Private Life, Personal Data Protection and the Role of Service Providers: The EU e-Evidence Proposal

Corhay, Marine

doi:10.15166/2499-8249/477

Available on ORBi since
26 April 2022

Article (Scientific journals)

Private Life, Personal Data Protection and the Role of Service Providers: The EU e-Evidence Proposal

Corhay, Marine

2021 • In European Papers- A Journal on Law and Integration, 6 (1), p. 441 - 471

Peer reviewed

Permalink
https://hdl.handle.net/2268/289965

DOI
10.15166/2499-8249/477

Files Send to Details Statistics Bibliography Similar publications

Files

Full Text

EP_eJ_2021_1_11_Articles_SS1_6_Marine_Corhay_00477.pdf

Publisher postprint (412.56 kB)

All documents in ORBi are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink Twitter Linkedin

Details

Keywords :

electronic evidence; cross-border access to electronic evidence; data protection; private life; law enforcement; fundamental rights; European Commission; European Parliament; service providers

Abstract :

[en] In April 2018, the Commission adopted a proposal for the collection of electronic evidence in criminal matters (the so-called e-Evidence Proposal). This proposal pursues the ambition to create an EU-wide legal framework for the collection of electronic evidence in the field of criminal procedure and establishes a new criminal justice paradigm at the EU level: direct cooperation between judicial authorities and service providers. This new type of cross-border cooperation raises important issues, two of which will be addressed in this Article. The first issue concerns the impact of this new criminal justice paradigm on the right to protection of personal data and the right to respect for private life. This Article will provide an assessment of the options presented by the EU institutions (Commission, Council and European Parliament) to safeguard these rights. The second issue relates to the role of private actors, i.e., service providers. This Article will discuss the protective functions assigned to service providers in the Commission's proposal and highlight some of the problematic aspects related to it.

Disciplines :

European & international law

Author, co-author :

Corhay, Marine ; Université de Liège - ULiège > Cité

Language :

English

Title :

Private Life, Personal Data Protection and the Role of Service Providers: The EU e-Evidence Proposal

Publication date :

June 2021

Journal title :

European Papers- A Journal on Law and Integration

eISSN :

2499-8249

Publisher :

European Paper

Special issue title :

Towards European Criminal Procedural Law - Second Part

Volume :

Issue :

Pages :

441 - 471

Peer reviewed :

Peer reviewed

Data Set :

10.15166/2499-8249/477

Statistics

Number of views

29 (2 by ULiège)

