Abstract
The European Investigation Order (EIO) was supposed to offer a comprehensive solution to cross-border gathering of evidence within the area of freedom, security and justice, replacing a patchwork of instruments and providing for one single standardised order for all types of evidence. However, not even a year after the deadline for its implementation had passed, the Commission proposed an instrument that would be applicable to electronic evidence: the European Production Order (EPO). This initiative was born from an increasing frustration in gathering this type of evidence and the conviction that the EIO is not suitable for that purpose. The need for digital evidence (according to the estimate of the EU Commission, 85% of criminal investigations require electronic evidence) is a direct consequence of the place information and communication technology has taken in everyday life. However, electronic evidence differs in a number of ways from ‘real-life’ evidence, rendering the current legal framework extremely impractical for law enforcement. One of the major obstacles that law enforcement authorities encounter is the fact that the data they need are often stored abroad or by a foreign service provider. Both instruments were conceived because of the need to gather evidence across borders; however, the transnational component is different (evidence being abroad vs. service provider being foreign). Both instruments subject ‘European citizens to the investigative machinery of any other Member State’, however, in a different way. If the e-evidence package is adopted, it will create a dual system of cross-border gathering of evidence, with a different philosophy, procedure, enforcement and protective framework. The goal of this article is to analyse and compare the two different models of acquiring evidence that these two instruments offer as well as to delimitate their (non-exclusive) scope.
The concluding part will provide a reflection on the systemic consequences of this duality of instruments and of introducing the EPO model in particular.
Introduction
With the right to liberty as the paramount human freedom, the application of the mutual recognition principle to requesting persons for criminal proceedings or execution of sentence was conceived relatively early and the framework decision (FD) on European Arrest Warrant has been functioning for almost two decades already. Applying it to cross-border gathering of evidence has been a much tougher nut to crack. 1 The European Evidence Warrant (EEW) was adopted only in 2008 and its scope was limited. Eventually the European Investigation Order Directive (EIOD) was adopted in 2014 and it was supposed to offer a comprehensive solution. But already before it entered into force, the Commission opened the discussion on a potential instrument that would offer an alternative legal framework for electronic evidence.
This debate resulted in the proposal of the Commission issued in April 2018 of a package consisting of a regulation and a directive aiming at creating a legal framework allowing law enforcement in one member state to directly request service providers in another member state to produce or preserve data (European Production Order – EPO). 2 While the regulation is the main instrument of the package, the directive should ensure that service providers in the EU designate representatives entitled to receive and comply with the orders. The Council issued a general approach in December 2018 3 and it is now for the EU Parliament to formulate its position.
Both instruments were conceived because of the need to gather evidence across borders; however, the transnational component is different (evidence being abroad vs. service provider being foreign). Both instruments subject ‘European citizens to the investigative machinery of any other Member State’, 4 however, as it will be shown below, in a very different way. If the e-evidence package is adopted, it will create a dual system of cross-border gathering of evidence, with a different philosophy, procedure, enforcement and protective framework. 5
The goal of this article is to analyse and compare the two different models of acquiring evidence that these two instruments offer as well as to delimitate their (non-exclusive) scope. The concluding part will provide a reflection on the systemic consequences of this duality of instruments and of introducing the EPO model in particular. 6
European Investigation Order
The European Investigation Order (EIO) was not the first attempt to address the problem of cross-border evidence gathering at EU level. The European Convention on mutual assistance in criminal matters of 29 May 2000 provided a framework based on the traditional MLA approach. To this, two mutual recognition instruments were added: first, the FD on freezing orders was adopted in 2003, 7 and then the FD on the EEW in 2008. 8 Since the entry into force of the latter, the legal instruments of cross-border preservation and exchange of evidence were meant to be: freezing orders and EEW for existing evidence and MLA letters rogatory for the investigative measures not concerning the latter. 9
This combination of instruments was necessarily complicated and hence impractical. More importantly, some member states did not even proceed with the implementation of the EEW FD. 10 Already a year after the adoption of the EEW FD, the Stockholm programme declared that a new comprehensive solution had to be found. 11 While the Commission proposed in a Green Paper a new approach including admissibility of evidence, 12 some member states went around it by proposing the EIOD. The latter was silent on the issue of admissibility. The latter approach won and the EIOD was adopted on 3 April 2014.
The Directive replaces the patchwork of instruments providing for one single standardised order for all types of evidence, with two exceptions: setting up of or gathering evidence within joint investigation teams, 13 and cross-border surveillance provided for in the Convention implementing the Schengen Agreement. 14 The EIO is based on mutual recognition with orders circulating between and executed by competent authorities with a number of non-mandatory grounds for refusal. The EIOD also replaces the Directive on freezing, but only as regards freezing of evidence, but not regarding confiscation, which is being dealt with by another – also comprehensive – instrument. 15
The Directive was adopted after a significant debate centred mainly around fundamental rights issues and admissibility of evidence. 16 While the instrument provides for a unified framework, it does not attempt to unify or harmonise the law of evidence, leaving fully in the hands of the member states decisions on the conditions for issuance, competent authorities for particular types of measures and remedies. Although the instrument is not so revolutionary, the implementation period was fairly long – more than 3 years. 17
An EIO is a judicial decision to have specific investigative measure(s) carried out in another MS with the objective to obtain evidence. 18 Thus, and contrary to the EEW, the focus of the decision is the measure and not particular pieces of evidence, the obtaining of the latter being the purpose of the measure. This of course does not preclude the measure from relating to evidence that is already in the possession of the competent authorities. The EIO may be issued for any kind of investigative measure, with the two exceptions mentioned above.
