Since its incorporation into the Tampere Conclusions, the issue of the admission of evidence obtained in cross-border criminal proceedings in the EU has been on the table. Article 82(2) of the Treaty on the Functioning of the European Union (TFEU) grants the European Parliament and the Council the ability to establish fundamental rules for the reciprocal admission of evidence. Common minimum standards on how evidence is to be gathered and transferred – and also on a limited set of exclusionary rules – are required to protect fundamental rights and facilitate judicial cooperation at the EU level, especially given that e-evidence introduces a cross-border element into virtually every criminal investigation and procedure. Due to the rapid digitalization of private and public spheres, as well as professional and non-professional activities, the importance of a common set of evidence standards, and in particular e-evidence standards, has increased. Furthermore, the repercussions of COVID-19 have a multiplier effect on the impact of e-evidence at the EU level, as the epidemic has caused a significant movement towards digitalization and a notable change towards the collection of e-data for security purposes (mainly geolocation, and to potentially track contacts of infected persons).
Recent legislative initiatives (Directive 2014/41/EU on the European Investigation Order (EIO) in criminal proceedings and Council Regulation (EU) 2017/1939 implementing greater cooperation on the establishment of the European Public Prosecutor’s Office, EPPO) have addressed this issue in part. However, the EIO provides no regulations governing the admissibility or rejection of evidence. The admissibility of evidence gathered in a foreign country will rely on how it was obtained and compliance with any applicable restrictions. Moreover, Article 37 of the EPPO Regulation essentially creates an inclusionary rule, leaving all possible grounds for evidence exclusion unaddressed.
As a result, there is no uniform policy among EU member states. The diversity of solutions in each Member State impedes the creation of what has been termed a “zone of free movement of criminal evidence” and may have a severe impact on the rights of defendants. In the past, Member States may have concluded that supranational standards on admissibility of evidence were not strictly required, and that, as a result, the principles of subsidiarity and proportionality for EU legislation would not be followed. However, the situation has changed dramatically over the past few decades as a result of obvious shifts in the modern “digital society.”
The Evidence Package
The European Commission proposed the “E-Evidence” legislative package (E-Evidence) on 17 April 2018 to overcome the widely discussed issues associated with the traditional instruments for cross-border gathering of electronic evidence. The main innovation of this proposal consists of allowing law enforcement in one member state to directly compel service providers in another member state to produce or preserve data. Internet service providers (ISPs) already play a significant role as gatekeepers for the data they possess, particularly in the context of voluntary cooperation. Due to restricted enforcement options, the frequently global context of data collection, and the economic clout of big ISPs, it is their decision whether or not to submit data to authorities. While the final text of the EPO Regulation is still being negotiated, I argue in this post that the proposal for the E-Evidence regulation (in all of its available versions) does not solve the problem of such “privatisation” of enforcement in the context of e-evidence collection, and I explain why this is problematic.
E-Evidence legislation has been in the legislative process for some time. While the EU Council agreed its broad strategy very swiftly, on 7 December 2018, The European Parliament’s (EP) extensive deliberations lasted over two years. On 11 November 2020, the EP delivered its Report on the draft Regulation, which differed significantly in some respects from the Council’s general approach, which was generally comparable to the Commission’s proposal.
The notification system, which establishes the criteria under which the authority originating the access request must notify the authorities in the executing member states, is one of the most contentious aspects.
For governments represented in the EU Council, making this process overly burdensome would negate the aim of the rule, but MEPs and civil society want protections for protected groups such as journalists, lawyers, and political activists. The member nations were successful in meeting the so-called “residence criterion.” In other words, if the individuals in question are residents of the member state executing the order, there is no need to notify the authorities of the executing country about the location of their data storage. If the requested information can only be used to identify a person, no notification is necessary.
In exchange, MEPs gained the notification’s suspensive effect. In the event that a law enforcement agency requests content and traffic data, the other member states will have ten days, or eight hours in the event of an emergency, to object. The suspension effect stipulates that the service provider must safeguard the requested communication but will be unable to disclose it until the deadline has passed and no rejection has been raised.
The executing member states may appeal the order if it violates the legal framework’s fundamental rights or immunities, such as press freedom. The legislature adopted the notion of dual criminality, which states that the persecuted crime must also be recognized in the country of execution.
