Cross-border access to electronic evidence in criminal matters: The new EU legislation and the consolidation of a paradigm shift in the area of ‘judicial’ cooperation

Introduction

The widespread use of online services to achieve criminal purposes that often go beyond the commission of classic cybercrimes (cyber-dependent or -enabled crimes) ¹ has stressed the urgent need for continuous modernisation and adaptation of the toolkit police and judicial authorities use at national and trans-national level. In particular, access to electronic data (also known as digital data, a term that includes distinct data categories, such as subscriber data, traffic data and content data in the field of telecommunications) ² is an integral part of the timely prevention and effective suppression of modern criminal activity. ³ This can be achieved in different ways depending on the applicable law in the jurisdiction where the electronic data is stored and the existence of bilateral or international agreements on cross-border access to electronic data or evidence in general, but also on the basis of additional parameters such as whether the data in question is open access.

In practice, however, access to electronic data by competent authorities is a fairly complicated matter. The primary reason is the length of the procedures set out in the available mutual legal assistance instruments that –despite aiming at tackling cybercrime and, thus, taking into considering the specificities of the respective criminal proceedings– were either adopted before the widespread use of cloud computing (e.g., Budapest Convention) or –although they address cross-border access to evidence in criminal proceedings– they do not include specialised rules on electronic data given their short life-cycle (e.g., European Investigation Order (hereinafter EIO) Directive). ⁴ Thus, while the EIO Directive was adopted on the basis of the principle of mutual recognition of judgments and judicial decisions ⁵ and established a channel of cooperation between the competent authorities of Member States for the purpose of carrying out investigative measures, access to electronic data is often ultimately secured through voluntary, direct cooperation between foreign service providers and national law enforcement and judicial authorities. ⁶ Being faster and less bureaucratic, ⁷ this alternative has indeed become a popular practice compared to the use of mutual legal assistance tools, although it does not always guarantee the successful outcome of the cooperation requests.

In particular, according to a Europol study, direct cooperation with foreign service providers is not regulated (at least not explicitly) in the majority of the EU Member States. ⁸ This results in different treatment of the cooperation requests submitted by national authorities depending on the location of the service provider’s establishment. Moreover, pursuant to the same study, it remains uncertain whether the data obtained by means of voluntary cooperation will be admissible as evidence before the competent national criminal courts. ⁹ The cooperation of service providers cannot be taken for granted either. There are varying reasons, including conflicting national legislations that raise questions about the legality of cooperation with foreign police and judicial authorities, the lack of resources to address an increasing number of requests as well as the lack of willingness to establish cooperation protocols for this purpose. ¹⁰

In this context, the new EU legislation on cross-border access to electronic evidence (hereinafter ‘e-evidence’) in criminal proceedings appears to be a major breakthrough. This was adopted in July 2023 after complex and lengthy negotiations ¹¹ following the release of the Commission’s Proposal in April 2018. ¹² The new rules are entailed in the Regulation (EU) 2023/1543 (hereinafter ‘the Regulation’) ¹³ and the Directive (EU) 2023/1544 (hereinafter ‘the Directive’) ¹⁴ and will enter into force in August 2026. ¹⁵ The Regulation leads to (or rather extends) a paradigm shift ¹⁶ towards facilitating direct cooperation between competent national authorities and foreign service providers operating in the EU, regardless of the location of their establishment and, thus, their direct involvement in law enforcement. At the same time, the Directive ensures that service providers offering services in the EU, without having an establishment within the EU borders, will appoint a legal representative in at least one EU Member State for the purpose of preserving and producing e-evidence in criminal proceedings.

This article provides a comprehensive overview of the key provisions of the Regulation (Section II). ¹⁷ Next, it reflects critically on the central legislative decision to regulate direct cooperation with service providers in terms of a paradigm shift that (further) promotes the privatisation of law enforcement tasks (Section III), as well as on other normative choices that seem to prioritise speed and effectiveness of criminal repression at the expense of the protection of fundamental rights (Section IV). Lastly, it discusses future challenges that arise not only from the future enforcement of this new EU legislation but also from rapid technological developments that enable, inter alia, the direct generation of evidence from information systems (Section V).