In addition to the general framework, some measures are singled out, such as hearing by video- or telephone conference, gathering information on bank and other financial accounts or operations, controlled deliveries or covert investigations. No special rules are foreseen for production orders, but these are clearly included. However, a special chapter on interception of telecommunications provides a few additional rules regarding these measures (Arts 30 and 31 EIOD).
An EIO may be issued in criminal proceedings (Art. 4 (a) EIOD), but not only. Three other contexts are foreseen:
(b) in proceedings brought by administrative authorities in respect of acts which are punishable under the national law of the issuing State by virtue of being infringements of the rules of law and where the decision may give rise to proceedings before a court having jurisdiction, in particular, in criminal matters;
(c) in proceedings brought by judicial authorities in respect of acts which are punishable under the national law of the issuing State by virtue of being infringements of the rules of law, and where the decision may give rise to proceedings before a court having jurisdiction, in particular, in criminal matters; and
(d) in connection with proceedings referred to in points (a), (b) and (c) which relate to offences or infringements for which a legal person may be held liable or punished in the issuing State. 19
However, for points (b) and (c), the executing state may refuse execution if the measure would not be authorised under its law in a similar domestic case. 20
It is for national law to decide which authority is competent for which measure (Art. 6 (1)). The EIOD contains two catalogues of competent issuing authorities. The first is closed and contains judges, courts, investigating judges and public prosecutors. These authorities may issue an EIO if the national law entitles them to do so. The second catalogue is open and contains
any other competent authority as defined by the issuing state which, in the specific case, is acting in its capacity as an investigating authority in criminal proceedings with competence to order the gathering of evidence in accordance with national law.
However, the EIO issued by these authorities must be validated by the authorities from the first catalogue regarding the fulfilment of conditions of issuance. 21 While this validation procedure (general judicial reservation, Justizvorbehalt 22 ) should prevent the use of EIO without judicial control of investigative measures, it still triggers fear of overuse by the Police, if the judicial validation becomes mere rubberstamping. 23 In addition to that, if national defence rights so permit, the issuing of an EIO may be requested by an accused person or a suspect. 24
The conditions of issuing an EIO are in the first place necessity and proportionality (to the purposes of the proceedings in question). The measure must be available in the issuing state and ordered under the same conditions as would be necessary to its issuance in a similar domestic case. 25 While leaving it to the member states to legislate on these conditions, it also becomes a barrier against forum shopping. 26 Double criminality is not a condition as such; it is only an optional ground for refusal. In the context of interception of telecommunications, Art. 30 (4) requires the issuing authority to indicate ‘the reasons why it considers the indicated investigative measure relevant for the purpose of the criminal proceedings concerned’, which is normally not necessary.
Unless the executing authority decides to invoke one of the grounds for refusal, it shall recognise the EIO and execute it ‘in the same way and under the same modalities’ as if it concerned a national measure. It shall ‘comply with the formalities and procedures expressly indicated by the issuing authority’ unless they are contrary to the fundamental principles of law of that member state. 27 In principle then, it is the law of the issuing member state that governs the measure, which should ensure its later admissibility. 28
The order should be treated and executed with the same celerity and priority as in a similar domestic case and if possible take into account requests of the issuing authority in that respect. Two concrete deadlines are foreseen for the order: for the decision on the recognition or execution no later than 30 days after the receipt and for the execution 90 days following the taking of the decision. 29 These deadlines are not absolute. The deadline for execution or recognition may be extended by 30 days; as to the delay for the execution (or the specific requests of the issuing authority in that respect), if it is not possible to comply with these deadlines, the executing authority shall consult with the issuing authority to find appropriate timing. 30 It is also possible to postpone the recognition or execution of the EIO because of the interests of an ongoing criminal investigation or prosecution. 31 It is for the executing state to decide what is the reasonable delay in that case.
The EIO offers the executing authorities a number of grounds for refusal, which can be summarised into the following points:
– immunity or privilege or rules on determination and limitation of criminal liability relating to freedom of the press and freedom of expression in other media;
– issues of national security interests, protection of the source of information or secrets of intelligence activities;
– ne bis in idem;
– territoriality (offence committed outside the territory of the issuing State and wholly or partially on the territory of the executing State);
– fundamental rights issues;
– lack of double criminality (limited to certain offences);
– measure not available under the law of the executing state for this offence, because its use is restricted to certain offences. 32
Besides the last ground, the executing state may not, in principle, refuse the order because it would not have been authorised in a similar domestic case. However, this ground is available exceptionally for interception of communications. 33
Before invoking one of the refusal grounds (except the ones regarding the types of proceedings or double criminality), the EIOD obliges the executing authority to enter into dialogue with the issuing authority including potentially requesting additional information. 34
Instead of executing the requested measure, the executing authority may undertake a different investigative measure in two situations. Firstly, if this other measure is less intrusive, but may achieve the same result. Secondly, if the requested measure is not available at all or would not be available in a similar domestic case. Some enumerated investigative measures always have to be available under the law of the executing state, for instance: ‘the identification of persons holding a subscription of a specified phone number or IP address’. 35 Despite the overall mutual recognition philosophy, the possibility to make the assessment whether a less intrusive measure could be used creates a possibility for a verification of the order’s proportionality and necessity by the executing authority.