Number of downloads

6 (1 by ULiège)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

Bibliography

1 European Commission Non-paper of 7 December 2016, Progress Report following the Conclusions of the Council of the European Union on Improving Criminal Justice in Cyberspace data.consilium.europa.eu.
2 Proposal COM(2018) 225 final of the European Commission of 17 April 2018 for a Regulation of the European Parliament and the Council on European production and preservation orders for electronic evidence in criminal matters (hereafter proposed Regulation).
3 Proposal COM(2018) 226 final of the European Commission of 17 April 2018 for a Directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings (hereafter proposed Directive).
4 See, among others, V Franssen, ‘The European Commission's e-Evidence Proposal: Toward an EU-wide Obligation for Service Providers to Cooperate with Law Enforcement?‘ (12 October 2018) European Law Blog europeanlawblog.eu; M Cole and T Quintel, ‘Transborder Access to e-Evidence by Law Enforcement Agencies: A First Comparative View on the Commission's Proposal for a Regulation on European Preservation/Production Order and Accompanying Directive’ (University of Luxemburg Law Working Paper Series 10-2018); S Tosza, ‘The European Commission's Proposal on Cross-Border Access to e-Evidence' (2018) The European Criminal Law Association's Forum 212; G Robinson, ‘The European Commission's eEvidence Proposal' (2018) European Data Protection Law Review 347.
5 Proposal COM(2018) 225 final 1 of the European Commission of 17 April 2018 for a Regulation of the European Parliament and the Council on European production and preservation orders for electronic evidence in criminal matters, Explanatory Memorandum (hereafter Explanatory Memorandum); V Franssen, A Berrendorf and M Corhay, ‘La collecte transfrontière de preuves numériques en matière pénale. Enjeux et perspectives européennes' (2019) Revue Internationale de Droit Pénal 1; M Stefan and G González Fuster, ‘Cross-Border Access to Electronic Data Through Judicial Cooperation in Criminal Matters - State of the Art and Latest Developments in the EU and the US' (2018) CEPS Paper in Liberty and Security in Europe n. 07.
6 V Franssen, ‘The European Commission's e-Evidence Proposal: Toward an EU-wide Obligation for Service Providers to Cooperate with Law Enforcement?' cit.
7 Ibid.
8 See, among others, S Tosza, ‘Cross-Border Gathering of Electronic Evidence: Mutual Legal Assistance, Its Shotcomings and Remedies' in V Franssen and D Flore (eds), Société numérique et droit pénal. Belgique, France, Europe (Larcier-Bruylant 2019) 269; T Christakis, ‘E-Evidence in a Nutshell: Developments in 2018, Relations with the CLOUD Act and the Bumpy Road Ahead' (14 January 2019) Cross-border Data Forum www.crossborderdataforum.org; Explanatory Memorandum cit. 7.
9 See, for instance, arts 46bis (production order for traffic and location data) and 88bis (production order for identification data) of the Belgian Code of Criminal Procedure and the UK Investigatory Powers Act 2016.
10 These legislations or practices have substantial extraterritorial effects, affecting the sovereignty of other States. For an analysis of recent Belgian legislation and case-law see V Franssen, ‘The Belgian Internet Investigatory Powers Act - A Model to Pursue at European Level?' (2017) European Data Protection Law Review 534; V Franssen and M Corhay, ‘La fin de la saga Skype: les fournisseurs de services étrangers obligés de collaborer avec la justice belge en dépit des possibilités techniques et de leurs obligations en droit étranger, Note sous Cass. 19 février 2019' (2019) Revue de Droit Commercial Belge 1014; P De Hert, C Parlar and J Thumfart, ‘Legal Arguments Used in Courts Regarding Territoriality and Cross-Border Production Orders: From Yahoo Belgium to Microsoft Ireland' (2018) New Journal of European Criminal Law 326.
11 Ibid.
12 Explanatory Memorandum cit. 2; European Commission Non-paper of May 2017, Improving CrossBorder Access to Electronic Evidence: Findings From the Expert Process and Suggested Way Forward 2.
13 The e-evidence proposal does not apply to purely national service providers which only have customers in one Member State and non-EU service providers which do not offer services in the EU. See art. 3(2) a contrario of the proposed Directive.
14 Explanatory Memorandum cit. 5. Real-time interception of communication is not covered by the eevidence proposal.
15 The proposed Regulation targets specific subcategories of service providers that exceed the scope of application of the traditional telecommunication providers and aims at including internet access services, internet-based services enabling inter-personal communications such as Voice over IP, instant messaging and e-mail services. It also covers cloud and other hosting services and digital marketplaces. See art. 2(3) of the proposed Regulation. Services for which the storage of data is not a defining component are not covered by the proposal. However, providers of internet domain names and IP numbering services are relevant because they “can provide traces allowing for the identification of an individual or entity involved in criminal activity”. See Explanatory Memorandum cit. 14.
16 Art. 3(1) and (2) of the proposed Directive.
17 V Franssen, ‘The European Commission's e-Evidence Proposal: Toward an EU-wide Obligation for Service Providers to Cooperate with Law Enforcement?' cit.
18 Art. 3(5) of the proposed Directive. To that end, the host Member State will have to enact rules on the basis of which the representative can be held liable for non-compliance. See art. 3(8) of the proposed Directive.