Key legislative choices in the context of the Regulation (EU) 2023/1543

The model of direct cooperation with service providers and the intensification of the privatisation of law enforcement

The decision of the EU legislator to formalize the previously voluntary, direct cooperation between the competent national authorities and foreign service providers aims to address criticism regarding the efficacy of existing mutual legal assistance instruments and, particularly, the EIO. Nonetheless, it is important to highlight that the EIO Directive is not applicable neither in Denmark, which does not participate in judicial cooperation in criminal matters at all, nor in Ireland, which reserves the right from participating in such instruments, as was the case with the EIO. Indeed, Ireland’s decision has significantly influenced the realm of e-evidence, given that many of the most influential tech companies’ European subsidiaries (e.g., Meta, Microsoft, Google) are located within the Irish jurisdiction. ⁷⁵

The model of direct cooperation entails a significant limitation on the national sovereignty of the enforcing State, where the service provider has an establishment. This limitation may comply with the Lotus principle inasmuch as it derives from an international treaty, ⁷⁶ but remains a considerably broad self-limitation in the field of cross-border judicial cooperation in criminal matters at both EU and Council of Europe’s level. ⁷⁷ In particular, it is worth noting the use of an EU Regulation as a legislative instrument, which significantly constrains the national legislator’s discretion in the realm of judicial cooperation, ⁷⁸ and art. 82 (1) of the Treaty on the Functioning of the EU (hereinafter ‘TFEU’), which serves as the central provision of primary EU law concerning judicial cooperation among Member States in criminal matters, as the legal basis for establishing a channel of direct cooperation with service providers. ⁷⁹

Pursuant to art. 82 (1) TFEU, the principle of mutual recognition serves as the basis of judicial cooperation in criminal matters at EU level. Although this provision does not ascribe a concrete meaning to the concept of mutual recognition, nor does it state that the latter necessarily refers to cooperation between national public authorities, it does certainly refer to judicial cooperation, a term that does not suggest the involvement of private parties. ⁸⁰ Indeed, the principle of mutual recognition was ‘born’ in a different regulatory framework, that of European economic law; thus, it is often argued that it should be interpreted in a flexible way and that, in this context, there is room for taking into consideration the latest technological developments, including but not limited to the growing importance of cross-border access to e-evidence. ⁸¹ The adoption of such a view would ignore, however, the different ideological identity of European criminal law compared to European economic law, as in the case of the latter the application of the principle of mutual recognition enables the free movement of persons, goods and services, whereas in the case of the former it entails significant restrictions on civil liberties. ⁸² Besides this, this restrictive function is performed in a context that does not ensure a prior, comprehensive approximation of national legislations on procedural issues, including, inter alia, the protection of defence rights, considering that the Directives adopted on the basis of the Roadmap for strengthening procedural rights of suspected or accused persons in criminal proceedings have not fully addressed this regulatory aspect. ⁸³ In any event, it should be noted that –prior to the legislative initiative taken by the EU legislator to improve cross-border access to e-evidence– domestic legal approaches have already been fragmented regarding issues related not only to the necessary link to each national legal order for adopting investigative measures with cross-border effects but also to the procedural guarantees available to individuals affected by such investigative measures. ⁸⁴ That said, there has already been an important (but far from being unusual) discrepancy between the gradual expansion of investigative measures and the protection of suspects or accused persons. The Regulation does not address this matter inasmuch as it does not delve into the exercise of the affected individuals’ defence rights ⁸⁵ with the exception of granting the suspect or the accused person the right to request the issuing of an EPO or an EPO-PR within the framework of applicable defence rights. ⁸⁶

