Cross-Border Data Forum Bannner

E-Evidence in the EU Council: The Key Issue of When One Member State Can Review the Requests from Another

More than half of all criminal investigations today in Europe include a cross-border request for access to electronic evidence such as text messages, emails or messaging apps. Following an invitation by the Council of the European Union, and after an extensive expert process and consultations with Member States and relevant stakeholders, the EU Commission presented in April 2018 the E-Evidence legislative package which aims to streamline the cooperation with internet and cloud service providers and supply law enforcement and judicial authorities with expeditious tools to obtain e-evidence. The E-Evidence proposal is currently under review by the Council, as well as the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), which has a hearing scheduled for this in November.

Last week, Statewatch released key EU Council documents on E-Evidence negotiations. These documents include Member States comments on E-Evidence and a revised text of the E-Evidence Regulation, presented to delegates by the Austrian Presidency on 19 September 2018, which is based on previous discussions within the Council and which proposes some substantial changes in relation with the Commission’s initial draft.

While this revised text contains several interesting elements, the objective of this article will be to focus on a specific issue which lies at the heart of important controversies between EU Member States. This issue concerns the role that Member States (MS) can play in the process of reviewing a data production Order (EPO – see below) issued by another MS – if they consider that such an Order affects their fundamental interests, privileges and immunities protected by their domestic legal systems or the fundamental rights of their citizens. The revised text circulated by the Austrian Presidency seems to weaken the (already weak) protections provided in this respect by the Commission’s initial draft. This could create complications and enlarge the gap with the LIBE Committee, already skeptical, it seems, in relation to E-Evidence.

This post argues that giving the possibility to affected MS to review a data protection order (EPO) and object to it could be a useful measure for all involved stakeholders. This will permit to maintain some of the important protective functions that MS can exercise under the current mutual legal assistance mechanisms and thus render the “paradigm shift” (direct access to data) proposed by E-Evidence more acceptable. This will also permit to build more robust safeguards for cross border access to data in the EU in the interest of all MS, service providers and the individuals concerned. Such an evolution could be more productive and reassuring than betting in the hypothetical existence of “a high level of mutual trust” among all EU MS as the Council seems to do in the circulated revised draft.

I. Background: The basic tools of E-Evidence

In April 2018, the EU Commission introduced an important legislative package called “E-Evidence”, a kind of a European “Cloud Act” aimed at facilitating access to electronic evidence by European police and judicial authorities. E-Evidence seeks to provide an alternative to existing tools of mutual legal assistance by enabling law enforcement authorities (LEAs) in one MS to preserve and obtain stored data directly from online service providers located in or represented within a second MS.

More specifically, the legislative package contains two texts: a draft Directive and a draft Regulation.

The draft Directive sets forth the necessity for the appointment of a legal representative for every online service provider that is “established” in or has a “substantial connection” to at least one EU Member State. That representative must have the capacity to accept and comply with orders to produce evidence in criminal proceedings from LEAs in any MS.

The draft Regulation refers to four categories of data, namely “subscriber”, “access”, “transactional” and “content” data; the last two benefiting from an enhanced system of conditions and guaranties. The Regulation sets out a comprehensive scheme to facilitate LEAs’ access to these four categories of data through two new legal instruments, the European Production Order (EPO) and the European Preservation Order (EPrO). In the case of an EPO, providers will be compelled, subject to certain exceptions and limitations, to produce the data directly to the issuing Member State authorities within specific time constraints (10 days in regular cases as opposed to just six hours in emergency situations).

II. Conflict of Laws and the Role of the Third State in the EU Commission’s Proposal

Articles 15 and 16 of the draft Regulation provide for two different review procedures in case service providers addressed with an EPO consider that compliance with the European Production Order would be in conflict with the applicable laws of a third country.

