Author: Marine Corhay
In November 2022, the Commission announced that a political agreement between the European Parliament and the Council had been reached to strengthen cross-border access to digital evidence. The announcement comes more than four years after the Commission’s release of the e-evidence proposal in April 2018, and follows intense discussions and debates (see here, here and here). To the EU institutions’ defence, the instrument is nothing short of revolutionary.
It pursues the ambition to create an EU-wide legal framework for the collection of electronic evidence in the field of criminal procedure and institutionalise a new criminal justice paradigm: direct cooperation between judicial authorities and the private sector (service providers). Unlike other forms of cooperation in criminal matters regulated by EU law which involve the cooperation between judicial authorities of different Member States – like the European Arrest Warrant and the European Investigation Order – the original e-evidence proposal substitutes the traditional executing Member States by a private actor.
This article will be published in two parts. Part 1 will provide a brief description of the instrument proposed by the Commission – explaining how it departs from traditional mutual recognition instruments and mutual legal assistance (MLA) agreements – and highlight some of the concerns raised by relevant stakeholders, i.e. EU institutions, law enforcement authorities, service providers, and civil society. Part 2 will be devoted to the role of service providers and how this issue has been addressed by the EU institutions.
Overview of a paradigm shift
The Commission’s e-evidence proposal is composed of two interlinked instruments: a Regulation on European production and preservation orders, and a Directive containing harmonized rules on the appointment of legal representatives. The Regulation creates binding European Production orders (EPOs) and Preservation orders (EPsOs) for stored data. EPOs enable judicial authorities of the issuing Member State to require a service provider located in another jurisdiction to produce certain data while EPsOs allow for the preservation of data until a subsequent EPO is issued. Both orders are to be addressed to the service provider’s legal representative outside the issuing Member State.
The proposed Directive obliges European service providers that offer services in more than one Member State, as well as non-European service providers which are active on the EU market, to appoint a legal representative in at least one Member State. The legal representative will function as the EU-wide legal contact person for national competent authorities. Because the order will be directly addressed to a service provider, the Member State where the legal representative is located will not be involved in the process, except in case of non-compliance of the service provider.
This is a fundamental shift from traditional mutual recognition instruments, which require cooperation between two judicial authorities. As emphasized here and here, the e-evidence proposal departs from the principle of mutual recognition by circumventing the judicial authority in the Member State where the order is addressed. This paradigm shift will result in service providers, i.e. private actors, being tasked with responsibilities typically assigned to the judicial authorities of a Member State, including assessing the validity of the order and its compliance with the Charter. In that sense, the e-evidence proposal is fundamentally different from the European Investigation Order (EIO), which requires the order to be circulated between and executed by competent authorities (for a comparison between the two instruments see here). The competent authority receiving the order performs the necessary checks and assesses it against several grounds for refusal. While the EIO was meant to offer a comprehensive solution to cross-border gathering of evidence, it was not tailored specifically for the collection of electronic evidence, which resulted in some significant shortcomings.
Direct cooperation between law enforcement authorities (LEAs) and private actors is not a new phenomenon. Law enforcement authorities have been collaborating with national telecom operators for several decades. However, given the cross-border nature of the internet, and unlike traditional telecommunications, information and communications technologies (ICTs) can be provided from anywhere in the world by global players such as Facebook, Microsoft and Google. When evidence is located abroad, or rather when a service provider is located outside the EU, LEAs have to resort to MLA, a procedure which has been deemed too slow and cumbersome for the collection of electronic evidence. Such a procedure requires a Member State to send a formal request to the country of the service provider, which will assess the request and transform it into a domestic order in order to obtain the data from the service provider. Once the authority has received the data it will then transmit it to the Member State that requested it (for an illustrative example see here).
Therefore, the main objective of the e-evidence proposal is to bypass these intermediate steps, providing a direct route to access service providers and the data they hold and/or control.
Stakeholders’ views and concerns
EU institutions: The EU Commission’s proposal is a response to the Council of the EU’s call for specific measures to improve cooperation between Member States and service providers in obtaining digital evidence. According to the EU Commission, its proposal adapts cooperation mechanisms to the digital age while maintaining a high standard for law enforcement requests, hence ensuring the protection of fundamental rights (see Explanatory Memorandum, p.1).
It took the Council of the EU about a year to agree on a General Approach and most Member States seemed primarily focused on the instrument’s efficiency. The Council deleted the human rights clause from grounds upon which service providers are permitted to refuse to execute production orders and from the list of grounds upon which service providers may oppose the enforcement of an order. Consequently, the responsibility to protect fundamental rights lies solely with the issuing State. This goes even further than the Commission’s approach and the General Approach has raised harsher criticisms than the Commission’s Proposal.