Special safeguards against alleged infringement of basic rights have been added to orders refused by member states whose rule of law has been officially brought into question by the activation of EU procedures, such as Hungary and Poland at present.
Political problem that is yet to be resolved
Unresolved from a political standpoint is whether the executing member states ‘may’ or ‘shall’ oppose the order if one or more reasons for rejection are discovered. The Parliament favors the latter formulation because legislators want to guarantee that these precautions are applied effectively.
In accordance with the GDPR, the EU’s data protection regulation, the order must be sent to the data controller, the entity that determines why and how the data is processed. The authorities will only refer directly to the data processor, the organization that processes the data on behalf of the controller, in exceptional circumstances. The co-legislators of the EU only agreed in principle to the establishment of a common European exchange, an EU-wide platform for issuing orders that would guarantee the secrecy and legitimacy of the orders to service providers.
While the interinstitutional meeting, or trilogue in jargon, resulted in significant progress on a number of key issues, according to two knowledgeable sources, the gaps between the co-legislators may still be too substantial to be resolved at the technical level. The French negotiators were under significant political pressure to find an agreement before the end of their Presidency on Friday, and on Thursday they even requested a new political trilogue. However, the European Parliament could not meet such a short deadline.
Private actors and potential conflicts of interest
In light of the preceding, the E-Evidence package will establish a new connection between law enforcement agencies and ISPs, regardless of the establishment of the mandatory notification system. These are expected to become extended arms of law enforcement, replacing national authorities in the tasks of receiving, complying with, and reviewing orders. ISPs will unavoidably become more of a public authority than a private actor, although lacking the characteristics of public authorities, such as accountability, impartiality, and independence.
This shift of public responsibilities to ISPs, as envisaged by the E-Evidence package, is not novel in European law, but rather conforms to a pattern that has intensified over the past few years. Indeed, private players’ participation in crime prevention has increased. This tendency is exemplified by the AML regulatory framework: private actors, particularly banks and financial institutions, are required to create risk prevention measures and report to competent authorities in order to avoid money laundering or terrorism funding. In this sense, the E-Evidence proposal codifies a quantum leap in the role of private actors: not only are they involved in crime prevention, but they are also required to play an active (proactive) role in enforcement by directly responding to requests from a law enforcement authority and evaluating the validity and legitimacy of these requests.
This role poses various questions. ISPs, as private actors, are entities that are profit-driven and answerable to their owners or stakeholders. These traits have (at least) a double bearing on their ability to fulfill this public function. First, ISPs will make decisions based on their commercial interests. In fact, unlike public actors, when ISPs must choose between competing ideals, they do so at the risk of punishment for noncompliance or reputational damage, which may have a direct impact on their financial interests. Moreover, even if private actors present themselves as acting for the greater good, they will only engage in this manner if it serves their financial interests. The commercial reasoning also influences the accountability and duty of ISPs. A democratic system of accountability controls value judgments in the public realm; private firms (i.e. ISPs) are answerable to their owners first and foremost.
Lastly, additional practical issues relating to the implementation of such power may arise due to the potential for ISPs to abuse their authority. For instance, what about ISP personnel who are offered bribes to influence the judgments they execute? This sort of corruption, however, no longer affects the private sphere, as it is not a violation of the entity’s duty. This circumstance more closely resembles public corruption but is not covered by the applicable regulations.
There appears to be a need for cooperation between law enforcement agencies and ISPs, given the latter possess information that may be crucial to criminal investigations. This new interaction between public bodies and commercial players cannot be governed by the current regulatory system. Consequently, legislative intervention is required, and the E-Evidence package has the ability to eliminate one of the most significant barriers facing contemporary criminal investigations. However, a more complete framework is required to ensure that the rights of impacted individuals are adequately protected and that their fate is not contingent on the commercial interests of private enterprises.
The issue of the public duty of ISPs is not confined to the collection of electronic evidence. Similar issues and arguments can be raised in relation to online content control and the Digital Services Act discussion (DSA). The challenges in negotiating both legislative proposals (E-Evidence and DSA) highlight how difficult it is to manage a domain in which private players wield so much effective enforcement capacity and de facto adjudicative authority. To guarantee the fairness of the procedures and the correct protection of the fundamental rights of the affected parties, however, a precise set of boundaries is required. If shared adjudication is to be recognized, a significantly more robust structure must be established to protect the rights of those affected.