Article 15 establishes a “Review procedure” in case of conflicting obligations based on the “protection of fundamental rights of individuals” or “fundamental interests of a third country related to national security or defense”. It provides that, if the addressee considers that such a conflict of laws exists, it shall inform the issuing authority of its reasons for not executing the EPO. If the issuing authority intends to uphold the EPO, it shall request a review by the competent Court within that Member State. If the competent Court finds that there is no conflict (either because the third country’s law does not apply, or because it does not prohibit disclosure of the data requested, or because it manifestly seeks to protect other interests than the ones mentioned above), then the Order will be upheld. If, on the other hand, the Court finds that there is a conflict, it has an obligation to “transmit all relevant factual and legal information as regards the case, including its assessment, to the central authorities in the third country concerned”. The third country is then entitled to object to the Order within a timeframe of a maximum of 35 days, in which case the Court shall lift the Order.

Article 16 establishes a “Review procedure” in case of conflicting obligations based on “other grounds” than the ones mentioned in article 15. The procedure is much different here: the competent Court has no obligation in this case to notify the authorities of the third State of a potential conflict of laws. Furthermore, it has no obligation to dismiss the Order if it concludes that there is such a conflict of laws. Article 16 gives a discretion to the Court in this respect, while setting out the factors to be considered in determining whether to uphold or withdraw the Order.

It is, thus, clear that article 15 provides for a review mechanism which allows, should the several conditions be met, affected third States to exercise their protective functions in relation with human rights and/or to protect their own State interests by preventing the execution of an EPO.
By referring to conflict of laws “of a third country” these two articles do not make a distinction between MS of the EU (other than the issuing authority) and non-EU States. Indeed, this is the only review mechanism provided by the draft Regulation authorising a service provider to challenge an EPO on the basis of a conflict of laws, and during the discussions in the Council several MS read these articles in conjunction with articles 5(7)i , 9ii and 14iii of the draft Regulation. This, however, is a source of confusions. It would be better, we believe, for the final Regulation, to clearly distinguish between situations concerning EU MS only, and situations involving non-EU States. Not only is the logic distinct, but the legal regime in the two set of relations is also different: relations between MS are governed by European Law while relations with non-EU States are governed by International Law. For instance, during its next meeting (11/12 October 2018) the EU Council is set to mandate the EU Commission to negotiate an agreement with the USA on facilitating the access to E-Evidence. Such an agreement could deal directly with the necessary mechanisms to resolve and raise any conflicts of law between the USA on the one hand and the EU and its MS on the other.

As a conclusion, in the following analysis we will only focus on the necessary review mechanisms between EU MS. The ideas that will be presented may or may not be relevant to the legal regime aimed at resolving conflicts of laws with non-EU States, but this is another story.

III. Weakening the Review Procedure in the Revised Draft Submitted to the EU Council

The documents recently published by Statewatch show a clear willingness on behalf of some States to “downgrade” the review procedure in case of a conflict with the laws of a third country, laws that prohibit disclosure of the data in question on the grounds that this is necessary to protect the fundamental interests of this third country or the fundamental rights of the individuals living in this country.

As a matter of fact, the revised text presented by the Presidency to members of the Council on 19 September 2018, which is based on previous discussions within the Council, includes an amendment aiming to delete article 15 from the Commission’s proposal and, instead, to propose a single article (currently 16) on the “Review procedure in case of conflicting obligations”. In simple words, the revised draft would make two key changes:

– It would substantially reduce the influence that the authorities in the third country can have in the process. The revision would create no obligation to inform them in case of problem anymore – as was provided for by article 15(5) of the Commission’s proposal. Instead, the revision would provide just a possibility for the reviewing Court to “seek information from the competent authority of the third country taking into account Directive 2016/680, in particular its Chapter V and to the extent that such the transmission does not obstruct the relevant criminal proceedings”.

– It would delete the obligation [15(6) of the Commission’s proposal] of the competent Court of the issuing country to dismiss the Order if the central authorities in the third country object on the basis of an existing conflict of laws. The Court of the issuing country instead would simply have discretion to dismiss the Order after weighing all relevant factors.

In other words, the original proposal would allow, should some conditions be met, affected third States to exercise their protective functions in relation with human rights and/or to protect their own state interests by objecting to the execution of an EPO. The new proposal basically eliminates this power of third States.