The European Parliament has shown skepticism towards the e-evidence proposal, raising numerous significant legal concerns. In fact, its final report proposes an almost totally different instrument than the one initially envisaged by the Commission (for a comparison see here and here) and reverses the paradigm shift by returning to a traditional mutual recognition approach. The European Parliament, through the LIBE Committee and its Rapporteur, has indeed strongly opposed the outsourcing of the fundamental rights assessment to a private actor and declared it highly questionable to put service providers in the position of adjudicating on citizens’ fundamental rights. The Committee has insisted on the importance of maintaining the involvement of Member States’ authorities on the receiving end of the order.
Law enforcement authorities: The e-evidence proposal comes as a solution for law enforcement authorities to the challenges new ICTs create and the ever-growing dependence on the cooperation of service providers to detect, investigate and prosecute offences. According to the latest SIRIUS report, the fact that the MLA process takes too long remains the most prominent issue LEAs face when sending requests to foreign-based service providers. While some progress has been made on the United States’ side to reform the process in order to enhance its performance in executing incoming MLAT requests, the past years have seen a dramatic increase in such requests, which slowed response times.
The dissatisfaction of LEAs with the MLA process has prompted Member States to implement unilateral measures to obtain electronic evidence, such as enacting legislation requiring service providers to comply with requests from LEAs. However, the legal grounds for doing so may be questioned and national law, in practice, is not always effective (see for instance, the Yahoo case, Skype case and Microsoft-Ireland case). Besides, the existence of a great variety of national approaches creates fragmentation that generates legal uncertainty for both law enforcement authorities and service providers, as well as conflicting obligations for service providers.
Service providers: The private sector has repeatedly asked for harmonization and legal certainty (see, for instance here, here and here). While service providers are generally willing to cooperate with LEAs, their primary relationship is with their customers. Beyond the fact that the private sector is bound by the General Data Protection Regulation and the obligations it imposes, service providers have indicated that they feel a sense of responsibility for protecting and maintaining the privacy of their customers’ data. They view this as a fundamental aspect of their business model and the source of their customers’ trust in them. Microsoft and Bitkom, Germany’s digital association, have insisted on the importance of transparency towards their customers. They wish to have the ability to notify their users when their data has been requested by LEAs, where such a notification does not jeopardize the investigation.
The private sector has also raised practical concerns. EuroISPA, the world’s largest association of internet service providers, warned that the timeframes for compliance with EPOs set by the Commission – ten days maximum for non-urgent requests and six hours in case of emergency – are not feasible for small and medium enterprises, especially the six-hour deadline. The creation of a mandatory cooperation framework necessitates consideration of the issue of who should bear the cost of such cooperation. The lack of an adequate reimbursement system has been a subject of criticism. The Commission’s proposal (Art. 12 Regulation) states that service providers can request reimbursement of their costs from the issuing Member State if provided by the national law of that State, hence leaving the matter to be dealt with on a national level and creating uncertainty for service providers.
Some service providers have also denounced the so-called ‘privatisation of law enforcement’ (see here and here). The role of service providers has been one of the most controversial topics in the e-evidence negotiations. This issue merits a more detailed legal treatment than can be provided here and will be discussed in the second part of this article.
Civil Society: Civil society has also denounced the ‘privatisation of law enforcement’ (see, for instance, here). As noted above, this aspect will be further explored in Part 2 of this article. Civil society called on the EU institutions not to achieve efficiency at the expense of weakening fundamental rights, legal safeguards and judicial cooperation. EDRi, for instance, pleaded for a notification mechanism both to the affected Member State and the enforcing Member State in order to ensure that the fundamental rights of the person concerned by an order are protected. The organisation also demanded stronger safeguards for the issuance and execution of orders, including the introduction of the dual criminality requirement and a review by a court or an independent authority.
Reflections on developments to date
To say that the e-evidence proposal has been under consideration by EU institutions for a while would be an understatement. The negotiations have been at a standstill for an extended period and compromises have been slow to emerge. In June 2022, it was announced that significant progress had been made on key aspects of the instrument but it took the EU institutions an additional five months to reach a political agreement. Following the announcement of the agreement, some elements of the final text have been revealed by the press and the final compromise text was published by the Council of the EU on 20 January 2023.
A new model of cooperation is coming over the horizon, but practice will have to determine whether this new instrument meets the objectives initially set by the EU Commission. How the e-evidence Regulation will further shape the role of service providers is currently uncertain. However, due to those actors’ unique position and the concerns they have raised during the negotiation process, they will inevitably continue to make decisions that will, directly or indirectly, impact the fundamental rights of their users.
Marine Corhay is a PhD candidate at the University of Liège (FRESH grantee, F.R.S.-FNRS) and a Visiting Scholar at the Information Law & Policy Centre (IALS). Her research stay is funded by the University of Liège (MoDUS grant) and the David-Constant Grant for scientific research stays abroad (Law School, ULiège).