In April 2018, the European Commission published a “Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters”.^[1] The reason for this new piece of legislation is easily explained: As most of the communication unfolds online nowadays, these data pools are a great object of desire for (investigative) authorities across all member states.^[2] This was one of the reasons for the creation of the European Investigative Order (EIO)^[3] in 2014. However, this mechanism still “suffers” from two shortcomings:

• Although it is a tool that harmonises the production and preservation of evidence across the borders of Member States, it does – obviously – neither apply nor bind Online Service Providers (OSP) of communication services that are based outside the EU.
• Even between the fairly harmonised Member States, an EIO may take weeks or even months before it is returned.^[4]

The proposed e-evidence regulation (in the following: draft regulation) is supposed to solve these problems foremost by abandoning the principle of territoriality. Member State authorities shall be competent to approach service providers in and outside of the EU to hand over the evidence directly without the need of approaching locally competent authorities first. For the cases of non-compliance, the member states shall have implemented “effective, proportionate and dissuasive” sanctions:

According to Art. 2 para. 1 of the draft regulation a ‘European Production Order’ is a binding decision by an issuing authority of a Member State compelling a service provider offering services in the Union and established or represented in another Member State, to produce electronic evidence;

According to Art. 2 para. 2 of the draft regulation, a ‘European Preservation Order’ is a binding decision by an issuing authority of a Member State compelling a service provider offering services in the Union and established or represented in another Member State, to preserve electronic evidence in view of a subsequent request for production;

According to Art. 2 para. 3 of the draft regulation, ‘service provider’ means any natural or legal person that provides one or more of the following categories of services: (a) electronic communications service as defined in Article 2(4) of [Directive establishing the European Electronic Communications Code]; (b) information society services as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council for which the storage of data is a defining component of the service provided to the user, including social networks, online marketplaces facilitating transactions between their users, and other hosting service providers; (c) internet domain name and IP numbering services such as IP address providers, domain name registries, domain name registrars and related privacy and proxy services.

The service provider does not have to be located in a EU Member State, because ‘offering services in the Union’ means: (a) enabling legal or natural persons in one or more Member State(s) to use the services listed under (3) above; and (b) having a substantial connection to the Member State(s) referred to in point (a).

As Art. 3 of the draft regulation shows, there is no material and territorial scope to be defined on a case-by-case basis (see for example Art. 2 and 3 of the GDPR). There is only a material scope defined by service providers offering services in the EU which might be of relevance in connection with criminal proceedings.

Art. 13 of the draft regulation determines that without prejudice to national laws which provide for the imposition of criminal sanctions, Member States shall lay down the rules on pecuniary sanctions applicable to infringements of the obligations pursuant to Articles 9, 10 and 11 of this Regulation and shall take all necessary measures to ensure that they are implemented. The pecuniary sanctions provided for shall be effective, proportionate and dissuasive. Member States shall, without delay, notify the Commission of those rules and of those measures and shall notify it, without delay, of any subsequent amendment affecting them.

In case the addressee does not comply with its obligations under a recognised Order whose enforceability has been confirmed by the enforcing authority, that authority shall, according to Art. 14 para. 10 of the draft regulation impose a pecuniary sanction in accordance with its national law. An effective judicial remedy shall be available against the decision to impose a fine.

I. What’s the problem?

To start with, the threshold for an evidence request is very low, which may pose a variety of dangers even amongst the Member States (1.). For another, as tempting as it may sound to “seize” data located outside the EU (meaning particularly in the US), it will come at a heavy prize (2.). And lastly, the concept of controls planned for questionable orders is ill-balanced (3.).

1. The lowest bar should never be the standard

According to Art. 4 para. 1 lit. a of the draft regulation, the “issuing authority” can be judges, courts or competent prosecutors. What is rather unexpected, is that it also names “any other competent authority as defined by the issuing State […]” (cf. Art. 4 para. 1 lit. b, para. 2 lit. b and para. 3 lit b). This means nothing other than allowing all Member States to decide, which authority should be competent to demand from any given service provider to produce or preserve data on any given data subject, as long the order relates to a criminal proceeding within the issuing state.

The production order may only be issued if it is necessary and proportionate for the purpose of the proceedings referred to in Article 3 para. 2 and may only be issued if a similar measure would be available for the same criminal offence in a comparable domestic situation in the issuing State (Art. 5 para. 2 of the draft regulation), for “all criminal offences” (Art. 5 para. 3 of the draft regulation) as long as they are “punishable in the issuing State by a custodial sentence of a maximum of at least 3 years” (Art. 5 para. 4 lit. a of the draft regulation) or related to specific offences set out in Art. 5 para. 4 lit. b of the draft regulation.

