E-Evidence: Data Protection vs. Criminal Law
The European Commission presented a new package of measures to expand the “Security Union”. The aim is to further restrict terrorism and crimes that take place on the Internet. Part of this package of measures is the e-Evidence Regulation (or e-Evidence Directive). Read here about the status of the negotiations on E-Evidence, which amendments are currently under consideration, and what problems data protectionists see with e-Evidence.
The International Cooperation of Judicial Authorities
The judiciary, like many other areas, is regulated nationally. Each EU member state has its own criminal law and law enforcement agencies. Cross-border crimes currently result in very long processing times when it comes to securing evidence in another country. The EU Ministers of the Interior (JHA Council) therefore support the great desire to significantly shorten the current Mutual Legal Assistance Treaties (MLAT).
Another problem exists due to the different legal provisions in the EU and the USA. In the European Union, special data protection exists through the General Data Protection Regulation (GDPR). In the US, on the other hand, the CLOUD Act gives law enforcement authorities extended access to data. Because of the international interconnectedness of data traffic and the globally operating cloud storage providers, problems arise due to the different legal practices.
The European Union and Electronic Evidence
The fact that authorities want better access to electronic evidence and that data protectionists consistently oppose this is a familiar pattern. Nevertheless, it is worth taking a closer look at the situation within the European Union.
Increasing digitalization in everyday life is leading to an ever-growing number of data trails. For example, it is not just our phones that collect information about us. A variety of smart devices create information that can be helpful in solving crimes. Think, for example, of electronic door locks, residential surveillance cameras or smart-home speakers. Investigators should have more data available to them every year. Instead, they say that because of encryption fewer and fewer crimes can be solved.
EU E-Evidence: The Basic Ideas
E-Evidence introduces a so-called Production Order. It can be issued by a member state and must then be executed in the member state where the evidence is stored. This is referred to as the state who imposes the order and the state who executes the order.
According to this Production Order, four categories of data can be requested as part of investigations:
- Subscriber Data: Identity and address data of customers, which services have been booked and how payment is made, i.e., inventory data.
- Access Data: Metadata on the specific use of a service: date and time, IP address, user ID.
- Transactional Data: Metadata on the type of use of services: sender and recipient of e-mails, geolocation of end devices, protocols used.
- Content Data: Stored content data, i.e. text, image, sound or video.
Those affected – in the sense of being obliged to hand over information – would primarily be cloud storage providers. But telecommunications companies and social networks would also have to hand over information on EU citizens at the request of foreign authorities. It is still open whether financial service providers could also be forced to hand over data through e-evidence.
Problems With the Criminal Law
A major problem in investigative cooperation within the European Union is the 27 different criminal laws of the member states. What is permitted in one country is punishable by several years' imprisonment in another. Differences exist, for example, in abortion rights, Holocaust denial, and in the classification of professional secrets. Various restrictions are provided for here, but the current version still poses major risks.
Even without e-Evidence, there have already been conflicts in the areas mentioned. Especially about member states that have problems with the rule of law (Poland and Hungary), the creation of new, powerful legal remedies is an explosive issue. There is a risk that courts from these countries will prosecute journalists, activists, and opposition figures in other countries.
Problems With the Verification of Legality
In the current version of e-Evidence, the process of a Production Order is described in such a way that the examination of the legality of the order is carried out by the company (cloud provider, telecommunications provider, social network) that receives the order. This would force these private-sector companies to perform tasks that are reserved for government agencies.
The EU Parliament sees a completely different path here: the surrender order should first be examined in the executing state to determine whether it is a politically motivated investigation. If the procedure were changed to this effect, fundamental rights such as freedom of expression and freedom of the press could be effectively protected against reprisals from abroad.
Tom Jenissen, Digitale Gesellschaft e.V., comments:
The protection of professional secrets, especially journalists, is insufficiently developed. Even if Parliament gets its way, no European minimum standards for the release of such data will be introduced. Instead, a complicated system of different levels of protection is envisaged, depending on the legal systems of the executing states and/or the countries in which the data subject resides, the practicality of which is highly doubtful.
The proposal of the EU Parliament could make it possible to protect the secrets of professional secrecy holders and persons with immunity. Neither is addressed in the Commission's current draft. The Parliament also proposes a platform to handle data exchange for law enforcement purposes. This could be the interface between the authorities of the member states.
A notification obligation is also to be added to check legality. Here, the EU Parliament sees a need to catch up, because such an obligation is currently not provided for. But to create equality of arms in a legal dispute and give suspected persons the opportunity to defend themselves, they must be informed that personal information and files have been requested.
Sergey Lagodinsky, Member of the European Parliament (Bündnis 90/Die Grünen) summarizes the situation in a technical discussion like this:
People think this is just a minor detail in the criminal procedure. [But] this is about data and how easy it would be for a prosecutor from abroad whom you don’t even know and in a procedure, you don't even know to get your data obtained automatically without your home country authorities even having a glance at them or doing anything against that.
E-Evidence: Regulation or Directive?
The EU Commission originally planned E-Evidence as a directive. Parliament is now calling for it to become a regulation. The latter would have the advantage that the member states would have no leeway in implementation.
The next step is the so-called “trilogue” negotiations between the European Parliament, the Council of the European Union and the European Commission, in which the final version of e-Evidence will be elaborated. The status of the procedure can be seen here.
What you need to know now
Currently, e-Evidence is still in draft status. Parliament now can push through its demands in several rounds of negotiations. EU civil rights activists are optimistic that the protection of fundamental rights will be considered in the next versions. But to be on the safe side, you should definitely check whether your data is sufficiently protected in the cloud, i.e. with end-to-end encryption.