
Lost in Notification? Protective Logic as Compared to Efficiency in the European Parliament’s E-Evidence Draft Report

1)  Setting the Scene

a) Time accelerated for E-Evidence

2020 should be an important year for E-Evidence in the European Union (EU).

Taking into consideration the significant legal challenges from the globalization of criminal evidence and considering that traditional instruments for cross-border cooperation such as Mutual Legal Assistance Treaties (MLAT) are too slow and cumbersome, the European Commission proposed, on 17 April 2018, “E-Evidence”, a legislative package that basically constitutes the European equivalent of the Cloud Act and aims, in a similar way, to streamline cooperation with service providers and supply law enforcement and judicial authorities with expeditious tools to obtain e-evidence, while also ensuring protection of fundamental rights.

Despite difficult negotiations among EU Member States, the EU Council of Ministers succeeded in adopting on December 7, 2018 its “general approach” on E-Evidence.[1]

Since then, the ball has been in the European Parliament’s court. The Civil Liberties, Justice and Home Affairs (LIBE) Committee of the European Parliament spent most of 2019 drafting seven working documents on the topic. On 8 November 2019, however, an important development took place: the LIBE Committee’s Rapporteur MEP Birgit Sippel released her draft Report on the E-Evidence draft Regulation. This Report (hereafter: “Sippel’s Report”), as well as the amendments proposed by the different political groups, are due to be discussed in LIBE starting on January 9, 2020. A full plenary vote of the European Parliament could take place in the following weeks. This will open the way for the next steps of the EU legislative procedure (described for instance here and here and here) which should ultimately lead to a compromise between the EU institutions.

 

b) 267 amendments (and lots of tensions)

Things will not be easy, nonetheless.

Already in 2018, the publication of the Council’s “general approach” on E-Evidence led to a storm of reactions by NGOs, the industry, members of the European Parliament (MEPs) and at least seven EU States, including Germany, who opposed the Council’s draft. The Netherlands, for instance, denounced the Council’s text for being adopted “too fast” and stated that it “opened the way for abuse by EU countries that lack sufficient guarantees over the rule of law and fundamental rights”.[2] In an article published with the Cross-Border Data Forum a year ago and entitled E-Evidence in a Nutshell: Developments in 2018, Relations with the Cloud Act and the Bumpy Road Ahead, I presented an overview of the major features of the Council’s draft and the principal points of contention.

Sippel’s Report constitutes a huge departure from both the Council’s general approach and from the initial Commission’s proposal. It presents… 267 amendments to the Commission’s proposal aiming to modify not only every single article in the Commission’s and the Council’s drafts, but also some important mechanisms and pillars of these drafts.

While this time the NGOs’ and the industry’s first reactions have been generally positive, as we will see later, Sippel’s Report has provoked a strong reaction by the Commission which led to an unusual institutional confrontation within the EU. More precisely, the Commission was accused of circulating to a selective list of stakeholders and MEPs (but not to the E-Evidence Rapporteur herself) a Non-Paper highly critical of Sippel’s Report and claiming that the amendments suggested by the Rapporteur will have a major impact on the efficiency of E-Evidence. This, in turn, led to a strong reaction by the chairman of the Parliament’s LIBE Committee, Juan Fernando López Aguilar, and Birgit Sippel herself, who wrote to Justice Commissioner Věra Jourová to complain about the Commission’s Non-Paper: “From an EU institutional point of view, such a practice by the Commission … raises serious questions as to the principle of sincere cooperation between the institutions,” their letter read. They also protested about the lack of transparency on the Commission’s side and the inclusion in the Non-Paper of factual errors about the content of Sippel’s Report.[3] Following this, the Rapporteur also addressed a letter to her MEP colleagues intending to “clarify” the “misunderstandings” appearing in the Non-Paper and to defend the efficiency of her approach.

 

c) Objectives of this paper and outline

The objective of this paper will be to present the major features and mechanisms of Sippel’s Report and to enquire into the extent to which the legal regime proposed by the Rapporteur could strike the right balance between necessary protections and efficiency.

Along with other scholars, I believe that a “good” legal regime of access to E-Evidence should meet cumulatively the four following requirements:

    1. Fulfill legitimate law enforcement requests for data necessary to the investigation of serious crimes through mechanisms which are not too burdensome or time-consuming;
    2. Protect and promote privacy and human rights as essential to new legal approaches including through the introduction of all necessary checks and balances against risks of abuse;
    3. Provide a workable regime for the companies holding data of interest to law enforcement, including the smallest ones, while giving them the possibility to protect their customers and users against erroneous or abusive orders;
    4. Safeguard the Internet by resisting calls to localize data and splinter the Internet.[4]

As will be shown in the remainder of this paper, there is no doubt that Sippel’s Report adequately fulfils objectives (2), (3), and (4). But what about objective (1)? The Commission has strongly challenged the efficiency of Sippel’s proposals – and, especially, the double notification mechanism which lies at the core of the logic of Sippel’s protective regime. The Rapporteur defended her proposal claiming that strong protections can be compatible with the quest for efficiency.

This paper will try to assess the extent to which each is right. Part 2 will present in a general way the basic features of Sippel’s Report and will show the big divergences between her approach and the approaches of the Commission or the Council. The two following parts will then focus on the major strategic mechanisms suggested by Sippel, namely notification to the “affected State” (Part 3) and notification to the “executing State” (Part 4). For each one of them we will apply the protection v. efficiency test based on the four criteria presented above.

