E-Evidence in a Nutshell: Developments in 2018, Relations with the Cloud Act and the Bumpy Road Ahead
The year 2018 was marked by some important legislative initiatives in the United States and the European Union reflecting a new approach concerning Law Enforcement Agents’ (LEAs) access to electronic evidence. These initiatives were motivated by the significant legal challenges that the globalization of criminal evidence is creating for LEAs: a 2018 report by the European Commission found that “more than half of all investigations involve a cross-border request to access [electronic] evidence”. Considering that traditional instruments for cross-border cooperation such as Mutual Legal Assistance Treaties (MLAT) are too slow and cumbersome, the United States (US) and the European Union (EU) decided to move ahead with new legislative tools that would allow requesting Internet and Cloud Service Providers (hereafter: “service providers”) to transfer directly the required data to LEAs of the State that issues such an order, and this regardless of the location where the data are stored or where the suspect in a criminal investigation resides.
In the US, the Cloud Act, adopted by Congress in March 2018, mooted the pending Supreme Court case of United States v. Microsoft. Under the Act, the kind of compelled disclosure orders at issue in the Microsoft Ireland case apply “regardless of whether such communication, record, or other information is located within or outside of the United States.” The Act also created a new “comity” provision for addressing possible conflicts between US law and the laws of other States, albeit applicable in limited situations.
Just a few weeks later, on 17 April 2018, the EU Commission proposed “E-Evidence”, its own legislative package that basically constitutes the European equivalent of the Cloud Act and aims, in a similar way, to streamline cooperation with service providers and supply law enforcement and judicial authorities with expeditious tools to obtain e-evidence.
While the Cloud Act is already binding law in the United States, E-Evidence is facing strong headwinds. Following a few months of difficult negotiations among EU Member States1, the EU Council succeeded in adopting on December 7, 2018 its own draft of E-Evidence. This impression of success, however, needs to be highly nuanced. The EU Council’s draft differs significantly from that of the Commission, setting up potentially difficult negotiations in the future. In addition, the Council adopted its version by a qualifying majority and despite strong opposition by at least seven States, including Germany. It is rather unusual for such an important EU legal act to be adopted over such objections. The Netherlands, for instance, denounced the Council’s text for being adopted “too fast” and stated that it “opened the way for abuse by EU countries that lack sufficient guarantees over the rule of law and fundamental rights”.2
The EU Council draft has received sharp criticism outside of the Council. NGOs, who already opposed the initial Commission’s proposal, strongly reacted to the Council’s draft. EDRI entitled its press release “From Bad to Worse” and stated that “the Council’s text entails a severe deterioration of the few provisions that were meant to safeguard fundamental rights”. Industry reacted strongly, with the Business Software Alliance denouncing a “disappointing text” that “risks undermining the protection of citizens and enterprise data across Europe”. As discussed below, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) has been very skeptical about the whole project. We thus can ask ourselves what are the chances of adoption of E-Evidence in 2019 with several States, all NGOs, the industry, and the EU Parliament opposing the Council’s draft.
This article presents the major features of E-Evidence and the principal points of contention. This should be useful not only to understand the developments within the EU, but also for considering the future negotiation of a Cloud Act Executive Agreement between the EU and the US. The first part of this article presents a brief background to the E-Evidence project and explains the legislative process within the EU and where we currently stand. The four following parts will discuss the major strategic issues related to the mechanisms of E-Evidence which lie at the heart of the existing disagreements: (i) the power of one EU member state to review orders from another; (ii) the power of service providers to challenge a legal order; (iii) resolution of conflicts of laws, and effects on third states; and (iv) a number of human rights issues.
For each issue I present the initial provisions on the Commission’s proposal, what changed in the Council’s draft, and what are the main consequences and problems. The article concludes by discussing the way forward for the E-Evidence proposal as well as impacts on upcoming negotiations between the EU Commission and the USA, which could start soon.
I. Background on the EU Legislative Process on E-Evidence
In April 2018, the EU Commission introduced an important legislative package called “E-Evidence”, aimed at facilitating access to electronic evidence by European police and judicial authorities. E-Evidence seeks to provide an alternative to existing tools of mutual legal assistance by enabling LEAs in one Member State to obtain stored data directly from online service providers located in or represented within a second Member State. The legislative package contains two texts: a draft Directive and a draft Regulation.
The draft Directive3 sets forth the necessity for the appointment of a legal representative for every online service provider that is “established” in or has a “substantial connection” to at least one EU Member State. That representative must have the capacity to accept and comply with orders to produce evidence in criminal proceedings from LEAs in any Member State.
The draft Regulation4 (hereafter: the “Commission’s proposal”) refers to four categories of data, namely “subscriber”, “access”, “transactional” and “content” data. The Regulation sets out a comprehensive scheme to facilitate LEAs’ access to these four categories of data through two new legal instruments, the European Production Order (EPO) and the European Preservation Order (EPrO). In the case of an EPO, providers would be compelled to produce the data directly to the issuing member state authorities (within 10 days in normal cases, six hours in emergency situations), subject to certain limitations.
Like the Cloud Act, E-Evidence stipulates that the obligation to produce or preserve electronic evidence exists “regardless of the location of data”. This means that an EPO could target a person residing in another Member State or in a third country and that the obligation for service providers to deliver the data sought exists even if the data are stored in another Member State or in a third country.5
To understand what has happened from April’s presentation of the Commission’s proposal through the Council’s actions in December, one needs to recall the EU legislative procedure: The Commission submits a legislative proposal to the European Parliament (directly elected) and the Council of the EU (representatives of the 28 EU countries). The Council and the Parliament have to approve an identical text for the proposal to become law. If the texts adopted by the Council and the Parliament present significant differences, inter-institutional negotiations take place. These usually take the form of tripartite meetings (“trilogues”) between the Parliament, the Council and the Commission. Conciliation is the final stage of the ordinary legislative procedure. The conciliation procedure is opened if the Council cannot accept all the amendments adopted by Parliament at second reading. Negotiations take place between the two co-legislators in the framework of the Conciliation Committee, with the objective of reaching an agreement.
