Electronic Evidence Collection in Cases of the European Public Prosecutor’s Office Legal Framework, Procedures, and Specifics

• Date: 11 October 2023
• Author: Alexandru Frunza-Nicolescu
• DOI: https://doi.org/10.30709/eucrim-2023-016
• Pages: 104

I. Introduction

The European Public Prosecutor’s Office (EPPO) is the independent public prosecution office of the European Union responsible for investigating, prosecuting, and bringing to judgment crimes against the financial interests of the EU.¹ Like for any other national criminal justice authority, EPPO’s success in investigating and prosecuting crime relies on the lawful, effective, and efficient collection of evidence.

The perpetrators of offences falling within EPPO’s jurisdiction often make use of the Internet and information and communication technologies (ICTs) in the course of organising and committing their crimes, laundering the crime proceeds, or hiding the traces of their offences.

In general, computer data of any type or form can contain relevant traces of criminal activity. Thus, in order to prove that a crime has been committed, to identify the money laundering processes and the crime proceeds, and to bring the perpetrators to justice, the EPPO has to preserve, collect, assess, and make use of e-evidence in the investigations it carries out. Given the current architecture of the Internet and the significant number of Internet, social media, or communication services provided by companies located in foreign jurisdictions, e-evidence in many cases falls outside the territorial jurisdiction of the EPPO.²

Collecting cross-border e-evidence from foreign jurisdictions can be very challenging for any EU national judicial authority due to the scale and quantity of devices, users, and victims, the technical challenges like encryption or anonymisation, as well as territoriality and jurisdictional aspects.³ Such collection requires knowledge and subsequent use of a variety of legal frameworks, procedures, cooperation networks, and technical arrangements. The structure, organisation, and legal framework of the EPPO – an EU indivisible body operating as a single office with a decentralised structure⁴ – adds an additional layer of specific requirements to those already existing for traditional national criminal justice authorities.

In EPPO cases, e-evidence might be located, controlled, or stored in different jurisdictions, including: the jurisdiction of (1) the Member State of the handling⁵ European Delegated Prosecutor (handling EDP); (2) the Member State of the assisting European Delegated Prosecutor (assisting EDP);⁶ (3) a non-participating Member State;⁷ (4) a party to the Council of Europe (CoE) Budapest Convention on Cybercrime,⁸ including Denmark; (5) the EPPO non-participating Member State Ireland; and 6) any other third country not covered by scenarios one to five. In a seventh scenario, e-evidence might be controlled by foreign Internet and media service providers that can, in specific situations, share it directly with foreign criminal justice authorities on a voluntary basis, which is particularly true for providers based in the US. Each of these seven scenarios with their different rules, procedures, and mechanisms will be examined in the respective subsections of Section II. Section III. will be dedicated to the legality of transfers to third countries taking into account the relevant data protection rules in the EPPO Regulation before some concluding remarks in Section IV. The following analysis is based on the current legal framework and does not address the future legal framework on cross-border e-evidence collection following the entry into force of lined-up but not yet applicable EU and international instruments in the next few years, such as the EU e-evidence package⁹ or the Second Additional Protocol to the Budapest Convention¹⁰. Neither will the article address in detail the issue of the competent jurisdiction over the computer data required by EPPO (i.e., questions regarding the determination of data location, storage place of data, location of the controller, location or nationality of data owner, etc.). The author rather assumes that the location of the data is established if the competent jurisdiction to be addressed by the EPPO in its request for computer data is to be considered.

II. Case Scenarios 1 Scenario 1: e-evidence located within the territorial jurisdiction of the handling EDP

Computer data relevant for EPPO investigations might be located in the territory of the Member State participating in the EPPO of the handling EDP. In this case, the EDP will make use of the legal provisions, procedures, and technical arrangements available at national level, similar to any other criminal justice authority from his/her state. All 22 Member States participating in the EPPO are parties to the Budapest Convention on Cybercrime and have implemented the relevant provisions of the Convention in their criminal procedural law, thus insuring a certain harmonised level of procedural measures on computer data. These include: expedited preservation of stored computer data (Art. 16), production order (Art. 18), search and seizure of stored computer data (Art. 19), real-time collection of traffic data (Art. 20), and interception of content data (Art. 21). Based on the national provisions, the handling EDPs may order or request the issuing of the order (if judicial authorisation is required) for expedited preservation and/or production of computer data and ask the technical support to facilitate access to this data.

