On 19 April 2024, the CJEU officially registered the second reference for a preliminary ruling in the EncroChat case: Case C-675/23 (Staatsanwaltschaft Berlin II). As the first case (C-670/22, M.N. → eucrim 3/2022, 197-198) also this case was submitted by the Regional Court of Berlin (Landgericht Berlin) in Germany.

Having lodged this second reference in November 2023, the Regional Court of Berlin sought to clarify several peculiarities of another criminal case before it in relation to the EncroChat operation. The EncroChat operation (→ eucrim 2/2021, 106) concerned the infiltration by means of Trojan software of a server managed by the encrypted phone network EncroChat in Roubaix (France). By means of the Trojan, French law enforcement authorities were able to read the chat messages of thousands of users in real time, not only those who were using the network for criminal activities. The French authorities were also able to make the hacked data available to the Member States in which the users were located. In the wake of this operation, several criminal proceedings were opened in Germany, particularly as regards drug trafficking - the criminal offence at issue before the Regional Court of Berlin. The German law enforcement authorities believed that the retrieval of data in this way sufficed for the legitimate use of the data in German criminal proceedings for the following reasons:

• They had been taken from a Europol server by the German Federal Police Office;
• An ex post authorisation via a European Investigation Order (EIO) had been issued by the General Public Prosecution Office of Frankfurt a.M.;
• The EIO had been executed by the French investigative judge overseeing the law enforcement operation.

According to the Berlin court, the circumstances of the case at issue may lead to a new interpretation of Directive 2014/41 regarding the European Investigation Order in criminal matters (EIO Directive). The questions referred were similar to those submitted in the first case C-670/22, but the Berlin court stresses that the facts of the case differ from the presumptions on which the Advocate General (AG) based her opinion in the first case (→ eucrim 3/2023, 264-265). As a result, the Berlin court asked the ECJ to also consider alternative factual situations and rule on the following:

• Whether the requirements under Art. 6 of the EIO (proportionality of the German EIO and compliance with the requirement that an EIO can only be ordered under the same conditions in a similar domestic case) have been fulfilled;
• Which consequences must be drawn for the criminal proceedings at issue in the event of breach of the EU rules.

The reference mainly highlights the following about the EncroChat operation:

• It was intentionally coordinated by European law enforcement agencies;
• It willfully also targeted the surveillance of users outside the territory of France;
• The surveillance extended to persons against whom there were absolutely no concrete suspicions for having been involved in crimes or in criminal organisations.

In essence, the Berlin court argues that the corresponding measure - an online search according to the German Code of Criminal Procedure - would never have been possible if the server had been infiltrated on German territory. Furthermore, the court sees contradictions in the AG's reasoning compared to the more stringent CJEU case law on data retention.

Note: The reference for a preliminary ruling was lodged after the AG's opinion in Case C-670/22 (M.N.) but before the ECJ's final judgment in this case on 30 April 2024 (→ separate news item).