To put this into perspective, a small example:

A Polish woman seeks an abortion in another EU Member State to avoid the legislation in her home country. She contacts several doctors, finally arranging an appointment with one via WhatsApp. Word gets around in her village that she is trying to terminate her pregnancy so the local police officer steps in and orders WhatsApp to produce all communication of that women within 6 hours, stating that it is a life and death matter.

Since Poland has authorised police officers – in our little example – to issue a Production Order and because abortion is punishable by a custodial sentence of up to three years, or even up to eight years (Art. 152 Polish Penal Code), in Poland WhatsApp will have to produce the “e-evidence” under this draft regulation.

That means the proposal allows Member States to force their ideas behind their national law on others. Having in mind cases of big tech escaping national competent authorities with regard to tax issues, for example, this might be a good idea. However, the last couple of years have shown that the Member States are not all equal when it comes to the rule of law.^[5] Forcing lower standards onto other states puts fundamental rights at risk and would demonstrate a stark contrast between the European Ideal and its reality.

2. EU and US: Do ut des or an eye for an eye?

Under the draft regulation states are required to “tolerate” that their companies are subject to foreign search warrants without the need of complying with their national law. This would create diplomatic problems, which could be resolved by offering the other side to “tolerate” their search warrants too. Having in mind the abandoned principle of territoriality, this offer would not be limited to EU Member States but include deals with the USA as well. That means, if the EU wishes to have a legal tool to “tap into” the data pools held by the US tech giants, they will have to be willing to grant US investigators similiar access to EU data pools.^[6]

It is a fact that the European Commission is negotiating a deal with the US on how to exchange data as a “useful addition”^[7] to the draft regulation that is not even existing and has met harsh critique^[8]. It also remains to be seen how the conflicts with the Schrems-II-ruling^[9] of the European Court of Justice (ECJ) will be solved. The ECJ had ruled that the “privacy shield” between the US and the EU cannot be upheld because of the possible violations of the GDPR on the US side.^[10]

What is most disturbing is that the greatest problem in obtaining evidence from service providers is less the unwillingness from their side to respond to (founded) queries but rather the improper approach by the authorities.^[11]

Already in 2018 a great number of data requests based on existing local law (partially in combination with the Budapest Convention^[12]) was sent to the tech companies via “the good old ways”. 

fig. 1: Number of EU law enforcement data requests in 2018 to major providers (source: Europol^[13])

These requests had an average success rate of 66%.^[14]

fig. 2: Success rate of data requests to major online service providers in 2018 (source: Europol^[15])

The above figure should show that it is possible to achieve a high success rate and that the problem cannot just be the service provider simply ignoring the request. As mentioned before, the problem is more on the side of the issuers. Most of them admit that they have never been trained in what, how or even where they should issue their request.^[16]

So the answer to the problem, as the SIRIUS report finds itself, is rather a proper training of the authorities’ personnel^[17] and for the service providers to publish guidelines on how to obtain the requested data from them.^[18] Thereby making the draft regulation superflux.

3.  Who controls the states’ investigators?

The draft regulation, however, does not provide that authorities in the home state of the service provider should be heard or even informed prior to the issuing of an Order. But then, who controls the legality of the Order? Of course, the issuing authority will have its own means of quality control. But since the investigator is hardly the right person to control his own actions the service providers are designated by the draft regulation to be the ones to control the legality of an Order. Should the service provider have any issues with an Order then it should be  addressed towards the competent authorities (Art. 9 para. 5 of the draft regulation).

Private companies are generally not competent in controlling state actions, especially observing the handling of “Fundamental Rights” (sic! Art. 9 para. 5 of the draft regulation). Under the draft regulation, private companies are “allowed” to “oppose” the Order should the formal criteria (i.e. competent authority) not be met (Art. 14 para. 4. purs. of the draft regulation). It imposes on them the burden to be able to decide within a maximum of ten days (Art. 9 para. 1 of the draft regulation) and, in “emergencies”, within six hours (Art. 9 para. 2 of the draft regulation), whether the Order meets the legal requirements. That puts the service provider in a dilemma situation: If the service provider wrongfully decide to comply, it will likely be subject to claims by the data subject. However, should it wrongly refuse, it will likely face sanctions (Art. 13 of the draft regulation).

