19 May 2021
Forthcoming legislation on "e-evidence" would ease the cross-border gathering and transfer of data for use in criminal proceedings. Member states and MEPs must include fundamental rights protections in the rules , says a letter published today and signed by media and journalists' organisations, civil society groups, professional organisations and technology companies.
Provisions in the text allowing "direct cooperation" between law enforcement authorities and private companies holding data that those authorities are seeking "risks infringing data protection laws and criminal procedure laws as well as contradicting the sovereignty of the targeted countries."
The letter demands that judicial authorities in the state where the requested data is located be involved in the process, to ensure that national legal requirements are upheld and legal certainty is assured, and to protect the immunities and privileges of professionals such as doctors, lawyers and journalists.
The letter also demands that a "production or preservation order for any type of data should require a judicial review and validation only by a court or an independent administrative authority," in line with the jurisprudence of the European Court of Human Rights, and that a secure data exchange system be set up to ensure data protection and security.
The full text of the letter is below, or available here as a PDF.
Trilogue negotiations on the e-evidence proposal
European media and journalists, civil society groups, professional organisations and technology
companies call on decision makers to protect fundamental rights
Dear European Parliament’s Rapporteur and Shadow Rapporteurs,
Dear Members of the Working Party on Cooperation in Criminal Matters (COPEN),
We, the undersigned organisations, are writing to you to underline how fundamental rights protection in the E-Evidence Regulation must continue to remain a priority during the ongoing trilogues negotiations. Whereas we recognise the importance of enabling targeted access to data by law enforcement authorities for the purposes of criminal investigations, we believe stronger safeguards need to be included in the operational part of the draft Regulation.
We regret that none of the negotiating positions has fully taken into account our concerns, as outlined in our previous joint statement.1 In particular, we believe the following issues deserve further discussion and revision from a fundamental rights and media freedom perspective:
• Articles 7, 8a, 9, 10, 10a: Need to ensure a legal, systematic and meaningful involvement of the executing Member State
It is our view that “direct cooperation” with private companies poses serious risks of violating human rights law by undermining key fundamental rights principles, including media freedom. In particular, when it does not require the notification and confirmation of the country where the company is located and/or where the data subject resides. Direct cooperation in a cross-border collection of personal data risks infringing data protection laws and criminal procedure laws as well as contradicting the sovereignty of the targeted countries.
This is why we fully support the European Data Protection Supervisor’s opinion of 6 November 2019 [pdf], calling for a “greater involvement of judicial authorities in the executing Member State” and the requirements that “they should be systematically involved as early as possible in this process, have the possibility to review compliance of orders with the Charter and have the obligation to raise grounds for refusal on that basis.”
The notification and validation of the executing Member State would ensure that:
From this perspective, we encourage the Council to take into account the Parliament’s approach to these issues, which we consider an absolute prerequisite for the protection of media freedom and fundamental rights. Furthermore, the notification and active confirmation should apply to the production of all data categories and provide for strict deadlines for the executing Member State. To ensure that evidence is swiftly secured, the suspensive effect of a notification mechanism should not apply to preservation orders – thus allowing to freeze the data as soon as possible until the compliance review is over.
• Article 10a: Protect lawyers, doctors and journalists
The confidentiality of lawyer-client communications and special protections persons may have in their capacity as doctor or journalist should be duly taken into account when reviewing the legality of an order. Likewise, the issuing State should consider the national security interests of the affected Member State – where it is distinct from the issuing and executing States and the person’s residence is known. This is especially relevant if the other Member States’ rules are different or even incompatible with the rules of the investigating authorities’ own domestic investigation.
Moreover, the recognition of rules related to “freedom of the press and freedom of expression in other media” should be recognised as a ground for refusal for the enforcement of an order. In addition, it should be clarified in recital 35 that all journalistic activities are covered by immunities and privileges.
• Article 4: Ensure that orders are subject to judicial authorisation
In Tele2 Sverige and Watson and Others, the Court of Justice of the European Union (CJEU) ruled that “it is essential that access of the competent national authorities to retained data should, as a general rule, be subject to a prior review carried out by a court or independent administrative body, except in cases of validly established urgency.” Also, the European Court of Human Rights has repeatedly pointed out the importance of an ex-ante review by a court or another independent authority and expressed a clear preference for a judge.2Thus, to set the proposed Regulation in line with both the CJEU3 and the European Court of Human Rights case law, we believe that the issuance of a production or preservation order for any type of data should require a judicial review and validation only by a court or an independent administrative authority.
• Article 11: Inform the affected person as soon as possible that the interference occurred
The person whose data is sought should be informed without undue delay and restriction that their personal data has been subject to an order. It is a fundamental element supporting the rights to a fair trial and to access effective remedies recognised by the jurisprudence of the CJEU that should not be restricted, even in the absence of ensuing criminal proceedings and unless otherwise decided by a court.
• Article 7a: Ensure the authenticity, security and efficiency of data exchanges
We recommend that the E-evidence proposal is accompanied by a secure central data exchange system between service providers and authorities in order to guarantee the security and integrity of data transfers and allow the service provider to verify the authenticity of an order. This would minimise the risk of severe data breaches of highly sensitive information, such as by exploitation of the cross-border data disclosure framework by cybercriminals who could commit identity theft (by impersonating competent authorities) or other cybercrime.4 Considering that several Member States have already successfully implemented such a data exchange system, it is indispensable to ensure interoperability of these systems in order to avoid that service providers would have to simultaneously implement parallel data exchange systems. Otherwise, it would create substantial burdens especially for small and medium-sized enterprises and service providers would find it extremely challenging to comply with the short deadlines established in the Regulation. Where service providers already have a secure system for data transmission in place, such a system could be used instead as long as their systems enable the identification and authentication of sender and receivers and ensure data integrity.
To conclude, we call on the negotiators to build a predictable, accountable legal structure for access to personal data across borders that does not undermine existing fundamental rights protection standards.
We look forward to cooperating with you in the subsequent steps of the negotiations and remain at your disposal should you have any questions.
Association for Proper Internet Governance (APIG)
Association of European Radios (AER)
Bundesverband Digitalpublisher und Zeitungsverleger e. V. (BDZV)
Committee to Protect Journalists (CPJ)
Council of Bars and Law Societies of Europe (CCBE)
Digitale Gesellschaft e.V.
eco – Verband der Internetwirtschaft
European Broadcasting Union (EBU)
European Digital Rights (EDRi)
European Federation of Journalists (EFJ)
European Internet Services Providers Association (EuroISPA)
European Magazine Media Association (EMMA)
European Newspaper Publishers' Association (ENPA)
European Publishers Council (EPC)
Internet Service Providers Austria (ISPA)
Iuridicium Remedium, z.s.
Mailfence – ContactOffice Group sa
News Media Europe
Tutanota – Tutao GmbH
Verband Deutscher Zeitschriftenverleger (VDZ)
Wikimedia (Free Knowledge Advocacy Group EU)
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: c/o MDR, 88 Fleet Street, London EC4Y 1DH, UK. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.