The idea is old, but the concrete proposal is rather new: Whereas goods flow freely in the EU internal market and digital services are offered across borders, the competence of law enforcement authorities ends at national borders. A police authority that wants to access data in the course of its investigations – for example in a fraud case – needs to contact the authorities of the state where the data are processed. How the foreign authority deal with such a request depends on the law of the country on whose territory the servers are located. The procedures are governed by the applicable international mutual legal assistance treaties (MLAT).
Such assessment is time-consuming and does not always has the result the requested data may be released to the foreign authority. For this reason the law enforcement and security community have been lobbying since years for easier access. Ideally, authorities should have direct access to data stored abroad. On 18 April 2018, the European Commission presented a draft EU regulation on this issue. The European Production and Preservation Orders for electronic evidence in criminal matters (E-Evidence Regulation) is intended to allow law enforcement authorities of the 28 member states direct cross-border access.
Restriction of fundamental rights by fast-track legislation ?
Since then, the European Parliament and the Council of Ministers have been working on the draft. Last week, the European Parliament published a critical study on the Commission’s draft. The Austrian government recently announced the ambitious goal of concluding negotiations in the Council of Ministers by 31 December 2018, when Austria will hand over the Presidency of the Council to Romania.
This legislative fast-track procedure is explosive in several respects: In contrast to a directive, an EU regulation would be directly applicable law in the member states and would not require transposition into national law. The regulation would mean a considerable restriction of fundamental rights, as issuing orders would have to be directly followed by providers of electronic services without a public authority or a court in the host country having examined whether issuing the order would also be permissible under national law.
On the other hand, the legal systems of the member states are not harmonised. They differ with regard to punishability, the levels of punishment and constitutional safeguards. Activities which are punishable in the issuing state but not in the state in which the processing takes place can thus be subject to an obligation to produce personal data. The European Commission is even conducting two proceedings against Poland and Hungary referring to the violation of the rule of law. The initiation of such proceedings against Romania is currently under discussion because the Romanian government also wants to restrict the independence of the courts in this country.
If the E-Evidence Regulation would be adopted in its proposed version, providers of electronic services (such as cloud providers, network operators, social media, hosting and telecommunications companies) would have to follow production orders of the foreign authorities directly without the chance of carrying out a substantive examination.
Comprehensive scope of application
Production Orders may be issued for any type of offence. The requirement to provide content and transaction data only for offences punishable by a maximum term of imprisonment of at least three years in the issuing State is not likely to dispel concerns. Contrary to what the Commission’s explanations on the E-Evidence Package suggest, the three years are not a minimum penalty, but a minimum maximum penalty. A glance at the German Criminal Code shows that this criterion applies to a large number of offences and not only to serious crimes.
In Poland, for example, abortion is punishable by imprisonment for up to three years. Therefore the condition for a production order would thus be fulfilled. A Dutch or German provider would have to hand over the e-mails and traffic data to the Polish criminal prosecution authority if the latter were to investigate an abortion case, although in these countries abortion is exempt from punishment. The provider of an electronic accounting service the doctor is using could possibly also be the addressee of a corresponding production order.
This problem also becomes clear in the case of the Catalan exile politician Puigdemont, against whom a Spanish arrest warrant for “riot” had been issued. According to the decision of the Higher Regional Court of Schleswig, the offence did not constitute a comparable criminal offence under German law. The European arrest warrant issued by Spain could not be executed against him in Germany. According to the draft E-Evidence Regulation, the German providers would nevertheless be obliged to issue corresponding electronic documents if a Spanish court issues a production order, because unlike the European arrest warrant, no review by a court of the target state would be required.
Impositions on providers
The situation for providers is completely unreasonable, too: they woul be subject to obligations they cannot check in a procedure that is in accordance with the rule of law. Not only courts and public prosecutors’ offices, but any competent authority designated by the issuing state can issue a production order. In the 28 EU Member States, a very large number of authorities, possibly more than a thousand, will be given the power under national law to require companies to disclose data across borders, often without confirmation by a court. It is not even possible for companies to seriously examine whether an authority has the appropriate competence, or even whether it is an authority at all. It is true that the respective authorities are to prove that they have been validated in writing by a court or an other judicial authority. However, the draft regulation provides for it should be sufficient for the issuing authority to send a corresponding document by fax.
In view of the very short deadlines (in certain cases companies are obliged to deliver the data within six hours!), it is hardly possible for the recipient to check whether the fax and the stamp of a judicial authority contained on it is genuine, and it is not even certain whether the letter originates from an authority at all. Accordingly, there is a great risk of being taken in by a fake issuing order and transferring personal data to third parties without justification.
If a provider rejects to comply with a production order, he is threatened with considerable financial and criminal consequences. In addition, the considerable violation of the fundamental rights of the data subject brought about in this way represents a considerable liability risk for the provider for having unlawfully disclosed data.
No examination of legality in the target country
Whereas the European Investigation Order, another EU instrument introduced a few years ago, is subject to enforcement by the authorities in whose territory the processing takes place, the electronic production order is to be issued directly to the foreign provider. The E-Evidence Regulation does not provide for any substantial review by a domestic court or a domestic judicial authority. Procedural safeguards – such as the judge’s approval – might be circumvented if the law of the issuing state does not provide for such. Finally, requirements which the German Federal Constitutional Court has established, e.g. for the protection of the core area of private life, would not be guaranteed.
According to the draft E-Evidence Regulation the main responsibility for the transfer will be subject to the company to which the order is addressed – a problematic delegation to private entities. Companies have only very limited means of reviewing the legality and proportionality of a production order or of refusing to transmit the requested data. According to the draft they may only object to comply with an order if they consider that the information contained in the order indicates that it “manifestly” infringes the Charter of Fundamental Rights of the European Union or it is manifestly abusive.
It is subject to the ongoing debate if and to what extent real-time monitoring (“live interception”) shall be included in the E-Evidence Regulation in addition to the preservation and production of data already stored. But even if – as is to be expected – corresponding demands of some governments would not be supported by a majority in the European Parliament, the planned regulation would be a profound encroachment on European and national fundamental rights. It would be irresponsible to wave through such a regulation quickly without a thorough debate.