19 Explanatory Memorandum cit. 9. For the purpose of this Article, the right to protection of personal data and the right to respect for private life will be considered together. For an analysis of how the two rights collide in the jurisprudence of the Court of Justice of the EU see G González Fuster, ‘Fighting for Your Right to What Exactly? The Convoluted Case Law of the EU Court of Justice on Privacy and/or Personal Data Protection' (2014) Birbeck Law Review 263. For an overview of the differences between the two rights see C Docksey, ‘Articles 7 and 8 of the EU Charter: Two Distinct Fundamental Rights' in A Grosjean (ed), Enjeux europeens et mondiaux de la protection des donnes personnelles (Larcier 2010) 71.
20 See arts 7 and 8 of the Charter of Fundamental Rights of the European Union [2012] (hereafter EU Charter).
21 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereafter General Data Protection Regulation or GDPR).
22 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (hereafter Law Enforcement Directive).
23 Explanatory Memorandum cit. 9.
24 Read as follows: “Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others”.
25 Council of the European Union, General Approach 10206/19 on the Regulation of the European Parliament and of the Council on European production and preservation orders for electronic evidence in criminal matters (hereafter General Approach).
26 European Parliament (LIBE Committee), Report A9-0256/2020 on the Proposal for a Regulation of the European Parliament and of the Council on European production and preservation orders for electronic evidence in criminal matters (hereafter European Parliament Report). Prior to the adoption of the Report, on 24 October 2019 the LIBE Committee presented a Draft Report entailing 267 amendments to the Commission's proposed Regulation. See European Parliament (LIBE Committee), Draft Report PR\1191404 on the Proposal for a Regulation of the European Parliament and of the Council on European production and preservation orders for electronic evidence in criminal matters (hereafter European Parliament Draft Report). The LIBE Committee's Rapporteur is MEP Birgit Sippel.
27 Art. 2(7) of the proposed Regulation: “data pertaining to: (a) the identity of a subscriber or customer such as the provided name, date of birth, postal or geographic address, billing and payment data, telephone, or email; (b) the type of service and its duration including technical data and data identifying related technical measures or interfaces used by or provided to the subscriber or customer, and data related to the validation of the use of service, excluding passwords or other authentication means used in lieu of a password that are provided by a user, or created at the request of a user”.
28 Art. 2(8) of the proposed Regulation: “data related to the commencement and termination of a user access session to a service, which is strictly necessary for the sole purpose of identifying the user of the service, such as the date and time of use, or the log-in to and log-off from the service, together with the IP address allocated by the internet access service provider to the user of a service, data identifying the interface used and the user ID”.
29 Art. 2(9) of the proposed Regulation: “data related to the provision of a service offered by a service provider that serves to provide context or additional information about such service and is generated or processed by an information system of the service provider, such as the source and destination of a message or another type of interaction, data on the location of the device, date, time, duration, size, route, format, the protocol used and the type of compression, unless such data constitutes access data”.
30 Art. 2(10) of the proposed Regulation: “any stored data in a digital format such as text, voice, videos, images, and sound other than subscriber, access or transactional data”.
31 The Convention on Cybercrime refers to subscriber information, traffic data and content data. See Council of Europe, Convention on Cybercrime adopted in Budapest on 23 November 2001, ETS n. 185, arts 1(d), 18(3) and 21.
32 See art. 2 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (hereafter ePrivacy Directive); art. 2(2)(a), Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (hereafter Data Retention Directive). This Directive was annulled by the Court of Justice.
33 V Franssen, ‘The European Commission's e-Evidence Proposal: Toward an EU-wide Obligation for Service Providers to Cooperate with Law Enforcement?' cit.
34 See e.g., case C-207/16 Ministerio Fiscal ECLI:EU:C:2018:788 para. 51 (hereafter Ministerio Fiscal).
35 Explanatory Memorandum cit. 14.
36 Ibid. 16; V Franssen, ‘The European Commission's e-Evidence Proposal: Toward an EU-wide Obligation for Service Providers to Cooperate with Law Enforcement?' cit.
37 Art. 4(1) of the proposed Regulation.
38 Ibid. art. 5(3).
39 Ibid. see art. 4(2)(a) and (b).
40 Ibid. art. 5(4); Explanatory Memorandum cit.18.
41 Joined cases C-293/12 and C-594/12 Digital Rights Ireland Ltd and Seitlinger and Others ECLI:EU:C:2014:238 (hereafter Digital Rights Ireland'. This judgment annulled the data retention directive. For an analysis see O Lynskey, ‘The Data Retention Directive Is Incompatible with the Right to Privacy and Data Protection and Is Invalid in Its Entirety: Digital Rights Ireland' (2014) CMLRev 1789.
42 Joined cases C-203/15 and C-698/15 Tele2 Sverige AB and Watson and Others ECLI:EU:C:2016:970 (hereafter Tele2 Sverige).
