
Assessing the European Commission’s E-Evidence Proposals on Ten Human Rights Criteria

Earlier this week, CDT described and made initial observations on the E-Evidence Directive and Regulation. We also issued a list of 10 human rights criteria that the E-Evidence proposals should meet. With the draft text of both now published, we have assessed each against the criteria.

1. Legality: Data demands must be connected to a crime published in a statute that gives sufficient detail to give an accused person notice that her actions are unlawful.

This criterion is partially met because European Production Orders and European Preservation Orders authorised in the Regulation may only be issued for criminal proceedings relating to a criminal offence for which a legal person may be held liable or punished in the issuing State. Whether the Member State’s criminal code provides sufficient notice to a person that user actions are unlawful depends on the text of the code, and the Regulation sets no requirements in this regard.

2. Judicial Authorisation: Data demands must be authorised by an independent entity – preferably judicial in nature – that is independent from the prosecutorial function.

This criterion is fully met for Production Orders for content and transactional data. The Regulation provides that judicial authorisation is necessary for Production Orders seeking this data. However, prosecutors can issue Production Orders for access and subscriber data, and they can issue Preservation Orders for all types of data, without judicial authorisation.

3. High Probability: There must be a high degree of probability: (i) that a crime has been, is being, or will be committed; and (ii) that evidence of the crime would be revealed by the compelled disclosure.

If this criterion is met, it is met only implicitly. The Regulation could, but does not, explicitly require a high degree of probability that a crime has been committed and that the information sought will reveal evidence of the crime. Issuing authorities are required to assess necessity and proportionality before issuing orders, and decisions of the European Court of Human Rights call for “reasonable suspicion” and even “probable cause” as part of such assessments.

4. Particularity: Demands should be limited to seeking only data relevant to the crime and should specify the device, account, or person to whom the data demanded relates.

This criterion seems to have been met. The Regulation provides that Production Orders must include, among other things, the persons whose data is being requested, except where the sole purpose of the order is to identify a person. Annex I prompts the issuing authority to specify device and account identifiers.

5. Least Intrusive Means: If less intrusive mechanisms could readily be used to obtain the information necessary to prosecute the case, they should be used instead.

This criterion has not been met explicitly. The issuing authority has to demonstrate that the Production Order is necessary and proportionate, but how it meets that threshold is not clear. Different thresholds may apply in different Member States, which justifies including explicit language in the Regulation on this matter. As a general point, the Regulation should not lower standards across Member States.

6. Seriousness: Demands should be limited to serious crimes only, which can be articulated by type of crime (e.g. terrorism) and maximum sentence.

This criterion has been partially met. The Regulation permits Production Orders for content and transactional records only for cyber crimes, fraud and counterfeiting of non-cash means of payment, child pornography and child sexual abuse and exploitation, and terrorism, as well as in investigations of any other crime for which the maximum penalty is at least three years in custody. These are serious crimes or crimes that cannot be investigated effectively without electronic evidence. However, these limitations do not apply to Production Orders for access and subscriber data, and they do not apply to Preservation Orders.

7. Notice: Users must be notified that their information has been sought or obtained. Notice can be delayed in limited circumstances to protect the integrity of an investigation. Provider notice should be permitted, but is no substitute for required notice from the government.

This criterion is only partially met. The confidentiality provisions of the Regulation in Article 11 may deprive persons whose data is being sought of notice of a Production Order in many circumstances. The Regulation authorises issuing authorities to gag a provider receiving a Production Order when notice to the person to whom the data pertains would obstruct the criminal proceedings. It does not require issuing authorities to provide notice to such a person, except in the case where the provider is gagged. Notice can be delayed to avoid obstructing the criminal proceedings. National measures implementing Article 13 of the Law Enforcement Data Protection Directive (2016/680) will determine whether individuals are notified in cases where the provider is not gagged.

8. Minimisation: Only information necessary to the investigation can be retained, and excess information must be destroyed or returned.

This criterion has not been met explicitly. The Regulation does not include provisions on data minimisation. The GDPR (2016/679) and the Law Enforcement Data Protection Directive (2016/680) have provisions on minimisation. It is necessary to consider whether such provisions should be added to the Regulation.

9. Transparency: Publication of numbers of data demands made and granted, and types of offences specified.

This criterion has not been met. Article 19 obliges Member States to maintain comprehensive statistics and report them to the EC annually. However, it does not oblige the EC to publish this information. This criterion would be met if such an obligation were imposed. It would also be essential that Data Protection Authorities have full access to the data and can assess the use of the instrument, to verify whether privacy rules are respected.

10. Redress: There must be a process through which a person whose rights are interfered with because these criteria were not met can obtain redress.

The right to redress is addressed in Article 17, which provides that the person whose data was obtained, as well as suspects and accused persons, “shall have the right to effective remedies against a [Production Order] in the issuing State, without prejudice to remedies available under Directive (EU) 2016/680 and Regulation (EU) 2016/679.” We will consider whether these remedies are sufficient and may provide further suggestions on this point.

Conclusion

Some of the human rights protections set out above have not been fully met, or are only met implicitly. We believe that improvements in the text are necessary to provide these protections. We look forward to working with the EC, the Council, and the Parliament to ensure that the human rights criteria that we have set forth are more fully and clearly met, and to make other improvements as well.