Considering this along with the rest of the draft Regulation, it can be understood that:

– The authorities of the issuing State will be the only ones to decide whether there is or not a conflict of laws involving the protection of fundamental rights of the individuals concerned or the fundamental interests of the other MS related to national security or defence;

– There will be no obligation of notification to the other MS concerned;

– The judicial authorities in the MS affected will not be involved in any way in the process;

– The authorities of the affected MS will not, in principle, be able to object to the execution of an EPO in order to protect the human rights of their citizens or their own fundamental interests. The only exception to this is one possibility provided exclusively to the MS where the addressee of the EPO is established and to which the EPO is transmitted for enforcement: Article 14(2) of the draft Regulation gives the possibility to such a MS to refuse to enforce an EPO if it considers “that the data concerned is protected by an immunity or privilege under its national law or its disclosure may impact its fundamental interests such as national security and defence”. But, beyond the fact that this mechanism only intervenes at the late stage of enforcement of an EPO, it has other limits including that it can only be used if the addressee does not comply with the Order. This means that if the addressee decides, for one reason or another, to comply with an Order affecting the fundamental interests of another MS or the fundamental rights of its citizens, the affected MS might not even be made aware of that fact, let alone be able to object.

In a policy document distributed to the Council’s members, the Austrian Presidency explains that:

Given the specific operational needs and technical aspects related to the access to e-evidence, many Member States welcomed the proposed development, underlining the need for an efficient and expeditious practical solution that is based on mutual trust”. (emphasis added).

In the remainder of this article, nonetheless, we will argue that the “mutual trust” argument should not be considered enough to exclude the involvement of a MS other than the issuing State in the process of reviewing an EPO.

IV. Why this is Problematic

The revised draft text of the EU Council, which almost entirely excludes MS other than the issuing State from the reviewing process (with the exception of article 14(2)), is problematic from several points of view.

The draft Regulation builds on the principle of mutual recognition (Article 82(1) of the Treaty on the Functioning of the European Union – TFEU) and, as mentioned in the 11th recital of the draft, “can only work on the basis of a high level of mutual trust between the Member States”. However, mutual trust does not mean blind trust. Mutual trust is just an ideal, an objective to attain between MS, and cannot be interpreted as giving a carte blanche to the authorities of the issuing State, while simultaneously excluding any reviews by the affected MS. Here are 7 reasons why:

1)  First, it must be highlighted that Article 89 TFEU acknowledges that there should be “conditions and limitations under which the competent authorities of the Member States referred to in Articles 82 and 87 may operate in the territory of another Member State” and that any extraterritorial action should be undertaken “in liaison and in agreement with the authorities of that State”. This advocates in favor of a capacity of the authorities of the affected MS to review EPOs and to have the power to object to it.

2)  Second, other similar instruments based upon the principle of mutual recognition do not hesitate to recognize that States other than the issuing State have a say in the matter. A characteristic example is that of the European Investigation Order (EIO) Directive, which provides for several grounds of refusal at the disposal of the Member States that recognize and execute an EIO.

3)  Third, while the logic of the draft regulation and the Council’s revised text seem to be based on the necessity to have European-wide uniform standards regarding when data can be accessed, this is just an objective to be attained, not a reflection of the reality. The European Economic and Social Committee (EESC) recently pointed out that “there are often different answers at national level to questions relating to the conditions for access to data during criminal proceedings and who decides on this access”. It could, thus, be logical to allow the affected MS to review an EPO, in order to assure that its execution will not violate their domestic legal requirements.

4)  Fourth, the principle of mutual recognition of judgments and judicial decisions (art. 82 TFEU) does not prohibit allowing affected MS to review (and even to oppose) an EPO issued by another MS in order to protect their own fundamental interests and the fundamental rights of their citizens and residents.

5)  Fifth, as stated above, the exception provided by Article 14(2) is not sufficient in this respect, as it intervenes at far too late a stage and only in cases where the service provider refuses to comply with an EPO.