It is true, however, that the cooperation with private bodies is far from unprecedented. The EU anti-money laundering (hereinafter ‘AML’) legal framework is perhaps the most representative example, considering that a significant number of due diligence duties has been imposed on private actors (the number of which has been increasing geometrically after each amendment of the AML Directives), known as obliged entities, raising questions as to the privatisation of decisions that pertain to and impact on the administration of criminal justice. ⁸⁷ There are several other examples one may point out, such as the existence of whistle-blowing mechanisms in the private and the public sector, the operation of criminal compliance departments within private companies ⁸⁸ or the so-called internal investigations to name a few. ⁸⁹ This is a gradual paradigm shift that has also been confirmed by more recent initiatives of the EU legislator regarding the prevention of the dissemination of terrorist content online ⁹⁰ and the monitoring of content that is made available on digital platforms ⁹¹ – with the service providers being invited to take key law enforcement related decisions, including the timely removal of illicit content online. Thus, they assume, among others, the task of striking the ‘right’ balance between the freedom of expression of the users of their services and other rights and interests, such as public security. ⁹²

In this context, it becomes apparent that the newly adopted EU legislation on cross-border access to e-evidence extends the scope of the aforementioned paradigm shift, which has already gone beyond the narrow limits of self-regulation and touched upon the sphere of the exercise of public duties, including judgments on legality, proportionality, protection of fundamental rights and so on. It has been the Commission’s Proposal that first introduced the idea of privatisation of mutual legal assistance, including provisions pursuant to which the service providers would even be entrusted with the duty of examining whether the EPO at hand would manifestly violate the CFR or be manifestly abusive ⁹³ – under the threat of sanctions to be imposed in case of non-compliance with the duties arising from the receipt of an enforceable order. ⁹⁴ This scenario was not included into the Council’s General Approach to the Regulation, ⁹⁵ while the European Parliament also proposed the withdrawal of the provisions that set out sanctions as part of the amendments it voted for in December 2020. ⁹⁶ Ultimately, the Regulation only provides for the notification of EPOs to obtain traffic data (excluding that intended solely to identify the user) or content data to the enforcing authority, which may invoke one of the grounds for refusal listed in art. 12, including the case of a manifest breach of a relevant fundamental right as set out in art. 6 TEU and in the CFR. This inevitably suggests that, in all other cases, it is the service provider that is expected to act as the ‘first filter’ for any such breaches and, accordingly, to deny the execution of the respective EPO or EPO-PR, in order to trigger the mechanism of art. 16 of the Regulation. However, if the enforcing authority reaches the opposite conclusion, namely that there has been no breach and that the order should have been executed in the first place, the service provider still faces the risk of being sanctioned according to art. 15 of the Regulation. This means that the service provider is confronted with the dilemma ‘compliance or punishment’, a dilemma that is also coupled with lack of expertise (in terms of assessing in which cases the issuing of an EPO or EPO-PR violates fundamental rights), tight deadlines and a large number of orders to be executed. ⁹⁷ At the same time, the ‘other cases’, in which the enforcing State has little to no chance to intervene due to the lack of notification, may involve requests originating from an issuing State that seeks to identify vulnerable individuals, such as whistle-blowers or journalists who may be investigating a scandal of political corruption in the same State. ⁹⁸

This regulatory framework is compounded by the inherent ‘nature’ of service providers as private entities driven by corporate interests. ⁹⁹ Private companies may often take initiatives for the sake of public interests (e.g., corporate social responsibility initiatives), when this also (or primarily) serves their public image or corporate agenda, but this does not mean that the exercise of public power can, nor should, be entrusted to them. On the contrary, the latter requires impartiality and independence, virtues that are often not in line with business interests, the pursuing of which may even suggest compliance with a potentially abusive EPO or EPO-PR, in order to avoid sanctions. This is particularly the case inasmuch as pecuniary sanctions have an adverse impact not only on the corporate budget, but also entail reputational damage and further financial losses, if, for instance, the refusal to comply with a certain order is publicly perceived as a cover-up of the offence under investigation. Furthermore, value judgments that fall within the public sphere are linked to a democratic system of accountability, while corporate staff is accountable to the company’s shareholders and owners. In this context, the risk of abuse of power and the emergence of phenomena of corruption associated with the transfer of public power to the private sector is equally important.

