Download PDF file: Cable Europe Position Paper on Electronic Evidence
Cable Europe members recognise the importance of law enforcement in cross-border criminal matters. Nevertheless, the Commission’s proposed regulation on e-Evidence raises a number of concerns related to the fact that, for the first time, a foreign “authority” (anywhere in the EU) would be entitled to directly address binding requests (“Orders”) to an operator established in another Member State.
Cable Europe’s specific concerns relate to the following issues.
Definitions (“access data”, “transactional data”). It is difficult to distinguish the proposed definitions of “access data” and “transactional data”. According to the eEvidence proposal, both include “electronic communications meta data” within the meaning of the ePrivacy draft regulation. We consider that the proposed definitions lack clarity which will make it difficult to determine which rules under the eEvidence regulation will apply.
Authority authorised to issue “Orders” (“issuing authority”). According to the draft regulation, an “issuing authority” could be any competent authority as defined in the issuing Member State. However, Cable Europe considers that only courts/judges should be able to issue such orders. Neither prosecutors nor the police or other authority should be able to do so, despite the validation procedure that is foreseen by the draft regulation (validation by a court, a judge, an investigating authority and in some cases, by a public prosecutor). Issuing an order should be a genuine court decision. Furthermore, in a cross-border context an operator has not the ability to check whether the requesting party is entitled to ask for the information and whether it is a valid order (coming from a competent authority and not from a fraudster). At national level some of our members have detailed procedures to avoid these types of situations. Similar procedures at EU level are needed.
Time-frames. We consider that the proposed time-frames to transmit the data to the issuing authority (at the latest, within 10 days upon receipt of the European Production Order, and in emergency cases, at least within 6 hours upon receipt) are too short, especially during weekends and bank holidays. In emergency cases, 6 hours may also be too short especially where extensive research in our members’ systems needs to be made. A possible solution could rely on a requirement to provide the data “as soon as possible”.
The absence of a definition of “Criminal Matters”. The experience around the application of the EU Data Retention Directive, which has been declared invalid by the Court of Justice of the EU (CJEU), has shown that relying on national laws to determine what was “serious crime” under that directive, was not the right way forward. Once again, in the draft regulation, the EU legislator does not define the range of criminal offences for which Orders could be issued (with the exception of Production Orders for transactional or content data). Instead, this will depend on what is punishable as a criminal offence in the Member Sate of the issuing authority. However, differences at national level could ultimately require an operator to execute an “Order” in relation to an offence which in his Member State is not considered a criminal offence but may even impact constitutional guarantees and fundamental rights (for example, cases of slander or libel v freedom of expression).
Absence of local checks. Article 9 on the execution of the European Production Order Certificate (EPOC) foresees non-execution based on a “manifest violation” of the EU Charter of Fundamental Rights or on the “manifestly abusive” nature of the EPOC. No other grounds for non-execution by an operator are foreseen, such as, non-execution as a result of the (un)lawfulness of the EPOC under the national law of the Member State where the operator is addressed (for example, “ordre public”). Also, article 10 on the execution of the European Preservation Order Certificate (EPOC-PR) does not even refer to the “manifest violation” of the EU Charter of Fundamental Rights or to the “manifestly abusive” nature of the EPOC – PR. Furthermore, articles 14§4 and 14§5 foresee very limited grounds for opposing the enforcement of a EPOC and a EPOC-PR.
In extreme cases, an operator could be required, under the draft regulation, to execute politically motivated “Orders”. This is certainly not the intention behind the proposed rules.
In extradition requests, the rule is that extradition is only possible when the act committed is a criminal offense in both countries. The recent example of the extradition of Carles Puigdemont from Germany to Spain is telling. A German high court has decided that extradition could only be based on the charges of misuse of public funds and not for the crime of rebellion (as also sought by Spain). A possible solution in the context of e-evidence could involve a similar approach.
More generally, in order to prevent possible abuses of the regulation, a thorough justification of the “Order” (including the absence of alternative means to gather the requested evidence) should also be provided, in the absence of which, the service provider should be allowed to oppose execution and enforcement.
Absence of a compensation mechanism. Article 12 of the draft regulation foresees that a service provider may claim reimbursement of costs from the issuing Member State if this is provided by the national law of the issuing Member State (for domestic orders in similar situations). However, it should at least be possible for a service provider to claim reimbursement if such possibility exists in the Member State where the “Order” is addressed. Furthermore, it is particularly important that compensation is not claimed abroad, which would be particularly burdensome in case of large numbers of requests. In any case, there should be a mechanism in place to ensure that reimbursement takes place (ultimately, by allowing the service provider to hold back the production of the data – while ensuring its preservation).
Unclear relationship with data retention obligations. The draft regulation is based on the assumption that the data is already stored by the service provider. The recitals of the draft regulation explain that the future rules will apply to the data that has already been stored by the service provider at the time of receipt of a EPOC or EPOC – PR. They also explain that the proposed rules do not stipulate general preventive measures or data retention obligations but relate to concrete investigations.
However, the status of the data retention obligations currently in place at national level – following the invalidation of the EU Data Retention Directive by the CJEU – is unclear. Some Member States have taken steps to amend their national laws while others have not. The service provider may well not hold the data requested by the issuing authority.
The proposed regulation should not lead to a de facto retention obligation. Cable operators are not opposed to providing electronic evidence when they are lawfully in possession of the requested information, and the request and disclosure of that information is made in accordance with data protection and privacy laws, including any court orders. Our members would however stand fierce against any obligation to provide information that would require them to override EU fundamental rights as well as Union or national laws.
About Cable Europe
Cable Europe is the trade association that connects leading broadband cable TV operators and their national trade associations throughout the European Union. The regulatory and public policy activities of Cable Europe aim to promote and defend the industry’s policies and business interests at European and international level. The European cable industry provides high speed broadband internet, TV services, and telephony to more than 65.8 million homes in the European Union. www.cable-europe.eu
 Proposed regulation on European Production and Preservation Orders for electronic evidence in criminal matters (COM/2018/225 final – 2018/0108 (COD)).