 

2)  Basic features of Sippel’s Report

In order to understand the gap between Sippel’s Report, the Commission’s initial proposal and the Council’s general approach it is useful to present here very briefly a few major amendments suggested by the LIBE Rapporteur.

    1. Generally speaking, the Report takes into consideration all the criticisms addressed to the Council’s and the Commission’s drafts and proposes major changes. It adopts a highly protective approach by introducing important checks and balances against the risks of abuse of fundamental rights.
    2. It introduces a meaningful notification mechanism permitting EU Member States to exercise their traditional protective functions and ensure the respect of fundamental rights on their territory. The Report provides for notification to both the “executing State” (i.e. the State of the service provider) and the State of residence (“affected State”), when the latter is known to be different from the “issuing” and the “executing” State.
    3. The Notification mechanism is not toothless anymore (as in the Council’s version – see infra 3(c)). The executing State can object with several grounds of refusal available, including protection of human rights, privileges and immunities.
    4. The Report is not founded on ‘absolute’ mutual trust (as the Commission’s version is) but on the idea that efficiency arguments should not override the need to protect fundamental rights. It claims, nonetheless, that efficiency will not be significantly affected because the timeframe proposed by the Commission can be respected with much stronger safeguards if each actor plays its own role.
    5. Statistics are not always relevant, but it is interesting to note that the Report mentions Human Rights 31 times – up from 17 in the Council’s draft. The meaningful notification system is presented as a huge step forward in ensuring that the rights of affected persons are guaranteed by the executing State and, where applicable, the affected State. Other amendments include:
      • Notice-by-default for persons targeted by orders issued under the Regulation (unless there is a non-disclosure order validated by a court to avoid jeopardizing the specified investigation). This is in contrast with the downgrade operated by the Council and the lacuna in the Commission’s draft discussed here.
      • A rejection of the new data categories introduced by the Commission (“access” and “transactional” data) and return to what is presented as “clear data categories (based on existing EU and national legislation and in line with CJEU case law)”,[5] namely: “subscriber”, “traffic” and “content” data.
      • Due regard for issues such as respect of ne bis in idem principle, dual criminality considerations, privileges and immunities, including protections for medical and legal professions, freedom of press and freedom of expression.
      • Limitations to the use of data obtained, including rules on (in)admissibility of evidence & erasure of data obtained in breach of Regulation.
      • Much greater concern for effective legal remedies not only in the issuing but also in the executing State in accordance with national law, including the possibility to challenge the legality of the order.
    6. The Report proposes a more appropriate role for service providers. The logic is that the responsibility of protecting human rights should not be shifted from States to service providers, but the Report recognizes that the latter may be able to provide critical information relevant to the assessment of the necessity and proportionality of orders as long as they are not solely responsible for this process.
    7. While logically providing for sanctions if service providers do not cooperate, the Report abandons the hugely punitive sanctions of the Council (“2% yearly turnover”) which could have a chilling effect on providers’ incentive to challenge abusive orders.
    8. The Report also introduces an immunity from liability provision for service providers for any consequences resulting from compliance with a European Production Order (EPO), subject to other data protection obligations.
    9. The Report seems to partially resolve a concern raised by service providers, academics and others, regarding when an EPO should be used instead of domestic procedures. Both the Commission and Council’s approaches created uncertainty and raised the possibility that member states could resort to use of domestic measures, potentially in cross-border scenarios, but Sippel’s Report seems to clarify that Union measures should always be used in cross-border scenarios. Service providers have expressed concern that, without clarifying language, the Commission and Council’s approach would have created a backdoor, allowing member states the opportunity to simply ignore the E-evidence legislation altogether and use domestic measures which could lead to fragmentation and conflicts of law. Sippel’s amendment 83 would delete language preserving use of a domestic backdoor (“without prejudice to the powers of national authorities to compel service providers established or represented on their territory to comply with similar national measures”). However, there is no affirmative requirement that would require Member States to use the E-Evidence mechanisms over national measures in cross-border cases.
    10. On conflict of laws, interestingly, the Report does not go back to the elaborated mechanism proposed by the Commission and abandoned by the Council (explained here) but provides for a reasonable mechanism based on the appreciation of both the issuing and the executing State’s authorities.
    11. A major amendment is that the Report proposes to merge the two instruments proposed by the Commission (a Regulation and a Directive) into a single one. The Rapporteur advances several arguments to justify this, including the concern that by introducing a separate Directive (which will oblige service providers to designate a legal representative in the Union) the Commission might have the hidden intention to “also use it for other future instruments”. “In that regard”, argues the Rapporteur, “the proposed Directive overreaches its goal and raises serious issues with its legal basis, namely the Articles 53 and 62 TFEU”.[6]

Several of these basic features have been challenged by the European Commission.

    • For instance, the Commission strongly opposed the suggested suppression of the proposed Directive, considering that this would deprive the whole E-Evidence package of its added value, especially as far as third country service providers are concerned. The Commission emphasized that the legal basis for the Regulation (Art. 82(1) TFEU) cannot be used to compel service providers from third States to designate a legal representative in the Union. As a result, a different legal instrument, with a different legal basis, is necessary.
    • Similarly, the Commission insisted that its proposed new category of “access data” (as opposed to traffic or transactional data) is extremely important in order to enable law enforcement authorities (LEAs) to identify the subscriber of a service at the early stages of the investigation – and should thus not be deleted as suggested by the Rapporteur.