Lastly, the choice to promote direct cooperation between competent public authorities and private service providers, which, among others, reflects a trend towards harmonisation of EU and US (Clarifying Lawful Overseas Use of Data (CLOUD) Act) legislative approaches to this matter, ¹⁰⁰ implies a clear departure from the mutual trust lessons as encapsulated in the CJEU jurisprudence on the EU Framework Decision on the European Arrest Warrant (hereinafter ‘EAW’), particularly regarding detention conditions in European prisons and the independence of the judiciary. ¹⁰¹ The strengthening of the service providers’ role, coupled with the lack of notification to the enforcing State as a general rule, translates to a ‘quantum leap’ of mutual trust that has already been shaken when enforcing the EAW Framework Decision. ¹⁰² In that sense, it has been no coincidence that the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (hereinafter ‘LIBE Committee’) proposed tightening the conditions for execution of the orders issued by states investigated under art. 7 TEU. ¹⁰³ Notwithstanding the above, the notification system as set out in the Regulation leaves little room for the enforcing authority to intervene, effectively turning service providers into de facto guardians of fundamental rights. ¹⁰⁴

[Further] Rule-of-law deficiencies in the Regulation (EU) 2023/1543

The formulations adopted in the final text of the Regulation and the normative choices those reflect are problematic on multiple levels, particularly if one compares them to the amendments proposed by the LIBE Committee before the beginning of the trilogue negotiations. ¹⁰⁵ This is because they put a clear emphasis on crime repression and the effectiveness of law enforcement, a choice that comes at a price: poor protection of fundamental rights. ¹⁰⁶ There is, however, a clear exception to this overall trend, namely the express recognition of the right of suspected or accused persons to request the issuing of an EPO or EPO-PR. ¹⁰⁷

First, as regards the conditions for issuing an EPO or EPO-PR, there is an ultimately incomplete link between these significantly invasive investigative measures and ‘more serious criminal offences’. ¹⁰⁸ Such a link is only reserved for EPOs to obtain traffic data (excluding that requested solely for the purpose of user identification) or content data either through the harmonisation criterion or through the mechanism of minimum maximum penalties (in this case, set at three-year custodial sentence). In practice, this means that, pursuant to the harmonisation criterion, an EPO may be issued in case of illegal access to information system, an act that, under certain circumstances, national law may deem to be not worthy of punishment. ¹⁰⁹ Based on the criterion of the penalty threshold, in several jurisdictions, the same measure may become available for crimes, such as simple theft. ¹¹⁰ The Regulation may reinstate the double jeopardy requirement as a ground for refusal, but its drafters (like those of the Commission’s Proposal) seem to oversee that the minimum maximum penalty limitation emerges from exceptions to the double jeopardy requirement. ¹¹¹ Birgit Sippel, the rapporteur appointed by the European Parliament, attempted to overcome such challenges in the report she drafted, proposing a limit of 5-year custodial sentence. ¹¹² However, this solution is not necessarily optimal given the incomplete harmonisation of criminal sanctions across the EU Member States. ¹¹³

Next, regarding the proportionality conditions for issuing an EPO or EPO-PR, the Regulation did not adopt the LIBE Committee’s proposal concerning the equalisation of those conditions for both EPOs and EPOs-PR. ¹¹⁴ In fact, it was proposed to further strengthen proportionality conditions by setting out –in binding provisions– that there must be sufficient reasons to believe that a criminal offence has been committed and that this is sufficiently serious to justify the production or the preservation of electronic data, as well as that the latter is relevant to the investigation of the offence at hand and is related to specific individuals directly connected thereto. This would have clearly left cases where the offence under investigation is about to be committed or could be committed in the future outside the Regulation’s scope. ¹¹⁵

