With a substantial number of criminal activities, ranging from attacks against information systems to ‘old-school’ fraud and extortion, taking place in online settings, electronic information can be an important source of investigative leads. However, both the definition of the term ‘electronic evidence’ (e-evidence) and the relevant criminal procedural approaches continue to vary at national level. At the same time, the process of regulating cross-border access to e-evidence for law enforcement purposes at transnational level has proven equally cumbersome.
As of today, scholars and policy makers seem to agree that e-evidence is any information, whether generated by an electronic device or not, that is stored or transmitted in digital form and may have a probative value. This information (e.g., a subscriber’s name and email address, digital communication logs, content data) can be admitted as evidence in court as long as it is preserved and transmitted in a court admissible manner and in a way that meets legal requirements with respect to elements such as reliability, authenticity and integrity. Before the admissibility question arises, access to electronic information may be challenged by the fact that this is usually stored by private online service providers (OSPs). These may be based outside the investigating state’s jurisdiction, thus rendering criminal investigations of this kind international.
National law enforcement agencies (LEAs) and judicial authorities have to rely on a variety of legal instruments to ensure access to electronic information:
- At national level, direct access to electronic data may be safeguarded on the basis of coercive measures the national criminal procedural laws provide for (e.g., search and seizure) or the voluntary consent of the person who has the lawful authority to disclose the data (e.g., suspect, defendant, victim, witness).[1]
- At international level, states rely heavily on instruments of mutual legal assistance (MLA) when seeking to assist each other in collecting electronic information. Representative is the example of the Council of Europe Convention on Cybercrime (so-called ‘Budapest Convention’). Except for MLA procedures (Arts. 27–34), the latter also provides for domestic production orders to be addressed directly to foreign-based OSPs (Art. 18 (1) lit. b) regarding subscriber information, provided the requested OSP offers its services on the territory of the requesting state – with the majority of EU Member States having incorporated such orders into their national laws. This possibility is further enhanced as part of the recently adopted 2nd Additional Protocol to the Budapest Convention (Arts. 6–7), which has been open for signatures since May 2022.[2]
- Among EU countries (with the exception of Denmark and Ireland), the Directive 2014/41/EU (known as the European Investigation Order Directive (EIO Directive) serves as a ‘unified legal assistance instrument’ with respect to all investigative actions, including those aiming to collect or access already collected e-evidence. The EIO Directive establishes a channel of direct communication between judicial authorities that operates parallel to other cross-border cooperation channels established by the aforementioned MLA agreements and bilateral agreements signed either between EU Member States or between the EU itself and third countries.
This is a multi-dimensional (if not fairly complicated) legal framework that presents LEAs and judicial authorities with several challenges, as recorded systematically in the context of the SIRIUS project.[3] In the latest Situation Report (known as the SIRIUS Report) issued on 22 December 2022 as part of this project, the respondents from EU Member States indicated again how problematic the length of the MLA and the EIO process can be when seeking to access electronic information from foreign-based OSPs, and that the deadlines to issue and execute EIOs are often not respected in practice. These difficulties are coupled with, inter alia, the lack of a uniform data retention framework in criminal matters following the invalidation of the Directive 2006/24/EC (known as the Data Retention Directive) by the Court of Justice of the EU and taking into account the limited scope of the national data retention legal frameworks. This problem is further exacerbated by the lack of standardized policies on the part of OSPs regarding both data retention and cooperation with LEAs in general, and with respect to granting them access to electronic data in particular.
Against this backdrop, LEAs appear to resort to a non-regulated or at least just partially regulated means of voluntary cooperation, namely that of data disclosure requests addressed directly to OSPs. As recorded in the2022 SIRIUS Report, in 2021 63% of the requested police officers indicated direct requests as their main approach to e-evidence during criminal investigations, while judicial cooperation via MLA or EIO was indicated by only 19% of respondents. The remaining 8% indicated emergency disclosure requests as the main type of data request in police investigations. Direct requests under voluntary cooperation must comply with domestic laws and observe the policies and requirements set by the requested OSPs. Considering the lack of a comprehensive legal framework, the enforceability of such requests rather depends on the willingness of OSPs, while the transparency of this procedure and the accountability of the involved parties remain questionable.
