24 October 2018
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
Statewatch News Online
E-evidence: Council pondering issues with the "notification procedure" for cross-border data-gathering; European Data Protection Board issues opinion
Follow us: | | Tweet
Meanwhile, the European Data Protection Board has issued a critical opinion on the Commission's proposal that makes 18 recommendations - including for a change of legal basis and a better demonstration of the need for a new instrument on top of the European Investigation Order and the existing Mutual Legal Assistance Treaty.
See: NOTE from: Presidency to: Delegations: Proposal for a Regulation of the European Parliament and of the Council on European production and preservation orders for electronic evidence in criminal matters - examination of selected issues and revised text (12113/1/18 REV 1, LIMITE, 17 October 2018, pdf):
"At the latest JHA Council there was a clear majority of Member States that expressed the will to find a compromise regarding the issue of a possible notification. However the concrete elements and effect of such a notification procedure were left to the expert level for further discussion and elaboration.
Therefore the Presidency would like to get delegations views on following questions:
A. Which Member State should be notified?
B. What effect should the notification procedure have?"
See also: COR 1 (pdf)
The note also highlights the need for further discussions on Articles 5, 11 and 17 (Conditions for issuing a European Production Order, Confidentiality and user information and Effective remedies, respectively) and Article 16 (Review procedure in case of conflicting obligations).
European Data Protection Board
Conclusions of the European Data Protection Board opinion:
"Based on this assessment, the EDPB wishes to address the following recommendations to the co-legislators:
1) The legal basis of the Regulation should not be Article 82 (1) TFEU.
2) The necessity of a new instrument compared to the existing EIO Directive or MLAT should be better demonstrated, including with a detailed analysis of less intrusive means with regards to fundamental rights such as amendments of these existing instruments or the restriction of the scope of this instrument to preservation orders in combination with other existing procedures to request access to the data.
3) The Regulation should provide for a longer deadline to allow the executing service provider to ensure safeguards with regards to the protection of fundamental rights can be respected.
4) The dual criminality principle should be maintained, especially if the location criteria of the data is abandoned in order to maintain the obligation to take into consideration the safeguards provided in both concerned States (the State of the requesting authority and the State where the service provider is located).
5) The scope of the Regulation should be restricted to controllers in the sense of the GDPR or it should include a provision that in the event where the service provider addressed is not the controller of the data but the processor, the latter is obliged to inform the controller.
6) The Regulation should include safeguards concerning data transfers in case the service provider would be established in a third country without adequacy decision in this field or refer to the directive 2016/680 as these safeguards will be applicable.
7) Since the mandatory designation of a legal representative differs from the GDPR, the Regulation should precise that, the legal representative designated under the e-Evidence Regulation should be distinct from the one designated under article 3 (2) of the GDPR.
8) The Regulation should contain a broader definition of electronic communication data in order to ensure that the appropriate safeguards and conditions for access to be established cover both non-content and content data.
9) The Regulation should raise thresholds for issuing orders and orders shall be issued or authorised by courts, except for subscriber data provided the definition of this category of data is drastically narrowed to very basic information allowing only to identify a person without involving access to any communication data.
10) The Regulation should restrict the access to subscriber and access data to a list of crimes strictly established or at least to serious criminal offenses.
11) The time limit to provide data, especially in case of emergency should be better justified in the Regulation, and the possibility to use a fast6-hour procedure should include the obligation for requesting authorities to demonstrate the emergency triggering the use of this procedure, even a posteriori, in order to allow for a control of the use of such exceptional powers.
12) The procedure allowing the production of content data without any involvement of the competent authorities of the Member State where the data subject is, should be abandoned.
13) Safeguards surrounding the issuing of European Preservation Orders should be improved in the Regulation.
14) The Regulation should at least include the minimum classic derogation that if there is substantial grounds for believing that the enforcement of an Order would result in a breach of a fundamental right of the person concerned leading the executing State to disregard its obligations concerning the protection of fundamental rights recognised in the Charter, the enforcement of the order should be refused.
15) The Regulation should foresee a broader obligation to consult the competent authorities of a third country where the service provider requested to provide data is located in case of conflict of laws in order to avoid subjective interpretations from a single court.
16) The validity and duration of preservation orders should be more linked to the production orders accompanying them.
17) The security of data transfers should be better guaranteed.
18) The verification of the authenticity of the data should be foreseen, in particular where encrypted data could be provided."
Document round-up: Council discussions on European Production and Preservation Orders for electronic evidence in criminal matters (Statewatch News Online, 26 September 2018)
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.