Besides these obligations, the EIOD does not provide – unsurprisingly – any way of forcing an executing state that refuses to execute the EIO to do so. The only potential reaction is triggering the procedure for non-implementation of a directive, which will be of little use for a concrete request. 36
The EIOD does not provide for concrete remedies but stipulates that ‘legal remedies equivalent to those available in a similar domestic case’ must be applicable. It limits the possibility to question the ‘substantive reasons’ for issuing the EIO to actions brought in the issuing state. 37
The EIO may also be issued for freezing evidence. The Directive contains one provision in that respect regarding the deadlines and questions of whether the items in question should be kept. As to the time limits, the EIOD backtracks on the celerity of the procedure offered by the FD on freezing orders which required in principle immediate execution, 38 and the competent authorities were supposed to ‘decide and communicate the decision on a freezing order as soon as possible and, whenever practicable, within 24 hours of receipt of the freezing order’. 39 The same deadline is kept as to the latter aspect, but no deadline for execution is given. Hence the general rule for all EIOs applies: the authorities should act with the same celerity and priority as for a similar domestic order and comply with the 90-day extendable deadline.
European Production and Preservation Orders
Background and e-evidence proposal
The European Production and Preservation Orders (they will be called EPO when analysed together and if only one of them is meant: EPdO and EPsO, respectively) 40 have been conceived out of a similar need to gather evidence cross-border and frustration that the current framework is not sufficiently workable. Nonetheless, the reasons for this frustration had a different source, linked with technological developments that clashed with traditional legal concepts such as territoriality and jurisdiction, and the need to have access to digital evidence which has been growing exponentially. 41
This need is a direct consequence of the place information and communication technology has taken in everyday life. It is a truism to say that, with everyday human life having an increasingly digital existence, the need for electronic evidence is increasing at the same pace. However, electronic evidence differs in a number of ways from ‘real-life’ evidence, rendering the current legal framework extremely impractical for law enforcement.
First of all, digital evidence is held on servers owned by service providers. Service providers are often foreign, and given the dominance of the market by major service providers (Google, owning also YouTube; Facebook, owning also Instagram and WhatsApp; Microsoft owning also Skype; Apple and Amazon) most often American. Data may be managed by subsidiaries of these companies headquartered in Europe. The picture is even more complicated as servers may be stored in data centres potentially located in yet another country. For instance, Facebook’s enormous data centre is located in Luleå, Sweden. 42 Yet, investigation and prosecution is confined to national borders and if it goes beyond it, instruments of international cooperation must be used. These are time-consuming and cumbersome. 43
Secondly, the territorial approach to the jurisdiction to enforce – that is, based on the location of data – is not only impractical, but also in the process of becoming technologically outdated, given the growth in use of cloud computing. 44 Furthermore, data might be transferred in a way where data are not stored on a single server, hence subsequent requests cannot be fulfilled. 45 Lastly, the investigation authorities depend much more significantly on cooperation of service providers also for practical reasons. While a raid on a company that refuses to produce requested documents would be a viable possibility, a raid on a data centre would not bring similar (if any) results, unless disproportionally significant forces are used to find the necessary data, potentially including heavy decrypting capacities, if that was possible at all. 46
To overcome these problems, law enforcement has tended to resort to voluntary cooperation or to abandoning the territorial approach. The former, consisting in sending requests to service providers to which they are not obliged to respond, lacks an enforcement mechanism and a framework of protection of rights for persons affected. An example of abandoning territoriality was provided by Belgium, first in case law and then in its code of criminal procedure, through which it extended obligations of cooperation to service providers offering services targeting Belgian citizens, regardless of the location of data or the service’s headquarters. 47 Yet, this approach puts a strain on the service providers as they may find themselves in a conflict of legal obligations, if the legal framework related to their headquarters or location of data forbids them to provide the data thus requested. 48
The increasing need to obtain data for criminal investigation combined with these difficulties and the volatility of data creates the need to find a solution which would facilitate this process. The EIO may serve to acquire electronic evidence, but it is claimed that for that its deadlines are too long and create risk that data disappears or is altered in the meantime. 49 Nor can it resolve the question of territoriality. 50 Hence, even before the EIO date of implementation passed, the EU Commission was requested by the Council to begin a reflection on a solution to these problems. 51 This resulted in two non-papers 52 and further documents, including a thorough impact assessment. 53 The key question of the debate was whether to introduce an instrument which would be limited to allowing service providers to provide data requested by the authorities of a member state different than the one where they are established, but without compelling them to do so (it would already tear down barriers of national legislation forbidding it), or whether the orders would be mandatory. 54
The latter approach won. The Commission’s proposal introduces a mandatory order which – if the proposal is adopted – competent authorities in one member state address to service providers in another one, in principle without engaging authorities in that member state. Furthermore, it abandons territoriality as the principle deciding where orders are to be addressed. According to this new system, the service providers would be obliged to designate at least one legal representative in the EU for the ‘receipt of, compliance with and enforcement of’ these orders. 55 Failure to do so would mean that the authorities may send the order to any establishment of the service provider in the EU. 56 These duties affect all service providers ‘offering services in the Union’. 57 This concept does not mean that every service accessible from the EU falls into the scope of the directive and regulation, but it is fairly broad. In particular, the location of data is without importance for deciding whether the request may be issued and to which place it should be addressed.
This approach may put service providers in conflict with legislation outside of the EU, in particular the American one, as explained below. The conflict may be even graver – potentially – as the regulation permits requests for data of non-EU citizens. The regulation addresses the question of conflict of legal obligations. The practical success of EPO depends also on whether it is done in a satisfactory way, as numerous legal conflicts of significant providers may jeopardise the use of the orders.
