EDPB Criticises E-Evidence Proposals
On 26 September 2018, the European Data Protection Board (EDPB) adopted a critical opinion regarding the Commission proposals on European Production and Preservation Orders for electronic evidence in criminal matters.
For the proposals, see eucrim 1/2018, pp. 35-36; see also eucrim 2/2018, pp. 107-108.
The EDPB addressed 18 recommendations to the co-legislators (i.e. Council and EP), including some fundamental objections to the initiative. For example, the EDPB believes that Art. 82 TFEU cannot serve as the sole legal basis, since the proposal places its focus mainly on private entities.
Furthermore, the EDPB calls on the Commission to better demonstrate the necessity of this new instrument, which comes on top of the European Investigation Order (EIO) and the existing mutual legal assistance (MLA) schemes. In this context, the EDPB is of the opinion that the proposal waters down several safeguards provided for by the EIO and MLA treaties.
Another finding is that the double criminality requirement is a fundamental principle of international cooperation, which involves additional limitations and safeguards. The e-evidence proposal, however, completely rules out this requirement. The EDPB is against this and highlights the importance of double criminality, which allows States to refuse assistance if the same approaches are not shared with the requesting State. The EDPB further points out that abandoning the double criminality principle is of even more concern given the disappearance of other major traditional safeguards in the field of criminal law.
The EDPB cautions against the major shift in the new system, i.e. addressing private companies directly. It fears that private companies will not safeguard individual rights to the same extent as judicial authorities. Hence, the EDBP recommends the inclusion of additional grounds in the Regulation, certifying that service providers will protect individual fundamental rights; competent data protection authorities must ensure sufficient control.
Likewise, the disappearance of location criteria (i.e. competent authorities can issue orders regardless of where data are actually stored) has several legal consequences. It seems that the Commission has not fully thought them through. For instance, the EDPB is unsure which safeguards from the Directive 2016/680 protecting personal data processed by the police or judicial authorities when investigating/prosecuting crimes must also apply to private companies. Of concern in this context is, above all, possible access by authorities to data outside the European Union. The opinion of the EDPB also calls for improvements to bring the new instrument in line with the General Data Protection Regulation.
The EDPB is also critical of the new categories of data to be introduced by the e-evidence proposal. It finds that the Commission’s impact assessment and proposal did not properly substantiate the rationale for the creation of these new subcategories of personal data. It also expresses concern over the different level of guarantees related to substantive and procedural conditions for access to the categories of personal data. Practical difficulties will occur on how to categorize requested data in some cases.
The last set of recommendations deal with procedures for European Preservation and Production Orders, such as thresholds for issuing orders, time-limits, confidentiality, and user information.
Background: The European Data Protection Board (EDPB) is composed of representatives of the national data protection authorities and the European Data Protection Supervisor (EDPS). It replaced the “Article 29 Data Protection Working Party.” The EDPB contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities. It also advises the European Commission on issues of data protection as regards new legislation. Its opinions are, however, not binding.