Gathering Electronic Evidence for Administrative Investigations Exploring an Under-the-Radar Area

• Date: 02 November 2023
• Author: Prof. Dr. Stanisław Tosza
• DOI: https://doi.org/10.30709/eucrim-2023-018
• Pages: 110

I. Introduction

With the ever-increasing digitalisation of almost every aspect of human activities, any type of infringement – be it criminal or administrative – leaves digital traces, which may become crucial as evidence in punitive proceedings. Yet, access to electronic evidence is far from straightforward, as it is often in the hands of foreign service providers. Outdated rules of territoriality thus hamper law enforcement efforts, because instruments of international cooperation, such as mutual legal assistance, must be used, which complicate the procedure and render it disproportionately lengthy.¹ This is linked with the fact that often the data has to be obtained from US service providers given their market share. However, US law in principle prohibits the transfer of content data to foreign law enforcement without a decision of a US judge.² Numerous other factors of a legal and practical nature add complexity to the problem, such as encryption,³ rules on admissibility of evidence,⁴ and limitations of enforcement capacity,⁵ to name just a few.

Three major initiatives are intended to remedy this situation, although it is too early to assess their impact. First, the EU has just adopted the Regulation on European Production and Preservation Orders for electronic evidence in criminal matters, which aims at addressing the above-mentioned difficulties.⁶ Most importantly, it will allow law enforcement authorities in one Member State to compel service providers in another Member State to produce data without engaging the authorities of the latter. Second, the EU is negotiating an agreement on e-evidence with the USA, which would broaden the possibilities of US service providers to transmit data to foreign law enforcement authorities without the decision of a US judge.⁷ Third, the recently adopted Second Protocol to the Cybercrime Convention also provides for possibilities to directly request data cross-border from digital companies, even if this would apply only to limited types of data.⁸

All these initiatives open the door to direct cross-border cooperation between law enforcement authorities and service providers, which is not without controversy and creates different legal problems. Intense debate during the lengthy process of negotiating the E-evidence Regulation (and its accompanying Directive) concerned such issues as: its legal basis,⁹ the future relationship between the European Production Order and the European Investigation Order,¹⁰ the role of EU data protection law,¹¹ and the future relationship with the US legal framework.¹² The adoption of the E-evidence package will not end the debate, rather the contrary. One of the most important questions is how service providers can be gatekeepers and protectors of fundamental rights while retaining a private entity nature.¹³

Administrative law enforcement has been notably absent from these debates and initiatives. The European E-evidence Regulation will solely apply to criminal proceedings.¹⁴ Also, the Second Protocol to the Cybercrime Convention is limited to criminal investigations only.¹⁵ Yet, electronic evidence is no less crucial for punitive administrative proceedings. Although access to electronic evidence will arguably not be as broad as that for criminal investigations, due to privacy limitation concerns, it will be increasingly more difficult to miss the golden opportunity that access to evidence through service providers offers for effective investigations. Already non-content data offers insights that may be essential for providing proof of misconduct.¹⁶

An administrative investigation authority that could benefit from more extensive access to electronic evidence is the European Anti-Fraud Office (OLAF), which so far has no specific provisions on cooperation with Internet Service Providers (hereinafter: ISPs). The need to access new types of evidence is well exemplified by the recently added possibility for OLAF to request bank account information.¹⁷ However, we may find possibilities to access electronic evidence in other administrative proceedings, e.g., in financial supervision and the Market Abuse Regulation.

This article aims to sketch out the problem of gathering of electronic evidence in the context of administrative punitive enforcement and the need for research in this area. A particular focus will be placed on OLAF, its need for electronic evidence, and the lack of legal basis to request data from service providers. The article will also briefly present a recently launched research initiative to further explore this issue.

