit agreement) to the execution of the EPO.
- Inform the issuing or reviewing Member State about potential errors or misunderstandings related to the EPO which could have undesirable or negative effects. Indeed, ICSP are in a unique position to understand the data being requested and identify reasons why an EPO is deficient – reasons that might not be apparent to the issuing or to the reviewing Member States. For instance, a State might issue an EPO for all user content corresponding to a single, specific IP address. On its face, this request could appear to be targeted and proportionate, including to a competent Court. However, certain services rely on “dynamic” IP addresses that are constantly and rapidly re-assigned to new users. A single IP address might thus be used in a single day by hundreds of different users, only one of whom may have anything to do with the crime under investigation. Although compelling the production of content from hundreds of innocent users would clearly be disproportionate, this might not have been apparent to either the issuing or the reviewing Member State, since it is often impossible to know from the IP address itself whether it is static or dynamic. Typically, only the service provider that receives the EPO will be in a position to identify this and call attention to it. It will therefore be important for protection of fundamental rights to give the possibility to service providers to flag such an issue.v
- Be able to request the issuing Member State to review an EPO in case they realise that there is a conflict with the applicable laws of a third State which prohibit the disclosure of the data concerned on the grounds that this is necessary to either protect the fundamental rights of the individuals concerned or the fundamental interests of the third country related to national security or defence, or based on other grounds (such a mechanism already exists in articles 15 and 16 of the Commission’s draft). For instance, to the extent that EPO orders are often directed at US companies, the maintenance of such review mechanisms could permit them to flag potential conflicts with US law, especially pending the conclusion of CLOUD-Act executive agreements between the USA and the EU and, eventually, its Member States.
CONCLUSION
The debate on notification in the EU Council is a very complicated one marked by a series of dilemmas and difficult questions: To notify or not to notify? To permit objection or not? Which State should be notified? For which categories of data requests? Following which exact mechanism? And what should be exactly the remaining role for Internet and Cloud providers?
The objective of this article was two-fold. First, it intended to clarify as much as possible the terms of the debate by trying to clearly distinguish the different issues at stake. Second, this article tried to advance some ideas in order to resolve a problem which seems almost intractable if one listens to the debate that took place during the October 11th meeting of the European ministers of Justice.
The author of this article knows well that the “notification knot” is not a “Gordian knot”, capable to be loosed by a miraculous easy solution or stroke of sword. The notification problem recalls instead the myth of the Lernaean Hydra: for every head chopped off, the Hydra would regrow two heads and for every question answered in this article, two new queries might emerge. For instance, the technical and legal identification of the Member State of residence might raise some difficulties. Similarly, if the proposed solution of a notification system with a continuous (but diminished) role for the ICSPs was introduced, work would need to be done in order to determine how exactly this will affect the existing articles in the Commission’s proposal. Furthermore, it remains to be seen how the issues discussed in this paper relate to other complicated issues, such as the future negotiation by the EU of data sharing agreements, starting with the United States under the Cloud Act provisions. Indeed, during the meeting of the European ministers of Justice, Commissioner Věra Jourová stressed that the discussions around the notification regime that had taken place at the meeting are of vital importance to the process of preparing a mandate for an EU-US agreement on cross-border access to e-evidence.
These, along with several other questions, remain challenging. Still the author hopes that the ideas presented in this paper could be useful in order to disentangle the “notification knot” in the EU Council and strike the right balance between the conflicting values at stake and the diverging views. This, combined to other reforms, could also help bridge the gap that seems to exist between the EU Council and the European Parliament’s LIBE Committee, helping move towards the direction of a compromise and speeding up progress on the adoption of E-Evidence in the interest of all stakeholders.
Theodore Christakis is Professor of International Law at the University Grenoble Alpes. He is the Director of the Centre for International Security and European Studies (CESICE) and the Deputy Director of the Grenoble Alpes Data Institute. He is a Member of the Institut Universitaire de France and of the French National Digital Council and a Senior Fellow with the Cross-Border Data Forum. The author would like to thank Karine Bannelier and Peter Swire for their comments on previous versions of this article. He would also like to thank Katerina Pitsoli for assisting with research. All errors mine.
i The debates are available, listed by country, under the E-Evidence tab (below the video) here : https://video.consilium.europa.eu/en/webcast/ffa13ca3-8e18-4bc1-9c80-8fdaa18265ac
ii See previous note.
iii This article only refers to relations between EU Member States and the notification procedure examined here only refers to a Member State of residence in the EU. The issue of non-EU Member States is an entirely different one and will not be discussed here. Indeed, as explained in another post, there is a need to clearly distinguish between situations concerning EU MS only, and situations involving non-EU States.
iv According to the EU Commission (see here, page 37): “This would introduce a new dimension in mutual recognition, beyond the traditional judicial cooperation in the Union, so far based on procedures involving two judicial authorities, one in the issuing State and another in the executing State”. As explained by Vanessa Franssen, the approach proposed by the EU Commission has already been applied “to judicial decisions in civil matters, which can be enforced directly by private parties without the intervention of public authorities of the Member State where the enforcement takes place”. Nevertheless, in the sphere of criminal law and criminal procedure, the enforcement of a judicial decision of one Member State in another Member State thus far has always required the intervention of the competent authorities of the Member State where the decision is executed, notwithstanding the principle of mutual recognition. This holds true for final judicial decisions imposing, for instance, a custodial sentence (Framework Decision 2008/909/JHA) or a fine (Framework Decision 2005/214/JHA), but also for decisions relating to the investigation such as a European arrest warrant (Framework Decision 2002/584/JHA) or a European investigation order (Directive 2014/41/EU – ‘EIO Directive’). In that respect, the Proposed Regulation entails a fundamentally different approach…”.
v The author would like to thank Microsoft for indicating this issue.
These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.