Criminal justice in cyberspace – More of everything?

Event report

[Read more session reports and live updates from the EuroDig 2019]

Moderated by Ms Tatiana Tropina (Senior Researcher, Max Planck Institute for Foreign and International Criminal Law) and Ms Irina Drexler (Project Assistant, Cybercrime Programme Office of the Council of Europe), the session aimed to discuss aspects of criminal justice in cyberspace from the perspective of applicable regulations, access to evidence and human rights, public-private co-operation, and technical aspects of investigations.

Mr Markko Kunnapu (Advisor to the Ministry of Justice of Estonia, Member of the Cybercrime Convention Committee Bureau) stated that Mutual Legal Assistance (MLA) frameworks had been developed decades ago and were not designed to address electronic evidence. Therefore, in order to meet the current challenges and technological developments, new frameworks are needed. The EU’s E-evidence proposal, which consists of a regulation and a directive, aims to provide a binding legal framework that would enable EU law enforcement authorities to obtain data from service providers located in other countries. The Council of Europe has also been discussing the Second Additional Protocol to the Budapest Convention on Cybercrime.

Mr Paolo Grassia (Director of Public Policy, European Telecommunications Network Operators’ Association (ETNO)) stressed that territorial jurisdiction is the key concept at the core of collaboration of ETNO members with authorities, as it guarantees there are security channels in place, that a legal order is based on the legal basis, and that it respects the fundamental rights of the concerned users. With the E-evidence proposal, a telecom operator would be exposed to orders from 27 or 26 other EU member states, and it would have to put in place secure channels of communication, accreditation, and standards with 26 or 27 member states, which is unfeasible. ETNO’s stance is that the national authorities act as an intermediary between the foreign authorities and the operators, so that the operators remain sure that the requests they receive are validated according to their legal standards by national authorities. Grassia also stated that government-to-government co-operation in obtaining electronic evidence is crucial.

Ms Acadia Senese (Legal Counsel, Law Enforcement & Information Security, Google) stated that the E-evidence proposal is a significant step forward in creating a harmonious framework across the EU. However, Senese noted that the current text of the proposal contains a severe penalty for non-compliance to disclose data, creating disincentives for companies to question the validity, sufficiency or propriety of the law enforcement request. She also noted that the E-evidence proposal creates a mechanism by which the issuing authority can go directly to a service provider outside of its jurisdiction, which eliminates the role of the central authority in the receiving jurisdiction to check the validity of the request. This could be solved by robust notification measures. Contrary to the current text of the E-evidence proposal, Google thinks that providers sending a notice to users should be the norm because users are in the best position to evaluate whether any of their fundamental rights or privileges are unlawfully implicated by the request. Senese also stated that criminal justice instruments that involve government to government interaction are preferred.

Mr Stanislaw Tosza (Assistant professor, Utrecht University) briefly explained the concept of mutual recognition, which he described as a step forward from mutual legal assistance, meaning that one member state in principle recognises the validity of a decision of another member state. The E-evidence proposal disengages national authorities, and service providers receive orders directly, which they may comply with in order to avoid sanctions or damaging their reputation. This makes the service providers guardians of fundamental rights, instead of member states.

Mr Philipp Amann (Head of EC3 Strategy, European Cybercrime Centre (EC3)) stated that for law enforcement it is important to have the means to be effective and efficient while respecting the fundamental principles of proportionality, necessity, and legality. He underlined that privacy, security, and safety are not a zero-sum game and that they have to go hand in hand. If law enforcement and judiciary are excluded and the discussion solely focuses on privacy, the ‘security and safety’ part of the equation is missing. Amann also highlighted some of the future challenges such as 5G technology, encryption, and big data volumes.

By Andrijana Gavrilović