Notwithstanding the above, it has been the notification system that became the ‘apple of discord’ during the trilogue negotiations. ¹¹⁶ The solution adopted in the Regulation should be considered as a clear improvement compared to the fast-track system advocated by the Commission, under which the enforcing State would be involved practically only in case of non-compliance of the service provider, ¹¹⁷ as well as to the solution proposed by the Council, namely the solution of notifying the enforcing State (without suspensive effect) only in case of EPOs to obtain content data and only where the issuing State would have reasonable grounds to believe that the person concerned does not reside within its territory. ¹¹⁸ However, the current solution is clearly inferior in terms of safeguards compared to the European Parliament’s intervention, as part of which it was proposed to notify the enforcing State in case of both EPOs (irrespective of the data requested for production) and EPOs-PR, in order to enable it to raise grounds for refusal in a timely manner – with the suspensive effect of the notification varying depending on the type of the order and the type of the data requested. ¹¹⁹

The notification duty introduced in art. 8 (1) of the Regulation, being a compromise solution, is of central importance to the extent that the issuing State cannot always be expected to exercise the same diligence to effectively protect the rights of those residing outside its territory (particularly where national interests dictate the need to access specific evidence), nor it can always be expected to know whether there are parallel criminal proceedings in another Member State to which there will be no notification. ¹²⁰ Similarly, however, the enforcing State cannot be expected to actively support the prosecution of an act that is not typified as a crime in the national legal order, particularly in those cases that touch upon the value code of a legal order (e.g., criminalisation of abortion). ¹²¹ Nonetheless, the ‘exception to the exception’ envisaged in art. 8 (2) of the Regulation coupled with the criterion of residence strengthens unilaterally the position of the issuing State, considering that it is upon the latter to determine the place of residence. ¹²² The same State, however, has expressed –from the outset– its interest in the execution of the order in question by means of issuing it. ¹²³

Next, regarding the addressees of EPOs and EPO-PRs, Birgit Sippel submitted the most comprehensive proposal for the protection of the affected individual, a proposal including the notification not only of the enforcing State but also of the so-called affected State, where the affected individual resides (provided this is not the issuing State, nor the enforcing State). ¹²⁴ This proposal was rejected at European Parliament’s level, as it was considered to have a negative impact on the efficiency of the overall procedure. ¹²⁵ Instead, the negotiating forces focused on achieving the objective of the (at least partial) involvement of the enforcing State. However, the affected individual may have limited to no connection to the State, ¹²⁶ where the service provider may happen to be established due to a favourable tax regime. It should also be borne in mind that, in reality, a Member State, such as Ireland, where a large number of service providers have an establishment, will not be able to monitor closely the range of orders executed on its territory. Besides this, other Member States may hesitate to scrupulously monitor the execution of orders of purely national nature, which do not anyhow involve or affect their nationals. Thus, notifying the affected State could be crucial for the protection of the persons residing within its jurisdiction and, possibly, its national interests, should, for instance, an EPO be issued to investigate a political offence. In any event, to ensure that the efficiency of the procedure remains intact, the notification of the affected State could take place within the same time framework set by the Regulation for the execution of EPOs. ¹²⁷ Lastly, it should be noted that in case that the affected State differs from the issuing State, the exercise of the right to effective legal remedies requires seeking legal advice in and getting familiar with a foreign jurisdiction. ¹²⁸

The significant concentration of powers in the issuing State becomes apparent in the light of the legislative choices in two additional areas: the user information pursuant to art. 13 and the exercise of the right to effective legal remedies pursuant to art. 18 of the Regulation. The Commission’s Proposal set out the possibility of not informing the affected individual if requested by the issuing authority, ¹²⁹ while the Council advocated a stricter position: the rule of non-informing the affected individual unless explicitly requested by the issuing authority. ¹³⁰ Instead, the LIBE Committee proposed a model of by-default provision of information (for both EPOs and EPOs-PR), from which the service provider could only refrain on the basis of a duly justified judicial order that would specify the duration of the confidentiality duty and would be subject to periodical review. ¹³¹ The Regulation adopts the Commission’s view on this matter and, thus, strengthens the position of the issuing State by favouring the ‘loose’ safeguard of the ‘short justification’ in case of choosing to delay, limit or even refrain from providing information over the ‘duly justified judicial order’, a solution that could set clear limits on the circumvention of the issuing State’s power to refrain from informing the affected individual.