As mentioned, affected companies located in a third country do have the right to object an Order under Art. 15 of the draft regulation.  It is up to them to inform the issuer about the national laws. According to Art. 15 para. 2 of the draft regulation, the reasoned objection shall include all relevant details on the third country law, its applicability to the case at hand and the nature of the conflicting obligation; it cannot be based on the fact that similar provisions concerning the conditions, formalities and procedures of issuing a Production Order do not exist in the applicable law of the third country, nor on the only circumstance that the data is stored in a third country. The deadlines named above apply via Art. 15 para. 1 and 9 para. 5 of draft regulation.

According to Art. 15 para. 3 of the draft regulation the issuing authority shall review the Production Order on the basis of the reasoned objection. If the issuing authority intends to uphold the Production Order, it shall request a review by the competent court in its Member State. The execution of the Order shall be suspended pending completion of the review procedure.

Therefore, a third country addressee depends on a foreign country’s court which decides on the basis of a legal situation described in a paper produced within a few hours or days. The same applies for conflicting obligations according to Art. 16 of the proposed e-evidence regulation.

In any case, the small time window argues against a genuine right. Given the demanded “effective, proportionate and dissuasive” sanctions that may follow a refusal, it is less of a right but more of a fig-leaf. In particular, when having in mind that a third country company depends on the understanding of a foreign country’s court.

II.  What is the status quo?

On 7 December 2020, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament has voted^[19] on its Report thereby commenting and amending the Council’s proposal.^[20]

Following the Rapporteur’s Lead (Birgit Sippel) the LIBE Committee has demanded among others to expand the emergency deadline to 16 hours, to have different procedures in place for Orders issued by states that are facing Art. 7 (European Treaty^[21])-proceedings (due to a violation of the rule of law) and to inform the state where the service provider is situated prior to the issuing of the Order and to give that state the right to oppose.^[22]

However, the LIBE Committee remains silent on the subject of confidentiality privileges: In the time of territoriality, a piece of evidence was unavailable if it fell under special confidentiality rules (attorney, medical, journalist privilege) at the location of its production. That piece of evidence was (usually) unusable if it fell under such rules under the regime of the presiding court. The draft regulation would give up this concept. The LIBE Committee is content to only point out that it is important to respect the local rule of confidentiality.

Irrespective of the legal situation, exchanging evidence between member states already happens through E-Codex.^[23] As of now, this platform is only a research project to enable the “actual exchange” of evidence between the Member States. However, it may create a factual basis which, in the worst case, the laws will adapt to.

III.  What should be done?

The draft regulation should be abandoned. It is not necessary and will cause more problems than it will solve. By taking this step “forward” the EU would actually take three steps back. The greatest problems as identified, i.e. time and skills for issuing investigation orders, can be solved by a better allocation of resources and training of authority personnel including the improvement of language skills.^[24] The draft regulation will neither improve this situation nor the results.

V

V

^[1]  2018/0108 (COD), available at: https://eur-lex.europa.eu/resource.html?uri=cellar:639c80c9-4322-11e8-a9f4-01aa75ed71a1.0001.02/DOC_1&format=PDF (29.12.2020).

^[2]  2018/0108 (COD), Explanatory Memorandum, p. 1.

^[3]  Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters, OJ L 130, 01.05.2014.

^[4]  Fanta: Amazon für Ermittlungsbehörden, 10.07.2019, available at: https://taz.de/Datenabfrage-per-Mausklick/!5606069/; Spiegel: Deutschland wird überstimmt, Barley warnt vor Missbrauch, 07.12.2018, available at: https://www.spiegel.de/netzwelt/web/e-evidence-verordnung-eu-staaten-billigen-regeln-zu-elektronischen-beweismitteln-a-1242555.html (all 28.12.2020).

^[5]  Spiegel: Deutschland wird überstimmt, Barley warnt vor Missbrauch, 07.12.2018, available at: https://www.spiegel.de/netzwelt/web/e-evidence-verordnung-eu-staaten-billigen-regeln-zu-elektronischen-beweismitteln-a-1242555.html (28.12.2020).

^[6]  Fanta: e-Evidence: Bundesregierung fürchtet um Journalisten und Klimaaktivisten, 08.07.2019, available at: https://netzpolitik.org/2019/e-evidence-bundesregierung-fuerchtet-um-journalisten-und-klimaaktivisten/; Monroy: US-Behörden wollen Telekommunikation in Europa abhören, 28.05.2019, available at: https://netzpolitik.org/2019/us-behoerden-wollen-telekommunikation-in-europa-abhoeren/ (all 28.12.2020).

^[7]  Response from the German Ministry for Consumers to a parliamentary inquiry dated 21.11.2019, p. 4, available at: https://www.heise.de/downloads/18/2/7/9/9/6/0/7/hunko.pdf.