In that respect, it is important to note the negotiations that the EU is conducting with the US for an agreement under the recently enacted CLOUD (Clarifying Lawful Overseas Use of Data) Act. In principle, US legislation (Electronic Communications and Privacy Act 1986) forbids its service providers to share content data with foreign law enforcement outside of the MLA procedure (non-content data may be shared voluntarily). 58 The CLOUD Act would lift this so-called blocking provision provided that the United States signs an agreement with the country in question based on the assessment of that country’s rule of law and privacy protection. 59 For the consistency of the area of freedom, security and justice (AFSJ), it is of paramount importance to have one EU-US agreement in that respect instead of a fragmented patchwork of different agreements and member states not (yet) having it. By introducing one instrument of cross-border exchange of electronic evidence at the EU level, the EU should become a preferred partner of the United States. 60
The Regulation (EPOR) also contains the possibility to preserve data in view of a subsequent request for production of the data thus preserved, not only via an EPdO but also via mutual legal assistance or an EIO. 61
At this point, there exist two versions of the text: the original Commission proposal and the Council’s general approach. While the latter version aims at solving a number of problems, the fundamental elements of the order’s design remain the same. The article will signal instances where the two versions differ. It is important to note already at this point that the draft regulation contains an express provision that it does not preclude the use of EIO. 62
European Production Order
‘“European Production Order” means a binding decision by an issuing authority of a Member State compelling a service provider offering services in the Union and established or represented in another Member State, to produce electronic evidence’. 63
The term electronic evidence is also defined by the EPOR, but in a less direct way. It should be understood as evidence stored in electronic form by or on behalf of a service provider at the moment of reception of the order and consisting of one of the four categories of data: subscriber, access, transactional and content data. Each of these categories is defined in Art. 2 EPOR as well. It seems an unfortunate legislative technique to define electronic evidence with the requirement of having it available by the service providers at the time of the order’s receipt. It is more a question of application of the instrument than a question of what is or is not digital evidence. This aspect will be relevant for delineating the scope of EPO and EIO.
The answer to the question of who may issue an EPdO depends on the type of data being sought. Judges, courts or investigating judges may issue orders for any type of data. The prosecutors’ competence in that respect is limited to subscriber or access data, as these categories are perceived as less intrusive and hence do not require the same level of ex ante scrutiny. 64 Furthermore, and similarly to EIO, ‘any other competent authority […] acting in its capacity as an investigating authority in criminal proceedings with competence to order the gathering of evidence in accordance with national law’ may also issue an EPO, but the latter must be validated by an authority entitled to issue it in its own right. 65
The EPO may be issued only for criminal proceedings and – in the version of the Council – also for the execution of custodial sentences. 66 In that sense, the EPO has a narrower (than EIO) scope of application. The General Approach adds also that the Regulation should not apply if the purpose of gathering digital evidence would be to provide mutual legal assistance to another member state or a third country. 67 The orders may also be issued in proceedings against legal persons, similarly to the EIO. 68
While the recipient of an EIO is a competent authority, the recipient of the EPO is a service provider offering services in the Union and established or represented in another member state and the EPO is limited to data pertaining to services as described below. 69 It is worth paying closer attention to the definition of service provider as the data may only be sought through EPO if there is a provider to which it may be addressed. If there is none, EIO remains the only option.
A service provider can be a natural or a legal person and is otherwise defined by services it offers which can be:
– electronic communication services,
– information society services,
– Internet domain name and IP numbering services. 70
The details of definitions of both categories are divergent between the original version and the general approach. In practice, the first two categories comprise such services as Skype, WhatsApp, Amazon, Dropbox and mailing services. 71 As to the last category, it makes reference to the providers of Internet infrastructure services who hold data that may be of high relevance for identifying persons of interest. 72 The General Approach excludes financial services referred to in Art. 2(2)(b) of Directive 2006/123/EC.
Providers of services described above fall into the scope of the draft regulation only if they are offering services in the Union and are established or represented in another member state. From the perspective of legislative technique, this is a cumbersome way of explaining relatively basic premises of the regulation. 73 The regulation defines what it means to offer services in the Union: it means to enable legal or natural persons in at least one member state to use services described above and having a substantial connection to that or these member state(s) (Art. 2 (4)). So the regulation does not only apply to the service providers established in the Union, but it is enough that they offer services in the Union. It follows the philosophy that profiting from these services in the Union creates also obligations towards law enforcement in the same geographical area and also creates a level playing field between the providers in terms of obligations and avoiding an easy to use gap in law enforcement. 74
However, mere accessibility of the service from the Union cannot be a sufficient criterion, as this would make every provider in the world fall into the scope of the provisions of this regulation. In the simplest situation, the substantial connection element results from the fact that the service provider has an establishment in at least one member state. In the absence of that connection, it can be established ‘on the basis of the existence of a significant number of users in one or more Member States, or the targeting of activities towards one or more Member States’. 75 As to the latter criterion, the Explanatory Memorandum gives examples of factors determining that the service provider targets its services towards a member state: use of a language or currency of that state, or providing local advertising. While this does not seem problematic, the former criterion may lead to a more troublesome result: if a service becomes very popular with a significant number of EU users, without it being a particular intention of the service provider, it may make it fall into the scope of the regulation.
Furthermore, the service provider has to be established or represented in another member state of the Union, as otherwise it would be a purely domestic situation, which is excluded from the scope of the draft regulation. It stems (only!) from the definitions of the EPdO and EPsO, respectively, that the order cannot be used in a national context. However, what is omitted from the regulation is the question of how to determine when the data are held by or on behalf of a service provider established or represented outside of the issuing member state. That in turn may lead to the use of this instrument to obtain data, when the national criteria are more difficult to meet than those in the regulation.
To issue an EPO, a number of conditions must be fulfilled. The first two resemble the EIO. First of all, ‘a similar measure would be available for the same criminal offence in a comparable domestic situation in the issuing State’. Secondly, the order must be necessary and proportionate for the purpose of the proceedings for which it is being issued.