Moreover, some other amendments appearing in Sippel’s Report might appear problematic for law enforcement:

    • First, Sippel’s report provides that European Production Orders requiring production of content or “traffic” data (which includes the “access” data category introduced by the Commission) “may only be issued for criminal offenses punishable in the issuing State by a custodial sentence of a maximum of at least 5 years”. This is 2 years more than the threshold in the Commission’s and Council’s drafts (“3 years”) and means that, for these categories of data, EPOs can only be issued for the most serious crimes.[7]
    • A second example is that Sippel’s Report extends the timeline for application of the draft Regulation from six months after its entry into force (provided in the Commission’s proposal) to three years. This means that, in the best case, E-Evidence will not be applicable until the end of 2023. While it makes a lot of sense to provide for the necessary time in order to implement a new and complex system such as E-Evidence (the Council itself proposed a deadline of 24 months in its general approach), three years might appear too long for law enforcement. This, in turn, raises the risk that some Member States might in the meantime enact national laws to enable access of their law enforcement authorities to e-evidence (through extraterritorial or data-localisation measures), leading to fragmentation and unwelcome complications.

Leaving aside these particular considerations, as well as some other issues raised by the Report, which should be rather easily fixed during the discussions, the remaining parts of this paper will focus on what is by far the most important protective mechanism appearing in Sippel’s Report, namely the double notification requirement (notice to both the executing and “affected state”).

 

3)  Notification to the Affected State: Applying the Protection v. Efficiency Test

a) A big novelty: notification to the “affected State”

The major single improvement introduced by Sippel’s Report is undoubtedly the introduction of the concept of the “affected State” defined as:

“the Member State of permanent residence of the affected person, where the identity of that person is already known to the issuing authority and where the State of permanent residence of the person is neither the issuing nor the executing State”.[8]

The Report provides that, “where it is clear that the person whose data is sought is residing neither in the issuing State nor the executing State”, the issuing State has an obligation to address the EPO[9] to the authorities of the affected State simultaneously with its transmittal to the service provider (and the executing State, as we will see in Part 4 below). If the affected State considers that there is a problem with the EPO (for instance violation of immunities or privileges under its domestic law or violation of the human rights of the data subject), it will not have the possibility to “object” as such to the EPO, but can inform the authorities of the executing State. The latter, in turn, will have the possibility to object to the execution of the EPO based on the problem of lawfulness raised by the affected State.

To understand the importance of this novelty, one has to go back to the drafts proposed by the Commission and the Council.

 

b) The absence of any kind of notification in the Commission’s proposal

The Commission’s Proposal completely ignored the country of residence of the data subject. It also declined to introduce any kind of mechanism of automatic notification, reserving only a limited role of review for the enforcing Member State (i.e. the Member State where the service provider is established). Two mechanisms appear in the Commission’s proposal:

    • A possible consultation at the time of issuing the order. Article 5(7) provides that the issuing authority “has to seek clarification” before issuing an EPO, “including by consulting the competent authorities of the Member State [where the service provider is established]” if it has reason to believe that: (i) transactional or content data requested is protected by immunities and privileges granted under the law of the Member State where the service provider is addressed, or (ii) its disclosure may impact fundamental interests of that Member State such as national security and defence.
    • A possible refusal to enforce the EPO by the enforcing Member State. Article 14(2) allows the Member State where the service provider is established to refuse to enforce an EPO if it considers “that the data concerned is protected by an immunity or privilege under its national law or its disclosure may impact its fundamental interests such as national security and defence”. However, this mechanism only intervenes at the later stage of enforcement of an EPO. It also has other limits, notably that it can only be used if the service provider refuses to comply with the Order. If the service provider complies with an Order, the enforcing Member State might not even be made aware of the EPO, let alone be able to object.


c) The Council’s approach: a toothless notification to the enforcing Member State (not the affected Member State)

During the debates in the Council of the EU several States requested to go beyond these proposals of the Commission and to introduce a notification mechanism to other Member States concerned by a European Production Order. This led to “a big divergence of opinions” among EU Member States which I discussed in a previous article where I argued in favour of a notification mechanism and explained why such notification should be given to the affected State rather than the enforcing Member State (where the service provider is established). While the Council finally introduced a notification mechanism, the result was pretty much disappointing. As I explained in detail in another article, the Council’s notification mechanism is limited and toothless and was coupled with a downgrade of safeguards and oversight measures initially appearing in the Commission’s proposals. Indeed, according to the Council:

    • Notification should only be given to the enforcing Member State;
    • Notification should only be given when the issuing authority “has reasonable grounds to believe that the person whose data are sought is not residing on its own territory”;
    • Notification should only be given when the EPO concerns content data and not transactional data (or metadata);
    • The notification “shall not have suspensive effect on the obligations” of the service provider to respond to an EPO. This means that, even if the enforcing State eventually has a strong negative reaction, the service provider may already have provided the data to the issuing State.

 

d) Notification to the “affected State” is highly protective

Notifying the Member State of residence of the person whose data are sought, as proposed by Sippel’s Report, is much more protective than the mechanisms proposed in the Commission’s and the Council’s draft.

