The Council, Parliament and Commission reached a political agreement on Tuesday evening (29 November) on new legislation allowing law enforcement authorities to obtain electronic evidence stored in another Member State.
The Electronic Evidence Regulation (Electronic evidence) aims to facilitate cross-border criminal investigations by establishing a cooperation mechanism enabling European police forces to obtain evidence stored in electronic form by a service provider such as a courier or e-mail service based in a other State member of the EU.
The tentative deal, which still needs to be ratified by MEPs and EU governments, has sparked controversy. On the one hand, member countries have requested a reduction in administrative formalities to promote rapid investigations. On the other hand, MEPs insisted on the need to put in place stronger safeguards against abuse.
Last June, the French Presidency of the Council of the EU tried to conclude an agreement but exceeded the limits of its mandate. Subsequently, the Czech Presidency resumed consultations with national ministers after securing a revised mandate from EU ambassadors last week, as EURACTIV had anticipated.
“Besides the obvious benefits for law enforcement authorities, we should not forget that direct cooperation between law enforcement authorities of one Member State and the service provider of another Member State also entails risks”said Birgit Sippel, the European Parliament’s main rapporteur on the dossier.
“This is why Parliament insisted on the protection of fundamental rights. »
The Electronic Evidence Regulation empowers judicial authorities to issue European Production Orders to request electronic evidence from a service provider established in another State member of the EU. The time allowed is ten days in normal circumstances and eight hours in an emergency.
The other tool provided by the legislation is the European Preservation Order, which allows a judge to order a service provider to retain data relating to a suspect which may be requested at a later date.
A politically sensitive point was whether the Member State issuing the injunction had to inform the authorities of the recipient country.
For MEPs, this notification is necessary because the issuing country might not know whether the person concerned belongs to a protected category such as journalists, lawyers or doctors. On the other hand, national governments consider that the notification mechanism goes against the objective of the regulation, which aims to speed up the cross-border collection of evidence.
The compromise consisted in agreeing on a “residency criteria”that notification should only take place on the double condition that the issuing Member States have reasonable grounds to believe that the person in question resides in their territory and that the criminal offense has been committed or will be committed in their jurisdiction.
In addition, it is necessary to define what residency is. The issuing authority will have a wide discretion to determine what are “reasonable grounds”but to do this, it must first check whether the person concerned is registered as a resident in another pay member of the block. Other elements may also be taken into account, such as the fact that the person has a bank account or a vehicle registration certificate.
Reasons for refusal
Following the notification, the authorities of the country hosting the service providers could invoke grounds for refusal. These relate to potential violations of fundamental rights, such as the freedom of the press. However, this part of the text will have to be finalized on a technical level.
Another controversial element was whether the host country should have the obligation or the mere possibility of formulating such grounds for refusal. According to information from EURACTIV, this point constituted a red line for the two co-legislators, as it was likely to result in ambiguous terms which could be interpreted in both directions.
Suspensive effects and deletion of data
Once the authorities of the host country have been informed, MEPs called for the notification to suspend the obligation for the service provider to comply with the injunction. However, the Member States have obtained that the suspensive effect only applies to ordinary cases, and not to cases of urgency.
If the grounds for refusal are invoked after the transmission of the data to the law enforcement authorities, the government of the executing Member State will have to indicate whether the data must be deleted or can be used under certain conditions.
Data Controllers and Processors
In line with the EU General Data Protection Regulation (GDPR), the legislation requires law enforcement agencies to distinguish between cases where the service provider is not the actual data controller, but processes the data on behalf of the controller.
Member States consider, however, that this distinction would place an unnecessary burden on investigation services, as it will not be immediately clear whether an organization is a controller or a mere processor.
How to resolve these ambiguous situations will probably be clarified at the technical level. At the same time, service providers can always indicate to law enforcement authorities that they are not the data controller.
Decentralized computer system
The injunctions will be lodged through a decentralized IT system which will be hosted by the European Commission.
Member States will be responsible for keeping it up to date.
[Édité par Anne-Sophie Gayet]