The EU has been attempting to address this situation by means of introducing new rules that will govern direct communication between the investigative authorities of EU Member States and private OSPs at least since April 2018, namely since the release of the so-called E-evidence Proposal. This consisted of a Proposal for a Regulation on European Production and Preservation Orders for e-evidence in criminal matters and a Proposal for a Directive laying down harmonised rules on the appointment of legal representatives for this purpose. Being a predominantly efficiency-driven proposal, it was criticised on various grounds including, among others, the elimination of procedural safeguards inherent in the MLA and EIO procedures as well as the delegation of fundamental rights scrutiny to the private sector – leading scholars to talk about an emerging trend of privatisation of mutual trust in the area of EU criminal justice. Part of this criticism was addressed in the Compromise Proposal the European Parliament’s LIBE Committee adopted in December 2020, the added value of which consisted in, among other factors, reiterating the EIO safeguards and, particularly, streamlining the notification of the executing state, namely the state where the OSP is based.
The EU E-evidence Proposal has been subject to trilogue negotiations since February 2021. And it was only in November 2022, a year after the adoption of the 2nd Additional Protocol to the Budapest Convention,[4] that the European Parliament and the Council reached a provisional political agreement on the rules that should govern cross-border access to e-evidence across the EU. The agreement was consolidated on 25 January 2023. This new set of rules shall take into account the volatility and international dimension of e-evidence as well as the specificities of criminality in the digital age. While the formal adoption of these rules is still pending, the final compromise texts of the E-evidence Regulation and the Directive (20 January 2023) suggest that the means of direct cooperation will remain the same while the remedies will be enhanced compared to the initial Proposal of the Commission. This means that the new rules will provide for: a European Production Order, created to allow a judicial authority in the issuing state to request e-evidence directly from an OSP based in another Member State, that will be obliged to provide this within 10 days or 8 hours in the case of emergency, and a European Preservation Order, created to safeguard that electronic data will be preserved for the purposes of criminal proceedings until it is requested at a later time. The notification system will be modified to ensure that the executing state’s authorities will be notified in cases where the affected individual does not reside in the issuing state, or the offence in question has not been committed there and the request regards access to traffic and content data (see Art 7a (2) Final Compromise Text of the E-evidence Regulation). This will allow the executing state to invoke several grounds for refusal, including the protection of fundamental rights, following the EIO paradigm (see Art 10a Final Compromise Text of the E-evidence Regulation).
Despite the expected improvements, the notification system remains subject to (fair) criticism from civil societyto the extent that, according to the currently available information: 1) a request to access subscriber data and traffic data for the sole purpose of identifying the suspect (including, potentially, whistleblowers, investigative journalists, individuals protesting against national governments) will be excluded by the notification duty; 2) the assessment as to the residency of the affected individual will be entrusted solely to the issuing state with limited (or no) possibility to scrutinise its decision; and 3) the notification rules may be circumvented as part of the re-use of the obtained data in other proceedings or its transmission to another state.
This calls for renewed scrutiny of the soon-to-be-adopted EU laws on cross-border access to e-evidence from a fundamental rights perspective. This evaluation does not, nor should it, negate the practical importance of accessing electronic information in criminal proceedings – considering their growing investigative value in times when the rapid advancement of transformative technologies, such as artificial intelligence, has revolutionised the way crime occurs and is experienced by the victims.
The TRACE consortium has already showcased new phenomenologies of illicit money flows (IMFs) across a great array of criminality, including terrorist financing, cyber extortion, money laundering by means of crypto-assets, arts and antiquities, or manipulating real estate, in the digital era. In this context, it has also stressed the importance of cooperation not only between LEAs and OSPs, but also among LEAs themselves – cooperation of this kind can be massively improved with the help of software-based solutions, provided these will pay attention to the protection of fundamental rights, including but not limited to privacy and data protection. The TRACE tools are designed to enable LEAs to make sense out of voluminous publicly available data by means of, inter alia, user-friendly knowledge graphs, and to use it for tracking IMFs. This output is expected to provide important investigative leads, thus making it necessary to reflect on how the EU Member States and their LEAs will handle this information at national and transnational level.
[1] The majority of the EU Member States have also ratified the Council of Europe Convention on Cybercrime and incorporated the provisions of Art. 32 lit. b thereof as to re-directing access to computer data stored abroad based on the voluntary consent of the person who has the lawful authority to disclose this data.
[2] To enter into force, the Protocol has to be ratified by 5 signatory States. As of today, there have been 30 signatures not followed by ratifications.
[3] The SIRIUS project is co-implemented by Europol and Eurojust, in partnership with the European Judicial Network.
[4] The EU Member States have been authorised to sign the Protocol by the Council in April 2022.
Author: Athina Sachoulidou, NOVA School of Law