    1. First, the Member State of residence would be able to exercise its traditional protective functions concerning the human rights of the targeted individual. It should be recalled that, under Human Rights treaties, each State has not only a right, but also an obligation “to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognized in [these treaties], without distinction of any kind” (see, for instance, art. 2 of the ICCPR). If the country of residence is not even aware (as in the Commission’s or the Council’s draft) of the fact that a foreign government interferes with the right to privacy (or other human rights) of the persons residing on its territory, it will be unable to exercise its traditional protective functions. For instance, the State might act to protect particularly vulnerable groups such as journalists, lawyers, whistle-blowers, political dissidents, etc. when it considers that an EPO targeting such persons is abusive or otherwise problematic from a human rights point of view.
    2. Moreover, such a notification mechanism facilitates the introduction and implementation in E-Evidence of the dual criminality principle, strongly requested by authorities such as the European Data Protection Board (see here, pp. 6-8): the Member State of residence could raise objections if the EPO relates to acts that are not considered as an offence under its national law.
    3. Notice to the Member State of residence would also help protect the sovereign prerogatives and fundamental interests of the Member State where these persons reside, such as the national security of the Member State of residence (if, for instance, the targeted person is an agent of the receiving Member State), trade secrets (if the target is a business executive) or other essential interests.
    4. The affected State will have much more powerful incentives to proceed to such a control than the enforcing State. If, for instance, Poland or Hungary request the content data of a German person residing in Germany, it could be rather strange to provide notification only to Ireland (as proposed by the Council) just because the service provider (for instance Facebook or Google) is established in Ireland. Germany would have, in such a case, a much stronger interest and motivation in reviewing the EPO in order to assess if it conflicts with the fundamental rights of its residents or privileges and immunities and fundamental State interests protected by its domestic law. Ireland would have less interest in doing so.
    5. The greatest merit of Sippel’s proposed mechanism of notification to the affected State is to bring the targeted individual back into the equation. All persons have a legitimate expectation that the country where they reside will protect their human rights. The protection offered by the country of residence will make it possible to avoid violations of human rights for which remedies do not always seem very effective or satisfactory. It should be recalled that, under the Commission’s proposal, individuals must pursue remedies before the courts in the issuing state, even if they are located in another state (Art. 17).[10] This means that, for instance, in the example mentioned above, if Germany is unable to exercise its protective functions, the German person’s only remedy will be to go to the foreign issuing State’s tribunals in order to challenge the legality of the EPO.
    6. In an ideal system of notification the affected State should have the possibility to object to an abusive or unlawful EPO. This is not the case in Sippel’s Report which is nonetheless based on another protective logic: Sippel’s idea is that, normally, the executing State, once informed about a problem by the affected State, should object on its behalf. It might be better and clearer nonetheless to give directly to the affected State the possibility to object, instead of channeling such objections through the executing State.

 

e) What about efficiency?

It is clear from the above that the notification to the affected State will greatly enhance the human rights and other protections of E-Evidence. The Commission, nonetheless, challenged this proposal claiming that it would be too burdensome. This claim could be wrong as the mechanism of notification to the affected State should be able to pass the protection v. efficiency test proposed in Part 1 of this article. Here is why:

    1. Let’s emphasize from the outset that the notification to the affected State should only concern the forms of data that are most intrusive for human rights, namely content and transactional data (to use the Commission’s categories). It would be an error to introduce into the notification regime subscriber or access data, as the Rapporteur seems to suggest.
    2. If this is accepted, notice to the affected State will introduce huge safeguards while maintaining the advantages and efficiency of the “paradigm shift” proposed by the Commission and this for the following reasons:
      1. First, notification of the affected State, where applicable, would remain entirely inside the timeframe proposed by the Commission and the Council. The service provider will still have the obligation to provide the requested content and transactional data within the 10-day time limit (or 6 hours in cases of emergency – 24h in Sippel’s report): both the executing and the affected State are considered to have given a tacit consent if they do not object during these timeframes.
      2. Interestingly, the timeframes of the procedure could even be accelerated in Sippel’s proposal, in comparison with the Commission’s or the Council’s drafts. Indeed, if the executing and the affected State consent earlier than the 10-day time limit, the service provider will be able to provide the data immediately to the issuing State.
      3. Efficiency is affected much less than commonly assumed, because in most cases the investigating/issuing authority seeks data on its own residents. According to a major service provider,[11] in more than 93% of cases, the individual whose data was requested was in the same country as the investigating authority.[12] Conversely, only around 7% of law enforcement requests involve targets located in a different Member State. In contrast to a Mutual Legal Assistance Treaty request, which requires notice to a different country in 100% of cases, the “affected state” provision would apply in less than 7% of cases.
    3. The “impossibility” arguments raised by the Commission do not seem convincing either. Service providers usually can locate the “affected State”, using a series of techniques such as geolocation, IP addresses, subscriber data, etc. They could help the issuing authority in this respect and this will allow them to better protect their customers and users. If the country of residence of the targeted person cannot be determined despite the reasonable efforts of the issuing authority or service provider, then there would be no obligation to notify. This is clear in amendments 48 and 130 of Sippel’s Report.
    4. By far the most important argument of the Commission seems to be that “notification to the affected State will go far beyond what exists under current mutual recognition and legal assistance instruments”. Let’s discuss it more in detail:
      1. Of course, the Commission is right that current MLA mechanisms do not provide as such for “notification to the affected State”. But this argument must be nuanced in the light of how exactly MLA protections traditionally work.
      2. Let’s recall first that in the traditional MLA systems, human rights and other sovereign interests are protected through a series of “grounds for refusal of assistance” available for the executing State receiving an MLA request. Article 11 of the 2014 European Investigation Order Directive (“EIO Directive”) is an example of this, providing for a series of “grounds for non-recognition or non-execution”. MLA systems thus involve two types of States: the State issuing the MLA request and the executing State, which is the State able to undertake the necessary actions on its territory and to provide the requested evidence.
      3. What the Commission’s argument seems to neglect is that, in the “physical” world, the “executing” State is often at the same time the “affected” State. Consider, for instance, a case where Polish authorities request from Germany (as an “executing” State under an MLA mechanism) the search and seizure of property or other “physical” investigative measures undertaken in Berlin. In this example, Germany, as part of the MLA process, can exercise its traditional protective functions and refuse such a request if it considers that this would violate privileges and immunities under German Law or human rights of persons present on its territory and targeted by the MLA request.
      4. The big change that digital evidence brought to the MLA system is that the “affected State” is henceforth typically different from the “executing State.” The MLA request for e-evidence is addressed to the country where the service provider is established (such as Ireland), which is most often different from the country where the suspect and his physical property are located (such as Germany in the example above). In fact, in the “digital” world, the “executing” State is rarely the “affected” State.
      5. From this point of view, the introduction in the E-Evidence package of the concept of the “affected State”, as Sippel suggests, will make it possible to “adapt” in an appropriate way to the digital world protections that already existed traditionally “in the physical world” under MLA systems.
      6. The huge question, in reality, is whether “affected States” around Europe will agree to organize themselves in order to ensure this “responsibility to protect” in relation to access to digital evidence. Indeed, while the burden for affected States should be low[13] and the “protecting human rights/sovereign interests benefit” for them and their populations should be high, law enforcement officials involved in the e-evidence negotiations do not always seem to realize the importance of this mechanism and do not necessarily declare themselves willing to retain these important protective functions.
      7. This is strange, as they have already accepted a very similar mechanism of notification for the “affected State” within the EIO system. More precisely, Article 31 of the EIO Directive introduces an obligation of the intercepting Member State to notify the “Member State where the subject of the interception is located” when no technical assistance (and thus involvement of the “affected” Member State) is needed. If States thus consider that it is necessary to notify the “affected State” in cases of wiretap and interception of data, it would be logical to consider that it is also necessary to notify the “affected State” in cases of access to stored communication data and to introduce such similar protections in E-Evidence.

In conclusion, it seems that the notification to the affected State introduced by the E-Evidence LIBE Rapporteur (and applied only to content and transactional data as suggested in this paper) will greatly enhance the human rights and other protections of the legal regime while imposing a relatively low burden on the law enforcement authorities of the States involved. Given that the vast majority of cross-border demands do not involve data subjects in a different country of residence than the issuing State, this system will only concern a small portion of cases, where more thorough consideration and the involvement of the affected State are actually warranted. Furthermore, this system of notification will not delay access to data by the law enforcement authorities of the issuing State as the timeframe will remain the same. It seems then that, all things considered, such a solution would find the right balance between the interest of the issuing authority in quickly accessing digital evidence in order not to hinder criminal investigations and the need for adequate safeguards to protect other values.

 

4)  Notification to the Executing State: Applying the Protection v. Efficiency Test

Things are more challenging concerning the mechanism of notification to the executing State also put forward in Sippel’s Report. Let’s suggest from the outset three necessary amendments to the Rapporteur’s proposals:

    • First, as stated above (3(e)), it would be an error to introduce subscriber or access data into the notification regime. Notification to the executing State should only concern content and, possibly[14], transactional data.
    • Second, the definition of the “executing State” in amendment 98 seems problematic. This amendment intends to replace the term “Enforcing State” by “Executing State” and redefine it to say that it is “where the electronic information is processed by the data controller”. While many service providers are the controllers of data in respect to European users/customers, some do not process this data in Europe. While maintaining the term “executing State” makes sense under Sippel’s logic, it would be necessary to delete the phrase “where the electronic information is processed…”.
    • Third, it would be much more appropriate to turn the executing State’s obligation to object to an order into a right, by replacing the words “shall be refused” in amendment 161 with “may be refused”, as in the EIO Directive or MLATs.

Assuming that these modifications are made, could Sippel’s system of notification to the “executing State” pass the protection v. efficiency test?

 

a) Protections

While notification to the “affected State” (if the State of residence of the person whose data is sought is other than the issuing State) makes real sense for the reasons explained above, notification to the executing State seems less compelling. Imagine a crime committed in France. The victim is French, the suspect is a French person and resident. What is the point of obliging France to notify Ireland only because the service provider of the suspect is established in Ireland or has its legal representative there?

Despite the lesser relevance of notification to the executing State, whose link to a criminal case is often very weak, it seems that this idea is strongly imprinted in the mind of the different stakeholders. As we have seen (in Part 3) both the Commission and the Council, while ignoring the concept of the “affected State”, recognized the need to involve the executing State, either through a system of “consultations” and refusal to enforce (the Commission) or through a system of notification (the Council). This attitude directly derives from the MLAT logic which gives to the executing State not only the capacity to examine a data production request but also to oppose it. Moreover, notification to the executing State seems to respond to the demand of some EU States who “want to ensure that their laws are not violated” or even wish to “keep an eye on what is going on in their data centers and with their service providers”.

