Hugo Partouche, Attorney-at-law
(avocat) at the Paris Bar, and Chloé Berthélémy, Senior Policy Advisor,
EDRi
*A first version of this article was published in French by Actualité Juridique (AJ) Pénal, Dalloz Revues.
On 30 April 2024, the Court of
Justice of the European Union (CJEU) published its decision
in the ‘EncroChat’ case.
The case emerged from recent
European police cooperation operations against organised crime, involving the
mass interception of encrypted communications by means of spyware (‘hacking’).
They enabled the collection, for EncroChat alone, of millions of messages
associated with 32,000 users in 122 countries, including nearly 4,600 in
Germany, and leading to more than 6,500 arrests and 3,800 legal proceedings in
the Union.[1]
The Berlin Regional Court (the
‘Berlin court’) referred questions to the CJEU, asking whether a German
European Investigation Order (‘EIO’) concerning the transmission of data
collected by French investigators using hacking techniques was compatible with
fundamental rights.
The Court’s response is based
primarily on the principle of mutual trust, which guarantees the effectiveness
of European judicial cooperation.[2]
Unfortunately, it carefully avoids linking this decision to its case law on the
rights to privacy and data protection in criminal matters developed since the
entry into force of the EU Charter of Fundamental Rights (the ‘Charter’).
Thus, the Court considers that EU
law is of very little assistance to the fundamental rights issues at stake,
since the transmission of data between two Member States in the context of an
EIO is subject only to the rules applicable to a similar procedure within the
issuing State (here, Germany). Similarly, the proportionality of an EIO is
analysed solely in light of the law of the issuing State, particularly with
regard to the evidence that should be considered sufficient to order such a
measure. This question is considered to be distinct from the debate on the
integrity of the data before the court hearing the case, which alone is capable
of assessing whether the defence is able to comment effectively on the evidence
– which is an ability that EU law prescribes.[3]
1. The EncroChat investigation
‘EncroChat’ was a closed network
of encrypted communications using modified telephones, used for organised
crime, whose servers were in France. In April 2020, the French authorities set
up a joint investigation team with the Netherlands, under the aegis of
Eurojust, with the support of Europol, and obtained a judicial authorisation to
install Trojan horse software on the servers and then directly on the terminals
(the phones). The investigators informally announced via Europol’s messaging
system (SIENA) that they were going to intercept data located beyond their own
territory. The German criminal police (BKA) expressed an interest in the data.
On the basis of this information,
the Berlin court took the view that the investigation should be seen as a
single European project with the aim of dismantling the EncroChat service and
enabling criminal proceedings to be brought against all European users in their
respective countries. It supports this analysis using a variety of indicators:
the cooperation between France and the Netherlands starting in 2018, the
support of Eurojust and Europol, the development of a complex interception
technique, the prior knowledge of the German authorities that the interception
would extend over German territory and, above all, the opening in 2020 of an
‘empty shell’ procedure by the Frankfurt public prosecutor’s office, intended
to receive information on German users, who would then be prosecuted in
separate procedures on the basis of information accessed from Europol’s
servers.
Furthermore, the technical
characteristics of the hacking[4]
are not known because the method used is classified as a French national
defence secret.[5]
A large part of the file is also being kept confidential by the German public
prosecutor’s office, which refused to inform the Berlin court of what
information had actually been shared between national authorities before the
interception measure was launched.[6]
Lastly, numerous errors have been identified in the data (message senders, time
stamps, etc.).[7]
2. The limited added value of the judgment on the data protection jurisprudence
According to the Berlin court,
the course of the investigation suggests that the transmission of the data
motivated the collection and not vice versa. Expressing concern, the referring court
suggested that the EIO Directive could not, in such circumstances, separate collection and
transmission and that only an independent court could review the
proportionality of the latter. However, in the Court’s view, the distinction
between transmission and collection is clear and the EIO Directive is to be
interpreted literally in that it subjects the admissibility of an EIO for the
purposes of transmission solely to the law of the issuing State (§92), so that
a German public prosecutor may be regarded as competent (§77).