The EU Commission presented the E-Evidence proposal in April. Starting from this proposal, the Council organized several meetings and, despite the difficulties, was able to adopt on 7 December 2018 its own draft (called in the EU jargon its “general approach”) to give the Parliament an idea of its position on the legislative proposal submitted by the Commission. On the other hand, the Parliament has been advancing very slowly. As stated in the introduction, E-Evidence has been assigned to the LIBE Committee, which named Member of the European Parliament (MEP) Birgit Sippel as its Rapporteur. The LIBE Committee remains far from adopting its report, which would then be submitted to the Plenary of the Parliament for adoption. It is only after this step that the “trilogues” between the Parliament, the Council and the Commission could start in order to agree on a common text.
So at this time we can only discuss the E-Evidence provisions in the Commission’s proposal and the Council’s draft – while also referring for some issues to the views expressed to date by the Parliament.
II. The Power of an EU Member State to Review the Orders of the Other
The most important point of contention during the negotiations in the EU Council concerned the key issue of whether and when one Member State should be able to review the requests of another. Such review can safeguard a State’s fundamental interests, privileges and immunities, as protected by its domestic legal systems, or the fundamental rights of its population. Both the Commission’s proposal and the Council’s draft limit the ability to review requests, in ways that raise fundamental rights issues.
1) Setting the Scene: “Mutual Trust” and Its Limits
The Commission proposal contained only very limited, if any, power of review for a Member State affected by the EPO issued by another Member State. The Commission emphasized that the draft Regulation “can only work on the basis of a high level of mutual trust between the Member States” (recital 11). The Commission’s logic was that there was no need for review because Member States should trust the legal and judicial systems of each other. The actions of the authorities of the issuing Member State should be deemed sufficient and trustworthy.
However, despite the importance of “mutual trust” in the European Union6, some concerns remain. Even if “a high level of mutual trust” existed today between EU Member States, this would still not provide an absolute guarantee that the issuing State will effectively protect the fundamental interests of other Member States and the human rights of their residents. Indeed, it is rather logical to fear that the authorities of the issuing State will prioritize their own interests over any foreign ones. If the judicial authorities of the issuing State consider that access to data stored in another Member State is critical in order to resolve an important criminal case (for example related to terrorism), they might take strong measures to access this data, downplaying the interests of the affected Member State.
Additionally, one should recall that there is, today, a mounting concern regarding a “rule of law backsliding” in some Member States. In July, the European Commission launched legal action against the Polish government over allegations that the changes regarding the way judges are appointed in the country undermine the independence of its Courts. In October 2018 the European Court of Justice ordered the Polish government to suspend “immediately” changes to the country’s Supreme Court. In September 2018, the EU Parliament asked EU Member States to determine, in accordance with Treaty Article 7, whether Hungary is at risk of breaching the EU’s founding values.
In this context, one can understand why several States considered the initial proposal by the Commission to be unsatisfactory. These states requested the introduction of a notification mechanism, to enable affected States to exercise their protective functions. Other States, nonetheless, strongly opposed the notification mechanism. They feared that such a mechanism would undermine the very raison d’être of the proposal – it might in essence bring back the existing delays for requests made under a Mutual Legal Assistance Treaty. The Council eventually introduced a limited notification mechanism that dissatisfied both the States who were in favor of notification (and who voted against the Council’s draft for not going far enough) and the States who, reluctantly, conceded this limited mechanism. Before discussing the Council’s compromise, the initial provisions concerning review in the Commission’s proposal will be presented here.
2) The Commission’s Proposal: A Limited Power of Review and Only A Posteriori
The Commission’s Proposal reserved only a limited role of review for the enforcing Member State (i.e. the Member State where the service provider is established). Two mechanisms appear in this proposal:
a) Article 5(7): Eventual consultation at the time of issuing the order
This article establishes criteria for when the issuing authority “has to seek clarification before issuing the European Production Order, including by consulting the competent authorities of the Member State [where the service provider is established]”. The issuing authority must seek clarification if it has reason to believe that (i) transactional or content data requested is protected by immunities and privileges granted under the law of the Member State where the service provider is addressed, or (ii) its disclosure may impact fundamental interests of that Member State such as national security and defence. Where the issuing authority finds that the requested data is protected by such immunities and privileges7 or its disclosure would impact fundamental interests of the other Member State, “it shall not issue the European Production Order”.
b) Article 14(2): Eventual refusal to enforce the EPO by the Enforcing Member State
This article allows the Member State where the service provider is established to refuse to enforce an EPO if it considers “that the data concerned is protected by an immunity or privilege under its national law or its disclosure may impact its fundamental interests such as national security and defence”. However, this mechanism only intervenes at the late stage of enforcement of an EPO.8 It also has other limits, notably that it can only be used if the service provider refuses to comply with the Order. If the service provider complies with an Order affecting the fundamental interests of another Member State or the fundamental rights of its citizens, the affected Member State might not even be made aware of that fact, let alone be able to object.
3) The Council’s Approach: A Limited Notification Mechanism
During the debates in the EU Council several States requested to go beyond these proposals of the Commission and to introduce a notification mechanism between Member States affected by a European Production Order. In a previous article I have discussed in detail the arguments presented in favor and against notification and how this whole debate led to what the Austrian Presidency called “a big divergence of opinions” among EU Member States. The same article explained why such a notification mechanism with a possibility to object was necessary in order to protect more effectively not only human rights but also the fundamental interests of the Member State affected by an EPO. I also submitted proposals to make this notification mechanism workable and efficient while assuring that it would not undermine or slow down the operational structure of E-Evidence.
