31.1.2020   

EN

Official Journal of the European Union

C 32/11


Summary of the Opinion of the European Data Protection Supervisor on Proposals regarding European Production and Preservation Orders for electronic evidence in criminal matters

(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2020/C 32/04)

In April 2018, the Commission tabled two Proposals – for one Regulation and one Directive – to establish a legal framework that would make it easier and faster for police and judicial authorities to secure and obtain access to electronic evidence in cross-border cases. Since then, the Council has adopted general approaches on the Proposals and the European Parliament issued several working documents. The European Data Protection Board issued its opinion. Related developments have taken place at international level, most notably with the launch of negotiations of an international agreement with the United States on cross-border access to e-evidence as well as work on a Second Additional Protocol to the Cybercrime Convention. With the present opinion, the EDPS wishes to provide the EU legislator with new input for the forthcoming work on the Proposals, taking into account the developments listed above.

In today’s world transformed by new technologies, time is often of the essence to enable those authorities to obtain data indispensable to carry out their missions. At the same time, even when investigating domestic cases, law enforcement authorities increasingly find themselves in ‘cross-border situations’ simply because a foreign service provider was used and the information is stored electronically in another Member State. The EDPS supports the objective of ensuring that effective tools are available to law enforcement authorities to investigate and prosecute criminal offences, and in particular welcomes the objective of the Proposals to accelerate and facilitate access to data in cross-border cases by streamlining procedures within the EU.

At the same time, the EDPS wishes to underline that any initiative in this field must be fully respectful of the Charter of Fundamental Rights of the EU and the EU data protection framework and it is essential to ensure the existence of all necessary safeguards. In particular, effective protection of fundamental rights in the process of gathering electronic evidence cross-border requires greater involvement of judicial authorities in the enforcing Member State. They should be systematically involved as early as possible in this process, have the possibility to review compliance of orders with the Charter and have the obligation to raise grounds for refusal on that basis.

In addition, the definitions of data categories in the proposed Regulation should be clarified and their consistency with other definitions of data categories in EU law should be ensured. He also recommends reassessing the balance between the types of offences for which European Production Orders could be issued and the categories of data concerned in view of the relevant case law of the Court of Justice of the EU.

Furthermore, the EDPS makes specific recommendations on several aspects of the e-evidence Proposals that require improvements: the authenticity and confidentiality of orders and data transmitted, the limited preservation under European Preservation Orders, the data protection framework applicable, the rights of data subjects, data subjects benefiting from immunities and privileges, the legal representatives, the time limits to comply with European Production Orders and the possibility for service providers to object to orders.

Finally, the EDPS asks for more clarity on the interaction of the proposed Regulation with future international agreements. The proposed Regulation should maintain the high level of data protection in the EU and become a reference when negotiating international agreements on cross-border access to electronic evidence.

1.   INTRODUCTION AND BACKGROUND

1. On 17 April 2018, the Commission released two legislative Proposals (hereinafter ‘the Proposals’), accompanied by an Impact Assessment (1), including:

a Proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters (2) (hereinafter ‘the proposed Regulation’);

a Proposal for a Directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings (3) (hereinafter ‘the proposed Directive’).

2. The proposed Regulation would co-exist with Directive 2014/41/EU regarding the European Investigation Order in criminal matters (hereinafter ‘EIO Directive’) (4), which aims at easing the process of gathering evidence in the territory of another Member State and covers every type of evidence gathering, including electronic data (5). All Member States which took part in the adoption of the EIO Directive (6) had until May 2017 to implement it in their national legislation (7).

3. On 26 September 2018, the European Data Protection Board (8) (hereinafter ‘EDPB’) adopted an opinion (9) on the Proposals.

4. On 7 December 2018 and 8 March 2019, the Council adopted its general approach on the proposed Regulation (10) and the proposed Directive (11) respectively. The European Parliament published a series of working documents.

5. The European Data Protection Supervisor (hereinafter ‘EDPS’) welcomes that he has been consulted informally by the Commission services before the adoption of the Proposals. The EDPS also welcomes the references to the present Opinion in Recital 66 of the proposed Regulation and Recital 24 of the proposed Directive.

6. On 5 February 2019, the Commission adopted two recommendations for Council Decisions: a Recommendation to authorise the opening of negotiations in view of an international agreement between the European Union (EU) and the United States of America (US) on cross-border access to electronic evidence for judicial cooperation in criminal matters (12) and a Recommendation to authorise the participation of the Commission, on behalf of the EU, in negotiations on a second Additional Protocol to the Council of Europe Convention on Cybercrime (CETS No 185) (hereinafter ‘Convention on Cybercrime’) (13). The two recommendations were the subject of two EDPS Opinions (14). Both negotiations with the US and at the Council of Europe are closely linked.