II. Need for Electronic Evidence

The distinctiveness of electronic evidence – contrary to more traditional sources of evidence – is that it can be obtained through a third party: the service provider. This feature is unique: even if access to written letters was possible as a criminal procedural measure, the traditional postal service neither had regular access to the content of the letters they delivered nor did they regularly gather metadata on these letters. In contrast, email service providers do both. Starting from the possibility to acquire data from telecommunication providers,¹⁸ access to data from different kinds of ISPs has become crucial for successful investigations in recent years.

Data in possession of ISPs may be a treasure trove for enforcement authorities. The nature of cyberspace clashes with the limitations of enforcement, however, which hinder access to the data. While data can flow unhindered, at least in principle, law enforcement remains confined to national borders as prescribed in the seminal Lotus judgment.¹⁹ In its conventional reading, the principle of territoriality mandates that if the data being sought is stored outside of the country of investigation, then instruments of cross-border cooperation need to be used, which renders access much more time-consuming, costly, and cumbersome.²⁰ This duality – attractiveness of electronic evidence gathered from third parties and inaptness of principles governing enforcement in cyberspace – characterises this field and has triggered a number of legislative and jurisprudential initiatives.

Over the past several years, the debate over access to electronic evidence gained prominence as regards access to data for criminal investigations. The laws of criminal procedure allowed the authorities to access this data, while providing the framework for protecting suspects’ procedural safeguards. However, if the service provider was located in another country or the data was stored abroad, law enforcement was supposed to resort to instruments of cross-border cooperation: the European Investigation Order (EIO) within the EU’s area of freedom, security and justice and mutual legal assistance (MLA) outside this area, in particular regarding content data from US companies.²¹

The necessary paperwork for MLA and the length of the procedure, compulsory even in purely local cases, garnered frustration on the part of law enforcement, leading to the use of voluntary cooperation with ISPs and to a reinterpretation of the principle of territoriality.²² As to the latter, Belgium for instance decided to treat foreign providers actively targeting Belgian clients as if they were national providers. In two famous cases concerning Yahoo and Skype, these companies found themselves obliged to produce data according to a Belgian order, although the law of the place where they were headquartered (USA and Luxembourg, respectively) prohibited them from doing so.²³

The ensuing discussion resulted in the adoption of the EU’s E-evidence package (composed of a Regulation and a Directive), which offers a much faster way to gather electronic evidence in criminal proceedings. While the Regulation (hereinafter: EPOR) creates the new instruments of the European Production and Preservation Orders, the Directive is meant to ensure that there is at least one potential addressee for the newly created orders per each service provider entering the scope of the EPOR. The main premise of the Regulation is that competent authorities are entitled to issue binding requests to service providers offering services within the EU regardless of their place of establishment or the physical location of the data. Law enforcement authorities in one Member State will now be allowed to issue orders that are directly transmitted to private actors in a different Member State and which have to be executed without any involvement of the authorities of that Member State (with a number of limited exceptions).²⁴

III Electronic Evidence in Administrative (Punitive) Investigations

It is a truism that the nature of administrative proceedings is different from that of criminal proceedings. Administrative decisions do not carry the stigma and moral reproach of criminal law punishments, and instruments of administrative law are less intrusive overall. They also serve different objectives and are not focused on prevention, retribution, or reparation in the same way as criminal enforcement; most of all, they are meant to ensure compliance with the regulatory legal framework.²⁵ However, punitive administrative proceedings may be sufficiently punitive to justify being treated as a “criminal charge” according to the Engel jurisprudence.²⁶

In order to be effective, administrative authorities need to have efficient and modern tools at their disposal to gather evidence for these proceedings, with electronic evidence gathered from ISPs wielding increasing influence over enforcement in recent years. There are four ways in which administrative authorities may acquire this type of evidence from the service providers:

First, there may be a concrete legal basis allowing them to make such requests. For example, the Market Abuse Regulation (596/2014) provides that, under certain circumstances, competent authorities shall have the power to request existing data traffic records held by a telecommunications operator...