43 Digital Rights Ireland cit. para. 26. The Court refers to the “data necessary to trace and identify the source of a communication and its destination, to identify the date, time, duration and type of a communication, to identify users' communication equipment, and to identify the location of mobile communication equipment, data which consist, inter alia, of the name and address of the subscriber or registered user, the calling telephone number, the number called and an IP address for Internet services”.
44 Ibid. para. 27.
45 Tele2 Sverige cit. para. 99. Emphasis added.
46 Ibid. para. 125.
47 The Court notes that in the Data Retention Directive, art. 1(1) simply refers to serious crime as defined by each Member State in its national law. See Digital Rights Ireland cit. para. 60.
48 Tele2 Sverige cit. para. 118.
49 M Böse, ‘An Assessment of the Commission's Proposals on Electronic Evidence' (September 2018) www.europarl.europa.eu 40.
50 Ibid.
51 Explanatory Memorandum cit. 17.
52 European Digital Rights (EDRi), ‘Recommendations on Cross-Border Access to Data - Position Paper on the European Commission's Proposal for a Regulation on European Production and Preservations Orders for Electronic Evidence in Criminal Matters' (12 April 2019) edri.org 21, (hereafter EDRi, Position Paper on the European Commission's Proposal for a Regulation on European Production and Preservations Orders for Electronic Evidence in Criminal Matters); M Böse, ‘An Assessment of the Commission's Proposals on Electronic Evidence' cit. 40.
53 Art. 463 of the Belgian Criminal Code for a simple theft, without threat nor violence (“vol commis sans violences ni menaces”).
54 Statement by Judge Marko Bošnjak of the European Court of Human Rights during the European Parliament e-evidence hearing of 27 November 2018 hwww.europarl.europa.eu (2:08:00-2:19:25) (hereafter EP e-evidence hearing); M Böse, ‘An Assessment of the Commission's Proposals on Electronic Evidence' cit. 40. Böse considers that in its core, the threshold as defined in art. 5(4) of the proposed Regulation incorporates the exception from the double criminality requirement contained in art. 11(1)(g) of Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters (hereafter EIO Directive) which read as follows: “Without prejudice to Article 1(4), recognition or execution of an EIO may be refused in the executing State where: the conduct for which the EIO has been issued does not constitute an offence under the law of the executing State, unless it concerns an offence listed within the categories of offences set out in Annex D, as indicated by the issuing authority in the EIO, if it is punishable in the issuing State by a custodial sentence or a detention order for a maximum period of at least three years”. Emphasis added.
55 Ministerio Fiscal cit. paras 26(2) and 17. The Spanish Criminal Code provides that “serious offences are those which the law punishes with a serious penalty" (art. 13(1)) and "serious penalties shall be: [...] b) imprisonment for a period of more than five years” (art. 33(2)). Art. 579(1) of the Spanish Code of Criminal Procedure provides that access to telephone and telematic communications data which have been retained by service providers may be provided, inter alia, for intentional offences punishable by a maximum penalty of at least three years' imprisonment.
56 Ministerio Fiscal cit. para. 48.
57 Ibid. para. 19.
58 Ibid. para. 20.
59 Ibid. para. 21.
60 Ibid. para. 22.
61 Ibid. para. 26.
62 Ibid. para. 51.
63 Ibid. paras 56-57.
64 Ibid. para. 58.
65 Ibid. para. 59.
66 Ibid. para. 60. Emphasis added.
67 Ibid. para. 61.
68 Ibid. para. 62. Emphasis added.
69 Ibid. para. 63.
70 The Chair of the European Data Protection Board, Andrea Jelinek, is of the opinion that “the lowest threshold providing for the possibility for law enforcement authorities to request access to subscriber and access data for any criminal offence builds on an ‘a contrario' reading of the case law of the CJEU”. European Data Protection Board (EDPB), Opinion 23/2018 on Commission proposals on European Production and Preservation Orders for Electronic Evidence in Criminal Matters of 26 September 2018 edpb.europa.eu 14(art. 70.1.b) (hereafter EDPB, Opinion 23/2018).
71 Explanatory Memorandum cit. 15.
72 The European Data Protection Supervisor is of the opinion that “this data category seems artificial and to have as only objective to attach lower requirements to the production of such data, similar to those attached to the production of subscriber data”. See European Data Protection Supervisor (EDPS), Opinion 7/2019 on Proposals regarding European Production and Preservation Orders for Electronic Evidence in Criminal Matters of 6 November 2019 edps.europa.eu para. 21 (hereafter EDPS, Opinion 7/2019).
73 Ibid. para. 22.
74 M Böse, ‘An Assessment of the Commission's Proposals on Electronic Evidence' cit. 20; European Parliament (LIBE Committee), 6th Working Document (B) DT\1181408 on the Proposal for a Regulation on European production and preservation orders for electronic evidence in criminal matters - Safeguards and remedies 5 (hereafter EP (LIBE Committee), 6th Working Document (B)).
75 Digital Rights Ireland cit. para. 27; Tele2 Sverige cit. para. 99.
76 AG Saugmandsgaard 0e emphasizes that the establishment of a link between the seriousness of the interference found and the seriousness of the reason that could justify the interference is in line with the principle of proportionality. See case C-207/16 Ministerio Fiscal ECLI:EU:C:2018:300, opinion of AG Saugmandsgaard 0e, para. 82.
77 Case C-746/18 Prokuratuur ECLI:EU:C:2021:152 para. 17.
78 Ibid. para. 19.
