Mass hacking and fundamental rights: a missed opportunity for the CJEU?

Hugo Partouche, Attorney-at-law (avocat) at the Paris Bar, and Chloé Berthélémy, Senior Policy Advisor, EDRi

 

Photo credit: hacker-silhoutte, via Wikimedia commons

 

*A first version of this article was published in French by Actualité Juridique (AJ) Pénal, Dalloz Revues here.

 

On 30 April 2024, the Court of Justice of the European Union (CJEU) published its decision in the ‘EncroChat’ case.

 

The case emerged from recent European police cooperation operations against organised crime, involving the mass interception of encrypted communications by means of spyware (‘hacking’). They enabled the collection, for EncroChat alone, of millions of messages associated with 32,000 users in 122 countries, including nearly 4,600 in Germany, and leading to more than 6,500 arrests and 3,800 legal proceedings in the Union.^[1]

 

The Berlin Regional Court (the ‘Berlin court’) referred questions to the CJEU, asking whether a German European Investigation Order (‘EIO’) concerning the transmission of data collected by French investigators using hacking techniques was compatible with fundamental rights.

 

The Court's response is based primarily on the principle of mutual trust, which guarantees the effectiveness of European judicial cooperation.^[2] Unfortunately, it carefully avoids linking this decision to its case law on the rights to privacy and data protection in criminal matters developed since the entry into force of the EU Charter of Fundamental Rights (the ‘Charter’).

 

Thus, the Court considers that EU law is of very little assistance to the fundamental rights issues at stake, since the transmission of data between two Member States in the context of an EIO is subject only to the rules applicable to a similar procedure within the issuing State (here, Germany). Similarly, the proportionality of an EIO is analysed solely in light of the law of the issuing State, particularly with regard to the evidence that should be considered sufficient to order such a measure. This question is considered to be distinct from the debate on the integrity of the data before the court hearing the case, which alone is capable of assessing whether the defence is able to comment effectively on the evidence – which is an ability that EU law prescribes.^[3]

 

    1. The EncroChat investigation

 

‘EncroChat’ was a closed network of encrypted communications using modified telephones, used for organised crime, whose servers were in France. In April 2020, the French authorities set up a joint investigation team with the Netherlands, under the aegis of Eurojust, with the support of Europol, and obtained a judicial authorisation to install Trojan horse software on the servers and then directly on the terminals (the phones). The investigators informally announced via Europol's messaging system (SIENA) that they were going to intercept data located beyond their own territory. The German criminal police (BKA) expressed an interest in the data.

 

On the basis of this information, the Berlin court took the view that the investigation should be seen as a single European project with the aim of dismantling the EncroChat service and enabling criminal proceedings to be brought against all European users in their respective countries. It supports this analysis using a variety of indicators: the cooperation between France and the Netherlands starting in 2018, the support of Eurojust and Europol, the development of a complex interception technique, the prior knowledge of the German authorities that the interception would extend over its territory and, above all, the opening in 2020 of an ‘empty shell’ procedure by the Frankfurt public prosecutor's office, intended to receive information on German users, who would then be prosecuted in separate procedures on the basis of information accessed from Europol’s servers.

 

Furthermore, the technical characteristics of the hacking^[4] are not known because the method used is classified as a French national defence secret.^[5] A large part of the file is also being kept confidential by the German public prosecutor's office, which refused to inform the Berlin court of what information had actually been shared between national authorities before the interception measure was launched.^[6] Lastly, numerous errors have been identified in the data (message senders, time stamps, etc.).^[7]

 

2. The limited added value of the judgment on the data protection jurisprudence

 

According to the Berlin court, the course of the investigation suggests that the transmission of the data motivated the collection and not vice versa. With concerns, the referring court suggested that the EIO Directive could not, in such circumstances, separate collection and transmission and that only an independent court could review the proportionality of the latter. However, in the Court's view, the distinction between transmission and collection is clear and the EIO Directive is to be interpreted literally in that it subjects the admissibility of an EIO for the purposes of transmission solely to the law of the issuing State (§92), so that a German public prosecutor may be regarded as competent (§77).

 

The Court did not take the opportunity offered to draw on its own case law relating to Directive 2002/58, known as the ‘ePrivacy’ Directive, interpreted in the light of the Charter (in the context of mass data retention). (See, for example, the judgments in Prokuratuur and La Quadrature du Net and others). Indeed, the retention of and access to telecommunications data are both data processing operations involving serious interference with the fundamental rights to respect for private life and to the protection of personal data. This means that they are subject to EU law criteria, independently of national rules, in particular with regards to the control of proportionality and to the competent authority.

 

The Berlin court noted that the infringement of rights was even more serious in the EncroChat case because of the collection of the content of communications, which is considered sensitive, the long collection period, the massive and indiscriminate nature of the targeting without any specific and individualised suspicion and the immediate collection by law enforcement authorities without any action on the part of the service provider.