6) Sixth, even if “a high level of mutual trust” existed today between EU MS (which does not seem to be the case as we will see below), this would still not be enough in order for the issuing State to effectively protect the fundamental interests of other MS, the immunities and privileges existing in their legal systems or the fundamental human rights of their citizens in an adequate manner. Indeed, it is rather logical to fear that the authorities of the issuing State (and its competent Courts under the review mechanism of article 16) will prioritize the interests of the issuing State over any foreign interests. If, for example, the judicial authorities of the issuing State consider that access to data stored in another MS is critical in order to resolve an important criminal case (for example related to terrorism) directly affecting the national security or public order of the issuing State, to what extent would the existence of a conflict of laws with another MS revealed during the review mechanism of article 16 be enough to convince them to dismiss the Order?

7)  Last, but not least, it must be highlighted that behind the illusion of existence of “a high level of mutual trust between the MS”, the reality is a mounting concern regarding the human rights record of some MS. In July, the European Commission launched legal action against the Polish government over allegations that the changes regarding the way judges are appointed in the country undermine the independence of its Courts. A few weeks ago, the EU Parliament asked EU MS to determine, in accordance with Treaty Article 7, whether Hungary is at risk of breaching the EU´s founding values. In this context it is only logical to believe that MS will seek to maintain their protective functions considering that their own domestic systems offer more human rights safeguards than those of some other MS issuing EPOs.

It is, therefore, rather clear that the principle of “mutual recognition” is not synonymous to “blind trust” and does not “give a carte blanche” to the issuing MS. By significantly weakening the review procedure and the role of the third MS in this review, the revised draft presented by the Presidency follows the wrong direction.

Indeed, several States like Germany, Finland and Sweden had expressed, in their written comments, also published by Statewatch, their great concerns even in relation to the original (more protective) EU Commission proposal, strongly requesting an enhanced role for the authorities of the MS of the service provider. According to Finland, “it would indeed seem reasonable that these authorities are notified of the order at the same time when the order is sent to the provider”, adding that “the national authorities of the member state of the service provider should, after having carefully assessed the notification, be able to reject the order if, for example, the order concerns a measure that would not be available in a similar national case or if the execution of the order would be against the fundamental principles of that Member State”.

The revised draft also seems to follow the opposite direction from the recommendations of a Study commissioned by the European Parliament’s LIBE Committee and carried out by Martin Böse, Professor of Criminal Law, Criminal Procedure and International and European Criminal Law at the University of Bonn. In this study, published a few days ago, Prof. Martin Böse heavily criticises the “re-allocation of protective functions” in favour of the issuing State and recommends to significantly strengthen – not weaken – the role of the enforcing MS.

It is also to be expected that the draft, as it now stands, will cause reactions within the European Parliament’s LIBE Committee enlarging (instead of narrowing) the gap that seems to exist between the Council and the Parliament on the issue of E-Evidence. It is no secret that Birgit Sippel, a German social democrat MEP who is the rapporteur for E-Evidence, as well as some other MEPs, have already expressed their scepticism towards the initial draft regulation and the lack of oversight by the receiving Member’s State judiciary. If only the Council could move towards the direction of enhancing (instead of weakening) the protections and safeguards for MS and individuals alike of the initial proposal, this could help move towards the direction of a compromise and speed-up progress on the adoption of E-Evidence.

V. Conclusion: Following Germany’s, Finland’s and Sweden’s good proposals?

In a note circulated to members on 26 September 2018, the Austrian Presidency highlights that some delegations “voiced various concerns and suggested introducing an obligation to provide an opportunity for another Member State to assess the order and object to it, via a notification procedure”. The Presidency notes that “two different solutions for such a notification procedure were extensively discussed among experts: notification to the Member State of the service provider or its legal representative; or notification to the Member State of the person whose data were sought”.

The Presidency continues by emphasizing that “as this issue underpins the essence of the proposal, it should be clarified for the smooth progress of the negotiations”. It asks States to decide if they wish to “confirm the approach as set out in the draft Regulation” or “to modify that approach by introducing a notification system”, in which case they should decide “which State should be notified (the enforcing State or the State of the affected person )”. The Presidency concludes that: “Given the progress made so far and with a view to ensure a timely conclusion of the negotiations by December, the Presidency invites Ministers to consider as a compromise a solution where the notification is provided for information to the authorities of the respective Member State”.