In Sippel’s Report there is no doubt that notification to the executing State, combined with notification to the “affected State”, offers important additional protections and guarantees, such as the following:

    1. The executing State can verify that service providers on its territory do not violate the laws of the country when they respond to EPOs from other States.
    2. The executing State can resolve problems of conflicts with a third country’s laws. Consider, for instance, that in the example mentioned above an EPO addressed from France to Google or Facebook to provide content data conflicts with the US Stored Communications Act and the French authorities do nothing to resolve this conflict. Sippel’s report gives the power to Ireland to refuse to execute such an EPO.
    3. The executing State can help ensure that the EPO is compatible with article 6 TEU and the Charter of Fundamental Rights of the European Union. In cases such as the example with the crime in France mentioned above there is no involvement of an “affected State”. As we have seen earlier, more than 93% of all criminal investigations have an entirely “domestic” character. Introducing the executing State into the equation means that there will be another State than the issuing State capable of reacting if there is a human rights problem.
    4. The executing State could play a particularly important role if the EPO has been issued by a country where there are rule of law problems. If, for instance, in Member State X there are serious doubts about the independence of the judiciary and fears that the government might use EPOs to get data about political opponents, the executing State could exercise due diligence and refuse the execution of such orders.
    5. In the absence of notification to the executing State, protection against abuse would be dependent solely on the service provider challenging the request, as provided for in the Commission’s proposal, which went as far as investing service providers with the task of controlling whether an EPO “manifestly violates the Charter”. However, this has been viewed by some as an inappropriate role for the private sector and/or insufficient in terms of a State’s obligation to safeguard human rights.
    6. Sippel’s proposal gives on the contrary a much more appropriate role to service providers. The responsibility of respecting human rights remains with the States concerned (issuing, executing and, if relevant, affected State), but service providers can “flag” problems to them. From this point of view it would be helpful if the draft could more clearly empower service providers to inform the States involved when they consider that an order is erroneous, unlawful, overbroad or otherwise abusive or problematic.
    7. Notification to the executing State also allows additional protections, such as the dual criminality principle, to be implemented.
    8. The involvement of the executing State is also critical, in Sippel’s system, in order to make it possible to raise a ground for refusal on behalf of the affected State which, as we have seen earlier, cannot object as such but can only inform the executing authority about a problem.
    9. Last, but not least, in Sippel’s mind, the involvement of the executing State is absolutely necessary in order to give a solid legal basis to E-Evidence. Article 82 TFEU, invoked by the Commission, is based on the notion of cooperation between two judicial authorities. In contrast to that, the proposal of the Commission would allow the issuing authority to directly address service providers in cross-border situations without involving the authorities of another EU State (except in the rare cases when a service provider refuses to execute and the EPO is sent for enforcement to the State where the service provider is established). Sippel considers that this is a particularly fragile legal basis that might not withstand review by the Court of Justice of the European Union. Her proposal makes it possible to resolve this problem definitively. She introduces the concept of the “executing” State (instead of “enforcing” State in the Commission’s draft) which will be automatically involved in all EPOs thanks to this system of notification and which will be considered as having recognized automatically the EPOC unless it raises a ground for refusal.

 

b) Efficiency

The remarks made above (Part 3(e2)) remain, here also, entirely relevant: the notification to the executing State should not affect, in Sippel’s system, the timeframe of the whole procedure initially proposed by the Commission. If the executing State does not object it will be considered as having given a “tacit consent” and the service provider will be required to give the data to the issuing State at the expiration of the 10-day time limit (or 6 hours in cases of emergency – brought to 24h by Sippel).

The problem of efficiency should thus not be assessed in terms of timeframes, but instead in terms of burden.

Contrary to the notification to the affected State which, as shown earlier, should concern less than 7% of all criminal investigations, the notification to the executing State is, in Sippel’s proposal, automatic and would thus concern all EPOs. This could create a pretty burdensome notification system. However, let’s examine more carefully the situation from the two sides:

From the point of view of the issuing State, this will require systematically addressing all EPOs to both the service provider and the authorities of the executing State. This should not be excessively burdensome: in most cases the issuing State will need to translate the EPO anyhow into the language of the country where the service provider is located, so there should be no further burden of translation. Addressing the EPO simultaneously to the service provider and the designated authorities of the executing State should be rather easy (a simple cc. would be enough if the secured platform of transmission is configured in a way to enable this[15]).

From the point of view of the executing State, on the contrary, this would undoubtedly create a burden which could be more or less heavy depending on how the system is implemented.

The burden could become unbearable for the authorities of the executing State if they were required to examine each single EPO and “take positive action” each time (for example by expressly “recognizing” each order). This would be equivalent to going back to an MLAT logic (although an improved one and based on a fast-track procedure). One might expect that countries like Ireland, hosting several service providers, would oppose such a bureaucratic and burdensome system.

