EU: Lack of EU data retention law "a matter of concern" for Member States

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

The issue of a "common legal framework" for telecoms data retention is resurfacing at EU level in discussions on the "effective collection, sharing and admissibility of e-evidence" and "the needs of effective criminal justice in the digital age."

On 4 November the Presidency of the Council of the EU (currently held by Luxembourg) sent a note on "collecting e-evidence in the digital age - the way forward" (pdf) to national officials involved in the Council's CATS Committee, in order to prepare for an early December debate amongst national justice ministers that will "provide political guidance on the way forward."

The note:

"[O]utlines certain areas related to the collection, sharing and admissibility of e-evidence that might be required considered in order to identify possible deficiencies and to determine whether further action is needed, possible or feasible."

Five main issues are highlighted for discussion.

Data retention and data loss

In April 2014 the European Court of Justice (ECJ) annulled the EU's 2006 Data Retention Directive (DRD) on the grounds that its requirements for telecoms companies to retain customers' communications data for law enforcement purposes disproportionately interfered with the rights to respect for private and family life and data protection, and "lacked sufficient procedural safeguards for the protection of data," in the words of the Presidency's note.

As shown in a report by Eurojust (the EU's judicial cooperation agency), the legal effects of the judgement have been significant:

"The transposing law of the DRD has been struck down in at least eleven Member States [Austria, Belgium, Bulgaria, Germany, Lithuania, Netherlands, Poland, Romania, Slovenia, Slovakia, UK]. Amongst these, nine countries have had the law invalidated by the Constitutional Court [those that haven't are Lithuania and the UK].

"In fourteen Member States [Czech Republic, Denmark, Estonia, Spain, Finland, France, Croatia, Hungary, Ireland, Luxembourg, Latvia, Malta, Portugal, Sweden] the domestic law on data retention remains in force."


Some Member States "have already adopted or are in a process of preparing new legislation on data retention," and other EU legislation permitting national data retention schemes remains in force (the "e-Privacy directive").

However, the Presidency's note highlights:

"[T]he absence of a common legal framework on data retention at Union's level has been outlined as a matter of concern that created a situation of legal uncertainty for a number of Member States."

The Commission reaffirmed in September that it has been "very clear" that it is "not coming forward with any new initiatives on Data Retention."

Nevertheless, discussions will continue at EU level: "Eurojust will continue to work on data retention and will organise a workshop on 10 December 2015 on this topic, that will also be a core issue for the Consultative forum on 11 December 2015."

Places unknown

Another key issue highlighted in the Presidency's note is "cloud" storage, where data can be "on one server or distributed over several servers or being moved between servers in varying locations."

Thus:

"[T]he underlying principle of territoriality, which determines the establishment of jurisdiction in criminal proceedings, seems to lose relevance and raises challenges for the effective conduct of the criminal proceedings."

It may be possible for data to be unwittingly retrieved from foreign computers by law enforcement agents who are not "aware of it or in cases where it is unclear in which territory the information system is located."

In a legal sense this is considered "without consent", but there are no European rules on the issue: "The handling and use of the data retrieved this way is governed in accordance with national legislation and… varying standards of procedural guarantees."

The Presidency asserts that there is a need to:

"[Revisit] the rules governing the establishment of jurisdiction [of investigation], as well as examining alternatives to the MLA [mutual legal assistance] process, to address situations where the location of the data is unknown."

Evidence without borders?

Gathering e-evidence is a "time-sensitive issue" and because "the electronic data are very often located in a foreign jurisdiction, the competent national authorities need to make use of the available tools for international cooperation, i.e. requesting mutual legal assistance (MLA)."

This is often a slow process and the Presidency highlights three issues to be considered: procedural changes, cooperation with the private sector and the dominant role of the US in the globe's digital infrastructure.

States could consider speeding up the gathering, preservation and transfer of evidence with "a standardised, simplified and possibly electronically transmissible and acceptable MLA request form."

There could be different procedures for different types of data, based on ease of access: "In many jurisdictions, requirements for access to subscriber data tend to be lower than for traffic data, while the most stringent regime applies to content data."

Further changes could include "expedited procedures for transferring the evidence under certain conditions," and:

"[F]urther strengthening of the cooperation networks, including those of judicial authorities… In this respect the role of Eurojust and Europol/EC3 [the European Cybercrime Centre] should be also considered."

Private information

Problems between states are compounded by the lack of a "common legal framework" for cooperating with the private sector, in particular "when it comes to obtaining access to data held by foreign service providers," says the Presidency.

In some Member States there is no legal basis for "a domestic production order to be sent to a private entity abroad," and in any case the company may not be willing or able to comply with it.

If foreign service providers do voluntarily provide data, it may not be admissible in court due to being obtained outside the MLA framework; it is also possible for companies to "violate data protection rules of one State if they disclose data to the authorities of another State."

The American factor

The central role of US-based corporations and infrastructure in the functioning of the Internet has caused problems for European authorities trying to obtain data related to criminal investigations or court cases, because: "US legislation requires an assessment of the requests against the so-called 'probable cause' standard," which:

"[L]imits the interventions of the competent authorities only to those strictly necessary for the specific investigation. Therefore, it is very likely that an MLA request is refused by the US authorities because it does not fulfil the 'probable cause' justification requirement."

The Presidency considers that "strengthening the EU-US dialogue with a view to enhancing the common understanding on requirements that should be fulfilled in the MLA process" would be beneficial, but other observers are more sceptical about the possibility for change.

For example, a July 2015 report considered the MLA arrangements between the UK and US:

"To date, there seems little likelihood that the mutual legal assistance treaty process will be substantially streamlined, since the legal requirements and traditions of partner countries are usually long-established and necessarily important to the country concerned."

Admissibility in court

The Presidency notes that "awareness raising, information sharing, exchange of good practice and targeted training might be considered" in order to better understand rules relating to the admissibility of e-evidence.
Referring again to the Eurojust report on data retention, the paper says cross-border cases between states with different legal systems may lead to the authorities having "to secure and gather evidence according to the requirements of foreign judicial systems."

Fundamental rights and the rule of law

The Presidency's paper says there should be "a careful balancing of the needs of the criminal justice systems in cyber-related proceedings... against the established fundamental rights principles. This is a challenging task."

There is a need for:

"Effective procedural safeguards, data protection guarantees, full respect for rule of law is the common platform on the basis of which any policy initiatives and practical solutions to enhance the effective conduct of criminal proceedings should be built."

Whether Member States' justice ministers will agree when they meet in December remains to be seen.

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error