Electronic evidence (‘e-evidence’) plays a central role in the fight against crime both online and offline. But the goal of ensuring access to such evidence must be reconciled with the need for protecting data privacy and other fundamental rights. The European Union is in the process of adopting a regulatory framework for e-evidence. It needs to strike the right balance both in substance and in scope of application.
The necessity of providing law enforcement with access to electronic evidence (“e-evidence”) is obvious. Both online and offline crimes frequently leave electronic traces that can be crucial to investigation of those crimes, conviction of those responsible and protection of the innocent.
At the same time, it is equally obvious that there must be clear and strict limitations placed on such access. Furthermore, as important fundamental rights – most prominently privacy rights and the right to a fair trial – are at play in any situation of law enforcement getting access to e-evidence, law makers must take great care to ensure rights-respecting solutions.
This necessary balancing of rights and interests paints a picture of great complexity. And we’re speaking so far in a domestic context. When we discuss the need for law enforcement to have cross-border access to e-evidence, that complexity is multiplied. We then also need to take into account the facts that:
- Not all states respect human rights; and
- Amongst the states that do respect human rights, it is commonly the case that they strike different balances between competing human rights.
Against this background, it is a brave move for the European Union to embark on the journey towards a comprehensive framework for law enforcement access to e-evidence. Be that as it may, such a development is a necessity for effective law enforcement. Indeed, the EU is far from alone in seeking to make progress in this field. For example, the Council of Europe is working on a “Second Additional Protocol to the Convention on Cybercrime on enhanced cooperation and disclosure of electronic evidence”, the United Nations Office on Drugs and Crime (UNODC) has developed a Data Disclosure Framework and the US now has its Clarifying Lawful Overseas Use of Data (CLOUD) Act, impacting when and how law enforcement in other states can access e-evidence held by US companies.
The EU’s proposed framework consists of a Directive and a Regulation. Briefly, the overall effect of the proposed Directive is to lay down harmonized rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings. It establishes rules on certain service providers’ legal representation in the Union for purposes of receipt of, compliance with and enforcement of decisions and orders issued by competent authorities of the member states for the purposes of gathering evidence in criminal proceedings.
The Proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters (the Regulation) complements this by putting in place a scheme under which service providers – including foreign service providers – are obligated to designate a legal representative in the Union. It ensures that e-evidence (such as emails, messages and text in apps) and potentially identifying information about perpetrators is preserved and can be directly accessed through service providers or their legal representatives in other member states.
These measures – while supportive of law enforcement activities – are also meant to guarantee strong protection of fundamental rights, including safeguarding the right to protection of personal data, and to provide legal certainty for businesses and service providers. The proposed safeguards are both internal (i.e. some of them stem from the text) and external (i.e. resulting from the context in which both proposals must be read). For instance, Article 5 of the Regulation imposes conditions for issuing a European Production Order such as necessity and proportionality. While European Production Orders to produce subscriber data or access data may be issued for all criminal offences, stricter conditions apply when such an order is sought in relation to transactional data or content data. It should also be mentioned that the Regulation – as is commonly the case with instruments such as this – distinguishes between different types of data. However, the Regulation’s rather traditional approach to the classification of data types represents a missed opportunity to modernise this data classification.
With the proposed legislation, the EU also aims to address the challenge of legal certainty for businesses and service providers. Article 5(5) of the Regulation outlines types of information that a European Production Order must include. The amendments proposed by the Parliament go even further in that they suggest that national authorities “shall not issue domestic orders with extraterritorial effects for the production or preservation of electronic information that could be requested on the basis of this Regulation.”
Views on whether the proposed e-evidence instruments provide adequate safeguards differ. For example, European Digital Rights (EDRi) expressed concerns about the lack of involvement for the “affected state” and the insufficient involvement of the executing state (see here regarding notification issues in general), as well as the lack of safeguards against fishing expeditions and deficiencies in mutual trust and EU judicial cooperation.
Geographical Scope of Operation
It is clear that EU instruments may have considerable direct and indirect effects outside the European Union. The EU’s General Data Protection Regulation (GDPR) is the best illustration. In light of that, a short discussion about the geographical scope of the proposed acts is merited.
Assessing the impact of the proposed approach on actors outside the EU requires a better understanding of several key concepts. First, the definition of the type of service providers caught by these instruments is broad. It covers any natural or legal person that provides one or more of several types of services, including Internet domain name and IP numbering services, certain electronic communications services and information society services “for which the storage of data is a defining component of the service provided to the user” (e.g. social networks, online marketplaces and other hosting service providers).
Second, the jurisdictional scope of the proposed legal framework applies to service providers “offering services” in the Union or a member state. While this sounds broad, offering services in a member state (or in the Union) means enabling legal or natural persons in a member state to use the service and “having a substantial connection to the Member State” in question. At first glance, this approach fits neatly within the jurisprudential framework for jurisdiction that, instead of focusing on territoriality, as was previously common, stresses the relevance of a substantial connection between the matter and the state seeking to exercise jurisdiction, that state’s legitimate interest in the matter and whether the exercise of jurisdiction is reasonable given the balance between the state’s legitimate interests and other interests. However, a closer examination of the recitals of the Commission proposal and the Parliament’s proposal reveals that: “such a substantial connection to the Union shall be considered to exist where the service provider has an establishment in the Union, or, in the absence of such an establishment, based on the existence of a significant number of users in one or more Member States, or the targeting of activities towards one or more Member States”.
Consequently, we are really dealing with a “targeting test” like those of the GDPR and the consumer protection provisions of the Brussels I bis Regulation. It incorporates all the uncertainties, blemishes and warts typical of a targeting test, and clearly has the potential to cater to far-reaching jurisdictional claims that have little to do with any truly “substantial connection”.
Third, it is encouraging to see rather sophisticated interest balancing clearly articulated in the proposed e-evidence instruments, notably Articles 15 and 16 of the Regulation. They aim to ensure comity with respect to the sovereign interests of third countries, to protect the individuals concerned, and to address conflicting obligations on service providers by creating a mechanism for judicial review in cases of clashes of legal obligations stemming from the laws of third states (Proposal for Regulation, Recital 47). These provisions instruct the court to weigh a number of elements in an interest-balancing exercise designed to ascertain the strength of the two involved jurisdictions’ connections, the parties’ respective interests in obtaining or preventing disclosure of the data and the possible consequences for the service provider of having to comply with the Order (Proposed e-evidence Regulation, Recital 52).
The proposed e-evidence framework – if adopted – will create an influential and important structure with far-reaching implications. Many issues require further attention, and there are distinct differences between the Commission’s proposal and the one advanced by the Parliament.
However, the discussion about the proposed framework raises the important question of how to deal with potential overlaps and highlights the need to coordinate with other overlapping or otherwise related initiatives. One solution is to require that big players such as the EU undertake “scalability assessments” to determine the impact of their proposed approach on other parts of the world as well as the consequences of other states adopting the same approach.
About the Author
Professor Dan Jerker B. Svantesson is based at the Faculty of Law, Bond University (Australia). He is a Researcher at the Swedish Law & Informatics Research Institute, Stockholm University (Sweden), and at Masaryk University (Czech Republic). He has been identified as the field leader in 'Technology Law' in The Australian RESEARCH magazine three years in a row (2018, 2019 and 2020).