 

However, the CJEU refuses to follow this reasoning and to transpose its own criteria in the data protection field to a transfer of data between law enforcement authorities. For the Court, the logic of European judicial cooperation takes precedence over the protection of privacy when the competent authority is dealing with another judicial authority and not with a telecommunications operator.^[8] As a result, there is a risk of a significant disparity between the levels of protection and guarantees afforded to different data processing operations during a cross-border telecommunications interception operation.

 

The laundering of EncroChat data from its original controversial method of collection is of importance in the current debate at EU level on the (illegal) use by several Member States of spyware such as Pegasus and Predator, and their compliance with EU law. The technical characteristics and practical impact on privacy of the Trojan Horse software used to target EncroChat bear many similarities to these contentious spywares. The European Data Protection Supervisor is even of the view that they threaten the very essence of the right to privacy and would therefore be contrary to EU law. As modern state hacking techniques became ever more intrusive, the adequacy of current European instruments for police and judicial cooperation to preserve fundamental rights can be reasonably put into question.

 

It is also regrettable that the conditions under which EncroChat data is stored by the national authorities and by Europol are not mentioned. Such storage constitutes an autonomous infringement of fundamental rights. This question is all the more relevant as the 2022 reform of Europol's mandate allows the agency to derogate exceptionally from its own data protection rules to process large datasets (e.g. data collected in bulk) and authorises the long-term storage of investigative data. This enables Europol and investigating authorities to regularly draw on databases without, however, having to demonstrate the existence of concrete evidence of individualised suspicions, or to comply with the requirements of necessity and proportionality.

 

3. Minimum review of proportionality and right to a fair trial

 

To assess the proportionality of the EIO measure, the Berlin court asks the CJEU to assess the related infringements of procedural rights.^[9]

 

With regard to the right to privacy, the Berlin court held that in order for an EIO ordering the transmission of data to satisfy the conditions of necessity and proportionality set out in the EIO Directive, it is not sufficient to have evidence of multiple offences committed by unidentified persons.

 

The Court replied that: ‘By using the terms “under the same conditions” and “in the context of a similar national procedure”, Article 6(1)(b) of Directive 2014/41 [the EIO Directive] makes the determination of the precise conditions required for the issuing of a European investigation order depend solely on the law of the issuing State’. It concludes that, if the law of the issuing State makes the transmission of data subject to the existence of concrete indications that the person being prosecuted has committed serious offences or to the admissibility of the evidence, the adoption of an EIO is subject to those same conditions. It can be inferred from the request for preliminary ruling that the Berlin court holds that very position, whereas other German courts don’t.

 

With regard to the right to a fair trial, the Berlin court asked the Court of Justice whether the principle of proportionality precluded the issuing of an EIO where the integrity of the data obtained could not be verified because of the confidentiality of the technical bases, and the defence might not, for that reason, be able to comment effectively on that data in subsequent criminal proceedings. The Court replied that it follows from Article 4 of the EIO Directive that the necessity and proportionality of the measure are to be assessed in the light of the law of the issuing State. The Court explains that if the transmission of evidence were to appear either disproportionate or not in conformity with the framework of the ‘similar’ national proceedings, the consequences would be those of national law (§103).

 

However, and it may be one of the most important contributions of this judgment to the many ongoing EncroChat proceedings across Europe, the Court reasserts that if a party ‘is unable effectively to comment on evidence which is capable of having a preponderant influence on the assessment of the facts, that court must find that there has been a breach of the right to a fair hearing and exclude that evidence in order to avoid such a breach.’ (§105).

 

Unfortunately, the CJEU refuses to outline an enhanced control, whether substantive or procedural (§89), in the area of technically complex cross-border investigative measures. It limits the control on this point to the question of judicial review of compliance with fundamental rights provided for in Article 14 of the EIO (§§101 et seq.).

 

However, the Berlin court’s questions seemed particularly relevant on two fronts. First, it follows from the Court's case-law that the practical ease of an interference is not sufficient to make it proportionate.^[10] Secondly, the limitation of a Charter right, while presumed proportionate, ‘may prove to be disproportionate if the criteria governing it are imprecisely drafted and if they do not lay down genuinely objective and controllable conditions’.^[11] These concepts are not used in the judgment.

 

The Court's reasoning, however unsatisfactory in its minimalism, is not surprising: it seizes every opportunity to defend the principle of mutual trust rather than to seek in the Charter the elements for a full review of the implementation of judicial cooperation tools. And for good reason: that is the inherent logic of these tools.

 

However, the complexity of the EncroChat investigation had given the opportunity to the Court to develop its case law. The Court started applying in the Aranyosi and Caldararu case what some commentators have described as the principle of acquired mutual trust rather than blind mutual trust,^[12] particularly with regard to the risk of forum shopping.

 

4. Wilful blindness to the risk of forum shopping?

 

In the Court's view, the singular structure of the investigative measures does not present any particularity of relevance to the EIO Directive.