The solution finally adopted as a compromise by the majority was to add a notification mechanism in new article 7a of the Council’s draft. However, this mechanism is limited and was coupled with a downgrade of safeguards and oversight measures initially appearing in the Commission’s proposals. Here are the main features and issues raised by article 7a:
a) Notification to the enforcing Member State (not necessarily the affected Member State)
Article 7a provides that, “in cases where the EPO concerns content data”, and the issuing authority “has reasonable grounds to believe that the person whose data are sought is not residing on its own territory”, the issuing authority “shall submit a copy of the EPO Certificate to the competent authority of the enforcing State” at the same time the EPO is submitted to the Service Provider.
This means that notification is to the “enforcing” Member State, i.e. the State where the service provider is established. Notice does not necessarily go to the State where the targeted person resides and which might be affected by the disclosure of the requested data. As explained elsewhere, this solution seems somewhat artificial and is not closely linked to the interests at stake. If, for instance, Poland requests the data of a German person residing in Germany, it could be rather strange to provide notification only to Ireland just because the service provider (for instance Facebook or Google) is established in Ireland. Germany would have, in such a case, a much stronger interest and motivation in reviewing the EPO in order to assess if it conflicts with the fundamental rights of its residents or privileges and immunities and fundamental State interests protected by its domestic law. Ireland would have less interest in doing so. Moreover, for some Member States with many service providers or legal representatives on their territory, such a task could present a very heavy workload. Indeed, it is not surprising that Ireland was in favor of notifying the Member State where the person whose data are sought is residing.
Notifying the Member State of residence of the person whose data are sought would be preferable for several reasons.
Such a solution would find the right balance between the interest of the issuing authority (to access quickly digital evidence in order not to hinder criminal investigations) and the need for adequate safeguards to protect other values. The Member State of residence would be able to exercise its traditional protective functions concerning the human rights of the targeted individual. For instance, the State might act to protect particularly vulnerable groups such as journalists, lawyers, whistle-blowers, political dissidents, etc. Notice to the Member State of residence would also help protect the fundamental interests of the Member State where these persons reside, such as the national security of the Member State of residence (if, for instance, the targeted person is an agent of the receiving Member State), trade secrets (if the target is a business executive) or other essential interests.
Moreover, notice to the Member State of residence would maintain the advantages and efficiency of the “paradigm shift” proposed by the Commission. In the typical case, the investigating/issuing authority seeks data on individuals in residence in the same country. Indeed, a major service provider reported that only 6% of requests for subscriber data received in 2017 targeted individuals outside the investigating country. In 94% of cases, the individual, whose data was requested from a service provider located elsewhere, was in the same country as the investigating authority. This means that the obligation of notification will only exist in a very limited number of cases where more thorough consideration and the involvement of the country of residence9 are actually warranted.
A devil’s advocate could suggest that the choice to notify the enforcing Member State instead of the affected Member State (the State of residence) was made with some unstated desire to reduce the effectiveness of the notification mechanism. The enforcing State has less incentive and ability to object to a problematic EPO, when its residents are not involved and its own interests not affected.
In any case, it could be interesting to raise the question of the liability of the enforcing State if it does not protect effectively the rights of affected States and their residents. In the hypothetical example given above, for instance, what would be the consequences, in terms of liability, for Ireland if it does not object to an order issued by the Polish authorities despite the fact that this order violates German privileges and immunities or the human rights of German residents?
b) Limited grounds for reaction and no real right to object for the notified Member State
Under the Council’s approach, the notified enforcing Member State does not really have the possibility to “object” to the execution of an EPO.
Under traditional MLATs, there are “grounds for refusal,” where the State receiving the request can determine that evidence should not be produced. There are no similar “grounds of refusal” under article 7a. The notified authority “may as soon as possible (and no later than 10 days) inform the issuing authority” of any eventual problems. But the list of what can be flagged is limited. It only concerns situations where the content data requested is (i) protected by immunities and privileges granted under the law of the enforcing State, or where its disclosure (ii) impacts fundamental interests of this enforcing State such as national security and defence, or (iii) affects special legal protections in the enforcing State related to freedom of press and freedom of expression (but not other human rights).
As a consequence, for the example of Ireland receiving a notification from the Polish authorities concerning an EPO targeting a German person residing in Germany, Ireland can only react if its own laws and interests are violated. The Council’s draft does not appear to enable Ireland to flag a potential violation of immunities and privileges granted under the law of Germany, even though the EPO concerns a resident of Germany and possibly affects a fundamental interest of Germany. Under the Council’s draft, Ireland can only react if its own laws and interests are violated.
This limited approach of the Council’s draft seems to fall short of the standards of article 51 of the Charter of Fundamental Rights of the EU which provides that the provisions of the Charter are binding upon Member States “when they are implementing Union law”. Taking into consideration this element and the need for territorial cohesion of the Union, we could consider that Member States have an obligation to respect the Charter in all cases “when they are implementing Union law”. Indeed, in recent years the Court of Justice of the European Union (CJEU) has “started to accept exceptions to the principle of mutual recognition on fundamental rights grounds even in the absence of explicit provisions in secondary law to that effect”.10 This means that the enforcing Member State (Ireland in our example), just like the issuing Member State (Poland in the example), both have an obligation to protect the Charter of Fundamental Rights of the EU. This obligation exists irrespective of the place where the targeted person resides or the explicit provisions of E-Evidence.