However, the burden could be much less important for the executing State if the whole system was based on the premise that its authorities will not need to systematically examine each EPO. The idea would be that the executing authorities will “need to do nothing, unless if…”. This “unless if…” could mainly include situations where:

    1. A service provider “flags” to the executing State’s authorities an important problem with the EPO showing that it is unlawful, overbroad or otherwise abusive;
    2. An affected State informs the authorities of the executing State that the EPO violates privileges and immunities or the human rights of one of its residents or raises national security concerns;
    3. There is a conflict of laws issue with a third country that needs to be resolved and the issuing State refuses to do so;
    4. There is a systematic problem with the rule of law (for example the independence of the judiciary) in the issuing State which might require the authorities of the executing State to exercise due diligence so that the EU Charter of fundamental rights will not be violated;
    5. Or there is another particular situation requiring attention.

If the “do nothing unless if…” understanding of the system is adopted, the notification mechanism might remain manageable for the executing State[16] and the overall bureaucracy would be less important than the one existing today under the MLAT system. The whole idea would thus be that there will be a “guardian of the Temple” in case of trouble, but this guardian will not need to check and clear all persons entering the Temple.

 

5)  Conclusion

Sippel’s Report is the result of much work and thinking. The analysis here shows reasons for a number of modifications and adjustments. The Report includes nonetheless important ideas and mechanisms that appear useful for the future negotiations on E-Evidence.

Sippel’s version of E-Evidence is far more protective for human rights than the Commission’s or the Council’s drafts. Thanks to this protective approach Sippel succeeded in making the “paradigm shift” introduced by E-Evidence acceptable to fundamental rights experts (and likely very hard to challenge tomorrow in European courts). NGOs and other stakeholders who were firmly opposed to E-Evidence, pleading instead for an improvement of MLA mechanisms (such as the European Investigation Order), suddenly seem to consider that E-Evidence could be compatible with strong human rights protections. “Has Sippel MEP been successful at repairing the unrepairable?”, asks for instance EDRi.

There is also little doubt about the fact that Sippel’s version of E-Evidence is much better for service providers than the Council’s or the Commission’s drafts. Sippel’s report provides a workable regime for service providers and legal certainty while relieving them from liability issues. Without transforming them into legal assessors of fundamental rights (as the Commission did), Sippel’s system gives service providers the possibility to protect their customers and users and to flag potential problems to States who remain, nonetheless, the traditional guardians of human rights. Sippel removes the chilling effect of the Council’s sanctions and uses instead service providers as important helpful players in the process of protecting human rights. When the Council of the EU adopted its draft, the Business Software Alliance denounced a “disappointing text” that “risks undermining the protection of citizens and enterprise data across Europe”. In contrast, the BSA “welcomed” the European Parliament’s e-Evidence draft report, considering that it “introduces much clearer liability rules for companies complying with the Regulation, strengthens the fundamental rights protections of EU citizens, and ensures that cooperation between law enforcement agencies and technology providers is fostered and balanced”.

If Sippel’s Report is “good for human rights” and “good for service providers”, the big question is whether it might also become acceptable for law enforcement authorities. The double notification mechanism introduced by Sippel does not affect the timeframes proposed initially by the Commission and the Council for the production of data (10 days in normal situations, 6 hours – extended to 24h by Sippel – in cases of emergency). However, these notification mechanisms create a bureaucratic burden and additional responsibilities for the issuing State, the executing State and the affected State. Will these States agree to play the “responsibility to protect” role envisioned for them by Sippel? More generally, the whole challenge will be to find, during the trilogues, a compromise that will make it possible to introduce into E-Evidence the necessary protections and safeguards without, nonetheless, making the future instrument unattractive to LEAs – because otherwise they might opt for national (and more problematic) alternatives.

The “paradigm shift” introduced by E-Evidence seems necessary as MLATs are too slow and cumbersome. It should nonetheless come with all adequate safeguards and remedies to protect citizens and companies against overreach and misuse of these new powers. Members of the European Parliament will now need to determine how to strike the right balance between necessary protections on the one side and efficiency/burden/responsibilities for law enforcement on the other.

One option at this time would be to endorse Sippel’s protective logic and the system of double notification while seeking adjustments to make this system less burdensome for the States concerned, and especially for the executing State. The notice to the executing state should indeed be understood not to require a systematic review by the executing state, to make the burden of receiving notice manageable.

A second option would be to create a system of a single notification, preferably to the affected State that has the strongest interest in protecting its residents. For the reasons set out in this and previous articles I believe that notification to the affected State, combined with some additional protections (such as the possibility given to service providers to challenge problematic orders and the possibility given to the executing State to refuse enforcement if there is indeed a problem), would be more protective and less burdensome than notification to the executing State.


Theodore Christakis (@TC_IntLaw) is Professor of International Law at the University Grenoble Alpes. He is the Director of the Centre for International Security and European Studies, co-Director of the Grenoble Alpes Data Institute and Chair on the Legal and Regulatory Implications of Artificial Intelligence in MIAI, Grenoble Alpes. He is a Member of the Institut Universitaire de France and of the French National Digital Council and a Senior Fellow with the Cross-Border Data Forum.

The author would like to thank all the persons who contributed comments to a previous draft of this article, and especially Karine Bannelier, Vanessa Franssen, Ken Propp and Peter Swire. The views expressed in this article are entirely the author’s.

[1] A “general approach” is a document intending to accelerate the procedure by giving the Parliament an idea of the Council’s position on the legislative proposal submitted by the Commission.