 

Although it acknowledges that the data was collected on behalf of Germany and on its territory, the Court does not explain why it completely rules out the risk that Germany might have opportunistically subcontracted the collection to France where data interception is less regulated. In the Court's view, the EIO Directive does not take into account the location of the data collection (§98). This allows the Court to not assess the risk of forum shopping, that implies taking advantage of the difference in rules between collection and transmission in the State where the data are collected (here, Germany).

 

In those circumstances, it is particularly surprising that the judgment states, without giving any reasons, that ‘in the present case, it does not appear that the purpose or effect of the collection and transmission, by means of a European Investigation Order, of the evidence thus collected was such circumvention, which it is for the referring court to ascertain’ (§97). The Court is ruling on a point that it considers to be outside its purview.

 

However, the Berlin Court was rather clear about the genuine risk of circumvention, particularly since it would have been more logical for an EIO to have been issued prior to collection and, in such a case, the authorisation of an independent court would have been required under German law (on the basis of the CJEU judgment of 16 December 2021, Spetsializirana prokuratura (Traffic and location data)). The referring court therefore finds itself on the receiving end of a paradoxical answer to its question.

 

The Court's ambivalence stems from its overreliance on the principle of mutual recognition in this context. This principle, which is itself based on mutual trust, justifies that the referring court is not authorised to review the validity of the procedure by which an EIO was issues to the executing State for the purpose of transmission (§§99-100). This was the Advocate General's position, according to whom the ‘interception took place independently of the EIOs at issue’ (paras 15-16 of the opinion).

 

As said, however, it was specifically questioned in cases where mutual trust, instead of merely facilitating cooperation between two States, serves as a screen for opaque police strategies. No control over such strategies and their impact on fundamental rights would therefore come directly from EU law, despite the fact that EU law has been able to act as a bulwark against the protection of privacy in relation to new technologies.

 

Could it be that the Court has missed its appointment with complex and new technical issues destined to change the economics of European judicial cooperation?

---

[1]https://www.europarl.europa.eu/RegData/etudes/ATAG/2022/739268/EPRS_ATA(2022)739268_EN.pdf  The spyware made it possible to intercept their traffic and location data, as well as the content of communications, including those stored on the devices prior to the operation. Given the massive scale of the data extraction, many lawyers have publicly questioned the lawfulness of the data interception measures, as well as the reliability and admissibility of the resulting evidence: https://www.computerweekly.com/news/252526497/Dutch-lawyers-raise-human-rights-concerns-over-hacked-cryptophone-data

       https://www.fairtrials.org/articles/news/encrochat-hack-fair-trials-denounces-lack-of-transparency-and-oversight/

[2]The Court has vigorously defended this principle because of its role in European integration, allowing only exceptional circumstances to derogate from it. See also: https://www.eurojust.europa.eu/20-years-of-eurojust/recent-jurisprudence-cjeu-judicial-independence-and-european-arrest-warrant

[3]Note D. Berlin, La Semaine Juridique Edition Générale n° 19, 13 May 2024, act. 606.

       Note V. Barbault, Lexis « EncroChat : précisions de la CJUE sur la transmission et l'utilisation de preuves dans les affaires pénales transfrontalières »

[4]But also the storage, allocation and filtering of data by the French authorities or by Europol.

[5]French law provides minimal control over hacking measures, as demonstrated by Decision no. 2022-987 QPC of April 8, 2022 (M. Saïd Z. ), dealing in particular with the provisions of article 706-102-1 of the French Code of Criminal Procedure, and a ruling by the French Supreme Court (Cour de cassation) on the nullity of interception and capture operations carried out on the basis of this same text, as well as on the failure to include the master procedure in the proceedings (Crim. October 11, 2022, no. 21-85.148).

[6]The Berlin Court explains that this opacity explains a divergent decision by the Federal Court of Justice on March 2, 2022.

[7]For a technical analysis of the practical impossibility of effectively commenting on the data and possible errors: V. R. Stoykova, Encrochat: The hacker with a warrant and fair trials?, Forensic Science International: Digital Investigation 46 (2023) 301602

[8]H. Christodoulou, Issuance of a European investigation order for the transmission of telecommunications data possessed by the executing State: sufficiency of the prosecutor's control, CJEU Apr. 30, 2024, aff. C-670/22, Dalloz Actualité, 31 May 2024

[9]It is regrettable that the Berlin Regional Court did not use Article 52(1) of the Charter, which is intended to verify that the infringement of a fundamental right does not affect the essence of that right, which in principle takes precedence over the examination of the necessity and proportionality of the interference.

[10] P. Gilliaux, Droit général des droits fondamentaux de l’Union européenne, Bruylant, 2024, §770

[11]Ibid. §784.  In this respect, by submitting such a complex investigative technique to the Court for the first time, the Encrochat case could have provided an opportunity to reinforce the standard of equality of arms by abandoning the idea that it is sufficient for the defendant to be able to "comment" on information from investigations carried out by foreign authorities.

[12] V. Mitsilegas, Trust (2020) German Law Review 69. This consideration is not, however, absent from the decision, which recalls that the presumption of respect for fundamental rights in the executing State is rebuttable (§99).