In any case, even if the enforcing State flags problematic issues, this does not lead automatically to the withdrawal of the EPO. According to article 7a, the “issuing authority shall take these circumstances into account in the same way as if they were provided for under its national law and shall withdraw or adapt the Order where necessary to give effect to these grounds if the data were not provided yet”. This provision thus leaves some discretion to the issuing State.
c) Notification only for content data
The notification mechanism of Article 7a only concerns content data and not transactional data (or metadata). Recital 35c states that “as opposed to non-content data, content data is of particularly sensitive nature because persons may reveal their thoughts as well as sensitive details of their private life”. The recent case law of the two European Courts, however, seems contrary to this distinction. The Court of Justice of the European Union has ruled in its judgement in Tele2 Sverige that metadata such as traffic data and location data provide the means of “establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications” (para. 99). Similarly, the European Court of Human Rights emphasized in its recent Big Brother Watch et al. judgment that access to communication data (or metadata) could be just as intrusive as access to content data (para. 356). As a consequence, limiting notification to content data and not including transactional data could be problematic.
d) No suspensive effect
Article 7a emphasizes that “the notification shall not have suspensive effect on the obligations” of the service provider to respond to an EPO. This means that, even if the enforcing State eventually has a strong negative reaction, the service provider may already have provided the data to the issuing State. This could happen pretty often in practice11 and render the notification mechanism an empty shell.12 It would be much more protective for the notification to have a suspensive effect for the service provider. The service provider would then be compelled to provide the requested data either immediately after receiving the information by the notified State that there is no problem, or at the expiration of the deadline of 10 days given to the notified State. If, on the other hand, the service provider is informed that the notified State objected to the order, it should logically have the power not to deliver the requested data to the issuing authority.
III. The Power of Service Providers to Challenge the Legality of Orders
Under the Commission’s proposal, service providers possess a variety of options to challenge the legality of EPOs and/or refuse to execute an order in some cases. These options, however, are completely downgraded in the Council’s draft. That draft also introduces strong sanctions if a service provider does not comply with an EPO.
- Under the Commission’s proposal [art. 9(3)], the service provider has an obligation to inform the issuing authority whenever it cannot comply with its obligations because the EPO (i) is incomplete; (ii) contains manifest errors; or (iii) does not contain sufficient information to execute it. This provision is maintained in the Council’s draft.
- Similarly, both texts [art. 9(4)], recognize that the service provider might be unable to comply because of a “de facto impossibility” (for example because the person whose data is sought is not a customer).
- The Commission’s proposal [art. 9(5b) and 14(4f)], provided that the service provider could oppose the execution if it considers that the EPO “manifestly violates the Charter of Fundamental Rights of the European Union or that it is manifestly abusive”.13 This possibility was deleted from the Council’s draft.
- The Commission’s proposal [art. 14(4a)] provided that the service provider may oppose the enforcement of an EPO if the EPO “has not been issued or validated by an issuing authority”. This ground of non-compliance also disappeared from the Council’s draft.
- The Commission’s proposal [art. 14(4b)] provided that the service provider may oppose the enforcement of an EPO if the EPO “has not been issued for an offence provided for” by the Regulation. This possibility was also removed by the Council.
- The Commission’s proposal [art. 15 and 16] provided that the service provider may refuse the execution of an EPO if it considers that compliance with the EPO would be in conflict with the applicable laws of a third country. As will be discussed later (part IV) the Council’s draft maintains this option, but greatly downgrades the review mechanisms by deleting article 15. This means that, contrary to the Commission’s proposal, the service provider might in theory find itself compelled to execute an EPO despite the fact of a conflict of laws with a third country (for instance the US).
- The Commission’s proposal [art. 11(1)] provided that the service provider had a right to provide notice to the client/person whose data is being sought by an EPO unless it is requested not to do so by a “gag order” on behalf of the issuing authority. The Council’s draft entirely reverses the situation by imposing a non-notification by default: service providers “shall only inform the person whose data are being sought if explicitly requested by the issuing authority”.
If this downgrade was not deemed enough, the Council’s draft also introduced a paragraph in article 13, according to which “Member States shall ensure that pecuniary sanctions of up to 2% of the total worldwide annual turnover of the service provider’s preceding financial year can be imposed” in case of a non-compliance. This could have a chilling effect for service providers who might wish to challenge the legality of an EPO. The possibility of large fines would make it very risky for a service provider to bring a “Microsoft Ireland”-style case.
Of course, one could argue that this hypothesis of challenging the legality of EPOs is not really relevant anymore. As seen above, only the skeleton of the initial protective powers conferred to service providers by the Commission’s proposal remains within the Council’s draft. According to the Council’s approach, service providers only exist in order to comply with the EPOs addressed to them by the issuing State (with little, if any control, as we have seen, by any affected State), with but a few exceptions.
This is, indeed, a striking new direction for E-Evidence. Various actors, from LIBE’s E-Evidence Rapporteur Birgit Sippel to Professor Bose’s LIBE-commissioned report, passing through NGOs to the Vice-President of Deutsche Telekom, had criticized the Commission’s proposal about what they called a “reallocation of protective functions” from the States to service providers. Taking into consideration the important review powers conferred to service providers by the Commission’s proposals and, inversely, the almost complete lack of review powers for States other than the issuing State, these and other commentators have questioned the capacity of service providers to “ensure the protection of personal data as efficiently as public authorities are able and obliged to do so”.14
From this point of view, a more effective notification mechanism would have been welcomed both by these actors and by service providers. Such a mechanism would have relieved substantial judicial and financial burden from the shoulders of service providers. Ideally, it is the responsibility of the Member State of residence to exercise its protective functions in order to safeguard not only its own fundamental interests but also the human rights of the persons present within its territory, as required by Human Rights treaties.