The Court did not take the
opportunity offered to draw on its own case law relating to Directive
2002/58, known as the ‘ePrivacy’ Directive, interpreted in the light of the
Charter (in the context of mass data retention). (See, for example, the
judgments in Prokuratuur and La Quadrature du Net and others.) Indeed, the retention of and access to
telecommunications data are both data processing operations involving serious
interference with the fundamental rights to respect for private life and to the
protection of personal data. This means that they are subject to EU law
criteria, independently of national rules, in particular with regard to the
control of proportionality and to the competent authority.
The Berlin court noted that the
infringement of rights was even more serious in the EncroChat case because of the
collection of the content of communications, which is considered sensitive, the
long collection period, the massive and indiscriminate nature of the targeting
without any specific and individualised suspicion and the immediate collection
by law enforcement authorities without any action on the part of the service
provider.
However, the CJEU refuses to
follow this reasoning and to transpose its own criteria in the data protection
field to a transfer of data between law enforcement authorities. For the Court,
the logic of European judicial cooperation takes precedence over the protection
of privacy when the competent authority is dealing with another judicial
authority and not with a telecommunications operator.[8]
As a result, there is a risk of a significant disparity between the levels of
protection and guarantees afforded to different data processing operations
during a cross-border telecommunications interception operation.
The laundering of EncroChat data
from its original controversial method of collection is of importance in the
current debate at EU level on the (illegal) use by several Member States of
spyware such as Pegasus and Predator, and their compliance with EU law. The
technical characteristics and practical impact on privacy of the Trojan horse
software used to target EncroChat bear many similarities to these contentious
spyware tools. The European Data Protection Supervisor is even of the view that they
threaten the very essence of the right to privacy and would therefore be
contrary to EU law. As modern state hacking techniques become ever more
intrusive, the adequacy of current European instruments for police and judicial
cooperation to preserve fundamental rights can reasonably be called into question.
It is also regrettable that the
conditions under which EncroChat data is stored by the national authorities and
by Europol are not mentioned. Such storage constitutes an autonomous
infringement of fundamental rights. This question is all the more relevant as
the 2022 reform of Europol’s mandate allows the agency to derogate
exceptionally from its own data protection rules to process large datasets
(e.g. data collected in bulk) and authorises the long-term storage of
investigative data. This enables Europol and investigating authorities to regularly
draw on databases without, however, having to demonstrate the existence of
concrete evidence of individualised suspicions, or to comply with the
requirements of necessity and proportionality.
3. Minimum review of proportionality and right to a fair trial
To assess the proportionality of
the EIO measure, the Berlin court asks the CJEU to assess the related
infringements of procedural rights.[9]
With regard to the right to privacy,
the Berlin court held that in order for an EIO ordering the transmission of
data to satisfy the conditions of necessity and proportionality set out in the
EIO Directive, it is not sufficient to have evidence of multiple offences
committed by unidentified persons.
The Court replied that: ‘By using
the terms “under the same conditions” and “in the context of a similar national
procedure”, Article 6(1)(b) of Directive 2014/41 [the EIO Directive] makes the
determination of the precise conditions required for the issuing of a European
investigation order depend solely on the law of the issuing State’. It
concludes that, if the law of the issuing State makes the transmission of data
subject to the existence of concrete indications that the person being
prosecuted has committed serious offences or to the admissibility of the
evidence, the adoption of an EIO is subject to those same conditions. It can be
inferred from the request for preliminary ruling that the Berlin court holds
that very position, whereas other German courts do not.
With regard to the right to a
fair trial, the Berlin court asked the Court of Justice whether the principle
of proportionality precluded the issuing of an EIO where the integrity of the
data obtained could not be verified because of the confidentiality of the technical
bases, and the defence might not, for that reason, be able to comment
effectively on that data in subsequent criminal proceedings. The Court replied
that it follows from Article 4 of the EIO Directive that the necessity and
proportionality of the measure are to be assessed in the light of the law of
the issuing State. The Court explains that if the transmission of evidence were
to appear either disproportionate or not in conformity with the framework of
the ‘similar’ national proceedings, the consequences would be those of national
law (§103).
