Last week, there was a development in Europe which will affect us, whether we leave the EU or not. The EU’s Council of Ministers agreed to give two negotiating mandates to the European Commission in order to improve cross-border access to electronic evidence in criminal investigations.
One of them is an EU matter which may have limited impact, depending on Brexit – that is with the United States. But the second mandate relates to the Second Additional Protocol to the Council of Europe ‘Budapest’ Convention on Cybercrime. Since we will remain a member of the Council of Europe after Brexit, it will eventually apply to us.
The Budapest Convention is the only binding international instrument on cybercrime, viewed as a model of international cooperation, and covering over 60 countries. It entered into force on 1 July 2004. The UK ratified it in 2011 (nearly 10 years after signing it), and it was implemented here as from 1 September 2011.
The Convention already has one additional protocol (on the criminalisation of acts of a racist and xenophobic nature committed through computer systems). Now this second additional protocol is expected to cover the following topics: obtaining access to electronic evidence, enhancing mutual legal assistance and setting up joint investigations.
The European Commission explains in a background note why the protocol is a priority. Electronic evidence is needed in around 85% of criminal investigations, and in two-thirds of these there is a need to obtain evidence from online service providers based in another jurisdiction. Currently, the largest service providers have their headquarters in the U.S. The number of requests to the main online service providers continues to increase, and grew by 84% in the period 2013-2018.
The Council of Bars and Law Societies of Europe (CCBE), which represents all European lawyers through their member bars, has become accustomed over the last year to lobby on e-evidence matters. That is because in April of last year, the European Commission proposed EU instruments on e-evidence: a Regulation on European Production and Preservation orders for electronic evidence in criminal matters, and a Directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings (together known as the e-evidence proposals).
The purpose was to speed up the process for securing and obtaining e-evidence stored and/or held by service providers in another jurisdiction. We can all understand why an improved process might be needed, but the CCBE has concerns, which extend also to the new international negotiations that the European Commission is now about to undertake with the US and in the Council of Europe.
These concerns cover safeguards for people whose data is accessed, including, among other safeguards, rights to protection of personal data, to an effective remedy and to a fair trial, covering also the presumption of innocence and a right of defence.
For instance, one of the CCBE’s principal detailed concerns with the EU instruments is that the proposed regulation on production and preservation orders introduces a mechanism through which the established systems of judicial assistance are bypassed, and the protection of fundamental rights is delegated partly or in full to private parties.
Similarly, the CCBE is concerned that the establishment of direct cooperation mechanisms between law enforcement authorities and service providers, as foreseen in the new Second Additional Protocol to the Budapest Convention, will not be a satisfactory alternative to judicial cooperation between cross-border law enforcement authorities. It sees direct cooperation between law enforcement authorities and service providers as more a means for law enforcement authorities to compel compliance by service providers without proper judicial oversight – rather than as a mechanism for co-operation between willing parties. Judicial authorities in the host state of the service provider will, effectively, be cut out of the process. They will be in no position to undertake a legality check of requests for judicial cooperation emanating from the authority of another member state.
There is also the vital matter as to whether the evidence is likely to be covered by lawyer-client confidentiality. The process of checking whether such evidence exists is cut out of the new process, too.
Given that there is always a danger of e-evidence being destroyed when the data controller becomes aware that an investigation is taking place, the CCBE believes that direct cooperation between law enforcement authorities in one jurisdiction and service providers in other jurisdictions be restricted to the obtaining of preservation orders alone. The rest should proceed through new provisions in a Mutual Legal Assistance Treaty between states.
In other words, new technology does throw up the need for new laws, but that does not mean that pre-existing citizens’ safeguards should be thrown out at the same time, just because it makes the process easier.