Instead, the Council introduced, as we have seen, a limited and pathetic notification mechanism, while at the same time almost completely deleting the powers of service providers to object to E-Evidence requests. Even if a more effective notification mechanism were to be introduced in the future, the service providers should still be able to play at least some role to protect the interests of their clients. Service providers can flag issues that may not be identified or dealt with by the issuing State, the enforcing Member State or the Member State of residence. Indeed, as discussed elsewhere, service providers are in a unique position to understand the data being requested and identify reasons why an EPO is deficient and could contribute to enhancing the protection and safeguards of the whole regime.
In conclusion, some service providers initially hailed the Commission’s E-Evidence proposal as “a positive step forward” that could, if greatly improved, introduce legal certainty in a field where it is desperately needed. All these companies have now thrown in the towel, heavily criticising the Council’s draft. For instance, the Business Software Alliance (a leading advocate for the global software industry) denounced a “disappointing text, clearly in conflict with the European Commission’s initial and promising proposal” while at the same time emphasizing that service providers “need to be able to properly protect [their] customers’ data from abusive production orders”.
IV. Resolution of Conflict of Laws and the Powers of Affected Third States
Resolving conflicts of laws is another important issue, of great interest for instance for the United States. As mentioned earlier, E-Evidence imitates the Cloud Act in permitting a potential extraterritorial reach to EPOs: the issuing authority of a Member State may order a service provider “offering services in the Union” to produce electronic evidence “regardless of the location of data”. To the extent that such EPOs might be addressed to US or other countries’ companies, they might conflict with the laws and blocking statutes of these third States. Similarly, fundamental interests of such third States, including national security and defence interests, trade secrets, or human rights considerations, might militate against disclosure of certain types of data to the issuing Member State.
In the United States, for example, the Stored Communications Act (SCA), in Title II of the Electronic Communications Privacy Act (ECPA), is a blocking statute that prohibits US-based providers from turning over the content of communications to foreign governments.15 Application of E-Evidence might give rise to significant disputes with the United States (or, indeed, any other third State that has similar blocking statutes): E-Evidence would require production of evidence, while the blocking statute would forbid it. To mitigate such risks, the Commission’s proposal introduced an effective mechanism to resolve conflict of laws. However, the Council’s draft significantly downgraded those protections.
1) The Commission’s Proposal: An Effective Mechanism to Resolve Conflicts of Laws
Articles 15 and 16 of the Commission’s proposal provide for two different review procedures in case service providers addressed with an EPO consider that compliance with the European Production Order would be in conflict with the applicable laws of a third country.
Article 15 establishes a “Review procedure” in case of conflicting obligations based on the “protection of fundamental rights of individuals” or “fundamental interests of a third country related to national security or defense”. It provides that, if the addressee considers that such a conflict of laws exists, it shall inform the issuing authority of its reasons for not executing the EPO. If the issuing authority intends to uphold the EPO, it shall request a review by the competent Court within that Member State. If the competent Court finds that there is no conflict (either because the third country’s law does not apply, or because it does not prohibit disclosure of the data requested, or because it manifestly seeks to protect other interests than the ones mentioned above), then the Order will be upheld. If, on the other hand, the Court finds that there is a conflict, it has an obligation to “transmit all relevant factual and legal information as regards the case, including its assessment, to the central authorities in the third country concerned”. The third country is then entitled to object to the Order within a timeframe of a maximum of 50 days, in which case the Court shall lift the Order.
Article 16 establishes a “Review procedure” in case of conflicting obligations based on “other grounds” than the ones mentioned in article 15. The procedure is much different here: the competent Court has no obligation in this case to notify the authorities of the third State of a potential conflict of laws. Furthermore, it has no obligation to dismiss the Order if it concludes that there is such a conflict of laws. Article 16 gives discretion to the Court in this respect, while setting out the factors to be considered in determining whether to uphold or withdraw the Order.
Article 15 thus provides for a review mechanism which allows, should the various conditions be met, affected third States to exercise their protective functions in relation with human rights and/or to protect their own State interests by preventing the execution of an EPO. The possibility for third States to object to the execution of an EPO in case of conflict of laws was a significant departure from the “comity analysis” mechanism introduced by the Cloud Act in the US, for disputes where an executive agreement is in effect. The Cloud Act does not impose an obligation on a US Court to inform the affected third country. Nor does it impose an obligation to lift the order if the US Court finds that such a conflict of laws exists. Instead, the Cloud Act gives discretion to the US Court to modify or quash such an order, taking into account a series of considerations appearing in §2713(h3).
Taking into consideration the capacity of article 15 to prevent conflict of laws, the European Data Protection Board (EDPB), otherwise critical of the Commission’s proposal, welcomed this article as a positive development. The EDPB emphasized that it “deems essential that the proposal provides for the consultation of third-countries authorities, at least where a conflict arises, as well as the obligation to lift the order when a third country’s authority raises an objection”. It called for the improvement of article 15 and a “wider obligation to consult the competent authorities of the concerned third countries in order to ensure that the procedure will more systematically ensure that the arguments of both sides will be taken into consideration and to show even more respect for the laws of third countries” (see here, p. 17-18). The Council, however, set forth changes in the opposite direction of those supported by the EDPB.
2) The Council’s Approach: Downgrade and Transposition of a “Cloud Act”-inspired Comity Analysis
Far from following the EDPB recommendations, the EU Council entirely downgraded the protections appearing in the Commission’s proposals. The Council’s draft deleted article 15 in its entirety and introduced a single article 16 now entitled: “Review procedure in case of conflicting obligations”. In simple words, the Council’s draft made two key changes:
- It substantially reduced the influence that the authorities in the third country can have in the process. The Council’s draft includes no obligation to inform them in case of problem anymore – as was provided for by article 15(5) of the Commission’s proposal. Instead, the new text provides just a possibility for the reviewing Court to “seek information from the competent authority of the third country […] to the extent that such a transmission does not obstruct the relevant criminal proceedings”.