Similarly, the exercise of the right to effective legal remedies has been concentrated in the courts of the issuing State, a choice that seems to ignore the experience of the execution of EAWs. On the contrary, the LIBE Committee’s proposals adopted by the European Parliament set out the possibility to challenge the legality of the EPO/EPO-PR as well as the fulfilment of the necessity and proportionality requirements before the courts of the enforcing State too. ¹³² Such a solution would ensure effective judicial protection for those individuals that do not reside in the issuing State, are not familiar with this national legal order, nor speak its language. ¹³³ In parallel, it takes into consideration the different levels of protection of the rule-of-law principles and the impact thereof on mutual trust among the EU Member States. ¹³⁴ In any event, the final wording of art. 18 (2) of the Regulation ‘[…] without prejudice to the guarantees of fundamental rights in the enforcing State’ remains rather ambiguous as regards its actual impact on the protection of the affected individuals. ¹³⁵

Lastly, according to art. 18 (4) of the Regulation, the issuing State (and any other Member State to which e-evidence has been transmitted under this Regulation) is obliged to ‘ensure that the rights of defence and fairness of the proceedings are respected when assessing evidence obtained through the [EPO]’. This provision, however, may be turned into empty words in the absence of specific regulation that takes into account the particularities of e-evidence, given, inter alia, the real risk of tampering with such evidence ¹³⁶ and the strong interference with the rights of suspects and accused persons or third parties that communicate with them, ¹³⁷ as well as in the absence of harmonised rules on the admissibility of evidence in general and e-evidence in particular. ¹³⁸ The LIBE Committee’s proposal included, instead, explicit provisions to the effect that electronic information obtained in breach of the Regulation would not be admissible before national courts; the same would apply to information obtained before a ground for refusal has been raised. ¹³⁹ None of these provisions was adopted by the drafters of the Regulation. The latter will enter into force in 2026; ¹⁴⁰ at this point, it should be assessed as to whether it achieves, among others, the goal of protecting the rights of the affected individuals – with national courts being ‘charged’ with surfacing persistent challenges and the CJEU with resolving them.

Future challenges

The EU legislator’s initiative to regulate cross-border access to e-evidence in criminal proceedings ¹⁴¹ showcases the increasing importance of the second generation of forensic evidence, which includes, inter alia, digital data. ¹⁴² Its use implies the need to ensure that citizens become familiar with the features of such evidence as well as to create the right infrastructure for processing it, coupled with the need to provide thorough training to members of law enforcement and criminal justice authorities, to ensure its reliable assessment, as well to of defence lawyers who will either make use of art. 1 (2) of the Regulation or will be called to rebut e-evidence obtained through an EPO in criminal proceedings.

However, the lack of harmonised rules on the admissibility of (e-)evidence remains a challenge, which will become more persistent in the light of the emerging third generation of forensic evidence that will be generated directly by information systems. ¹⁴³ While e-evidence includes, inter alia, content data that may be exchanged through an instant messaging application, artificial intelligence (AI)-generated evidence will include, for instance, the output of a deepfake detector that examines the authenticity of the content data mentioned above (e.g., voice mail) with the help of AI. While few jurisdictions have taken steps to regulate the use of AI-generate evidence, the EU initiatives culminated in the Proposal for a Regulation laying down harmonised rules on AI, the final text of which was adopted by the European Parliament on 13 March 2024 ¹⁴⁴ . This may have an indirect impact on the use of AI in the realm of criminal justice, but, certainly, does not focus on matters that pertain to procedural criminal law and evidence law in particular. This implies that criminal justice professionals, who are still adapting to the digital landscape, will soon be tasked with categorizing a new generation of evidence, the decoding of which largely rests in the hands of the private sector, presenting them with the great challenge to ensure the protection of fundamental rights.