79 First, the referring court asked whether access to traffic and location data by State authorities constitutes an interference so serious that it must be restricted to the purpose of fighting serious, regardless of the period to which the retained data to which the State authorities have access relate. Second, the Supreme Court of Estonia asked if, in case the amount of data refered to in its first question is not large (both in terms of the type of data and in terms of its temportal extent), the associated access interference could be justified for any crime.
80 Prokuratuur cit. para. 23.
81 Ibid. para. 22. Emphasis added.
82 Case C-746/18 Prokuratuur ECLI:EU:C:2020:18, opinion of AG Pitruzzella, paras 81 and 82.
83 For an analysis of this case see S Rovelli, ‘Case Prokuratuur: Proportionality and the Independence of Authorities in Data Retention’ European Papers (European Forum Insight of 11 June 2021) www.euro-peanpapers.eu 199.
84 Prokuratuur cit. para. 28.
85 Ibid. para. 33.
86 Ibid. para. 39.
87 Ibid. para. 45.
88 Ibid. para. 34.
89 Case C-623/17 Privacy International ECLI:EU:C:2020:790.
90 Joined cases C-511/18, C-512/18 and C-520/18 La Quadrature du Net and Others ECLI:EU:C:2020:791.
91 La Quadrature du Net and Others cit. para. 168.
92 See F Coudert and F Verbruggen, ‘Conservation des données de communications électroniques en Belgique: un juste équilibre?‘ in V Franssen and D Flore (eds), Société numérique et droit pénal - Belgique, France, Europe (Larcier-Bruylant 2019) 245; F Verbruggen, S Royer and H Severijns, ‘Reconsidering the Blanket Data-Retention-Taboo, for Human Rights’ Sake?' (1st October 2018) European Law blog europeanlawblog.eu.
93 See Ministerio fiscal, opinion of AG Saugmandsgaard 0e, cit. para. 38.
94 Prokuratuur cit. para. 31.
95 Art. 6(2) and (3)(d) of the proposed Regulation.
96 Besides AG Saugmandsgaard 0e, in his opinion in Ministerio fiscal, acknowledged that the requested access did not constitute a serious intereference and one of the reasons behind this assertion was that the transmission of the data was sought as a targeted measure, i.e., access by the competent authorities and for the purposes of a criminal investigation. See Ministerio Fiscal, opinion of AG Saugmandsgaard 0e cit. para. 37.
97 See Tele2 cit. para. 112; Prokuratuur cit. para. 30; La Quadrature du Net and Others cit. para. 168.
98 See La Quadrature du Net and Others cit. para. 168. For an analysis of La Quadrature du Net and Others and Privacy International see J Sajfert ‘Bulk Data Interception/retention Judgments of the CJEU - A Victory and a Defeat for Privacy' (26 October 2020) European Law Blog europeanlawblog.eu.
99 EDPB, Opinion 23/2018 cit. 12; art. 4(1) General Data Protection Regulation.
100 See art. 5(1) General Data Protection Regulation cit. and art. 4(1) Law Enforcement Directive cit.
101 EDPB, Opinion 23/2018 cit. 6.
102 Art. 10(1) of the proposed Regulation.
103 Ibid. art. 10(2).
104 Ibid. art. 10(3).
105 Regarding information sharing between private actors and public authorities see N Purtova, ‘Between the GDPR and the Police Directive: Navigating Through the Maze of Information Sharing in PublicPrivate Partnership'(2018) International Data Privacy Law 52.
106 See C Jasserand, ‘Subsequent Use of GDPR Data for Law Enforcement Purpose - The Forgotten Principle of Purpose Limitation?‘(2018) European Data Protection Law Review 152; C Jasserand, ‘Law Enforcement Access to Personal Data Originally Collected by Private Parties: Missing Data Subjects’ Safeguards in Directive 2016/680?' (2018) Computer Law & Security Review 163.
107 La Quadrature du Net and Others cit. para. 103; Privacy International cit. paras. 47-48.
108 See P Vogiatzoglou and J Bergholm, ‘Privacy International & La Quadrature du Net: The Latest on Data Retention in the Name of National and Public Pecurity - Part 3' (27 October 2020) CiTiP Blog www.law.kuleuven.be.
109 Tele2 Sverige cit. para. 120; Digital rights Ireland cit. para. 62.
110 Art. 4(1) and (3) of the proposed Regulation.
111 See case C-625/19 Openbaar Ministerie (Swedish Public Prosecutor's Office) ECLI:EU:C:2019:108; joined cases C-566 and C-626/19 Parquet Général du Grand-Duché du Luxembourg and de Tours ECLI:EU:C:2019:1077; case C-627/19 Openbaar Ministerie (Public Prosecutor, Brussels) ECLI:EU:C:2019:1079.
112 Prokuratuur, opinion of AG Pitruzzella, cit. para. 104.
113 Ibid. para. 129. His opinion is puzzling. One can legitimately question the reasons justifying that a prosecutor satisfying the requirements for issuing a European arrest warrant, potentially resulting in the deprivation of someone's liberty, would not qualify as an independent administrative body in the area of the protection of personal data.
114 Prokuratuur cit. para. 51.
115 Ibid. para. 52.
116 Ibid. paras 54-55.
117 See art. 2(7) to (10) of the General Approach cit.
118 Ibid. see arts 5(3), 5(4)(d) (production orders) and 6(2) (preservation orders).
119 Ibid. see art. 4(5) read in conjunction with arts 4(1)(a) and (3)(a).
120 The article stipulates that the validation must be sought ex-post “without undue delay, at the latest within 48 hours”. When such ex-post validation is not granted, the issuing authority must withdraw the order “immediately and shall, in accordance with its national law, either delete any data that was obtained or ensure the data are not used as evidence”.
121 Amendments 91 and 92 of the European Parliament Draft Report cit.
122 Ibid. 147.
123 See art. 2(8) and (9) of the European Parliament Report cit.
124 Ibid. See art. 2(7).
125 Ibid. See arts 4(1) and 5(3).
126 See La Quadrature du Net and Others cit. para. 155.
127 Ibid. para. 152. Emphasis added. The same reasoning cannot be applied to the IP addresses of the recipient of the communication.
128 Ibid. para. 154.