- It deleted the obligation of the competent Court of the issuing country to dismiss the Order if it finds that there is a conflict of laws. The Court of the issuing country henceforth has only discretion to dismiss the Order after weighing a series of relevant factors appearing in article 16.
In other words, the Council’s draft deleted all the enhanced protections appearing in the Commission’s proposal. The Council’s approach instead presents striking similarities with the comity provisions in the Cloud Act. One could hardly imagine, however, that the United States will be happy with this development, with its lesser protections for the laws of third countries. Despite the limited reach of the comity provisions of the Cloud Act, the United States had strong reason to support article 15 in E-Evidence and to be in favor of its conservation and improvement, in order to avoid future conflicts of law and disputes with the EU.
There is some irony in the fact that European countries, after having criticized the extraterritorial reach of the Cloud Act16, now imitate the Cloud Act: the Council’s E-Evidence text has extraterritorial reach and also does a kind of “copy/paste” of the Cloud Act comity provisions, while deleting the special protections provided in the Commission’s proposals. Interestingly, this decision to delete article 15 seems consensual. It seems that, contrary to the other points mentioned above, no Member State objected to this deletion. Only the Commission (Commissioner of Justice Vera Jourova) expressed concern over the deletion of article 15. According to her, Article 15 is an “important provision” in order to protect both service providers (who otherwise will suffer from conflicts of laws situations) and the fundamental rights of European citizens: in a clear allusion to the Cloud Act, Commissioner Jourova explained that article 15 “avoids legitimising similar actions by foreign authorities which might violate fundamental rights of European citizens including data protection”.17
It remains to be seen how developments in the EU Council will affect the future negotiations of a Cloud Act executive agreement between the US and the EU. Perhaps the deletion of article 15 was dictated by the willingness to place the US and the EU on a level playing field concerning these issues during the negotiations. Indeed, any US concerns about the extraterritorial reach of E-Evidence and eventual future conflicts with the SCA blocking statutes have as a mirror European concerns about the extraterritorial reach of Cloud Act and eventual conflicts with the GDPR and blocking statutes in the EU Member States. Mitigating the risks of such conflict of laws on a reciprocal basis will undoubtedly be a major task for the negotiators. For the EU Member States, it appears that enhanced mechanisms for the prevention and resolution of conflicts of laws are an issue for negotiation – not a “gift” that should be granted by E-Evidence.
V. Human Rights Issues
The term “fundamental rights” appears 20 times in the Commission’s proposal (15 in the recitals and 5 in the articles), a number which is brought down to 17 in the Council’s draft (14 in the recitals but only 3 remaining in the articles). It is only logical that such an important draft regulation authorizing direct access to personal data should, as the Council stated in recital 29 of its draft, take “due account of the impact of the measure on the fundamental rights of the person whose data are sought”. However, one could ask if both the Commission’s proposal and the Council’s draft go far enough in the direction of protecting effectively human rights. Indeed, several outstanding issues remain and need consideration and improvement. I will briefly discuss five of the most important issues.
1) Entrusting Human Rights Protection Solely to the Issuing Authority?
The first issue is of primordial importance but has, in reality, already been discussed. The Commission’s proposal and, even more so, the Council’s draft entrust the mission of protecting human rights almost solely to the issuing authority. Recital 46 of the Council’s draft clearly explains that “the responsibility to ensure the legality of the Order, in particular its necessity and proportionality should lie with the issuing authority”. As we have seen, nonetheless, it is doubtful if the issuing State has enough incentives to protect effectively the human rights of persons residing outside its territory18 and, in any case, this creates a lot of practical difficulties, including in relation with remedies and redress mechanisms (see below). The Commission’s proposal gave the possibility to service providers and, under some conditions, to the enforcing State to refuse to execute an EPO on the ground that it “manifestly violates the Charter of Fundamental Rights of the European Union or that it is manifestly abusive”. This possibility has been deleted in the Council’s draft. The notification mechanism in the Council’s draft presents, as we have seen, serious limitations and does not give any practical possibility to the Member State of residence (if other than the issuing and the executing State) to protect the human rights of its population by opposing an EPO.
2) Dual Criminality Principle (and the Idea of a Listing of Crimes)
Both the Commission’s proposal and the Council’s draft abandon the dual criminality principle that was one of the cornerstones of the mutual recognition system in EU criminal law. According to both texts, preservation orders, as well as production orders for subscriber and access data, could be issued for all criminal offences. Production orders for transactional and content data can be issued for all criminal offences punishable in the issuing State by a custodial sentence of at least 3 years. With this, the principle of dual criminality will no longer apply, meaning that orders could be sent for offences that are not deemed criminal in the Member States where the service provider is located.
As the LIBE Committee of the EU Parliament noted (here, p. 6): “bearing in mind the limited amount of harmonisation in criminal law between Member States regarding, on the one hand, the definition of crimes (e.g. definitions of rebellion against the state, limits to freedom of expression, abortion rights, etc.), as well as the respective national rules regarding investigations of these crimes, the proposal goes much further than the current mutual recognition system in EU criminal law”.
The EDPB also called (here, p. 6) for introduction in E-Evidence of the dual criminality principle emphasizing that this “would for instance prevent a State from requiring the help of another one to imprison someone for their political opinions if these opinions are not criminalized in the requested State or to prosecute someone for having aborted if this person is residing in another State where it is not illegal”. Another solution proposed by some Member States was to introduce in E-Evidence a consensual list of serious crimes punished in all Member States and to reserve EPO requests only for investigations concerning such crimes.