7. In February 2019, the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament addressed similar letters to the EDPS and the EDPB to request a legal assessment of the impact of the US CLOUD Act (15) that was passed by the US Congress in March 2018, on the European legal framework for data protection. On 12 July 2019, the EDPS and the EDPB adopted a Joint Response to this request with their initial assessment (16).

8. On 3 October 2019, the United Kingdom and the United States signed a bilateral agreement on cross-border access to e-evidence for the purpose of countering serious crime (17). It is the first executive agreement allowing US service providers to comply with requests for content data from a foreign country under the US CLOUD Act.

This Opinion covers both Proposals, with however a main focus on the proposed Regulation. In line with the EDPS mission, it is primarily focussed on the rights to privacy and to the protection of personal data and aims to be consistent and complementary to the EDPB Opinion 23/2018, also considering the general approaches of the Council and the working documents of the European Parliament.

5.   CONCLUSIONS

70. The EDPS supports the objective of ensuring that effective tools are available to law enforcement and judicial authorities to investigate and prosecute criminal offences in a world transformed by new technologies. At the same time, the EDPS would like to ensure that this action is fully respectful of the Charter and the EU data protection acquis. The proposed Regulation would require the storage and communication of personal data inside and outside the EU between Member States’ competent authorities, private entities and in some cases third countries’ authorities. It would entail limitations on the two fundamental rights to respect for private life and to the protection of personal data guaranteed by Articles 7 and 8 of the Charter. To be lawful, such limitations must comply with the conditions laid down in Article 52(1) of the Charter and notably meet the necessity condition.

71. The EDPS first considers that other alternatives that would provide greater safeguards while achieving the same goals should be further assessed.

72. Second, the EDPS takes note that the proposed Regulation already includes a number of procedural safeguards. However, the EDPS is concerned that the important responsibility of reviewing compliance of EPOC and EPOC-PR with the Charter is entrusted to service providers and recommends involving judicial authorities designated by the enforcing Member State as early as possible in the process of gathering electronic evidence.

73. The EDPS recommends ensuring further consistency between the definitions of categories of electronic evidence data and existing definitions of specific categories of data under EU law and reconsidering the category of access data, or to submit the access to these data to similar conditions to those for accessing the categories of transactional data and content data. The proposed Regulation should lay down clear and straightforward definitions of each data category in order to ensure legal certainty for all stakeholders involved. He also recommends amending the proposed definition of the category of subscriber data in order to further specify it.

74. He further recommends reassessing the balance between the type of offences for which EPOs could be issued and the categories of data concerned, taking into account the recent relevant case law of the CJEU. In particular, the possibility to issue an EPO to produce transactional data and content data should be limited to serious crimes. Ideally, the EDPS would favour the definition of a closed list of specific serious criminal offences for EPOs to produce transactional data and content data, which will also increase legal certainty for all stakeholders involved.

75. The EDPS also makes recommendations aiming at ensuring the respect for data protection and privacy rights while achieving a speedy gathering of evidence for the purpose of specific criminal proceedings. They focus on the security of the transmission of data between all stakeholders involved, the authenticity of orders and certificates and the limited preservation of data under an EPO-PR.

76. Beyond the general comments and main recommendations made above, the EDPS has made additional recommendations in this Opinion regarding the following aspects of the Proposals:

the reference to the applicable data protection framework;

the rights of the data subjects (enhanced transparency and the right to a legal remedy);

data subjects benefiting from immunities and privileges;

the appointment of legal representatives for the gathering of evidence in criminal matters;

the time limits to comply with EPOC and produce the data;

the possibility for service providers to object to orders based on limited grounds.

77. Finally, the EDPS is aware of the broader context in which the initiative has been tabled and of the two Council Decisions adopted, one regarding the Second Additional Protocol to the Convention on Cybercrime at the Council of Europe and one regarding the opening of negotiations with the United States. He asks for more clarity on the interaction of the proposed Regulation with international agreements. The EDPS is eager to contribute constructively in order to ensure consistency and compatibility between the final texts and the EU data protection framework.

Brussels, 6 November 2019.

Wojciech Rafał WIEWIÓROWSKI

Assistant Supervisor


(1)  Commission Staff Working Document: Impact Assessment, SWD(2018) 118 final (hereinafter ‘Impact Assessment’), available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=SWD%3A2018%3A118%3AFIN

(2)  Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters, COM(2018) 225 final.