129 Art. 5(3) of the European Parliament Report cit.
130 Art. 5(4) of the European Parliament Draft Report cit. stipulates that EPOs for these categories “may only be issued for criminal offences punishable in the issuing State by a custodial sentence of a maximum sentence of at least five years”. One can ask whether this new threshold could have led to a race to more severe penalties at national level in order to fall within this requirement.
131 Art. 5(4) of the European Parliament Report cit.
132 Amendment 106 of the European Parliament Draft Report cit.
133 Art. 4(1)(a) and (3)(a) of the European Parliament Report cit.
134 M Böse, ‘An Assessment of the Commission's Proposals on Electronic Evidence' cit. 43.
135 Ibid. 39.
136 S Tosza, ‘The European Commission's Proposal on Cross-Border Access to e-Evidence' cit. 214.
137 Arts 5(2) and 6(2) of the European Parliament Report cit.
138 See European Digital Rights (EDRi), ‘EU “e-Evidence” Proposals Turn Service Providers into Judicial Authorities' (17 April 2018) edri.org; EuroISPA, ‘e-Evidence: EuroISPA Adopts Position Paper' (3 July 2018) www.euroispa.org; Council of Bars and Law Societies of Europe (CCBE), ‘Recommendations on the Establishment of International Rules for Cross-Border Access to Electronic Evidence' (28 February 2019) www.ccbe.eu 3, (hereafter CCBE, Recommendations on Cross-Border Access to Electronic Evidence); M Böse, ‘An Assessment of the Commission's Proposals on Electronic Evidence' cit. 41.
139 Expression used by M Böse, ‘An Assessment of the Commission's Proposals on Electronic Evidence' cit. 41.
140 Art 7(1) of the proposed Regulation. If a designated legal representative does not exist or does not comply with its obligations, the order may be addressed to any establishment of the service provider in the Union. See art. 7(2) to 7(4) of the proposed Regulation.
141 Ibid. art. 8(1).
142 Ibid. art. 9(1).
143 Explanatory Memorandum cit. 3.
144 See art. 1(1) EIO Directive cit.
145 Art. 14(4)(f) and. 14(5)(e) of the proposed Regulation.
146 See Ibid. art. 14(6).
147 Under art. 14(2) of the proposed Regulation, “the enforcing authority shall without further formalities recognise a European Production Order or European Preservation Order transmitted in accordance with paragraph 1 and shall take the necessary measures for its enforcement, unless the enforcing authority considers that one of the grounds provided for in paragraphs 4 or 5 apply or that the data concerned is protected by an immunity or privilege under its national law or its disclosure may impact its fundamental interests such as national security and defence”. Emphasis added. The issuing State transfers the order to the State where the service provider has its representative (the enforcing State) in order for the latter to take measures to enforce the order.
148 M Böse, ‘An Assessment of the Commission's Proposals on Electronic Evidence' cit. 41. In the context of the European arrest warrant, a refusal to execute for violation of fundamental rights has long been a hard bone of contention. The Framework Decision on the European arrest warrant (EAW) does not include a ground for refusal based on fundamental rights. At first, the Court of Justice leaned towards law-enforcement demands despite fundamental rights considerations. However, more recently, the Court seems to have restored the balance between the protection of fundamental rights and the effectiveness of the instrument by allowing States to refuse the execution of an EAW based on human rights grounds. On this topic see L Mancano, ‘A New Hope? The Court of Justice Restores the Balance Between Fundamental Rights Protection and Enforcement Demands in the European Arrest Warrant System' in A Weyembergh and C Briere (eds), The Needed Balances in EU Criminal Law. Past, Present and Future (Hart Publishing 2018) 285; J Ouwerkerk, ‘Balancing Mutual Trust and Fundamental Rights Protection in the Context of the European Arrest Warrant' (2018) European Journal of Crime, Criminal Law and Criminal Justice 103.
149 See, for instance, Opinion 23/2018 cit. 17; Opinion 7/2019 cit. para. 42; Recommendations on CrossBorder Access to Electronic Evidence cit. p. 3; European Parliament (LIBE Committee), 3rd Working Document (A) DT\1176298, Execution of EPOC(-PR)s and the role of service providers 4-5, (hereafter EP (LIBE Committee), 3rd Working Document (A)).
150 See United Nations, International Covenant on Civil and Political Rights of 23 March 1976, art. 2.
151 EP (LIBE Committee), 3rd Working Document (A) cit. 5; see Council of Europe, Convention for the Protection of Human Rights and Fundamental Freedoms (European Convention on Human Rights) of the 4 November 1950, art. 1.
152 See T Christakis, ‘Lost in Notification? Protective Logic as Compared to Efficiency in the European Parliament's e-Evidence Draft Report' (7 January 2020) Cross-Border Data Forum www.crossborderdata-forum.org. He emphasizes that this is a big difference compared to the physical world where the executing State is often at the same time the affected State. For instance, when State A resorts to mutual legal assistance in order to request from State B an investigative measure that will be executed on its territory (e.g. search and seizure of property), the affected State (State B) is also the executing State. State B can exercise its protective functions and refuse to execute such a request if that State considers that this would violate the human rights of the person present on its territory and targeted by the request.
153 See T Christakis, ‘E-Evidence in the EU Parliament: Basic Features of Birgit Sippel's Draft Report'(21 January 2020) European Law Blog europeanlawblog.eu.