Thirdly, the issuance of EPO may be limited depending on the offence under investigation. This limitation does not concern orders issued for subscriber or access data. However, an EPdO to produce transactional or content data may only be issued for offences ‘punishable in the issuing State by a custodial sentence of a maximum of at least 3 years’ or offences enumerated in the acts to which the Regulation makes reference. The latter group is composed of offences harmonised by EU instruments in specific fields such as terrorism, fraud, sexual abuse and sexual exploitation of children and child pornography, attacks against information systems. 76
The version of the Council adds another condition aimed at solving problems related to the immunities and privileges and to rules on determination and limitation of criminal liability relating to freedom of press and freedom of expression. If an order concerns transactional data and there are reasonable grounds to believe that the person whose data are sought is not residing on the territory of the issuing state and the data are protected by the rules of one of the kinds enumerated here, the issuing authority shall first seek clarification on these issues from the competent authorities of a member state concerned. If it results that the order could impact fundamental interests of the other state, these circumstances should be taken into account while issuing the order (including abstaining from its issuance) in the same way as if these rules were part of national law. 77
Regarding the same problem but for orders concerning content data, the Council added the mandatory notification of a competent authority of the member state concerned. Upon reaction of that authority, ‘the issuing authority shall take these circumstances into account in the same way as if they were provided for under its national law and shall withdraw or adapt the Order where necessary to give effect to these grounds if the data were not provided yet’. 78
Transmission, reaction, enforcement
The key innovation of the regulation is in its cross-border transmission. Instead of being addressed to the competent authority in another member state, it is addressed directly to the service provider, and more concretely to its legal representative. The EPOR together with the Directive provide for a number of rules aimed at guaranteeing that the transmission reaches the service provider, including sanctions for not designating a representative and the possibility to address the order to any establishment of the service provider. 79
The order is transmitted to the service provider (i.e. the representative) in the form of a certificate (signed and certified). 80 The certificates are to be transmitted ‘by any means capable of producing a written record allowing the addressee to establish its authenticity’. 81 This expression was tightened by the General Approach of the Council stressing that the certificate has to be transmitted ‘in a secure and reliable way’. This formulation, which may be potentially less stringent than the national law of some member states, opens the possibility of including technical means, that is, platforms or other appropriate digital channels, to speed up and smooth the transmission of requests. These platforms may be established by service providers; some have already established them. 82 The platform may also be provided by the public sector: it is under construction by the EU Commission for EIO and MLA requests; 83 such a platform exists for exchanging data in cross-border civil procedures (eCodex). 84
It is important to differentiate between the order and the certificate. The certificate contains standardised – to avoid mistakes – content necessary for the service provider to react to the order. However, the full content of the order, in particular the reasoning regarding necessity and proportionality or other details of the case, is not to be transmitted to avoid negative impact on the case. The latter will be accessible in due course by the suspect and may be subject to applicable challenges. 85
The default reaction of the ISP should be transmission of the requested data, also directly to the issuing authority (again without any intervention of the authority of the state of the ISP). This should be done within 10 days from the receipt of the order or earlier if requested, and in emergency cases within 6 h. 86 These are much shorter deadlines than the ones provided by the EIO.
The ISP may find itself in a situation of impossibility to comply with an order. For these cases, the regulation provides for dialogue, aiming at furnishing necessary clarification to the ISP or withdrawing the order. This is in particular the case if the order is incomplete, contains manifest errors or does not contain sufficient information to execute it or in cases of de facto impossibility. However, the issuing authority has the upper hand: at no point does the regulation force the issuing authority to withdraw the order. 87
Non-compliance with the order may trigger two types of consequences: sanctions and enforcement procedure. As to the sanctions, the regulation leaves it to the member states to provide necessary rules in that respect. Interestingly, at no point does the regulation say which state should be responsible for imposing and enforcing them. This would mean that the rules of transnational ne bis in idem would apply, leaving uncertainty for the service provider in question. Furthermore, the Council added a clause expecting the member state to ensure the possibility to impose a sanction of up to 2% of the total worldwide annual turnover. 88 If accepted, such a sanction could theoretically be imposed for one instance of refusal to provide data of one email account in a case of a simple offence that fulfils the threshold of potential 4 years’ imprisonment. This may raise eyebrows, as it does not appear proportionate and, in the case of big providers, would result in extremely large amounts.
The enforcement procedure turns an EPO into a much more classical mutual recognition instrument and in that sense more similar to EIO. The issuing authority may transfer the order to a competent authority in the enforcing state (nota bene, not executing state as in the case of an EIO), who should recognise and enforce the order. Also as in a classical mutual recognition, a number of grounds of refusal may be invoked by the enforcing authority. However, they look very different than the ones in the EIOD or in the EAW FD. They are mainly related to the problems with issuance of the order (the service not covered by the regulation, non-competent authority or offence out of the scope of application of EPOR) or impossibility of executing the order by the provider. 89 These grounds may be invoked also by the service provider, but the enforcing authority has the last say and may disregard this objection. 90 The Council added to this list grounds related to the issue of privileges and immunities as well as freedom of press and expression. These may not be invoked by the service provider.