(3)  Proposal for a Directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings, COM(2018) 226 final.

(4)  Directive 2014/41/EU of the European Parliament and of the Council, of 3 April 2014, regarding the European Investigation Order in criminal matters, O.J. L 130, 1.5.2014, p. 1; see Article 23 of the proposed Regulation.

(5)  The EIO Directive provides for a direct cooperation between the issuing authority in a Member State and the executing authority of another Member State or, as the case may be, via the central authority(ies) appointed by the Member State(s) concerned. It aims at facilitating and speeding up this cooperation by providing for standardised forms and strict time limits and removing several obstacles to cross-border cooperation; for instance, ‘[t]he issuing authority may issue an EIO in order to take any measure with a view to provisionally preventing the destruction, transformation, removal, transfer or disposal of an item that may be used as evidence’ and ‘the executing authority shall decide and communicate the decision on the provisional measure as soon as possible and, wherever practicable, within 24 hours of receipt of the EIO’ (Article 32); also the execution of an EIO for the identification of persons holding a subscription of a specified phone number or IP address is not subject to the double criminality requirement (Article 10(2)(e) combined with Article 11(2)).

(6)  All EU Member States except Denmark and Ireland.

(7)  All participating Member States have implemented the EIO Directive in their national laws in 2017 or 2018. See the European Judicial Network implementation status: https://www.ejn-crimjust.europa.eu/ejn/EJN_Library_StatusOfImpByCat.aspx?CategoryId=120

(8)  The EDPB established by Article 68 GDPR succeeded the Working Party established by Article 29 of Directive 95/46/EC, which was repealed. Similarly to the Article 29 Working Party, the EDPB is composed of representatives of the national data protection authorities and the EDPS.

(9)  Opinion 23/2018 of 26 September 2018 on Commission proposals on European Production and Preservation Orders for electronic evidence in criminal matters (Art. 70.1.b) (hereinafter ‘EDPB Opinion 23/2018’), available at: https://edpb.europa.eu/sites/edpb/files/files/file1/eevidence_opinion_final_en.pdf

(10)  https://www.consilium.europa.eu/en/press/press-releases/2018/12/07/regulation-on-cross-border-access-to-e-evidence-council-agrees-its-position/#

(11)  https://www.consilium.europa.eu/en/press/press-releases/2019/03/08/e-evidence-package-council-agrees-its-position-on-rules-to-appoint-legal-representatives-for-the-gathering-of-evidence/

(12)  Recommendation for a Council Decision authorising the opening of negotiations in view of an agreement between the European Union and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters, COM(2019) 70 final.

(13)  Recommendation for a Council Decision authorising the participation in negotiations on a second Additional Protocol to the Council of Europe Convention on Cybercrime (CETS No 185), COM(2019) 71 final. To date, all Member States of the EU have signed the Convention of the Council of Europe on enhanced international cooperation on cybercrime and electronic evidence and almost all of them have ratified it. Ireland and Sweden are still in the process of ratifying the Convention on Cybercrime. The Convention on Cybercrime is a binding international instrument requiring the Contracting Parties to lay down specific criminal offences committed against or by means of electronic networks in their national law and establish specific powers and procedures enabling their national authorities to carry out their criminal investigations, including for collecting evidence of an offence in electronic form. It also fosters international cooperation between the Contracting Parties. There are specific measures to address the challenges arising from the volatility of data. In this respect, the Convention provides for the expedited preservation of stored computer data. Since the transfer of the secured evidence to the requesting state is subject to a final decision on the formal Mutual Legal Assistance request, the preservation shall not be subject to the full set of grounds for refusal, in particular double criminality shall be required in exceptional cases only (Article 29).

(14)  EDPS Opinion 2/2019 on the negotiating mandate of an EU-US agreement on cross-border access to electronic evidence and EDPS Opinion 3/2019 regarding the participation in the negotiations in view of a Second Additional Protocol to the Budapest Cybercrime Convention.

(15)  Available at: https://www.congress.gov/bill/115th-congress/house-bill/1625/text

(16)  https://edpb.europa.eu/our-work-tools/our-documents/letters/epdb-edps-joint-response-libe-committee-impact-us-cloud-act_fr

(17)  https://www.gov.uk/government/publications/ukusa-agreement-on-access-to-electronic-data-for-the-purpose-of-countering-serious-crime-cs-usa-no62019