2. Scenario 2: e-evidence located within the territorial jurisdiction of an EPPO Member State other than the one of the handling EDP

If e-evidence is located in the territory of a Member State other than the one of the handling EDP, the latter can make use of the provisions of Art. 31 EPPO Regulation. This article represents a self-standing, sui generis legal basis for cross-border investigations of the EPPO.¹¹ The handling EDP sends an order for preservation/production of data to an assisting EDP from the Member State in question, who will then implement the measure there. If judicial authorisation is required under the legislation of the Member State where the data is located, the assisting EDP must obtain prior authorisation for the execution of the order from the competent court of his/her Member State.

3. Scenario 3: e-evidence located within the territorial jurisdiction of non-participating Member States other than Denmark and Ireland

To date, five EU Member States are not yet members of the EPPO. Three of them, i.e., Hungary, Sweden, and Poland, are bound by and have transposed in their national legislation Directive 2014/41 regarding the European Investigation Order in criminal matters (EIO Directive).¹² The collection of computer data which is located in the territory of one of these three non-participating Member States by the EPPO is governed by the provisions of the EIO Directive. In turn, the EIO is defined as a judicial decision issued or validated by a judicial authority in any one EU country for the gathering of evidence in criminal matters carried out in another EU country. Thus, in practice, the handling EDP will need to issue an EIO for the preservation/production of e-evidence on the basis of the national legal framework transposing the EIO in his/her country and send it for execution to the competent authority of the non-participating Member State. In this scenario, the EIO provides the EPPO with a simpler and faster alternative to the traditional mutual legal assistance instruments for requesting evidence, which are subject to strict deadlines and limited possibilities for refusal by the executing state.

4. Scenario 4: e-evidence located within the territorial jurisdiction of a Party to the Budapest Convention on Cybercrime (including non-participating Member State Denmark)

The Council of Europe Convention on Cybercrime (Budapest Convention) is a comprehensive and coherent international agreement on cybercrime and electronic evidence in criminal matters. It includes provisions to be implemented at national level, for both substantive and procedural law, and sets the rules for international cooperation for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form. To date, 68 countries are Parties to the Budapest Convention, including all EU Member States (except Ireland).

The Budapest Convention has high practical relevance for the criminal justice authorities of the Parties as it does not only concern computer-related crime, but any type of crime that requires the preservation/production of e-evidence. International cooperation in criminal matters under the Budapest Convention is regulated in Chapter III. For the preservation and collection of e-evidence, Section 2 of this Chapter (Arts. 29 to 34) is relevant, governing mutual legal assistance regarding provisional and investigative measures. The provisions include the following:

• Expedited preservation of stored computer data (Art. 29);

• Expedited disclosure of preserved traffic data (Art. 30);

• Mutual assistance regarding accessing of stored computer data (Art. 31);

• Trans-border access to stored computer data with consent or publicly available (Art. 32);

• Mutual assistance regarding real-time collection of traffic data (Art. 33);

• Mutual assistance regarding the interception of content data (Art. 34).

The Parties to the Budapest Convention can also make use of a 24/7 Network of contact points established under Art. 35. This network can facilitate the execution of preservation requests and production orders as well as provide assistance with regard to legal and technical information or locating suspects.

If data is located in a territory under the jurisdiction of a Party to the Budapest Convention, a criminal justice authority from another Party can apply the provisions of the Budapest Convention and request the preservation/collection of data directly, via the 24/7 Network, or via the authorities competent for international cooperation. While the EPPO is not a Party to the...