154 Amendment 100 of the Draft Report. However, the affected State will not have the ability to object orders (see infra).
155 This issue was raised by Judge Marko Bošnjak of the European Court of Human Rights during the EP e-evidence hearing.
156 See ECtHR Matthews v United Kingdom App n. 24833/94 [18 February 1999] para. 32.
157 ECtHR Bosphorus Hava Yollari v Ireland App n. 45036/98 [30 June 2005] para. 156.
158 Ibid.
159 Statement by Judge M Bošnjak, EP e-evidence hearing. It has been stated in Avotins v Latvia regarding art. 6 of the Convention and concerned the functioning of the EU system of mutual recognition of judgments in civil and commercial matters. See ECtHR Avotins v Latvia App n. 17502/07 [23 May 2016] para. 116. This jurisprudence was confirmed later on in a number of instances. In the context of the EAW, see ECtHR Pirozzi v Belgium App n. 21055/11 [17 April 2018].
160 It is beyond the scope of this Article to determine whether service providers should and could play a role in the protection of fundamental rights. This question will be addressed over the next few years by the present author in her thesis.
161 According to art. 8(3) of the proposed Regulation, the certificate for production orders will contain the information listed in art. 5(3)(a) to (h) of the proposed Regulation which does not include the grounds for the necessity and proportionality of the measure. For preservation orders, under art. 8(4) of the prosed Regulation, the certificate will contain the information listed in art. 6(3)(a) to (f) which does not include the grounds for the necessity and proportionality of the measure.
162 EDRi, ‘Position Paper on the European Commission's Proposal for a Regulation on European Production and Preservations Orders for Electronic Evidence in Criminal Matters' cit. 20.
163 Explanatory Memorandum cit. 21.
164 See art. 9(5)(2) of the proposed Regulation.
165 Art. 9(1) of the proposed Regulation states that service providers “shall ensure that the requested data is transmitted”. Art. 10(1) states that the service provider “shall, without undue delay, preserve the data requested”.
166 Ibid. art.14(4).
167 Ibid. art. 14(5).
168 Ibid. art. 14(4) (f) and (5)(e).
169 Ibid. art. 14(6).
170 See art. 9(5) of the General Approach cit.
171 Ibid. art. 14(4) and (5).
172 See C Berthelemy, ‘EU Council's General Approach on "e-Evidence": From Bad to Worse' (19 December 2018) edri.org; at least seven EU States, including Germany, opposed the Council's draft. The Netherlands, for instance, denounced the Council's text for being adopted "too fast" and stated that it "opened the way for abuse by EU countries that lack sufficient guarantees over the rule of law and fundamental rights". See T Christakis, ‘Lost in Notification? Protective Logic as Compared to Efficiency in the European Parliament's e-Evidence Draft Report' cit.
173 EP (LIBE Committee), 6th Working Document (B) cit. 3. The Rapporteur noted that "taking over the same wording as the EIO seems to be even more important in order to overcome the current patchwork of clauses from different EU mutual recognition legal instruments and CJEU case-law. Even though it has become clear over time that a clear fundamental rights clause is essential for guaranteeing fundamental rights obligations, the practice has rather been to introduce different clauses for each mutual recognition instrument, with a clear intention by some to limit it or render it inapplicable".
174 For EPsOs, art. 10(1) of the proposed Regulation provides that upon receipt of the certificate, “the addressee shall, without undue delay, preserve the data requested”.
175 See art. 9(1) and (2) of the proposed Regulation. An emergency case is defined as a situation where there is an imminent threat to life or physical integrity of a person or to a critical infrastructure. See Explanatory Memorandum cit. 19.
176 Opinion 23/2018 cit. 6; Opinion 7/2019 cit. para. 62; EDRi, ‘Position Paper on the European Commission's Proposal for a Regulation on European Production and Preservations Orders for Electronic Evidence in Criminal Matters' cit. 5. The EDPS and EDRi recommended to make the six hours deadline for emergency cases a preferred time-limit rather than a mandatory one. See Opinion 7/2019‘ cit. para. 65; EDRi, ‘Position Paper on the European Commission's Proposal for a Regulation on European Production and Preservations Orders for Electronic Evidence in Criminal Matters’ cit. 5.
177 M Böse, ‘An Assessment of the Commission's Proposals on Electronic Evidence' cit. 41.
178 EuroISPA, ‘Position Paper on the Proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters' (June 2018) www.euroispa.org 2.
179 For an overview of the number of requests from law enforcement authorities received by Microsoft, for instance, see www.microsoft.com.
180 See art. 12 of the General Approach cit.
181 Art. 12 of the European Parliament Report provides that “where so claimed by the service provider, the issuing State shall reimburse the justified costs borne by the service provider and related to the execution of the European Production order or the European Preservation Order”.
182 M Böse, ‘An Assessment of the Commission's Proposals on Electronic Evidence' cit. 41.
183 Pecuniary sanctions shall also be applicable to infringements of the obligations pursuant to art. 11 of the proposed Regulation which relates to the confidentiality of production and preservation orders.
184 T Christakis, ‘Lost in Notification? Protective Logic as Compared to Efficiency in the European Parliament's e-Evidence Draft Report' cit.; EDPS, ‘Opinion 7/2019‘, cit., para. 66; EDRi, ‘Position Paper on the European Commission's Proposal for a Regulation on European Production and Preservations Orders for Electronic Evidence in Criminal Matters’ cit. 17.