The author of this article considers that this “proposal of a compromise” does not go far enough: while an automatic notification to the competent authority in the affected MS, which should take place no later than the sending of the EPO to the provider, would be a welcome evolution in relation to the existing draft, such a notification requirement should be followed by the possibility given to the MS’s competent authority to not only review the EPO, but also to object to it.

Germany, Finland and Sweden presented, within their comments, very useful proposals in this regard, explaining that the eventual objection should take place during a short deadline available for the review, and should be justified by a conflict of the EPO “with the Charter of Fundamental Rights of the European Union, rules regarding immunities or privileges, or [with] fundamental rights such as freedom of the press and expression in other media in the enforcing Member State”. They also added (see Germany’s comments) that “the procedure envisaged in Article 15 of the Regulation could be simplified by having potential conflicting obligations directly reviewed by the competent authority of the affected Member State”. And they concluded that, in their view, “as this procedure would run alongside with the ordinary one, it would not affect the effectiveness of the instrument”.

The author agrees with this approach. It is, indeed, to be expected that such an evolution could, as Sweden noted, “generate efficiency gains for all stakeholders involved”: “Costly, time consuming and legally complex assessment responsibilities would be lifted from the service providers and allow the issuing authority to correct or reconsider the order with the help of the enforcing authority, long before the enforcement phase”. States will maintain their protective functions existing within classical Mutual Legal Assistance mechanisms, while achieving the objective of providing quick, effective and direct cross border access to data. NGOs will be reassured by the fact that MS will still exercise their responsibility of effectively protecting fundamental human rights within their territories. Individuals will have more protection as they will be able to challenge both the decisions of the authorities of the issuing MS and the decisions (express or tacit approval of the EPO) of the authorities of the affected MS. In addition, as Sweden observed, “this tandem – or parallel – procedure would simplify the work of the enforcement authorities if the same order is subject to the enforcement procedure at a later stage”.

Theodore Christakis is Professor of International Law at the University Grenoble Alpes. He is the Director of the Centre for International Security and European Studies (CESICE) and the Deputy Director of the Grenoble Alpes Data Institute. He is a Member of the Institut Universitaire de France and of the French National Digital Council and a Senior Fellow with the Cross-Border Data Forum. The author would like to thank Peter Swire for his comments on an earlier version of this article. He would also like to thank Katerina Pitsoli for assisting with research. All errors mine.

i Article 5(7) states that if the issuing authority has reasons to believe that transactional or content data requested is protected by immunities and privileges granted under the law of the MS where the service provider is addressed, or its disclosure may impact fundamental interests of that MS such as national security and defence, the issuing authority has to seek clarification before issuing the EPO and not issue the EPO if it concludes that such a situation effectively exists.

ii Article 9 explains in which exceptional circumstances the addressee can refuse to execute an EPO. Relevant to the subject matter of this paper, Article 9(5b) of the EU Commission’s original draft gives the possibility to the addressee to object to the execution of an EPO and inform the competent enforcement authority in the MS of the addressee “in case the addressee considers that the [EPO] cannot be executed because based on the sole information contained in the [EPO] it is apparent that it manifestly violates the Charter of Fundamental Rights of the European Union or that it is manifestly abusive”. Interestingly, here again, the revised text of the E-Evidence Regulation, presented to delegates by the Austrian Presidency on 19 September 2018, deletes this article.

iii Article 14(2) provides that, in case the addressee does not comply with an EPO and upon receipt of an execution request, the competent authority in the enforcing MS “shall without further formalities recognise an EPO”, unless it considers that the addressee had a valid ground to oppose the enforcement “or that the data concerned is protected by an immunity or privilege under its national law or its disclosure may impact its fundamental interests such as national security and defence”.

iv The Austrian Presidency does not explain if the term “the State of the affected person” refers to the State of nationality of the affected person or the State where the person targeted is residing.

These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.