Interestingly, the Council deleted a ground of refusal – already more limited than the EIO equivalent – based on manifest violation of the Charter or of the order being manifestly abusive. It is certain that the Council wanted to make sure that ISPs cannot invoke that reason (which was possible in the previous version). However, lack of this ground may not prevent the enforcing authorities from invoking it. Article 1 (2) EPOR says that ‘[t]his Regulation shall not have the effect of modifying the obligation to respect the fundamental rights and legal principles as enshrined in Article 6 of the TEU’. It provides for a similar clause as the one in Art. 1 (3) of the EAW FD, which was the basis for the decision in Aranyosi/Căldăraru 91 and more recently in Minister for Justice and Equality v LM. 92
The list is limited to these grounds. In particular, the list does not include double criminality, ne bis in idem or questions of necessity and proportionality. Furthermore, as the instrument is a regulation, the member state certainly cannot add any further grounds in their national legislation. 93
Conflicting obligations and remedies
The EPOR contains a chapter called ‘Remedies’. Yet, only a small part of it is devoted to the remedies regarding affected persons and formulates the obligation of the member states to provide for effective remedies for persons whose data were sought. 94 Most of the chapter, however, contains rules aimed at addressing situations in which compliance with the order would create conflict with law of a third country.
If such conflict exists, the service provider shall inform the issuing authority providing reasons for objecting to the order, in particular all relevant details on the law in question and the nature of the conflicting obligations. 95 The mere fact that similar provisions regarding production orders do not exist in the third country in question or that the data are stored in a third country is not sufficient to raise this objection. In that sense, the proposal parts with the traditional territoriality principle, which links jurisdiction with the place where the data are stored. 96 As already mentioned above, this is in line with the current trend, which, for reasons of technological developments (e.g. cloud computing) and the impracticality of this solution, tends to abandon this approach.
The issuing authority is obliged to review the order in view of the objection and if it intends to uphold it, the order shall be reviewed by a court in the member state of the issuing authority. In principle, even if it comes to the conclusion that a conflict of laws exists, the court is not obliged to withdraw or lift the order, but it has to make an assessment based on a number of criteria, such as a balancing act of fundamental rights and interests, the degree of connection of the case or of the service provider to the third country, the interests of the issuing state and the potential consequences for the service provider of complying with the order.
A very interesting discrepancy exists between the Commission and the Council proposals as regards conflicts of laws where the laws of a third country prohibit disclosure of the data for reasons of necessity to protect the fundamental rights of the individuals concerned or to protect the fundamental interests of that country related to national security or defence. The Council would prefer to treat this category in the same way as any other conflict of laws, thus applying the rules described above. But the original proposal of the Commission offered a different procedure, within which, if the court finds that a conflict with a law of that kind exists, it should address an authority in the third country. If the latter confirms the conflict, the order must be lifted. In case of the authority not reacting even after a reminder within the fairly short deadlines provided, the order is upheld, which would put the service provider in an uncomfortable situation as lack of reaction might be caused by bureaucratic slowness and not necessarily shield the provider from sanctions. Under the proposal of the Council, in no scenario would EU authorities be bound to lift an order that results in a conflict of laws, potentially increasing the number of uncomfortable situations for service providers.
Comparison
The two instruments present significant similarities. They are two instruments with the same or similar purpose: gathering evidence using mutual recognition of orders of other member states. They have the same legal basis: Art. 82 (1) TFEU. Yet, while EIO is a classical mutual recognition instrument, the EPO is more controversial as it subtracts, in the regular course of events, the involvement of an authority on the receiving end of the order. In that sense, one may question whether there is still any recognition since there is no authority to actively recognise the order. 97 The involvement of judicial or equivalent authorities happens only if the service provider refuses to comply with the order. Before that we can only speak about a sort of tacit recognition.
The procedure of enforcement presents some similarities as to the conditions to issue the orders. They have to be scrutinised in view of necessity and proportionality as well as regarding availability of similar measures in national law to avoid forum shopping. Furthermore, both instruments may be issued for gathering evidence for proceedings against legal persons regardless of whether in the member state where the order is to be executed legal persons are subject to criminal liability.
But besides these resemblances, the two instruments present fundamental differences.
The need for the EIO stems from the free movement of persons and abolition of borders. 98 The reason for EPO is different, namely lack of borders in cyberspace. It is not the population that moves, but services are placed in other countries than their users. There may be need for an EPO in a purely domestic case, with perpetrators, victims, place of commission and investigating authorities all from one locality, just because the data that are needed happen to be in possession of a service provider from another member state.
In consequence, the EPO focuses much more on the relationship between the authorities seeking electronic evidence and the service providers having it. This aspect creates the major difference between the two systems. The EPO goes in the first place to the service provider who should respond to it by delivering the requested data without engaging local authorities who could exercise some checking function from the perspective of national interest or fundamental rights. Limited possibilities in that respect have been proposed by the Council with the notification procedure. However, outside of it, the primary responsibility for checking the order will lie with the service providers. Recital 46 says: ‘Service providers should not be held liable in Member States for prejudice to their users or third parties exclusively resulting from good faith compliance with an EPOC or an EPOC-PR’. The Council deleted the word ‘exclusively’ and added that the responsibility for the legality of the order is with the issuing authority. Furthermore, in that version, the Regulation does not offer grounds for the service provider to refuse the order, except for reasons of practical impossibility. Any refusal for potentially good but other reasons will have to be done under threat of sanctions for non-compliance. Yet, the service providers will probably perform checks anyway. The case of the San Bernardino shooter is an excellent example when a service provider prefers to send a message to the clients: ‘we protect your data’ even at a risk of sanctions (and it was a terrorism case, where little sympathy could have been expected from the public towards the privacy of the deceased perpetrator). 99 Yet the logic is a different one than that of state authorities with duties to protect its citizens from violations of fundamental rights. The service providers are motivated by business concerns and their foremost duty is towards shareholders. 