[2] “EU Governments approve draft rules on sharing ‘e-evidence’”, Financial Times, 7 December 2018.

[3] See https://www.politico.eu/pro/politico-pro-morning-tech-e-privacys-big-day-commissioners-evaluation-google-remedies/.

[4] These are also the four goals of the Cross Border Data Forum, with whom I am a Senior Fellow: https://www.crossborderdataforum.org.

[5] Sippel’s Report, at 147.

[6] Sippel’s Report, at 146.

[7] This is in sharp contrast with the first part of the Cloud Act and the Stored Communications Act which enable access to e-evidence for all crimes. Only the second part of the Cloud Act, related to the conclusion of executive agreements, concerns “serious crimes”.

[8] See Sippel’s Report, amendment 100.

[9] The European Production Order (EPO) and the European Preservation Order (EPO-PR) are the instruments through which issuing States can request from service providers the production or the preservation of data relevant for a criminal investigation.

[10] As LIBE’s Working document 6B, of 1st April 2019 noted: “this leads to a situation in which the affected person has no effective possibility to challenge the legality, proportionality or necessity of an order before a court accessible to him or her in the State of his or her residence. This directly affects the right to a fair trial and the right of defence”. (at 6).

[11] See LIBE 3rd Working document, 13 February 2019, at 6.

[12] This percentage could be higher if one excludes requests for subscriber data. A recent Europol study showed that law enforcement authorities need to access content data in only 15% of total investigations, while they need to access traffic data (including IP addresses) in 42% of all investigations (SIRIUS EU Digital Evidence Situation Report, 20 December 2019, at 16).

[13] Some colleagues have raised with me the issue that they “can’t help but wonder if smaller EU member States will be capable of bearing the additional international burden being placed on affected states”. They emphasized that, in their experience, “most have only a handful (at best) of government lawyers capable of assessing MLAT requests, which consistently leads to bottlenecks” – and thus they might not be able to deal with the additional burden of exercising the protective functions of the “affected State” under Sippel’s proposal. However, I think that the “additional burden” for “affected States” should not be exaggerated.

First, as mentioned above, “affected States” already exercise such protective functions in cases when they are at the same time “executing States”: this includes most MLA requests for physical evidence; requests for e-evidence when the service provider is established in their territory; and the interception cases envisioned by article 31 EIO.

Second, for the remaining cases the burden should be very low for such “smaller EU member States” with limited resources. The recent Europol study showed that the 19 smaller EU member States each represent a percentage ranging from 0,9% to… 0.0% of all EU law enforcement data requests to major service providers (and this including requests for subscriber data). If we exclude subscriber data (representing, according to the Europol study 41,7% of all requests) for which notification should not be required and then we apply the “7% figure” (mentioned supra) of cases where the concept of the “affected State” will be relevant among the total number of requests, this means that, statistically, they will be required to exercise their protective functions as “affected State” in a very limited number of cases. It is very unfortunate that the Europol (or any other existing) data do not permit an accurate calculation of the number of notifications to be received by each “affected” State. However, on the basis of the existing data, it seems reasonable to believe that the 20 smallest EU member States would be notified as “affected State” no more than a few dozen times per year. The burden should thus be low and manageable for them. If one considers that during the year 2018 Facebook received and examined a total of 53,841 data requests, followed by 47,011 for Google, 43,480 for Apple and 22,919 for Microsoft (see here, at 12), it would be an insult to countries like Sweden or Austria to argue that they would be unable to examine a few dozen notifications per year in order to protect as “affected” States the human rights of their populations and their sovereign interests. In any case, a reevaluation of the system, based on real figures, could take place after the entry into force of E-Evidence in order to assess the real burden for EU Member States.

[14] The European Court of Human Rights considers that access to traffic data (or metadata) could be just as intrusive as access to content data (see the 2018 judgment in Big Brother Watch, para. 356). However, this statement was made in another context (mass surveillance). Similarly, the CJEU’s 2016 Judgment in Tele2 Sverige (para. 99) seemed to have condemned the “indiscriminate and universal collection of a very broad set of metadata” based on the national data retention laws under examination which “required an extensive subset of metadata to be collected for all subscribers for all means of electronic communication, systematically and continuously, with no exceptions” (see here). The protective function of treating content and metadata in the same way should thus be assessed in each specific context. While notification to the affected State should concern both content and transactional data (in order to adequately protect the targeted individuals), one could ask if it is also compelling to introduce the category of transactional data in the notification to the executing State. For instance, one of the justifications for such notifications is that the executing State (for example Ireland) will be able to protect service providers on its territory by opposing EPOs which conflict with foreign blocking statutes (and mainly the US Stored Communications Act – SCA). However, these blocking statutes mainly concern content data (the SCA prohibition is on communications content – although traffic data sometimes gets shoehorned into that definition). The introduction of a notification requirement for EPOs related to transactional data might thus create important additional bureaucracy for the executing State without always bringing a tangible increase in the protective side of the legal regime. The issue requires more analysis and thinking.

[15] The EPOs will likely be transmitted on a new secure platform that is being developed for the EIO. The plan is to extend its function such that LEAs can submit demands to companies using this platform.

[16] Moreover, if notification to the executing State was only required for EPOs related to content data, this would mean that such notifications would only concern 18,1% of all cases (see Europol study, at 20).

These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.