EU: E-evidence: Council pondering issues with the "notification procedure" for cross-border data-gathering; European Data Protection Board issues opinion


Statewatch News Online
24.10.18


As discussions continue on the proposal for a 'Regulation on European production and preservation orders for electronic evidence in criminal matters' (the e-evidence proposal, for short), Member States are currently pondering which Member States should be notified in the case of a request for cross-border evidence-gathering, and how such notifications should work.

Meanwhile, the European Data Protection Board has issued a critical opinion on the Commission's proposal that makes 18 recommendations - including for a change of legal basis and a better demonstration of the need for a new instrument on top of the European Investigation Order and the existing Mutual Legal Assistance Treaty.

Council discussion

See: NOTE from: Presidency to: Delegations: Proposal for a Regulation of the European Parliament and of the Council on European production and preservation orders for electronic evidence in criminal matters - examination of selected issues and revised text (12113/1/18 REV 1, LIMITE, 17 October 2018, pdf):

"At the latest JHA Council there was a clear majority of Member States that expressed the will to find a compromise regarding the issue of a possible notification. However the concrete elements and effect of such a notification procedure were left to the expert level for further discussion and elaboration.

Therefore the Presidency would like to get delegations views on following questions:

A. Which Member State should be notified?

(...)

B. What effect should the notification procedure have?"

See also: COR 1 (pdf)

The note also highlights the need for further discussions on Articles 5, 11 and 17 (Conditions for issuing a European Production Order, Confidentiality and user information and Effective remedies, respectively) and Article 16 (Review procedure in case of conflicting obligations).

European Data Protection Board

See: Opinion 23/2018 on Commission proposals on European Production and Preservation Orders for electronic evidence in criminal matters (Art. 70.1.b) - Adopted on 26 September 2018 (pdf)

Conclusions of the European Data Protection Board opinion:

"Based on this assessment, the EDPB wishes to address the following recommendations to the co-legislators:

1) The legal basis of the Regulation should not be Article 82 (1) TFEU.

2) The necessity of a new instrument compared to the existing EIO Directive or MLAT should be better demonstrated, including with a detailed analysis of less intrusive means with regards to fundamental rights such as amendments of these existing instruments or the restriction of the scope of this instrument to preservation orders in combination with other existing procedures to request access to the data.

3) The Regulation should provide for a longer deadline to allow the executing service provider to ensure safeguards with regards to the protection of fundamental rights can be respected.

4) The dual criminality principle should be maintained, especially if the location criteria of the data is abandoned in order to maintain the obligation to take into consideration the safeguards provided in both concerned States (the State of the requesting authority and the State where the service provider is located).

5) The scope of the Regulation should be restricted to controllers in the sense of the GDPR or it should include a provision that in the event where the service provider addressed is not the controller of the data but the processor, the latter is obliged to inform the controller.

6) The Regulation should include safeguards concerning data transfers in case the service provider would be established in a third country without adequacy decision in this field or refer to the directive 2016/680 as these safeguards will be applicable.

7) Since the mandatory designation of a legal representative differs from the GDPR, the Regulation should precise that, the legal representative designated under the e-Evidence Regulation should be distinct from the one designated under article 3 (2) of the GDPR.

8) The Regulation should contain a broader definition of electronic communication data in order to ensure that the appropriate safeguards and conditions for access to be established cover both non-content and content data.

9) The Regulation should raise thresholds for issuing orders and orders shall be issued or authorised by courts, except for subscriber data provided the definition of this category of data is drastically narrowed to very basic information allowing only to identify a person without involving access to any communication data.

10) The Regulation should restrict the access to subscriber and access data to a list of crimes strictly established or at least to “serious criminal offenses”.

11) The time limit to provide data, especially in case of emergency should be better justified in the Regulation, and the possibility to use a fast 6-hour procedure should include the obligation for requesting authorities to demonstrate the emergency triggering the use of this procedure, even a posteriori, in order to allow for a control of the use of such exceptional powers.

12) The procedure allowing the production of content data without any involvement of the competent authorities of the Member State where the data subject is, should be abandoned.

13) Safeguards surrounding the issuing of European Preservation Orders should be improved in the Regulation.

14) The Regulation should at least include the minimum classic derogation that if there is substantial grounds for believing that the enforcement of an Order would result in a breach of a fundamental right of the person concerned leading the executing State to disregard its obligations concerning the protection of fundamental rights recognised in the Charter, the enforcement of the order should be refused.

15) The Regulation should foresee a broader obligation to consult the competent authorities of a third country where the service provider requested to provide data is located in case of conflict of laws in order to avoid subjective interpretations from a single court.

16) The validity and duration of preservation orders should be more linked to the production orders accompanying them.

17) The security of data transfers should be better guaranteed.

18) The verification of the authenticity of the data should be foreseen, in particular where encrypted data could be provided."

Background

Document round-up: Council discussions on European Production and Preservation Orders for electronic evidence in criminal matters (Statewatch News Online, 26 September 2018)