So they will arguably respond negatively to abusive orders if that is more profitable/less damaging than complying with it. 100
This is not at all the case for EIO even when requiring cooperation of private actors. The EIO always passes through the hands of a competent authority entitled to perform necessary checks. In particular, EIO contains a significant list of grounds for refusal, including the fundamental rights one. The latter has been deleted by the Council in the e-evidence Regulation. While the proposed Regulation still contains the general fundamental rights clause (Art. 1 (2) EPOR), its use will rather be exceptional. The overall list of grounds for refusal is much shorter omitting for instance double-criminality, which is completely abandoned. That means for instance that a member state with very liberal abortion laws will have to enforce orders related to draconian anti-abortion policies. In sum, even if the enforcement phase of EPO is similar to the EIO, in essence the space for intervention of the enforcing authority is lesser than that of the executing authority of the EIO (even in the Council’s version including notification procedure). In consequence, the EPOR requires a much more significant trust between member states than classical mutual recognition instruments such as EIO or EAW.
Necessarily, these design features will have their bearing on the rights of the persons affected by the measure, be they accused or suspects, or just third parties. The service providers will be the first guardians of their rights. But when assessing their potential infringements, instead of looking at them with a public eye, they will do so with the private one. In other words, business interests will guide these assessments: what is more profitable, to comply with the order or to resist? And even if the service providers question the orders, the possibilities of refusal of enforcing authorities will be more limited than those available to executing authorities.
The initial problem of the e-evidence question was how to get data for local investigation where only the happenstance of the data being elsewhere makes the case international. It seems reasonable to be satisfied that in such cases the state of the investigation would be also responsible for procedural fairness. The Regulation mandates the member states to provide for effective remedies leaving the details to national legislation. It remains to be seen how these remedies are elaborated. But in a system designed in this way, it is questionable if one can really speak of effective remedies where a person may be subject to investigation (including collection of the content of his or her email correspondence) in another member state, in another language, and potentially not knowing about the transfer of data.
Finally, another difference between the EIO and EPO is worth underlining. The EPO is being introduced by a regulation, while the EIO was introduced through a directive. This aspect should create more homogeneity in the system, however a number of important aspects – in particular sanctions and remedies – are left to the member states’ legislations.
Delimitation of the scope
Electronic evidence as defined by the EPOR is not the only electronic evidence there is. In fact, the EPOR applies to gathering of electronic evidence in a certain context and if a number of conditions apply. If adopted, EPOR will be the default instrument to gather this type of evidence, and its application will arguably be broad. However, there may be two types of reasons for it not to apply: geographical ones and questions of context or conditions of applicability of EPOR, leaving ground to EIO or even, in fewer instances, to other instruments of cooperation.
From the geographical point of view, the division of scope may/will be more complicated regarding three member states with limited participation in the AFSJ, namely Denmark, Ireland and the United Kingdom. As to the latter, it is unclear at this point what the status of this country will be. Even if it leaves the EU, it may still cooperate in some instruments belonging to the AFSJ, but speculating on that would be premature. In any case, UK firms offering services into the EU will have to designate a legal representative in the EU for the purposes of responding to EPO. The United Kingdom is part of the EIO, so if it stays in the EU, but does not opt-in to the Regulation, this will be the only instrument of cross-border exchange of evidence, including electronic evidence.
The contrary is possible as to Ireland. Ireland is not part of the EIO but seems to be willing to opt-in to the Regulation. 101 This would mean that gathering of electronic evidence under the conditions analysed above would happen according to the regulation. As to any other evidence, it would need to be gathered through means offered by the 1959 MLA Convention of the Council of Europe, as Ireland is not even part of the EU 2000 MLA Convention. 102 This creates certain imbalance in gathering of evidence regarding for instance persons who reside in Ireland, but are under investigation in other member states. Yet, this imbalance should not be exaggerated as electronic evidence regarding these persons may well be held by providers not located in Ireland. What is more important, this country is one of the most favoured by technological companies in Europe and may be chosen as the place for the EPO to be addressed. It is interesting to note that Ireland is also one of the countries, which allow their service providers to share data voluntarily with foreign law enforcement. 103 This would remain an option if this country does not opt in eventually. As Ireland is part of the FD on freezing orders, if it does opt-in to the EPOR, duality (as for all the other 25 member states fully participating in the AFSJ) would exist between freezing orders and the European Preservation Orders.
The difficulties of not being part of the regulation may well be exemplified by the case of Denmark. It is not bound by the EIOD, but it is part of the EU 2000 MLA Convention so this instrument remains the default option for gathering evidence with this country. By virtue of the annex to Protocol 22 to the TFEU, it may still become part of the Regulation, yet its record does not show much enthusiasm in joining initiatives pertaining to the AFSJ. 104 If Denmark is not part of this instrument, it will still be automatically part of the Directive. The latter is based on common market provisions of Arts 53 and 62 TFEU and the exclusion of Protocol 22 does not apply to it. This will create a peculiar situation. Denmark will be obliged to implement the Directive. Furthermore, it will be possible to declare that for the purposes of receiving requests the service provider’s seat is, say, in Copenhagen. The service provider (except purely local ones) would hence be obliged to comply with EPOs, but Danish authorities would not provide enforcement or sanctions for non-compliance. The only option would be to impose sanctions in the issuing member state. Paradoxically, the Regulation would in a way have some application on the territory of Denmark, but without participation of this country in the instrument.
This would indeed create a géométrie variable of a higher level, certainly systemically unfortunate. It would also remain a question whether Denmark could forbid (e.g. through data protection rules) local service providers from sharing data with non-Danish law enforcement outside of the MLA procedures. This could infringe the principle of sincere cooperation, yet regarding an instrument in which the member state does not participate.
The scope of application of the EPO will also be limited by the context. EPO in its current form can only be issued for criminal proceedings (and possibly for execution of certain sentences). The application of EIO is broader as it includes also two types of proceedings which do not belong to this category (see Art. 4 (b) and (c) EIOD). Electronic evidence needed for these proceedings may be gathered through EIO only.