^[8]  https://www.heise.de/newsticker/meldung/E-Evidence-EU-Verhandlungsfuehrerin-will-Cloud-Daten-besser-absichern-4591779.html ;https://www.spiegel.de/netzwelt/web/e-evidence-verordnung-eu-staaten-billigen-regeln-zu-elektronischen-beweismitteln-a-1242555.html (28.12.2020).

^[9]  EU Court (Great Chamber) CASEC-311/18, ruling of 16.07.2020; ECLI:EU:C:2020:559.

^[10]  EU Court (Great Chamber) CASEC-311/18, ruling of 16.07.2020; ECLI:EU:C:2020:559.

^[11]  Europol: SIRIUS EU Digital Evidence Situation Report 2019, 20.12.2019, p. 23 purs., available at: https://www.europol.europa.eu/sites/default/files/documents/sirius_eu_digital_evidence_report.pdf (28.12.2020).

^[12]  Convention on Cybercrime (Budapest, 23.11.2001), European Treaty Series – No. 185, available at: https://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680081561 (28.12.2020)

^[13]  Europol: SIRIUS EU Digital Evidence Situation Report 2019, 20.12.2019, p. 12, available at: https://www.europol.europa.eu/sites/default/files/documents/sirius_eu_digital_evidence_report.pdf (28.12.2020).

^[14]  Europol: SIRIUS EU Digital Evidence Situation Report 2019, 20.12.2019, p. 13, available at: https://www.europol.europa.eu/sites/default/files/documents/sirius_eu_digital_evidence_report.pdf (28.12.2020).

^[15]  Europol: SIRIUS EU Digital Evidence Situation Report 2019, 20.12.2019, p. 13, available at: https://www.europol.europa.eu/sites/default/files/documents/sirius_eu_digital_evidence_report.pdf (28.12.2020).

^[16]  Europol: SIRIUS EU Digital Evidence Situation Report 2019, 20.12.2019, p. 16, available at: https://www.europol.europa.eu/sites/default/files/documents/sirius_eu_digital_evidence_report.pdf (28.12.2020).

^[17]  Europol: SIRIUS EU Digital Evidence Situation Report 2019, 20.12.2019, p. 27, available at: https://www.europol.europa.eu/sites/default/files/documents/sirius_eu_digital_evidence_report.pdf (28.12.2020).

^[18]  Europol: SIRIUS EU Digital Evidence Situation Report 2019, 20.12.2019, p. 26, available at: https://www.europol.europa.eu/sites/default/files/documents/sirius_eu_digital_evidence_report.pdf (28.12.2020).

^[19]  European Parliament: eMeeting for Committees – LIBE, 07.12.2020, available at: https://emeeting.europarl.europa.eu/emeeting/committee/en/agenda/202012/LIBE?item=ILIBE(2020)1207_1EN-6&lang=en (28.12.2020).

^[20]  Report on the proposal for a regulation of the European Parliament and of the Council establishing the conditions for accessing other EU information systems for ETIAS purposes and amending Regulation (EU) 2018/1240, Regulation (EC) No 767/2008, Regulation (EU) 2017/2226 and Regulation (EU) 2018/1861 (COM(2019)0004 – C8-0024/2019 – 2019/0002(COD)), available at: https://www.europarl.europa.eu/doceo/document/A-9-2020-0255_EN.html (28.12.2020).

^[21]  Treaty on European Union (2012/C 326/01), available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:12012M007 (28.12.2020)

^[22]  Fanta: eEvidence-Parlament will etwas mehr Schutz bei behördlichen Datenzugriffen in Drittstaaten, 08.12.2020, available at: https://netzpolitik.org/2020/eevidence-parlament-will-etwas-mehr-schutz-bei-behoerdlichen-datenzugriffen-in-drittstaaten/ (28.12.2020).

^[23]  Krempl: E-Evidence: EU und Deutschland schaffen Fakten beim Austausch von Cloud-Daten, 02.12.2019 https://www.heise.de/newsticker/meldung/E-Evidence-EU-und-Deutschland-schaffen-Fakten-beim-Austausch-von-Cloud-Daten-4602302.html ; e-CODEX: General Introduction to e-Codex, available at: https://evidence2e-codex.eu/p/p/r/project-e-codex-in-a-nutshell-2020-01-661.pdf (all 28.12.2020).

^[24]  Europol: SIRIUS EU Digital Evidence Situation Report 2019, 20.12.2019, p. 25, available at: https://www.europol.europa.eu/sites/default/files/documents/sirius_eu_digital_evidence_report.pdf (28.12.2020).