3) Notice to Users
Another important element of the discussions concerns procedural rights guarantees that begin with the right of the person whose data is sought, to learn that she/he has been the target of an EPO. As stated above the Council’s draft has a default of non-notification to users, reversing the Commission’s proposal. On the other hand, the Council’s draft includes a very positive development: it fills a gap existing in the initial Commission’s proposal by introducing an obligation for the issuing authority to inform the person whose content or transactional data are sought in all cases.19 This means that the targeted person should always receive a notification, either by the service provider (if explicitly requested to do so by the issuing authority) or by the issuing authority itself.
4) Ne Bis in Idem (multiple prosecutions)
The Council’s draft also constitutes an improvement by introducing a recital 12a according to which “a European Production Order should not be issued, if the issuing Member State has indications that this would be contrary to the ne bis in idem20 principle”. However, nothing appears in this respect in the articles. One could also ask how the issuing Member State will learn that parallel criminal proceedings on the same matter may be ongoing in another Member State. Once again, a notification procedure to the country of residence could make it possible to inform the issuing State that such parallel criminal proceedings have been undertaken in the country of residence, so that the ne bis in idem principle (no multiple prosecutions for the same offense) will be respected.
Both the Commission’s proposal and the Council’s draft provide in article 17 for “effective remedies” for the person whose data was sought. However important problems remain.
Both texts emphasize that “such right to an effective remedy shall be exercised before a court in the issuing State in accordance with its national law and shall include the possibility to challenge the legality of the measure, including its necessity and proportionality” (art. 17(3), emphasis added). This could be highly problematic if the affected person does not reside in this country. If, for instance, the Greek authorities request the data of a Spanish person residing in Spain, this means that the only possible remedy for this Spanish person to challenge the legality of the EPO will be to… travel to Greece and present his/her case before a Greek Court. This is already highly problematic, let alone the fact that the targeted person will have little knowledge of the legal system of the issuing Member State and might be unable to comprehend and communicate in its official language. The introduction of a notification mechanism to the country of residence with the possibility for the latter to object could resolve this problem also: the affected person will be able to challenge the decision of her country of residence not to object to an illegal order violating her human rights and to request reparation without having to engage in costly and highly uncertain judicial procedures in the issuing Member State.
VI. Conclusion: The Way Forward
E-Evidence will not take effect for some time. Recognizing the difficulties that E-Evidence could create for domestic legal orders, article 25 of the Council’s text provides that E-Evidence will not take effect until 24 months after its entry into force. Even if E-Evidence is adopted by the end of 2019, it will not be applicable law before the end of 2021.
In reality, it is doubtful if E-Evidence will be adopted in 2019. The Council of Ministers is eager to see E-Evidence adopted as soon as possible, to gain easier access to evidence of crimes. Even within the Council, however, the strong opposition of several States will make the task more difficult. Moreover, the ball is now entirely in the camp of the EU Parliament which seems far from sharing the Council’s urgency on the matter. While the Council was moving, despite the difficulties and disagreements, like a hare during 2018, the LIBE Committee of the EU Parliament was moving like a tortoise. The committee had: a public hearing on 27 November 2018 highly critical of E-Evidence; a first working document full of questions published on 6 December 2018; an announcement of several working documents to follow on specific issues; and no timeline set for the adoption of the Parliament’s position on E-Evidence.
The LIBE Committee and its Rapporteur Birgit Sippel appear indeed very skeptical about the whole E-Evidence project. They question not only the details but also the very raison d’être and necessity of the whole project. The Rapporteur and several MEPs seem skeptical of the “paradigm shift” (direct access to data) proposed by the Commission and the Council. Instead, they appear to favor improving MLA mechanisms. In particular they wish to assess if a recent new instrument of mutual legal assistance, the European Investigation Order (EIO), could be enough to respond to the needs of LEAs in Europe for cross border access to data.
Taking all this into consideration, the EU Parliament appears unlikely to adopt its position on E-Evidence during its current term. More likely, we will have to wait for the new Parliament, formed after the EU elections of May 2019. Parliament’s position could thus only be adopted in 2020. Only then could trilogue negotiations between the Commission, the Council and the Parliament begin to arrive at a common agreement. With the 24-month delay for implementation of E-Evidence, it appears unlikely for E-Evidence to become binding law before 2022. A striking difference, indeed, with the Cloud Act, which was adopted with the speed of light and almost following no discussion at all by the US Congress as part of the omnibus spending bill…
One could wonder, then, how these delays in the adoption of E-Evidence could influence the negotiation of a “Cloud Act executive agreement” between the US on one hand and the EU and/or its Member States on the other. Concerning the latter, the response seems clear: now that the E-Evidence process is under way and the exclusive competence of the EU on these matters has been affirmed, Member States are not normally entitled to conclude separately a Cloud Act executive agreement with the United States. This means that the only option on the table right now concerns the possibility of a framework agreement between the EU as a whole and the US. Indeed, the EU Commission has been strongly requested by the EU Council to present as soon as possible a negotiation mandate. This should be done on 30 January 2019.21 At the same time, both the EU Council and the Commission have affirmed several times that there is no need to wait for E-Evidence to be adopted in order to negotiate a data sharing agreement with the US. The Commission affirmed its readiness to start negotiating such an agreement immediately after the approval of its mandate, which means that, if there is also willingness from the US side, official negotiations could start very soon.