185 Recital 46 of the proposed Regulation: “Notwithstanding their data protection obligations, service providers should not be held liable in Member States for prejudice to their uses or third parties exclusively resulting from good faith compliance with an EPOC or an EPOC-PR”.
186 Recital 46 of the General Approach: “Service providers should not be held liable in Member States for prejudice to their uses or third parties exclusively resulting from good faith compliance with an EPOC or an EPOC-PR. The responsibility to ensure the legality of the Order, in particular its necessity and proportionality, should lie with the issuing authority”.
187 Art. 13(1a) of the European Parliament Report cit.
188 European Parliament Draft Report cit. 146.
189 Art. 7(1) of the European Parliament Report cit.
190 Amendment 130 of the Draft Report cit.
191 However, each addressee would have had different prerogatives. While the executing State could object EPOs on several grounds that include a human rights clause identical to the one contained in the EIO Directive (see Amendment 142 of the European Parliament Draft Report cit.), the affected State did not have such a capacity. The affected State could only inform the executing State if the former considers that one of the grounds for non-recognition or non-execution applies (see Amendment 146 of the European Parliament Draft Report). While this mechanism is certainly an improvement in terms of fundamental rights protection compared to the Commission's proposed Regulation and the Council General Approach one may legitimately question whether it would create negative repercussions on the efficiency of the instrument. As a matter of fact, the Draft Report has provoked a strong reaction from the Commission. The institution claimed that the amendments suggested by the LIBE Committee's Rapporteur would have a major impact on the efficiency of the e-Evidence Proposal. See T Christakis, ‘Lost in Notification? Protective Logic as Compared to Efficiency in the European Parliament's e-Evidence Draft Report' cit.
192 Théodore Christakis notes that it is not surprising that Ireland was in favor of notifying the Member State where the person whose data are sought is residing. See T Christakis, ‘E-Evidence in a Nutshell: Developments in 2018, Relations with the CLOUD Act and the Bumpy Road Ahead' cit.
193 See arts 8a(1) and 10(1a) of the European Parliament Report cit.
194 Ibid. art. 8a(2). The service provider also has the obligation to simultaneously send a copy of the data transferred for information to the executing authority.
195 Art. 8a(3) of the European Parliament Report cit.
196 Ibid. art. 8a(4). The executing authority must immediately inform the service provider and the issuing authority of its decision.
197 Ibid.
198 Ibid. see art. 10a(1)(c).
199 Ibid. art. 9(1a).
200 Ibid. art. 9(2b).
201 Ibid arts 8a(7), 9(5)(2) and 10(6).
202 EP (LIBE Committee), 3rd Working Document (A) cit. 4; EuroIspa strongly advocates against service providers becoming actors responsible for checking orders against the local or the Issuing Member State's law as well as to signal non-compliant or abusive orders. See EuroISPA, ‘Position Paper on the Proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal mat-ters'cit. 1; for the Deutsche Telekom see A Petri, ‘No Law Enforcement by Private Corporations' (10 May 2018) www.telekom.com.
203 J Frank and L Cossette, ‘The e-Evidence Proposal - A Positive Step Forward’ (18 April 2018) Microsoft EU Policy Blog blogs.microsoft.com.
204 BSA | The Software Alliance, ‘BSA Welcomes Draft EU e-Evidence Legislation. Advocates for continued dialogue’ (16 April 2018) www.bsa.org.
205 EDRi, ‘Position Paper on the European Commission's Proposal for a Regulation on European Production and Preservations Orders for Electronic Evidence in Criminal Matters’ cit. 25.
206 See T Christakis, ‘“Big Divergence of Opinion” on e-Evidence in the EU Council: A Proposal in Order to Disentangle the Notification Knot’ (22 October 2018) Cross-Border Data Forum www.crossborderdataforum.org.
207 M Stefan and G Gonzalez Fuster consider that “the very rationale underlying the different provisions on the role of service providers does not, as a matter of fact, appear to be concerned with effectively replacing judicial authorities in terms of rule of law requirements, but rather with facilitating their intervention, and mitigating some possible conflicts”. See M Stefan and G González Fuster, ‘Cross-Border Access to Electronic Data Through Judicial Cooperation in Criminal Matters - State of the Art and Latest Developments in the EU and the US’ cit. 40.
208 For an overview of the basic features of the European Parliament Draft Report see T Christakis, ‘EEvidence in the EU Parliament: Basic Features of Birgit Sippel's Draft Report' cit. For an opinion on whether the European Parliament Draft Report strikes a right balance between necessary protection and efficiency see T Christakis, ‘Lost in Notification? Protective Logic as Compared to Efficiency in the European Parliament's e-Evidence Draft Report' cit.
209 See European Parliament (LIBE Committee) Draft Report on the Proposal for a Regulation of the European Parliament and of the Council on European production and preservation orders for electronic evidence in criminal matters, Amendments 268-582 (AM\1193813) and Amendments 583-841 (AM\1194325).

Files

Full Text

Send to

Details

Statistics

Bibliography

Similar publications

Your message to the ORBi team