However, and it may be one of the
most important contributions of this judgment to the many ongoing EncroChat
proceedings across Europe, the Court reasserts that if a party ‘is unable
effectively to comment on evidence which is capable of having a preponderant
influence on the assessment of the facts, that court must find that there has
been a breach of the right to a fair hearing and exclude that evidence in order
to avoid such a breach.’ (§105).
Unfortunately, the CJEU refuses
to outline an enhanced control, whether substantive or procedural (§89), in the
area of technically complex cross-border investigative measures. It limits the
control on this point to the question of judicial review of compliance with fundamental
rights provided for in Article 14 of the EIO (§§101 et seq.).
However, the Berlin court’s
questions seemed particularly relevant on two fronts. First, it follows from
the Court’s case-law that the practical ease of an interference is not sufficient
to make it proportionate.[10]
Secondly, the limitation of a Charter right, while presumed proportionate, ‘may
prove to be disproportionate if the criteria governing it are imprecisely
drafted and if they do not lay down genuinely objective and controllable
conditions’.[11]
These concepts are not used in the judgment.
The Court’s reasoning, however
unsatisfactory in its minimalism, is not surprising: it seizes every
opportunity to defend the principle of mutual trust rather than to seek in the
Charter the elements for a full review of the implementation of judicial
cooperation tools. And for good reason: that is the inherent logic of these
tools.
However, the complexity of the
EncroChat investigation gave the Court an opportunity to develop its
case law. In the Aranyosi and Caldararu case, the Court started applying what some
commentators have described as the principle of acquired mutual trust rather
than blind mutual trust,[12]
particularly with regard to the risk of forum shopping.
4. Wilful blindness to the risk of forum shopping?
In the Court’s view, the singular
structure of the investigative measures does not present any particularity of
relevance to the EIO Directive.
Although it acknowledges that the
data was collected on behalf of Germany and on its territory, the Court does
not explain why it completely rules out the risk that Germany might have
opportunistically subcontracted the collection to France where data
interception is less regulated. In the Court’s view, the EIO Directive does not
take into account the location of the data collection (§98). This allows the
Court not to assess the risk of forum shopping, which implies taking advantage
of the difference in rules between collection and transmission in the State
where the data are collected (here, Germany).
In those circumstances, it is
particularly surprising that the judgment states, without giving any reasons,
that ‘in the present case, it does not appear that the purpose or effect of the
collection and transmission, by means of a European Investigation Order, of the
evidence thus collected was such circumvention, which it is for the referring
court to ascertain’ (§97). The Court is ruling on a point that it considers to
be outside its purview.
However, the Berlin court was
rather clear about the genuine risk of circumvention, particularly since it
would have been more logical for an EIO to have been issued prior to collection
and, in such a case, the authorisation of an independent court would have been
required under German law (on the basis of the CJEU judgment of 16 December
2021, Spetsializirana prokuratura (Traffic and location data)). The referring court therefore
finds itself on the receiving end of a paradoxical answer to its question.
The Court’s ambivalence stems
from its overreliance on the principle of mutual recognition in this context.
This principle, which is itself based on mutual trust, justifies that the
referring court is not authorised to review the validity of the procedure by
which an EIO was issued to the executing State for the purpose of transmission
(§§99-100). This was the Advocate General’s position, according to whom the
‘interception took place independently of the EIOs at issue’ (paras 15-16 of
the opinion).
As noted above, however, it was
specifically called into question in cases where mutual trust, instead of merely
facilitating cooperation between two States, serves as a screen for opaque
police strategies. No control over such strategies and their impact on
fundamental rights would therefore come directly from EU law, despite the fact
that EU law has been able to act as a bulwark for the protection of privacy
in relation to new technologies.
Could it be that the Court has
missed its appointment with complex and new technical issues destined to change
the economics of European judicial cooperation?