This latter aspect is linked with the speciality principle that the Council’s version of the proposal adds. If accepted, this provision will limit the use of electronic evidence, besides the proceedings for which it was gathered, to proceedings for which the EPO could have been issued or ‘for preventing an immediate and serious threat to public security of the issuing State or its essential interests’. 105
Another significant aspect, which may limit the application of EPO – in comparison to EIO – is the authority to issue an order. The main difference between the two instruments is that the regulation harmonises the question who may issue an EPO, while EIO leaves it to the member states. In this harmonised framework, the power of prosecutors to issue an EPO is limited (e.g. in respect of orders concerning transactional or content data). However, it is not excluded that national law permits the prosecutors to request data of that kind on the national level. In result, in such situations a prosecutor would be entitled to issue an EIO without a judge’s approval, while the issuance of an EPO would necessitate such approval. However, this effect may be mitigated by the potential requirement of court authorisation in the executing member state. 106
Besides these situations, competent authorities gathering electronic evidence (in the broad, non-EPOR sense) will have both instruments at their disposal (EPOR does not preclude the application of the EIOD). Yet, the application of EPO may still be limited by the fact that this evidence must be stored by or on behalf of a service provider as defined in Art. 2 (3) of the Regulation. More importantly, this must be so at the time of reception of the order. An EPdO to produce transactional or content data may only be issued for certain types of offences prescribed by the regulation. Again, the question for which offences an EIO may be issued is left for the member states, so solutions may differ in different issuing states. Hence, it would still be possible to issue an EIO for transactional or content data for offences which are out of the scope of the EPdO, if the law of a member state so allows.
Systemic consequences
If both instruments are available, it is difficult to imagine why authorities should not choose an EPO. Its procedure is simpler, the deadline for reaction much shorter and the pressure on execution much more significant with a set of concrete sanctions. And if the service provider does not provide the requested data, a procedure similar to EIO is still available, but again less cumbersome (i.e. fewer grounds for refusal). The first potential systemic consequence, potentially with an Orwellian reminiscence, is that this may create a tendency to generally prefer electronic evidence and increasingly build up cases around it.
Is there a good reason to single out digital evidence and provide for such a facilitated system? The standard answer is that volatility of data demands celerity. Yet not only electronic evidence may require rapid access to information. A search may be urgently necessary in a kidnapping case. And it is not so that urgency is always needed when looking for digital evidence. In the name of celerity, a significant level of protection is sacrificed that is deemed necessary otherwise. Moreover, an EPO can constitute a very significant curtailment of the right to privacy, for instance if content of private emails is concerned. Much less intrusive measures (e.g. production request for company documents) are subject to a much higher level of protection as offered by EIOD. This does not contribute to systemic coherence.
From a different perspective, one may say that the EPOR finally takes mutual recognition in particular, and the AFSJ in general, seriously. Mutual recognition has been a device facilitating transnational cooperation in criminal matters for the past 20 years, which has been designed to respond to the needs of law enforcement resulting from the design of the EU. While it proclaimed trust, it always kept ways of checking if other member states are worth that trust. EPO requires a much higher level of trust and in this sense is a quantum leap of mutual recognition.
Yet it comes without full harmonisation of procedural guarantees, remedies and other elements that could substantiate it. The EU successfully built a common data protection framework, but the approach to privacy is not the same. 107 Furthermore, some member states are under scrutiny for their potentially unsatisfactory level of the rule of law, which stalemated the execution of classical instruments of mutual recognition. 108
Finally, the EPOR creates a new relationship between law enforcement and private actors, that is, service providers, which, whether they like it or not, would become extended arms of law enforcement replacing their national authorities in the task of not only receiving and complying with but also assessing the orders. However, contrary to national authorities, they will do so at a threat of sanctions for non-compliance, making the service providers unreliable defenders of our fundamental rights. 109
Conclusions
The analysis above showed that if the EPO is applicable, it is much more attractive for law enforcement than EIO. It will thus become the preferred option for authorities probably increasing the presence of digital evidence in the file, potentially unnecessarily. At the same time, the EPOR is less protective for persons concerned. By giving electronic evidence preferential treatment, not only does the EPOR risk creating imbalance in the EU system of cross-border gathering of evidence but also giving up fundamental rights protection for the sake of celerity.
Furthermore, with EPOR the trust the member states have to have in each other’s systems in general, and authorities’ restraint in particular, is heightened to a new level: the authorities in the member state where the order is addressed being potentially completely omitted from the process and even if they intervene, they have limited grounds for opposing the order. And this development comes at a time, when mutual trust is questioned with increased intensity. 110
EPOR also has significant merits. In the first place, it breaks with the traditional and cumbersome territorial approach to the location of data and adapts to the borderless reality of cyberspace. Secondly, if it manages to contribute to establishing a common framework of voluntary exchange of evidence with the United States, that will certainly enhance coherence of the AFSJ. Finally, one may acknowledge the potential effect of relieving law enforcement – which is always struggling with limited resources – of the task of reception, recognition and execution of potentially numerous orders for electronic evidence. In that way, EPOR is part of a wider trend of transferring enforcement tasks to private actors.
With the EIO, the AFSJ was supposed to get a single instrument to transfer evidence across borders of its member states. 111 Just after its implementation date, and before the practice of its use is established, a new instrument threatens to shatter this holistic approach. Instead of always having recourse to an EIO, law enforcement will have to choose between EIO and EPO and wherever possible will most likely choose EPO. While all evidence was supposed to be equal within the AFSJ, electronic evidence with its significantly simplified framework becomes more equal than any other.
Footnotes
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