The issues discussed in this paper give a good hint of the major debates that took place in Europe during the year 2018 during the negotiations concerning E-Evidence. While the logic of the conclusion of bilateral agreements is different, it is to be expected that several of the issues that marked the debates in Europe will re-emerge, in one way or another, during these bilateral negotiations: we could think about prevention and resolution of conflicts of laws; reciprocal protection of sovereign and fundamental interests of the affected States; the question of human rights and effective remedies; the definition of “serious crime” and the eventual introduction either of the dual criminality principle or of a list of “serious crimes”; and several other issues discussed above. One thing is sure: 2019 will be an even busier year than 2018 concerning legal developments in relation with cross border access to criminal evidence!
Theodore Christakis (@TC_IntLaw) is Professor of International Law at the University Grenoble Alpes. He is the Director of the Centre for International Security and European Studies (CESICE) and the Deputy Director of the Grenoble Alpes Data Institute. He is a Member of the Institut Universitaire de France and of the French National Digital Council and a Senior Fellow with the Cross-Border Data Forum. The author would like to thank Karine Bannelier, Jennifer Daskal, Serge Slama and Peter Swire for their useful comments on an earlier version of this article. He would also like to thank Katerina Pitsoli for assisting with research. All errors mine.
1 With the exception of the UK which opted out from E-Evidence.
2 “EU Governments approve draft rules on sharing ‘e-evidence’”, Financial Times, 7 December 2018.
3 A Directive requires enactment of further legislation in each member state to take effect.
4 A Regulation, once in force, applies directly throughout the EU, without the need for further legislation in each member state.
5 Under U.S. law, the Electronic Communications Privacy Act currently bars content held by a U.S. service provider from being disclosed to a non-U.S. government except subject to U.S. law, which generally requires a U.S. judicial order, obtained through a Mutual Legal Assistance Treaty. But see endnote 16 below.
6 The Court of Justice of the European Union (CJEU) has taken the defense of mutual trust in a number of cases, pushing a scholar to observe that “the Court may have become the strongest fortress of defence of mutual trust in spite of the crisis lingering around this concept” (Tomasz Ostropolski, “The CJEU as a Defender of Mutual Trust”, New Journal of European Criminal Law, Vol 6, Issue 2, 2015, at 166). However, the CJEU has also highlighted that mutual trust is not blind. As Sofia Mirandola summed it up: “The framing of limitations to mutual trust, and the ensuing power of the national authority to check compliance with fundamental rights by another Member State, is thus a particularly delicate matter: a balance must be struck between the effectiveness of judicial cooperation and the protection of fundamental rights”.
7 Recital 35 of the draft regulation explains, among other things, that: “Immunities and privileges, which may refer to categories of persons (such as diplomats) or specifically protected relationships (such as lawyer-client privilege), are referred to in other mutual recognition instruments such as the European Investigation Order. Their range and impact differ according to the applicable national law that should be taken into account at the time of issuing the Order, as the issuing authority may only issue the Order if a similar order would be available in a comparable domestic situation. In addition to this basic principle, immunities and privileges which protect access, transactional or content data in the Member State of the service provider should be taken into account as far as possible in the issuing State in the same way as if they were provided for under the national law of the issuing State”.
8 “Enforcement of an EPO” refers to a situation where the service provider does not comply with an EPO. According to article 14 of the draft regulation, in such a case the Member State that issued the EPO transfers the EPO to the State where the service provider is established (“enforcing State”) in order for the latter to take the necessary measures for its enforcement.
9 If the country of residence of the targeted person cannot be determined despite the reasonable efforts of the issuing authority then, of course, there should be no obligation to notify.
10 See for instance the analysis of Sofia Mirandola here.
11 Especially if the “6 hours emergency procedure” is used or, more generally, taking into consideration that the authorities in the issuing State might need more than 10 days (the deadline imposed to the service provider for delivering the requested data) in order to assess the objections submitted by the notified State and to withdraw the order.
12 The remedy introduced in article 12a of the Council’s draft (that in such a case the competent authorities in the issuing State shall ensure during the criminal proceedings for which the Order was issued that these grounds are taken into account in the same way as if they were provided for under their national law) is hardly efficient to deal with this problem.
13 The Commission’s proposal gives in recital 55 the following example: “an Order requesting the production of content data pertaining to an undefined class of people in a geographical area or with no link to concrete criminal proceedings would ignore in a manifest way the conditions for issuing a European Production Order”. This was deleted from the Council’s draft.
14 As mentioned here, in p.7, by the European Data Protection Board which unites all the European Data Protection Authorities.
15 The Cloud Act created the possibility for a foreign government to conclude an “executive agreement” with the USA. Such an executive agreement would lift the blocking statute for requests covered by the agreement. The elimination of the blocking statute, however, is limited to situations where an executive agreement is in force (with no such agreements in force today), and could only concern the data of foreign citizens who reside outside of the US.
16 See, for instance, this position of the French Secretary for Digital Affairs M. Mahjoubi.
17 The intervention of Commissioner Jourova and all the other interventions during the Council’s meeting are available under the E-Evidence tab (below the video) here: https://video.consilium.europa.eu/en/webcast/2e938e2f-a272-420f-81b9-a058d9da74a8#
18 However, as we have also seen, both under E-Evidence and the Charter of Fundamental Rights of the EU, the issuing Member State has a legal obligation to respect the Charter of Fundamental Rights of the EU irrespective of the place where the targeted person resides.
19 Although notice can be delayed in the interest of the investigation.
20 The legal principle of ne bis in idem “restricts the possibility of a defendant being prosecuted repeatedly on the basis of the same offence, act, or facts”. See here.
21 EU Commission’s Vice-President F. Timmermans is due to present, on 30 January 2019, a Recommendation for a Council Decision ‘authorising the opening of negotiations in view of an agreement between the EU and the USA on cross-border access to e-evidence for judicial cooperation in criminal matters’, which will then be discussed in Council.
These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.