European Investigation Order: Where the Law Meets the Technology (Law, Governance and Technology Series, 55) 3031316851, 9783031316852

In the era of globalisation, cross-border crimes are becoming increasingly common. The nature of these crimes is complex


Language: English. Pages: 212 [207]. Year: 2023.


Table of contents:
Contents
Introduction: Setting the Scene on EIO and the Interaction Between Law and Technology
EU Legislation on EIO and Its Implementation in the Member States
1 Introduction
2 EIO Directive's Scope
3 Transposition in Member States' Law
Reference
EU Initiatives on the Implementation of the EIO
1 Initiatives for Conformity and Effective Application
2 e-Evidence Digital Exchange System
3 Judicial Cooperation
References
The Challenging Path Towards the Establishment of the EU Legal Framework Regulating Cross-Border Access to Digital Evidence
1 The Origins of the Electronic Evidence Package
2 The Scope of the Electronic Evidence Proposal and Its Main Features
3 The Legislative Process in the Council: The General Approaches
4 The Legislative Process in the European Parliament: The Position
5 The Way Forward: What Shall We Expect?
References
Evidence Exchange Under the EIO: Technological Challenges
1 Overview of the Evidence Exchange Scenario
1.1 Evidence Exchange: Real Scenario
1.2 Evidence Exchange: Questions
1.3 Evidence Exchange: Real Scenario
2 Standard for the Evidence Exchange
3 Standard Language: CASE/UCO Ontologies
4 Large Evidence File Exchange
5 Conclusions
References
e-CODEX: A Secure Infra-Structure for Cross-Border Cooperation
1 Introduction
2 Legal Bases
3 History
3.1 e-CODEX Project (2011–2016)
3.2 Me-CODEX Project (2016–2018)
3.3 Me-CODEX II Project (2019–2021)
3.4 Me-CODEX III Project (2022–2024)
4 Description
4.1 Technical Implementation
4.2 Authentication
4.3 Communication
4.4 Financing
4.5 Future
5 Other e-CODEX Projects
5.1 Pro-CODEX
5.2 e-CODEXPlus
5.3 European Order for Payment Procedure
5.4 iSupport
5.5 API for Justice
5.6 EXEC-Electronic Xchange of e-Evidences with e-CODEX
5.7 EVIDENCE2e-Codex
6 Related Projects
6.1 e-SENS and Other Large Scale Pilots
7 Outlook
References
e-Evidence Digital Exchange System (eEDES)
1 Introduction
2 Background
3 Project Scope
4 Business Objective, Domains and Processes
4.1 eEDES Domains
4.2 eEDES Global Business Processes and Sub-processes
4.3 eEDES Request Legal Assistance Process
4.4 Provide Legal Assistance Process
5 eEDES System Setup
5.1 Overall Architecture
6 Supported Messages and Workflows
6.1 Functional Messages
6.1.1 From the Issuing Authority to the Executing Authority
6.1.2 From the Executing Authority to the Issuing Authority
6.2 Technical Messages
6.3 Errors and Warnings
6.3.1 Syntactic Validation
6.3.2 Semantic Validation
6.4 Workflows
6.4.1 Internal Workflow
6.4.2 External Workflow
7 Security Objectives
7.1 Reliability
7.2 Confidentiality
7.3 Integrity
7.4 Availability
7.5 Legitimate Use of the System
8 Data Protection Aspects
9 Model Analysis
9.1 Global Model
9.2 System Architecture
9.2.1 The Legal View
9.2.2 The Organisational View
9.2.3 The Technical View: The Reference Portal Layer
9.2.4 The Technical View: Infrastructure Layer
9.2.5 Information Security and Information Privacy
9.2.6 Connectivity and Interoperability
9.2.7 Business Process Orchestration and Collaboration
10 Search for the Competent Authority: Criminal Court Database
11 Implementation Approach
11.1 Organisational Aspects
11.2 Requirements Analysis
11.2.1 Functional Requirements
11.2.2 Non-functional Requirements
11.2.3 Usability
11.2.4 Security
11.3 Business Continuity
11.4 Quality of Service
11.5 Development and Deployment
11.5.1 Define the Workflow and the Forms
11.5.2 Develop and Distribute the Forms
11.5.3 Set Up the Infrastructure at the Member States to Host e-CODEX and the RI
11.5.4 Adapt the e-CODEX Package to Support the Integration of e-Evidence
11.5.5 Install and Test e-CODEX Package in the Member States Infrastructure
11.5.6 Prepare and Deliver the e-Evidence Solution (RI)
11.5.7 Install and Test the e-Evidence Solution (RI) in the Member States Infrastructure
11.5.8 Create or Adapt Own Solution (for Member States Opting to Use a National Implementation)
11.5.9 Rollout in Production
12 Live Exchanges
13 Successful Conclusion of the Project
ANNEX I: Acronyms and Definitions
Evidence Exchange Standard Package: An Application CASE Ontology Complied for the Preparation of the Evidence Package and Its Exchange
1 Use Case Scenario Under EIO
1.1 Terminology
1.2 Start of the Case
1.2.1 Italian CA Receives the EIO and Authorises the Search and Seizure of the Suspect's Smartphone
1.2.2 Forensic Lab Carries Out the Initialisation Step, Then Processes the Seized Device and Finally Merges the Outcome
1.2.3 Forensic Lab Prepares the E-Content to be Manually Delivered to the National Law Enforcement
1.2.4 Competent Authority Imports the E-Content in Their Environment
1.2.5 Competent Authority Exports the E-Package to be Sent to the Competent Authority in Issuing State
2 EESP Application Overview
2.1 EESP Application: Import and Export Operations
2.2 Evidence Packaging and Unpacking
2.2.1 Evidence Packaging
2.2.2 Evidence Unpacking
3 Packaging Services: Architecture, API and Functionality
3.1 The Packaging Services
3.2 The Browse E-Content Operation
3.3 The E-Content Import Operation
3.4 The E-Content Export Operation
4 EESP Frontend: Packaging Views
5 Security, Encryption, Communication Protocols and Access Control
5.1 Server-Side Security
5.2 EESP Application Security
5.3 Data Exchange Security
6 Conclusions
Legal Framework for Digital Evidence Following the Implementation of the EIO Directive: Status Quo, Challenges and Experiences in Member States
1 Introduction
2 European Legal Framework on Digital Evidence
2.1 The EIO Directive
2.2 Traditional MLA Mechanisms
3 Proposed Legislation
4 Privacy and Data Protection
5 Challenges to the Current Regime
6 Conclusion
References
Data Protection and European Investigation Orders
1 Introduction
2 The EU Legislation on Data Protection: Regulation 2016/679/EU and Directive 2016/680/EU
3 Data Protection and the Judicial World
4 Analysis of the Data Protection Aspects of the EIO Implementation
4.1 Controllership
4.2 Principles of Data Protection
4.3 The Data Subject
5 Conclusion
References
Different Perspectives on EIO
1 Introduction
2 Lawyers' Perspective
3 Technical Community's Perspective
4 The Legal Community at Large
5 Conclusions
Training on EIO: Overview of Training Courses in the EU
1 European Judicial Training Strategy
2 EIO-Dedicated Educational and Awareness Activities by EU-Funded Projects
3 EIO-Dedicated Educational and Awareness Activities by EU-Level Training Providers
References
Training on EIO: TREIO Project
1 Objectives
2 Background on the EIO
3 Objectives, Impact and Methodology
4 Impact
5 Methodology
6 European Added Value and Impact on Non-EU Countries

Law, Governance and Technology Series 55

Maria Angela Biasiotti and Fabrizio Turchi, Editors

European Investigation Order Where the Law Meets the Technology

Law, Governance and Technology Series Volume 55

Series Editors
Pompeu Casanovas, UAB, Institute of Law and Technology UAB, Barcelona, Spain
Giovanni Sartor, University of Bologna and European University Institute of Florence, Florence, Italy

The Law, Governance and Technology Series is intended to attract manuscripts arising from an interdisciplinary approach in law, artificial intelligence and information technologies. The idea is to bridge the gap between research in IT law and IT-applications for lawyers developing a unifying techno-legal perspective. The series will welcome proposals that have a fairly specific focus on problems or projects that will lead to innovative research charting the course for new interdisciplinary developments in law, legal theory, and law and society research as well as in computer technologies, artificial intelligence and cognitive sciences. In broad strokes, manuscripts for this series may be mainly located in the fields of the Internet law (data protection, intellectual property, Internet rights, etc.), Computational models of the legal contents and legal reasoning, Legal Information Retrieval, Electronic Data Discovery, Collaborative Tools (e.g. Online Dispute Resolution platforms), Metadata and XML Technologies (for Semantic Web Services), Technologies in Courtrooms and Judicial Offices (E-Court), Technologies for Governments and Administrations (E-Government), Legal Multimedia, and Legal Electronic Institutions (Multi-Agent Systems and Artificial Societies).


Editors
Maria Angela Biasiotti, CNR-IGSG, Florence, Italy
Fabrizio Turchi, CNR-IGSG, Florence, Italy

ISSN 2352-1902, ISSN 2352-1910 (electronic)
Law, Governance and Technology Series
ISBN 978-3-031-31685-2, ISBN 978-3-031-31686-9 (eBook)
https://doi.org/10.1007/978-3-031-31686-9

© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG 2023

This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland.

Contents

Introduction: Setting the Scene on EIO and the Interaction Between Law and Technology (Maria Angela Biasiotti and Fabrizio Turchi), p. 1
EU Legislation on EIO and Its Implementation in the Member States (Alexandra Tsvetkova), p. 5
EU Initiatives on the Implementation of the EIO (Alexandra Tsvetkova), p. 13
The Challenging Path Towards the Establishment of the EU Legal Framework Regulating Cross-Border Access to Digital Evidence (Teresa Magno), p. 23
Evidence Exchange Under the EIO: Technological Challenges (Fabrizio Turchi), p. 35
e-CODEX: A Secure Infra-Structure for Cross-Border Cooperation (Thomas Gottwald, Martin Schneider, Robert Behr, and Mathias Maurer), p. 53
e-Evidence Digital Exchange System (eEDES) (Djamila Ben Miloud and Cristian Nicolau), p. 69
Evidence Exchange Standard Package: An Application CASE Ontology Complied for the Preparation of the Evidence Package and Its Exchange (Gerardo Giardiello and Fabrizio Turchi), p. 97
Legal Framework for Digital Evidence Following the Implementation of the EIO Directive: Status Quo, Challenges and Experiences in Member States (Melania Tudorica and Jeanne Mifsud Bonnici), p. 127
Data Protection and European Investigation Orders (Nikolaus Forgó and Emily Johnson), p. 153
Different Perspectives on EIO (Maria Angela Biasiotti and Sara Conti), p. 169
Training on EIO: Overview of Training Courses in the EU (Alexandra Tsvetkova), p. 187
Training on EIO: TREIO Project (Maria Angela Biasiotti), p. 199

Introduction: Setting the Scene on EIO and the Interaction Between Law and Technology
Maria Angela Biasiotti and Fabrizio Turchi

Abstract The European Investigation Order (EIO), established by Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014, represents a great step forward in cross-border judicial cooperation with regard to evidence gathering and exchange. The EIO allows judicial authorities to request evidence faster than the traditional instruments. However, the EIO is not the only pertinent legal instrument for attaining cross-border collection of evidence within the EU. Therefore, professionals need an unequivocal understanding of the situation: whether the use of an EIO is mandatory, and when evidence gathering abroad by means of an EIO is not achievable. This consideration highlights the importance of a systematic organisation of training courses in all Member States. From the technical point of view, accomplishing the ambitious goal of exchanging evidential material among judicial authorities in the EU Member States presupposes two essential components. First, a secure communication channel for the evidence exchange must be available, and this is provided by e-CODEX; secondly, a communication tool is needed to speak to e-CODEX. This tool has been provided by the e-Evidence Digital Exchange System, developed and led by the European Commission. These technical components represent a major step forward in making judicial cooperation faster and more efficient. Within this scenario a package containing the evidential material might be exchanged as a simple attachment to any communication between the judicial authorities in the Executing and Issuing States. However, it is also crucial to use a standard for the representation of the data and metadata of the elements of evidence, to streamline the process and make the investigations more effective. Standardising how cyber-information is represented addresses the current problem faced by investigators when they receive relevant information from different sources in a variety of formats. This Volume collects contributions that deal with the legal perspective relating to the EIO, its technological perspective, and the combination of the two as essential for the success of the new European judicial cooperation in the criminal field.

M. A. Biasiotti and F. Turchi, IGSG/CNR, Florence, Italy. © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023. M. A. Biasiotti, F. Turchi (eds.), European Investigation Order, Law, Governance and Technology Series 55, https://doi.org/10.1007/978-3-031-31686-9_1


The European Investigation Order (EIO), established by Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014, represents a great leap forward in cross-border judicial cooperation when it comes to evidence gathering and exchange. The EIO is a judicial decision issued by the judicial authority of an EU Member State to request that investigative action to collect or use evidence in criminal matters be carried out in another EU Member State. It is a legitimate action across the EU, but it cannot be utilised in Denmark and Ireland. The EIO is based on mutual recognition; therefore the executing judicial authority is, in principle, compelled to recognise and ensure the execution of the request from the other Member State. The investigative measures covered include device seizure, the hearing of witnesses, phone interceptions, covert investigations and information on banking operations. The EIO allows judicial authorities to request evidence faster than the traditional instruments. Moreover, it establishes stringent deadlines, limiting the possibility of refusal by the executing State. The EIO has become the primary legal tool for collecting trans-border evidence, substituting the traditional MLA conventions primarily used to this end so far. However, the EIO is not the only pertinent legal instrument for attaining cross-border collection of evidence within the EU. Not all EU Member States are bound by the EIO Directive. Indeed, under specific conditions, the Directive does not exclude the application of other international conventions on Mutual Legal Assistance (MLA). Therefore, professionals need an unequivocal understanding of the situation: whether the use of an EIO is mandatory, and when evidence gathering abroad by means of an EIO is not achievable.

In relation to some measures and provisions, different interpretations exist in the Member States, occasionally generating disputes; it is therefore key to train all the potential stakeholders that can be involved in the process in the use of the EIO. This consideration highlights the importance of a systematic organisation of training courses in all Member States (see Chap. 11). From the technical point of view, accomplishing the ambitious goal of exchanging the elements of evidence among judicial authorities in the EU Member States presupposes two essential components. First, a secure communication channel for the evidence exchange must be available, and this is provided by e-CODEX, which offers a European digital infrastructure for secure cross-border communication in the field of justice (see Chap. 5). Recently, on 30 May, the e-CODEX system became the digital backbone of EU judicial cooperation in civil and criminal matters on the basis of Regulation 2022/850. The e-CODEX system has been designed and developed for machine-to-machine communication; therefore, it does not envisage any user interface. To attain the evidence exchange within the EIO/MLA legal instruments, another primary technical component is necessary: a communication tool. This is provided by the e-Evidence Digital Exchange System (see Chap. 6), developed and led by the European Commission. It is a platform capable of managing any EIO/MLA procedure, from the e-Forms (EIO Annexes) to the whole business logic, relying on the e-CODEX infrastructure.


These technical components represent a major step forward in making judicial cooperation faster and more efficient. Within this scenario a package containing the elements of evidence could be exchanged as a simple attachment to any communication between the judicial authorities in the Executing and Issuing States. However, it is also crucial to use a standard for the representation of the data and metadata of the elements of evidence, to streamline the process and make the investigations more effective, in particular in complicated criminal cases where it is key to find correlations among different cases or to extract data from the same inspection. Investigators have an increasing need to share digital evidence between different organisations and analysis tools. But today’s investigators are hindered by a variety of independently developed and incompatible formats used to store digital evidence. Problems arise when dealing with different disk image formats, and the difficulties are exacerbated when dealing with diverse kinds of evidence, such as network logs and the contents of mobile devices. Without standards that are both open and technically sound, the risk is that evidence may be lost, cases may be compromised, and innocent people may be improperly convicted, or guilty parties set free. The lack of a generally accepted format for storing all forms of digital evidence is hampering the development of digital forensics as a scientific discipline, and may result in compromised or lost evidence, with significant judicial consequences. To perform digital investigations effectively, there is a pressing need to harmonise how information relevant to cyber-investigations is represented and exchanged. The CASE standard (see Chap. 4) provides a structured specification for representing information that is analysed and exchanged during investigations involving digital evidence. CASE enables information from different data sources and forensic tool outputs to be merged, allowing more comprehensive and cohesive analysis. Standardising how cyber-information is represented addresses the current problem faced by investigators when they receive relevant information from different sources in a variety of formats. An investigation generally involves many different tools and data sources, effectively creating separate silos of information. Manually pulling together information from these various data sources and tools is time-consuming and error-prone.

Beyond the standardisation issue, another, more general problem must be addressed in the short term, from both the technical and the legal point of view. The issue concerns the digital exchange of large files, whether or not they contain elements of evidence. The goal is to overcome the limited attachment sizes permitted by current communication tools, and the most promising solution is to adopt a decentralised architecture. From a legal point of view this should be the simplest option, because a legal basis would be required at national level only. From a technical point of view, each Member State should be responsible for managing its own cloud space, where any large file is temporarily stored and from which the other Member State involved in the communication process can download the requested resource at the end of the procedure. The next years will be crucial for a more comprehensive digital cross-border criminal procedure, but the current legal and technical scenarios give great hopes for the future.


This Volume collects contributions that deal with the legal perspective relating to the EIO, its technological perspective, and the combination of the two as essential for the success of the new European judicial cooperation in the criminal field. The first part of the volume is dedicated to contributions by various experts dealing with the “legal perspective” linked to the EIO; the second part is devoted to contributions dealing with the “technological perspective”; finally, the third part collects contributions on practice and experiences related to the implementation and digital implementation of the EIO Directive.

EU Legislation on EIO and Its Implementation in the Member States
Alexandra Tsvetkova

Abstract The EIO Directive is the core instrument for gathering evidence in the EU. It streamlined the process of obtaining evidence in criminal matters and imposed strict time limits for the implementation of the procedure. However, despite the efforts of the Member States, there are still significant differences that prevent the alignment of professionals’ practices and full conformity with the EIO Directive’s principles throughout the EU. The present Chapter offers a glimpse of the difficulties in implementing the Directive.

1 Introduction

Directive 2014/41/EU regarding the European Investigation Order in criminal matters¹ (‘EIO Directive’) was adopted on 3 April 2014 and established a single judicial cooperation instrument called the European Investigation Order (EIO). The EIO is to be issued or validated by a judicial authority of a Member State (‘the issuing State’) for the purpose of having one or several specific investigative measure(s) carried out in the State executing the EIO (‘the executing State’) to obtain evidence, including electronic evidence, in accordance with the Directive. This instrument may also be applied to obtain evidence that is already in the possession of the competent authorities of the executing State. As from 22 May 2017, the EIO Directive replaced the existing frameworks for gathering evidence that applied between the Member States bound by the Directive, namely the 2000 EU Mutual Legal Assistance Convention² and its protocol, Framework Decision 2008/978/JHA on the European evidence warrant³ and Framework Decision 2003/577/JHA on the freezing of evidence,⁴ along with the corresponding provisions of the European Convention on Mutual Assistance in Criminal Matters of the Council of Europe of 20 April 1959, as well as its two additional protocols, and the bilateral agreements concluded pursuant to Article 26 thereof, and the Convention implementing the Schengen Agreement.⁵ Member States bound by the EIO Directive shall execute an EIO based on the principle of mutual recognition and within the legislative framework it lays down; however, after 22 May 2017, Member States may conclude or continue to apply bilateral or multilateral agreements or arrangements with other Member States only insofar as the latter further strengthen the aims of the EIO Directive and contribute to simplifying or further facilitating the procedures for gathering evidence, and provided that the level of safeguards set out in the EIO Directive is respected. Recital 25 notes the horizontal scope of the EIO Directive, as it is to be applied to all investigative measures aimed at gathering evidence, at all stages of criminal proceedings, including during the trial phase; nevertheless, it does not cover the setting up of a joint investigation team.⁶ The gathering of evidence within such a team requires specific rules, and existing instruments continue to apply to this type of investigative measure, as provided in Article 13 of the 2000 EU Mutual Legal Assistance Convention and in Council Framework Decision 2002/465/JHA,⁷ other than for the purposes of applying, respectively, Article 13(8) of the Convention and Article 1(8) of the Framework Decision.

¹ Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters, OJ L 130, 01.05.2014, pp. 1–36.
² Convention established by the Council in accordance with Article 34 of the Treaty on European Union, on Mutual Assistance in Criminal Matters between the Member States of the European Union, OJ C 197, 12.07.2000, pp. 3–23.
³ Council Framework Decision 2008/978/JHA of 18 December 2008 on the European evidence warrant for the purpose of obtaining objects, documents and data for use in proceedings in criminal matters, OJ L 350, 30.12.2008, p. 72.
⁴ Council Framework Decision 2003/577/JHA of 22 July 2003 on the execution in the European Union of orders freezing property or evidence, OJ L 196, 20.08.2003, p. 45.
⁵ Convention implementing the Schengen Agreement of 14 June 1985 between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders, OJ L 239, 22.09.2000, pp. 19–62.
⁶ A joint investigation team (JIT) is an advanced tool used in international cooperation in criminal matters, comprising a legal agreement between competent authorities of two or more States for the purpose of carrying out criminal investigations. JITs are typically made up of prosecutors, law enforcement officials and judges. They are established for a fixed period, between 12 and 24 months on average, that is considered necessary to reach successful conclusions to the investigations. Further information, guidance and advice on the setting up and operation of joint investigation teams is provided in Eurojust (2021) Joint Investigation Teams: Practical Guide. ISBN: 978-92-9490-581-9. https://www.eurojust.europa.eu/publication/jits-practicalguide. Accessed 18 Dec 2022.
⁷ Council Framework Decision 2002/465/JHA of 13 June 2002 on joint investigation teams, OJ L 162, 20.06.2002, pp. 1–3.

A. Tsvetkova, LIBRe Foundation, Sofia, Bulgaria. © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023. M. A. Biasiotti, F. Turchi (eds.), European Investigation Order, Law, Governance and Technology Series 55, https://doi.org/10.1007/978-3-031-31686-9_2


2 EIO Directive’s Scope Pursuant to Article 2(c) of the EIO Directive, an ‘issuing authority’ could be a judge, a court, an investigating judge, or a public prosecutor8 competent in the case concerned; or any other competent authority as defined by the respective issuing State which, in a specific case, is acting in its capacity as an investigating authority in criminal proceedings with competence to order the gathering of evidence in accordance with national law. The issuing of an EIO may also be requested by a suspected or accused person, or by a lawyer on his/her behalf, within the framework of applicable defence rights in conformity with the respective national criminal procedures. Furthermore, as per Article 2(d) of the EIO Directive, ‘executing authority’ refers to an authority having competence to recognise an EIO and ensure its execution in accordance with the EIO Directive and the procedures applicable in a similar domestic case. Before an EIO is transmitted to the executing authority, it shall be validated regarding its conformity with the conditions set out by the EIO Directive, e.g., those under Article 6(1), by a judge, court, investigating judge or a public prosecutor in the issuing State. In cases where the EIO is validated by a judicial authority, the latter may also be regarded as an issuing authority for the purposes of transmitting the EIO. The EIO focuses on the investigative measure to be carried out during criminal investigations. Based on its knowledge of the details of the investigation concerned the issuing authority decides which investigative measure is to be used. If the indicated measure does not exist under the executing authority’s national law or would not be available in a similar domestic case, the executing authority is allowed to use another type of investigative measure, whenever possible. 
Availability refers to occasions where the indicated investigative measure exists under the law of the executing State but is only lawfully available in certain situations. The executing authority may also make use of another type of investigative measure, implying less interference with the fundamental rights of the person concerned, if it would achieve the same result as the investigative measure indicated in the EIO. The investigative measures within an EIO should be proportionate, adequate, and applicable to the criminal investigation in hand. The issuing authority is responsible for establishing whether the evidence sought is necessary and proportionate for the purpose of the proceedings, whether the investigative measure chosen is necessary and proportionate for the gathering of the evidence concerned, and whether, by means of issuing the EIO, another Member State should be involved in the gathering of that evidence. A similar assessment procedure should be carried out as part of the EIO validation required under the EIO Directive.

Even if an EIO is validated on the issuing side, its recognition or execution may still be refused in the executing State under limited circumstances, such as essential national security interests or respect for fundamental rights; however, no other grounds than the ones stated in Article 11 of the EIO Directive may apply. In any case, the executing authority is entitled to opt for a less intrusive investigative measure as indicated above.

The EIO Directive sets strict time limits for recognition or execution of an EIO, thus establishing firm deadlines for gathering the evidence requested. Pursuant to Article 15(1) of the EIO Directive, the recognition or execution of the EIO may be postponed in the executing State only if the EIO execution might prejudice an on-going criminal investigation or prosecution, until such time as the executing State deems reasonable, or in cases where the objects, documents, or data concerned are already being used in other proceedings, until such time as they are no longer required for that purpose.

The EIO Directive sets specific provisions for certain investigative measures (Articles 22–32 of the EIO Directive), along with additional safeguards on the protection of the rights of the defence (Articles 1(3), 6 and 14), confidentiality (Article 19) and data protection (Article 20). The EIO Directive provides standard forms for completing an EIO (Annex A), confirming its receipt (Annex B) and sending a notification about the interception of telecommunication on the notified Member State’s territory (Annex C).

• When seeking to have investigative measures carried out in another Member State, the issuing authority must transmit the EIO in the form set out in Annex A to the EIO Directive. The EIO should contain all relevant information as prescribed by the form, to enable the executing State to recognise and execute the EIO. Furthermore, the EIO should be translated into the official language of the executing State or into any other language indicated by the executing State (Article 5(3) of the EIO Directive).

• The confirmation of the receipt of an EIO, set out in Annex B (Article 16(1) of the EIO Directive), is to be completed and sent out by the executing authority within a week of the EIO receipt.

• The notification under Annex C (Article 31(2) of the EIO Directive) is used when the interception of telecommunications is authorised by the competent authority of one Member State (the ‘intercepting Member State’) and the subject of the interception is in another Member State (the ‘notified Member State’) from which no technical assistance is needed to carry out the interception. In such a case, the intercepting Member State must notify the competent authority of the notified Member State of the interception by using this form.

8 In its judgement of 8 December 2020, in Case ‘Staatsanwaltschaft Wien vs A. and Others’, C584/19 PPU, ECLI:EU:C:2020:1002, the Court of Justice of the European Union ruled that the concepts of ‘judicial authority’ and ‘issuing authority’ as per the EIO Directive include the public prosecutor’s office of a Member State, regardless of any relationship of legal subordination that might exist between that public prosecutor or public prosecutor’s office and the executive of that Member State and of the exposure of that public prosecutor or public prosecutor’s office to the risk of being directly or indirectly subject to orders or individual instructions from the executive when adopting an EIO.

EU Legislation on EIO and Its Implementation in the Member States

9

3 Transposition in Member States’ Law

Pursuant to Article 36(1) of the EIO Directive, the European Member States were obliged to transpose it into their national legal systems within a three-year timeframe. The Directive applies to all Member States bound by it. Ireland and Denmark did not take part in the adoption of the EIO Directive and are not bound by it or subject to its application. By 22 May 2017 each Member State was to notify the European Commission (EC) of the authorities which, in accordance with its national law, were competent according to Article 2(c) and (d) of the EIO Directive in cases when this Member State was in the position of the issuing State or the executing State; the languages accepted for an EIO, as referred to in Article 5(2); and the information regarding the designated central authority or authorities under Article 7(3), if applied by the Member State.

However, transposing the EIO Directive took longer than expected. At the expiry of the transposition period, only ten Member States had notified the EC of appropriate measures to (shortly) finalise the process in the following weeks, if not yet finalised. In July 2017, the EC initiated infringement procedures, in accordance with Article 258 TFEU, against thirteen Member States, namely Austria, Bulgaria, Croatia, Cyprus, the Czech Republic, Greece, Luxembourg, Malta, Poland, Portugal, Slovakia, Spain, and Sweden, for failing to notify the EC of the respective measures towards transposing the Directive. By September 2018, with the adoption of corresponding provisions by Luxembourg, all Member States bound by the EIO Directive had notified their national transposing measures.9 The analysis of the notified measures provided by the European Judicial Network in criminal matters has not identified any significant missing elements subject to transposition.

The withdrawal of the United Kingdom (UK) from the European Union (EU), known as Brexit, took effect at 23:00 31 January 2020 GMT (00:00 CET). The Withdrawal Agreement specified that the transition period lasted until 23:00 31 December 2020 GMT (00:00 CET), after which the UK was no longer a member of the EU but remained a member of the single market and customs union. During the transition period, the UK continued to be subject to EU rules. During the Brexit negotiations, the UK proposed “retaining an efficient and secure evidence exchange in cross-border criminal investigations on the basis of the EIO”.10 However, as of the end of the transition period, the EIO Directive and the 2000 Convention and related Protocol on Mutual Assistance in Criminal Matters no longer apply to the

9 European Judicial Network in criminal matters (2017). Status of implementation of the EIO Directive per State, Last review on 17 November 2022. https://www.ejn-crimjust.europa.eu/ejn/EJN_Library_StatusOfImpByCat.aspx?CategoryId=120.
10 Government of the United Kingdom (2018). The future relationship between the United Kingdom and the European Union. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/786626/The_Future_Relationship_between_the_United_Kingdom_and_the_European_Union_120319.pdf. Accessed 13 Sep 2021.


UK. An EIO can no longer be issued to obtain evidence located in the UK or to obtain evidence located in EU Member States for use in UK criminal investigations or proceedings. EIOs received before the transition deadline are processed as such. EIOs received after the deadline are processed as mutual legal assistance (MLA) requests unless the requesting state objects. In this regard, MLA requests between the EU Member States and the UK are based on cooperation through the European Convention on Mutual Assistance in Criminal Matters of the Council of Europe of 20 April 1959 and its two additional protocols, as supplemented by provisions agreed in Title VIII of the EU-UK Trade and Cooperation Agreement.11

Concerning the approach of the Member States to transposing the corresponding provisions, there are States where the national transposition legislation includes a list of measures falling outside the scope of the EIO Directive; other Member States used soft law instruments rather than binding legal obligations to be enforced before a court. This has led to long-term practical issues in interpreting certain measures and provisions. Review of key provisions of the EIO Directive also shows differences between Member States that create legal and administrative difficulties during the instrument’s implementation across the EU.12

An example is the competent authorities and central authorities appointed under the Directive.13 In most of the Member States, the competent issuing authorities are public prosecutor’s offices, investigative judges and courts. However, there is a Member State where only courts are competent to issue EIOs (namely, Cyprus). In another case, the Member State appointed its fiscal authority considering its rights and responsibilities as a public prosecutor’s office. A limited number of Member States designated competent investigating authorities in accordance with Article 2(c)(ii) of the EIO Directive (e.g., Greece, Finland, Poland); even fewer appointed their administrative authorities as issuing authorities in administrative offence proceedings (e.g., Austria, Germany). In such cases, the EIO Directive requires the EIO to be validated for conformity with the conditions under the Directive by a judge, court, investigating judge or a public prosecutor in the issuing State. Typically, the validating role is given to prosecutors, investigating judges or courts. However, there is one Member State that has not appointed a validating authority for EIOs issued by an administrative authority in administrative offence proceedings.14

11 Trade and cooperation agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part, OJ L 444, 31.12.2020, pp. 14–1462.
12 Guerra and Janssens (2019).
13 European Judicial Network in criminal matters (2021) Competent authorities, languages accepted, urgent matters and scope of the EIO Directive. Last review on 20 September 2021. https://www.ejn-crimjust.europa.eu/ejn/EJN_RegistryDoc/EN/3115/0/0. Accessed 18 Dec 2022.
14 European Commission (2021) Report from the Commission to the European Parliament and the Council on the implementation of Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters, COM


Most Member States duplicated the list of issuing authorities into a list of executing ones. A few added to that list law enforcement or administrative authorities recognising and executing EIOs in a number of specific cases (e.g., Belgium, Cyprus, Finland, Latvia, Slovenia). Many Member States, in pursuance of Article 7(1) of the EIO Directive, appointed a central authority; however, different powers apply. While some central authorities only assist with administering the transmission and receipt of EIOs (e.g., Finland, Lithuania), others are responsible for dealing with all incoming EIOs (e.g., Latvia). There are also central authorities entrusted with additional powers such as preliminary checks on the conformity of the documents received or refusing an EIO under certain conditions. These differences lead to significant problems with identifying the competent authorities across Member States that can receive a specific request for judicial cooperation. While this issue has been addressed with the development of an interactive catalogue of competent authorities, compiled with data provided by the Member States,15 other specificities are not that straightforward.

While the scope of the EIO Directive is quite broad, there is a variety of measures within a criminal proceeding that are not related to evidence gathering and fall outside the framework established by the Directive. This puts practitioners in a situation where they use different instruments in parallel, which often complicates the EIO procedure. Another level of complexity is due to the way Member States transposed Article 3 of the EIO Directive. A few of them added further exceptions such as collection of criminal records data, legal assistance in serving procedural documents, etc. Also, certain measures are treated differently across jurisdictions. For example, in pursuance of Recital 9, the EIO Directive should not apply to cross-border surveillance as referred to in the Convention implementing the Schengen Agreement;16 however, Member States are divided in their position on defining these instruments as judicial or police cooperation, and only a few have explicitly excluded cross-border surveillance from the scope of application of the EIO within their national legislation. Chapter 8 explores the implementation of the EIO Directive, commenting on a variety of teething problems and providing analysis of selected EU Member States’ experiences.

Explicit clarifications on the scope of the EIO Directive are often requested by practitioners, particularly with regard to the term ‘corresponding provisions’, in light of the much needed but not yet delivered explicit list of provisions that should be replaced by the EIO Directive.17 A recent report by the European Union Agency

(2021) 409, p. 4. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52021DC0409. Accessed 18 Dec 2022.
15 See also Chap. 3 on the EU initiatives on the implementation of the EIO.
16 Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States, OJ L 190, 18.07.2002, pp. 1–20.
17 European Judicial Network (2017) Note of Eurojust and EJN on the meaning of “corresponding provisions” and the applicable legal regime in case of delayed transposition of the EIO Directive. https://www.ejn-crimjust.europa.eu/ejn/EJN_RegistryDoc/EN/3112/0/0. Accessed 13 Sep 2021.


for Criminal Justice Cooperation18 places these problems among the ten most relevant issues identified in the first years of implementation of the EIO Directive. Gaps related to the clarity of the EIO content, certain differences between national legal systems regarding types of proceedings and investigative measures, the correct and restrictive interpretation of the grounds for non-execution, the time limits and the misuse of ‘urgency’ references, the transmission of relevant information within the different phases of the EIO procedure and execution coordination, language issues, etc. have been repeatedly identified by both professionals and judicial cooperation authorities and are currently the subject of various EU initiatives towards aligning the practices between Member States. Chapter 3 provides an overview of the EU initiatives on the implementation of the EIO.

Reference

Guerra JE, Janssens C (2019) Legal and practical challenges in the application of the European investigation order. In: Summary of the Eurojust meeting of 19–20 September 2018. Eucrim 2019/1, pp. 46–52. https://doi.org/10.30709/eucrim-2019-003

Eurojust (2020) Report on Eurojust’s casework in the field of the European Investigation Order. ISBN: 978-92-9490-502-4. https://www.eurojust.europa.eu/publication/report-eurojust-caseworkeuropean-investigation-order. Accessed 13 Sep 2021.

18 Ibidem.

EU Initiatives on the Implementation of the EIO Alexandra Tsvetkova

Abstract The European Commission continuously assesses, takes appropriate measures to ensure conformity with, and supports the implementation of the EIO Directive across the EU, alongside the European Judicial Network, Eurojust and a number of research and academic organizations across the EU. The present Chapter focuses on the EU initiatives and tools for conformity and effective application of the EIO Directive.

1 Initiatives for Conformity and Effective Application

The European Commission (EC) continuously assesses, takes appropriate measures to ensure conformity with, and supports the implementation of the EIO Directive across the EU. In line with the enforcement strategy set out in the Communication from the Commission on better results through better application,1 the EC investigates as a priority, among others, cases where Member States have incorrectly transposed EU directives. In addition, Article 37 of the EIO Directive obliges the European Commission to report to the European Parliament and the Council of the European Union on the application of the Directive, including with regard to its impact on cooperation in criminal matters, the protection of individuals, and the execution of the provisions on the interception of telecommunications in light of technical developments. The EIO Implementation Report,2 originally due in May 2019, was

1 European Commission, Communication, EU law: Better results through better application, COM (2016) 8600, OJ C 18, 19.01.2017, pp. 10–20.
2 European Commission (2021), Report from the Commission to the European Parliament and the Council on the implementation of Directive 2014/41/EU of the European Parliament and

A. Tsvetkova () LIBRe Foundation, Sofia, Bulgaria e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 M. A. Biasiotti, F. Turchi (eds.), European Investigation Order, Law, Governance and Technology Series 55, https://doi.org/10.1007/978-3-031-31686-9_3


published in July 2021 and evaluates the state of play of the implementation of the EIO Directive’s main provisions and key elements by the Member States. The conclusions of the report are to serve as a basis for future legislative changes to support and/or complement the EIO Directive. Such future rules are already being discussed with respect to the introduction of swift procedures reflecting the specifics of electronic evidence and addressing the urgent and increased needs of practitioners.3

The Council of the European Union, in its Conclusions of June 2016 on improving criminal justice in cyberspace,4 called on the European Commission to consider and make recommendations on how to adapt, where appropriate, existing standardised forms and procedures to request the securing and obtaining of electronic evidence. In January 2020, guidelines on how Member States’ officials should fill in the standard forms were published, to facilitate the mechanism for the execution of cross-border investigative measures set out by the EIO Directive both in practice and during any relevant teaching activities, and to reduce the financial and administrative burden linked to the judicial cooperation procedure.5 These guidelines have been designed based on the work of an ad hoc expert group of representatives of Eurojust, the European Judicial Network in criminal matters and the European Judicial Cybercrime Network, set up by the European Commission. The guidelines do not have any impact on the substantive content of the EIO Directive, and they have no legislative effect; their use is on a strictly voluntary basis.

Further to that, the European Commission works closely with Member States to master the implementation of the EIO Directive by overcoming legal and administrative shortcomings6 and aligning their practices. These efforts include the organization of experts’ meetings to support Member States in the application of the EIO Directive in practice7 and promotion of the effective application of the EIO Directive

of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters, COM (2021) 409. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52021DC0409. Accessed 18 Dec 2022.
3 Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters, COM/2018/225 final—2018/0108 (COD). Available via EUR-Lex. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0225&from=EN. Accessed 18 Dec 2022. Proposal for a Directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings, COM/2018/226 final. Available via EUR-Lex. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2018:226:FIN. Accessed 18 Dec 2022.
4 Council of the European Union (2016), Conclusions of the Council of the European Union on improving criminal justice in cyberspace, ST 10097 2016. https://data.consilium.europa.eu/doc/document/ST-10007-2016-INIT/en/pdf. Accessed 18 Dec 2022.
5 Council of the European Union (2020), Guidelines and editable pdf version of the forms annexed to Directive 2014/41/EU of 3 April 2014 regarding the European Investigation Order in criminal matters, ST 5291 2020. https://data.consilium.europa.eu/doc/document/ST-5291-2020-INIT/en/pdf. Accessed 18 Dec 2022.
6 Guerra and Janssens (2019).
7 A total of three meetings have taken place in 2016 and 2017.


via raising awareness, training, and development of practical tools for practitioners, mainly through the financial support of the Justice Programme8 and the Connecting Europe Facility.9 In several consecutive rounds, the EC funds projects promoting judicial cooperation in criminal matters and contributing to the effective and coherent application of EU mutual recognition instruments in criminal matters, including via electronic means. Notable examples10 can be given with:

• ‘Improving reliability and security of Mutual Legal Assistance (MLA) transmission procedures to enhance efficiency of judicial cooperation in criminal matters’ Project, Grant Agreement 723196, that aimed to modernise existing MLA processes in the framework of existing European Union and Council of Europe legal instruments and to deliver a comprehensive feasibility assessment and draft regulations leading—in the long term—to the creation of a reliable and secure platform for the transmission of formal MLA exchanges in criminal matters;

• ‘Electronic Xchange of e-Evidences with e-CODEX’ Project (in short, EXEC), Grant Agreement 785818, which enabled the participating Member States to exchange EIO forms and related e-evidences fully electronically through existing national back-end solutions or the e-Evidence Digital Exchange System (eEDES), provided by the European Commission (see Chap. 7 for the eEDES details). Later, EXEC II, Grant Agreement 2019-EU-IA-0092, was funded as a follow-up project of both the EXEC and EVIDENCE2e-CODEX projects. It provided for a set of activities for participating Member States and organisations to set up and participate in eEDES, including e-CODEX, for the electronic exchange of messages, and to integrate the system with national solutions;

• ‘EVIDENCE2e-Codex Linking EVIDENCE into e-CODEX for EIO and MLA procedures in Europe’ Project, Grant Agreement 766468, pre-piloting the EVIDENCE proposal and achievements11 relying on the e-CODEX (e-Justice Communication via Online Data Exchange) Platform12 for the specific purposes of allowing the secure and trusted exchange of digital evidence among European Member States in the EIO and MLA context;

• ‘Judicial Cooperation in Criminal Matters and Electronic IT Data in the EU: Ensuring Efficient Cross-Border Cooperation and Mutual Trust (JUD-IT)’ Project, Grant Agreement 766467, focused on identifying (a) promising practices on the application of the EIO and the European Mutual Legal Assistance Treaties for the use of digital data in criminal investigations and procedures, and (b) ways forward to promote judicial cooperation in criminal matters based on mutual trust, EU rule of law and fundamental rights;

• ‘European Investigation Order—legal analysis and practical dilemmas of international cooperation—EIO-LAPD’ Project, Grant Agreement 831623, deepening the pool of knowledge on the EIO Directive and facilitating its legal and practical implementation, as well as improving practical coordination between the EIO Directive and pre-existing instruments of MLA; etc.

Furthermore, projects on EIO and EIO-related trainings are funded to support the implementation of the EIO Directive on both national and EU levels. Of particular interest is the ‘TRaining on European Investigation Order’ Project, Grant Agreement 882068, that aims to develop and pilot an all-round cross-border training on the EIO implementation to foster the use and successful exchange of EIO forms and evidence across the EU, tailoring the content to cross-border specifics (investigative measures, cooperation, procedures, safeguards, data protection compliance, etc.) and providing tutorials on the technical aspects of the EIO implementation and the use of eEDES. For a detailed description of training on EIO, see Chaps. 12 and 13.

8 Regulation (EU) No 1382/2013 of the European Parliament and of the Council of 17 December 2013 establishing a Justice Programme for the period 2014 to 2020. OJ L 354, 28.12.2013, pp. 73–83. Regulation (EU) 2021/693 of the European Parliament and of the Council of 28 April 2021 establishing the Justice Programme and repealing Regulation (EU) No 1382/2013, OJ L 156, 5.5.2021, pp. 21–38.
9 Regulation (EU) No 1316/2013 of the European Parliament and of the Council of 11 December 2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010. OJ L348, 20.12.2013, pp. 129–171. Regulation (EU) 2021/1153 of the European Parliament and of the Council of 7 July 2021 establishing the Connecting Europe Facility and repealing Regulations (EU) No 1316/2013 and (EU) No 283/2014, OJ L 249, 14.7.2021, pp. 38–81.
10 Information on all funded projects is available at the Funding & Tender Opportunities portal maintained by the European Commission. https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/home. Accessed 18 Dec 2022.
11 Biasiotti et al. (2018).

2 e-Evidence Digital Exchange System

Significant EC resources are invested in the development of the e-Evidence Digital Exchange System already mentioned above. The eEDES is to be used by Member States to securely exchange EIOs in digital format in compliance with the requirements set out in the EIO Directive.

12 e-CODEX has been developed (‘e-CODEX—e-Justice Communication via Online Data Exchange’ Project, Grant Agreement 270968, 2010-2016) and maintained (via Me-CODEX I Project, Grant Agreement 721334, 2016-2018, and Me-CODEX II Project, Grant Agreement JUST/CEF-TC-2018-CSP-ECODEX-01, 2019–2021) with EU financial support by a consortium of Member States. EC adopted on 2 December 2020 a Proposal for a Regulation on a computerised system for communication in cross-border civil and criminal proceedings (e-CODEX system) and amending Regulation (EU) 2018/1726, COM/2020/712 final, which aims to entrust the further development and maintenance of e-CODEX to the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) as of 2023. Further reference on the development background, overall implementation and use cases, and up-to-date status quo can be found at https://www.e-codex.eu/. Accessed 18 Dec 2022.


The purpose of the system, as originally foreseen by the EU Council Conclusions of June 2016 on improving criminal justice in cyberspace, was to serve as a secure EU-wide solution for communicating electronic requests and responses concerning e-evidence and the corresponding procedures, including optional use of automated translation of such requests, as well as for their tracking and tracing. The European Commission set up an expert working group with legal and technical representatives from each Member State and the General Secretariat of the Council of the European Union, with the task to discuss, review and agree on the future system’s requirements, use cases and technical specifications. The expert group established, among other aspects, that the initial scope of eEDES would be EIO/MLA exchanges between competent authorities.

eEDES adopts a decentralised architecture, meaning that all software components and databases are installed and run by each Member State; thus no exchanged data is stored or managed centrally. In particular, the system enables the end user to access a reference implementation portal, in the respective national language, or to develop a national implementation, effectively allowing EU judicial authorities to complete digital EIO and MLA forms, sign them with electronic signatures, send and receive them as a message, and attach documents to these messages when needed. The system relies on a central database of competent authorities, compiled with data provided by the Member States.13 However, it should be noted that the system is designed only for communication and exchange of measures and data among EU judicial authorities and does not support direct cross-border transmission of information between national authorities and respective service providers.

The national installations of the reference implementation portal are to be interconnected through a secure information channel. eEDES uses e-CODEX as the platform for secure transmission of data. The latter consists of a package of software components that enables the connectivity between national systems, allowing its users (competent judicial authorities, legal practitioners, and citizens) to electronically send and receive documents, legal forms, evidence, or other information in a swift, secure, and reliable manner. Further to that, eEDES reuses

13 Further information on the efforts in this direction is reflected, among others, in the ‘Criminal Court Database’ (CCDB) Project, Grant Agreement 101004748. Most Member States are to use the eEDES reference implementation backend system provided by the European Commission for the electronic exchange of EIOs and Mutual Legal Assistance forms in criminal proceedings. In order to enable users to identify the competent executing authorities in other Member States, the European Commission establishes a Criminal Court Database that works similarly to the already existing European Court Database for civil matters. The initial data for the Criminal Court Database is provided by the European Commission. However, keeping the Criminal Court Database up to date and adding data for electronic addressing, which cannot be provided by other data sources, requires additional and constant efforts by the Member States. The CCDB project aims to implement the automated provision of the required data by a total of nine Member States.


several IT building blocks developed and maintained by the EC: the EU User Interface, eDelivery,14 EU Login,15 eSignature,16 eTranslation,17 and ISA eDocuments.18

eEDES was officially launched in December 2019, with limited functionalities, during a one-day event under the umbrella of the expert working group, and has been further developed ever since, not only with respect to the EIO/MLA procedures but also with regard to other judicial instruments. The EC continuously supports the implementation of the system at national level and its subsequent operation, including with financial support through the Justice Programme and the Connecting Europe Facility. The EC also provides relevant technical documentation and support for both installing and deploying the system, delivers and/or supports ad hoc training on the administration and the use of eEDES, and maintains a multilingual demo website, accessible to all competent authorities upon request, that enables practitioners to use the IT systems for training and evaluation purposes. In its December 2020 Communication on the digitalisation of justice,19 the European Commission encouraged the Member States to connect to and use eEDES, considering its further expansion. For a detailed description of the secure infrastructure for cross-border cooperation, e-CODEX, see Chap. 6; on the functionality and features of eEDES with regard to dealing with EIOs and MLAs in a secure and digital manner, see Chap. 7.

Following some practical delays due to the COVID-19 pandemic, eEDES was successfully launched in production mode with full functionality in April 2022. The number of Member States joining the exchange of EIO and MLA forms via eEDES increased throughout the year, and eEDES is expected to cover all EU Member States in 2023.
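The issuing-side signing and executing-side verification step described above, shown as an added illustration that is not code from eEDES, e-CODEX or the eSignature building block: a reduced, constructed EIO form is serialised, signed by the issuing authority's node and checked by the executing authority's node before it is processed. It uses Ed25519 from Go's standard library only to make visible the integrity and authenticity guarantee such a signature gives the recipient in a decentralised exchange; the real building block produces legally valid electronic signatures by its own standards, and the form layout, function names and message shape here are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Form is a hypothetical, heavily reduced Annex A form (assumption: the real
// eEDES form carries far more fields and is not laid out like this).
type Form struct {
	Issuer  string            `json:"issuer"`
	Measure string            `json:"measure"`
	Fields  map[string]string `json:"fields"`
}

// SignedMessage is the constructed shape one national node sends to another.
// It is not the e-CODEX message format; it only pairs a payload with its signature.
type SignedMessage struct {
	Payload   []byte
	Signature []byte
}

// Sign is what the issuing authority's node does before transmission.
// encoding/json sorts map keys, so the serialisation is deterministic and
// the executing side verifies exactly the bytes that were signed.
func Sign(priv ed25519.PrivateKey, f Form) (SignedMessage, error) {
	payload, err := json.Marshal(f)
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is what the executing authority's node does on receipt. The public key
// must come from a trusted directory of competent authorities (the role the
// central database plays), never from the message itself; otherwise a sender
// could vouch for its own identity.
func Verify(pub ed25519.PublicKey, m SignedMessage) (Form, error) {
	if !ed25519.Verify(pub, m.Payload, m.Signature) {
		return Form{}, errors.New("signature invalid: form rejected before processing")
	}
	var f Form
	if err := json.Unmarshal(m.Payload, &f); err != nil {
		return Form{}, err
	}
	return f, nil
}

// Tamper simulates, for the demonstration only, a payload altered in transit
// while the original signature is left attached.
func Tamper(m SignedMessage) SignedMessage {
	return SignedMessage{
		Payload:   bytes.Replace(m.Payload, []byte(`"search"`), []byte(`"intercept"`), 1),
		Signature: m.Signature,
	}
}

func main() {
	// Key pair of a constructed issuing authority; in practice the executing
	// side would look the public key up in the directory, not receive it here.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	form := Form{
		Issuer:  "Public Prosecutor's Office, Member State A (constructed)",
		Measure: "search",
		Fields:  map[string]string{"case": "EXAMPLE-001 (constructed)"},
	}
	msg, _ := Sign(priv, form)

	if got, err := Verify(pub, msg); err == nil {
		fmt.Println("accepted measure:", got.Measure)
	}
	if _, err := Verify(pub, Tamper(msg)); err != nil {
		fmt.Println("tampered copy:", err)
	}
}
```

The check rejects both a payload altered in transit and a message signed with a key the directory does not vouch for, which is why the executing node must refuse to process a form before the signature has been verified against the directory entry for the claimed issuer.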

14 eDelivery is a content-agnostic building block, developed and maintained by the European Commission, that provides technical specifications and standards, installable software, and ancillary services to allow projects to create a network of nodes for secure digital data exchange.
15 EU Login is the European Commission’s user authentication service. It allows authorised users to access a wide range of Commission web services and websites, using a single email address and password. EU Login implements the single sign-on functionality.
16 eSignature is a set of free standards, tools and services that help public administrations and businesses accelerate the creation and verification of electronic signatures that are legally valid in all European Member States.
17 eTranslation is an automated translation tool available to translate text excerpts or complete documents.
18 The e-Documents building block provides solutions to handle electronic documents in a way that ensures cross-border interoperability and data security and integrity, in line with the European interoperability programs (ISA) requirements.
19 European Commission, Communication, Digitalisation of justice in the European Union—A toolbox of opportunities, COM (2020) 710 final. Available via EUR-Lex. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020DC0710&from=EN. Accessed 18 Dec 2022.

EU Initiatives on the Implementation of the EIO


3 Judicial Cooperation

The European Judicial Network in criminal matters (EJN) has been working on facilitating the practical application of the EIO Directive since well before its transposition deadline on 22 May 2017. EJN has created a knowledge hub containing the most relevant information and tools for the practical application of the EIO Directive and a compendium of practices, and provides regular support to practitioners through its national Contact Points. The latter are legal practitioners with a deep knowledge of their legal systems and experience in drafting requests for mutual legal assistance or other requests for legal assistance. Pursuant to Article 7(4) of the EIO Directive, the issuing authority is allowed to transmit EIOs via the telecommunications system of the European Judicial Network.20 To facilitate this, EJN delivered a key instrument with regard to the recognition and execution of an EIO: the Judicial Atlas,21 which allows the identification of the competent authorities across Member States that can receive a specific request for judicial cooperation and provides a fast and efficient channel for the direct transmission of requests according to the selected measure. eEDES refers to the Judicial Atlas database for localising the competent authority applicable to the case in question and is expected to integrate its features in one of the next releases of the system.
Furthermore, EJN works closely with the European Commission and the European Union Agency for Criminal Justice Cooperation (Eurojust) on delivering information and publishing documents to inform both practitioners and policymakers of the main difficulties encountered in the practical application of the EIO Directive, on the basis of both their Contact Points’ experience and casework and dedicated efforts to review and study the EIO implementation in the EU.22 Such efforts include assisting European and national training facilities with regard to the continuous training of judicial and legal professionals; conducting national and regional EJN meetings to disseminate information and raise awareness of the EIO; drafting guidelines and handbooks to provide guidance to practitioners on how to interpret and apply the EIO Directive and the national legislation implementing it; and studying recurrent issues regarding the practical application of the EIO.

20 Joint Action 98/428/JHA of 29 June 1998 adopted by the Council on the basis of Article K.3 of the Treaty on European Union, on the creation of a European Judicial Network, OJ L 191, 07.07.1998, p. 4, repealed by Council Decision 2008/976/JHA of 16 December 2008 on the European Judicial Network, OJ L 348, 24.12.2008, pp. 130–134.
21 Available at https://www.ejn-crimjust.europa.eu/ejn/AtlasChooseCountry/EN.
22 European Judicial Network (2017) EIO Conclusions—48 and 49th EJN Plenary meetings 2017 in Malta and Tallinn. https://www.ejn-crimjust.europa.eu/ejn/EJN_RegistryDoc/EN/3098/0/0. Accessed 18 Dec 2022. European Judicial Network (2018) EJN Conclusions 2018 on the European Investigation Order. https://www.ejn-crimjust.europa.eu/ejn/EJN_RegistryDoc/EN/3096/83/0. Accessed 18 Dec 2022. European Judicial Network (2019) EJN Conclusions 2019 on the European Investigation Order. https://www.ejn-crimjust.europa.eu/ejn/EJN_RegistryDoc/EN/3127/97/0. Accessed 18 Dec 2022.


A. Tsvetkova

Eurojust provides support and advice to national authorities across the full life cycle of the EIO, from the drafting to the execution phase. The Agency performs a bridge-making role in facilitating the communication between judicial authorities regarding potential issues and questions arising from the execution of EIOs, namely questions regarding the scope and suitability of the EIO, the non-recognition or refusal of the EIO by the executing State, the need for timely involvement and intervention in urgent cases, and the application of specific investigative measures. Further to its role in the practical facilitation of EIOs, Eurojust promotes knowledge-sharing and best practice about their use. Such measures include the organisation of expert meetings and workshops and the publication of reports on best practice and key findings.23 The most recent one is the November 2020 Report on Eurojust’s casework in the field of the European Investigation Order,24 which is based on the analysis of cases addressing the EIO registered at Eurojust between May 2017 and May 2019, and the respective input from the Eurojust National Desks. One important conclusion concerns the need to further clarify the scope of the EIO Directive, along with the scope and meaning of several crucial concepts such as the interception of telecommunications, the temporary transfer to the issuing state, the speciality rule or cross-border surveillance, etc. Other important aspects concern the correct and restrictive interpretation of the grounds for non-execution, the opportunities for speeding up the execution of EIOs, language issues, and so on. Eurojust initiated the publication of information on the application of the EIO as part of its annual report,25 assessing the new cases coordinated through Eurojust that include EIOs, both bilateral and multilateral. The analysis discusses a variety of aspects of the EIO as well as the different phases in the EIO life cycle.
Considering the large number of cases, the publication of such reviews is likely to continue. A better understanding of the current landscape of mutual legal assistance instruments and of the perspectives and challenges offered by the EIO Directive is also delivered by the European Judicial Training Network (EJTN). Established in 2000, it is the principal platform and promoter for training and exchange of knowledge of the European judiciary, representing the interest of judges, prosecutors, and judicial trainers across Europe. It regularly conducts trainings to raise awareness among practitioners of practical questions that may arise regarding the rights and obligations of the issuing and executing Member States under the EIO Directive. Such trainings typically facilitate the use of the EIO in practice when asking for some investigative measures in another Member State, with examples and exercises on the standard forms. The key role of EJN and Eurojust is also discussed. See also Chaps. 12 and 13 on EIO training across the EU.

23 Eurojust (2017), Joint Note of Eurojust and the European Judicial Network on the meaning of “corresponding provisions” and the applicable legal regime in case of delayed transposition of the EIO Directive. https://www.ejn-crimjust.europa.eu/ejn/EJN_RegistryDoc/EN/3112/0/0. Accessed 18 Dec 2022. Eurojust (2019), Joint Note of Eurojust and the European Judicial Network (EJN) on the practical application of the European Investigation Order. ISBN: 978-92-9490-300-6. https://www.eurojust.europa.eu/sites/default/files/Publications/Reports/2019-06-Joint_Note_EJEJN_practical_application_EIO.pdf. Accessed 18 Dec 2022.
24 Eurojust (2020), Report on Eurojust’s casework in the field of the European Investigation Order. ISBN: 978-92-9490-502-4. https://www.eurojust.europa.eu/sites/default/files/2020-11/2020-11_EIO-Casework-Report_CORR_.pdf. Accessed 18 Dec 2022.
25 Eurojust (2021), Eurojust Annual Report 2020. ISBN: 978-929490-536-9. https://www.eurojust.europa.eu/sites/default/files/Documents/pdf/2021_04_14_eurojust_annual_report_2020_final.pdf. Accessed 18 Dec 2022.


The Challenging Path Towards the Establishment of the EU Legal Framework Regulating Cross-Border Access to Digital Evidence

Teresa Magno

Abstract This article examines the most relevant steps of the legislative process towards the adoption of a legal framework of the European Union regulating cross-border access to electronic evidence. The point of departure is constituted by the origins and the main features of the Commission’s proposal for a regulation of the European Parliament and of the Council on European production and preservation orders for electronic evidence in criminal matters and the accompanying proposal for a directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings. The most relevant and controversial aspects of the General Approach of the Council on both draft instruments are outlined to provide an overview of the stance of the institution, and the European Parliament’s Position is analysed to better understand its divergent approach to and critical views on the proposed legislation. Considerations on the hurdles and challenges of the ongoing interinstitutional negotiations are presented to further highlight the complexity of the legislative process.

The opinions and views expressed belong to the Author and do not engage the Agency where she works. T. Magno () Eurojust, The Hague, The Netherlands e-mail: [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 M. A. Biasiotti, F. Turchi (eds.), European Investigation Order, Law, Governance and Technology Series 55, https://doi.org/10.1007/978-3-031-31686-9_4

1 The Origins of the Electronic Evidence Package

In April 2018 the European Commission issued the “Proposal for a Regulation of the European Parliament and of the Council on European production and Preservation orders for electronic evidence in criminal matters” and the accompanying “Proposal for a Directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings”, which together formed the so-called electronic evidence package.1 The background of this proposal lies in the fight against terrorism. Namely, the bomb attacks of 22 March 2016 in Brussels highlighted the security risk Europe was facing. It became clear that electronic evidence was of paramount importance to effectively prevent, investigate and prosecute serious organised crime and terrorism-related offences, and consequently that it had to be obtained more quickly.2 The attacks came as a reminder of the need for an ambitious EU security policy able to live up to the scale of the threats. The delivery of the European agenda on security was already under way, but a redoubling of the efforts was called for to have it implemented without any further delay.3 Thus, on 9 June 2016, the Justice and Home Affairs Council adopted the “Conclusions on the improvement of criminal justice in cyberspace and on the European Judicial Network on Cybercrime”, which stressed the increased importance of the timely gathering of electronic evidence in criminal proceedings, especially with regard to the fight against terrorism. Along the same lines, the European Council further called for the adoption of EU legislation and on 20 November 2017 asked the Commission to make a legislative proposal on electronic evidence by early 2018.4

2 The Scope of the Electronic Evidence Proposal and Its Main Features

The proposed electronic evidence package consists of a regulation on European production and preservation orders for electronic evidence in criminal matters and a directive laying down harmonised rules on the appointment of legal representatives for gathering evidence in criminal proceedings. The European production order is conceived as a binding decision by an issuing authority of a member State compelling a service provider to produce electronic evidence, whereas the European preservation order is conceived as a binding decision by an issuing authority of a member State compelling a service provider to preserve electronic evidence in view of a subsequent request for production. These instruments may be issued and served in criminal proceedings to secure and gather electronic evidence stored or held by service providers in a different jurisdiction. Both orders have to be issued or validated by a judicial authority of a member State after an individual evaluation of proportionality and necessity in the given case. They may be used in any phase of the criminal proceedings, from the pre-trial stage until the judgement. The proposed legal framework is based on the principle of mutual recognition of judgements and judicial decisions5 and aims to create direct interaction with service providers to access electronic evidence. Namely, both instruments are conceived to be served on providers of electronic communication services, social networks, online marketplaces, other hosting service providers and providers of internet infrastructure such as IP address and domain name registries, or on their legal representatives where they exist. All service providers would have to comply with the same rules, regardless of the location of the data and of their headquarters, as long as they offer services on the European Union market.6 The proposed legal framework is to permit the preservation and the gathering of electronic evidence that consists only of stored data. Namely, real-time interception of telecommunications is not covered. Judicial orders to be addressed directly to service providers based in another member State refer only to four categories of data: subscriber data, access data, transactional data and content data.

1 See “Proposal for a Regulation of the European Parliament and of the Council on European production and Preservation orders for electronic evidence in criminal matters and the accompanying Proposal for a Directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings” COM(2018) 225 final and COM(2018) 226 final.
2 http://www.consilium.europa.eu/en/press/press-releases/2016/03/24-statement-on-terroristattacks-in-brussels-on-22-march.
3 See “Communication from the Commission to the European Parliament, the European Council and the council delivering on the European Agenda on Security to fight against terrorism and pave the way towards an effective and genuine Security Union” COM/2016/0230 final.
4 See “Council Conclusions on the Joint Communication to the European Parliament and the Council: Resilience, Deterrence and Defence: Building strong cybersecurity for the EU” JOIN/2017/0450 final.
It has to be remarked that while the order to produce subscriber and access data may be issued for any criminal offence, the order to produce transactional or content data may only be issued for criminal offences punishable in the issuing State by a custodial sentence of a maximum of at least 3 years, or for specific crimes which are referred to in the proposal and where there is a specific link to electronic tools, and for offences covered by the terrorism directive 2017/541/EU. According to the legislative proposal, the issuing and validation of a European production order for transactional and content data require, due to their more sensitive character, review by a judge, whereas a European production order for subscriber and access data may be issued and validated by competent prosecutors. These orders are to be transmitted through a European production order certificate or a European preservation order certificate. The templates for both certificates are to be found in Annexes I and II of the proposed regulation. The certificate will contain all the necessary information to be sent to the service providers in a standardised form and will allow an easy identification of the data. It will not contain the reasoning on the necessity and proportionality of the order nor any additional details of the investigation. These tools may only be issued if a similar measure is available in a comparable domestic situation in the issuing State and the sought evidence is relevant in the framework of the specific investigation or proceedings. The order must not be broader than needed and has to be proportionate for the purposes of the investigation. The ordinary issuing procedure foresees the direct transmission of the order from the issuing authority to the service providers and their legal representatives. The recipient would execute it and send the data back directly to the issuing authority or via its legal representatives. It has to be highlighted that the service provider is obliged to respond to the European production order certificate within ten days or, in case of emergency, six hours, which constitutes an extraordinary reduction of the deadlines foreseen until now for similar judicial cooperation instruments and mutual legal assistance procedures. Only in case of non-compliance by the service provider is the authority of the State where the addressee of the order is located involved in serving and executing it. Indeed, a specific procedure for enforcement is foreseen by the proposed regulation.7 Upon receipt of the order, the certificate and the form sent by the service provider to the issuing authority outlining the reasons why it is impossible to comply, the executing authority—if there are no grounds for non-enforcement—should recognise the order within five working days and compel the service provider to comply within a given deadline. Three different scenarios may then occur:
1. the service provider complies with the decision and provides the data to the enforcing authority, which will transmit it to the issuing authority within two working days;
2. the service provider objects to the execution; the executing authority evaluates the arguments of the objection and either enforces the order or asks the issuing authority for supplementary information;
3. the enforcing authority assesses that the order is not to be recognised nor enforced. Before rendering this decision, the enforcing authority has to consult with the issuing authority, which should reply within five working days.
Since the orders are binding instruments, the service provider has to cooperate and faces pecuniary sanctions in case of non-compliance. The applicable fine is to be provided for by the national law of the enforcing authority, and an effective judicial remedy has to be available against the decision imposing the sanction.

5 The relevant legal basis is Article 82(1) of the Treaty on the Functioning of the European Union. The mentioned provision provides that measures may be adopted in accordance with the ordinary legislative procedure to lay down rules and procedures for ensuring recognition throughout the Union of all forms of judgments and judicial decisions.
6 The judicial orders are binding for service providers offering their services in the European Union with the exception of those based in a single Member State and operating exclusively on the territory of that specific Member State. See Recital 16 of the proposed Regulation; Art. 1 of the proposed Directive.

7 See proposed Regulation Art. 14.


3 The Legislative Process in the Council: The General Approaches

In December 2018, the Council adopted its general approach on the regulation and in March 2019 its general approach on the directive. The Council aligned its position on the scope of the electronic evidence package with that of the European Commission. The negotiations in the Council took place on the basis of the two separate and complementary legal acts, that is to say the draft regulation and the draft directive. Member States supported the structure and purpose of the electronic evidence package and agreed upon having two different instruments with two different legal bases. Namely, the draft regulation was proposed with the legal basis of Article 82(1) TFEU, which allows establishing rules to facilitate judicial cooperation among member States, whereas the draft directive was proposed with the legal bases of Articles 53 and 62 TFEU, which allow adopting measures to harmonise rules on establishing and providing services in the Union. The Council agreed with the introduced obligation for all service providers offering services in the Union to appoint a legal representative, since this rule would contribute to ensuring a level playing field between payment service providers and remove obstacles to their freedom as established in Article 56 TFEU.8 It has to be remarked that the draft directive was discussed in the Council as a necessary complement to the draft regulation. The appointment of legal representatives was considered essential to ensure the applicability of the regulation to the service providers. Several factors were considered in this regard, such as the necessity to make sure that clear rules apply to all service providers offering goods or services in the Union, the need to avoid possible loopholes, and the concern that service providers offering goods or services in the Union may not have any establishment in the Union.
Hence, the directive was assessed as the most suitable instrument not only to harmonise the requirements to be imposed on service providers and their legal representatives, but also to establish a clear legal framework for access to evidence held by such providers. The directive would also ensure that all service providers providing services within the EU, irrespective of their establishment, could be contacted by the competent authorities of the member States and be served with production and preservation orders through their legal representatives. The Council agreed with the Commission’s proposal on:
(a) the creation of European production and preservation orders that can be issued to obtain or preserve electronic evidence regardless of the location of the data;
(b) the transmission exclusively of the related certificates by the issuing authority directly to the service provider or its legal representatives;
(c) the possibility to resort to these instruments for any category of data (subscriber, access, transactional and content), with a higher threshold foreseen for the latter two categories: orders for transactional and content data may be issued only in investigations and proceedings for crimes punishable in the issuing country by a maximum sentence of at least three years, or for specific serious crimes;9
(d) the exclusion of real-time interception of communications from the scope of the proposed legislation;
(e) the direct service of orders on providers in the executing state;
(f) the limitation of the intervention of the executing authority to the following cases: the sought data refer to persons not residing in the territory of the executing State;
(g) the withdrawal of immunities or privileges;
(h) the transfer of orders and certificates to the executing authority if the service provider does not comply and the reasons provided are not accepted by the issuing authority;
(i) the mandatory deadline of ten days for the execution of a production order and of 6 hours in validly established emergency cases;10
(j) the introduction of sanctions for service providers if they do not comply with an order.11
The Council also made changes to the Commission proposal. Due to their relevance, the following ones have to be underlined:
1. the introduction of the principle of speciality, according to which the requested data may not be used for purposes other than those for which they were obtained, except to prevent an immediate and serious threat to the public security of the issuing state or its essential interests, and for proceedings for which a production order could have been issued;
2. the creation of a notification system for orders for content data in cases where the issuing authority believes the person whose data are sought is not residing on its own territory. This notification aims at informing the enforcing state and giving it an opportunity to flag whether the data requested are protected by immunities and privileges; or subject to rules on the determination and limitation of criminal liability related to freedom of expression/press; or whether their disclosure may affect fundamental interests of the State. The issuing authority shall take these circumstances into account and consequently shall not issue, or shall adapt, the order. The notification does not have a suspensive effect.
Notwithstanding the different positions on several proposed rules, both the Commission and the Council appear to conceive the European production and preservation orders as new cooperation instruments that are based on a high level of mutual trust12 and cannot be considered as mutual recognition instruments per se. On the directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings, the Council agreed with the Commission on the criteria for defining the location of the legal representatives, that is to say they shall be in one of the member States in which the service provider is established or offers services. In addition, according to the Council’s general approach, legal representatives, who should have sufficient resources and powers to perform their tasks, may be used for gathering types of evidence other than electronic evidence, and namely for receiving other requests such as European investigation orders.13

8 See “Proposal for a Directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings—General approach” in E-evidence package: Council agrees its position on rules to appoint legal representatives for the gathering of evidence—Consilium (europa.eu).
9 See Arts. 5 (3) and 6 (2) of the Council’s General Approach: European Production Orders to produce subscriber data or access data may be issued for all criminal offences and for the execution of a custodial sentence or a detention order of at least 4 months.
10 The Council added the additional possibility, in case the order pertains to subscriber and access data, for it to be—under certain conditions—sent without prior validation from the competent judicial authority; in this case, ex-post validation will have to be sought as soon as possible and within 48 hours.
11 According to the Council’s position, the possibility to impose pecuniary sanctions of up to 2% of total worldwide annual turnover of the preceding financial year is to be considered.

4 The Legislative Process in the European Parliament: The Position

The e-evidence proposal was assigned to the Civil Liberties, Justice and Home Affairs Committee (hereinafter referred to as LIBE) within the European Parliament. In November 2019, the LIBE committee released the draft report on the proposed legislative package, which was supposed to be on the agenda for voting in March 2020 but, due to the COVID-19 pandemic, LIBE committee meetings were cancelled. Discussions resumed in late 2020 and the LIBE committee adopted on 7 December 2020 its report on the proposed regulation (by 35 votes in favour, 22 against and 7 abstentions) together with the decision to open interinstitutional negotiations (55 votes in favour, 7 against and 2 abstentions). The negotiation mandate was confirmed in plenary on 16 December 2020. More than eight hundred amendments to the electronic evidence proposal were introduced. Numerous significant changes on the scope and application of the electronic evidence package were made. In this paragraph, only the most relevant ones will be outlined. Firstly, it has to be remarked that the position adopted by the European Parliament merges the provisions on the appointment of legal representatives into the proposal for a regulation itself and totally rejects the proposed directive. The Parliament based the proposed change on the observation that “the proposed directive would bind all EU member States to introduce a legal representative, even those not participating in the legal instruments adopted within the scope of Title V, Chap. 4, of the Treaty on the Functioning of the European Union”. Consequently, only member States participating in the proposed regulation are to be bound by the obligation as regards the appointment of legal representatives. Hence, the Parliament introduced in the draft regulation a new Article 6a on the legal representatives. Their tasks are limited to the receipt of and compliance with European production and preservation orders, and no wider purposes as designed by the Commission proposal and agreed by the Council may be served. In addition, the requirement of appointing a legal representative is limited to situations where the service provider is not established in the Union or is established in a member State that is not bound by the regulation but offers services in the participating member States. In such cases, the legal representative has to be nominated in one of the participating member States where it offers its services. An additional change relates to the legal obligations of service providers already established in a participating member State: they do not have to appoint a specific legal representative because they are already liable for any breach of the applicable laws in this member State due to the location of their main establishment.

12 See Recital 11 of the proposed Regulation and of the Council’s general approach: The mechanism of the European Production Order and the European Preservation Order for electronic evidence in criminal matters can only work on the basis of a high level of mutual trust between the Member States, which is an essential precondition for the proper functioning of this instrument.
13 In order to facilitate access for LEAs and the judiciary, according to the Council’s position, a full list of legal representatives shall be made publicly available mainly, but not only, via the European Judicial Network on criminal matters.
The orders have to be addressed directly to the main establishment of the service provider where the data controller is located. While acknowledging the aims of the proposed regulation, the Parliament underlines that these rules have to complement the existing European Union legal framework and that the new proposed instruments are based on the principle of mutual trust. In this regard, the changes made to recital 11 of the draft regulation exemplify the approach of the Parliament to this legislation. The amended recital 11 of the draft regulation reads as follows: «The mechanism of the European production order and the European preservation order for electronic information in criminal proceedings works on the condition of mutual trust between the Member States and a presumption of compliance by other Member States with Union law, the rule of law and, in particular, with fundamental rights, which are essential elements of the area of freedom, security and justice within the Union».14 Additionally, a notification procedure for both orders was introduced. Namely, the issuing State has to notify each order to the executing State where the service provider is established or, for service providers not established in the member States bound by this regulation, where its legal representative has been appointed. In particular, the European production order and the European preservation order have to be sent to both the service provider and the executing authority. According to the Parliament, the need for such a provision rests on the consideration of the fundamental responsibilities of member States to guarantee fundamental rights on their territory and of the obligations of service providers towards the State where they are established. An additional relevant change concerns the introduction of a new article on specific and limited grounds in the presence of which the recognition or execution of an order has to be denied. It has to be remarked that these grounds are in line with those foreseen in Directive 2014/41/EU on the European investigation order. A further case of notification is foreseen if the affected person is neither a citizen nor a resident of the issuing or executing State. In this case, the member State of permanent residence of the person should also be notified simultaneously, where possible. Thus, the affected State could be in a position to bring its doubts on the lawfulness of the order to the attention of the executing State. The deadlines provided by the Commission and the Council for the procedure would not be impacted by the notification, according to the Parliament’s position. Namely, while the notification would not have a suspensive effect for orders for subscriber data and IP addresses, the executing authority would have up to ten days, or sixteen hours in emergency cases, to decide on orders for traffic data and content data. Furthermore, several changes were introduced to ensure protection of the rights of the affected persons. Specifically, these modifications concern the conditions for issuing European production and preservation orders and the rules on admissibility of evidence.

14 The changes to the Commission’s draft made by the Parliament are in bold.
Namely, an additional significant difference between the Commission’s proposal and the general approach of the Council on one side and the position of the European Parliament on the other concerns the definition of the categories of data. The European Parliament upheld the traditional three categories of data, that is to say subscriber data, traffic data and content data, whereas, as outlined in the previous paragraphs, the general approach of the Council and the proposal of the Commission relied on the four categories of data constituted by subscriber data, access data, transactional data and content data. Notwithstanding the different terminology used, it appears that the concept of “traffic data” as elucidated by the European Parliament may encompass the category of “access data” contained in the draft proposal of the Commission15 and the Council’s general approach. The Parliament also introduced a distinction between the execution of a European production order issued for subscriber data and IP addresses for the sole purpose of identifying a person on one hand, and for traffic or content data on the other hand. In the first case, the order may be issued for all criminal offences, whereas a European production order for obtaining traffic or content data may only be issued for criminal offences punishable in the issuing State by a custodial sentence of a maximum of at least 3 years. Additional changes made by the Parliament concern the replacement of the wording ‘electronic data’ with ‘electronic information’. The reason for this modification is clearly spelled out in the explanatory statement of the draft report of the LIBE committee, where it is pointed out that the terminology chosen by the Commission—electronic evidence—could mistakenly lead one to consider that the data gathered is automatically admissible as evidence in criminal proceedings without any judicial evaluation and decision. Consequently, the more neutral definition of electronic information was preferred. Furthermore, the position of the Parliament contains a provision on the admissibility of electronic information in court proceedings. Namely, the proposed Art. 11c states that evidence obtained in breach of the regulation, including if the criteria foreseen in the regulation are not fulfilled or if it has been obtained before a ground for non-recognition has been invoked, is inadmissible in Court. It has to be highlighted that the Commission’s proposed legislation and the Council’s general approach do not provide for any comparable rule.

15 As explained by the Commission in its proposal, the main purpose of creating a separate category of “access data” is to ensure that data such as those “related to the commencement and termination of a user access session to a service” as well as “the IP address allocated by the internet access service provider to the user of a service” and other “data identifying the interface used and the user ID” are subjected to the same conditions and safeguards as subscriber data when used for the same objective, i.e. for the purposes of user identification.

5 The Way Forward: What Shall We Expect?

The negotiations between the European Parliament, the Council and the Commission on the electronic evidence package started in February 2021 under the Portuguese Presidency and are still ongoing at the time of writing. The electronic evidence legislative proposals are particularly contentious and the negotiations will certainly mirror the complexity of the issues involved and the divergent positions. As outlined above, the draft legislation of the Commission ensures law enforcement and judicial authorities timely access to electronic evidence by simplifying the procedures to be activated. However, the proposal of the Commission does not foresee any kind of judicial control over the order for obtaining electronic evidence in the executing State and does not provide for any reference to notification obligations, even in the case of orders for obtaining more sensitive data. The lack of adequate safeguards has drawn strong criticism not only from the European Parliament, but also from civil stakeholder organisations such as the European Digital Rights Association,16 who fear that the introduction of such legislation will put at serious risk the rule of law and the rights of journalists, lawyers, doctors and individuals in general.

16 See “E-evidence”: Mixed results in the European Parliament—European Digital Rights (EDRi).


On the other hand, the working group on electronic evidence established by the European Judicial Network17 assessed the latest amendments of the Parliament to the legislative package very negatively, since they would introduce unnecessarily burdensome procedures, hinder the prompt gathering of evidence and duplicate existing judicial cooperation instruments that have already proved not to be adequate for the needs at issue. The months to come will tell if and how the final agreement on the legal text/s will be able to reconcile security and justice and which balance will be achieved between the different interests and rights at stake.

17 See the European Judicial Network e-Evidence Working Group (WG) statement.

References
Biasiotti MA, Mifsud Bonnici JP, Cannataci J, Turchi F (eds) (2018) Handling and exchanging electronic evidence across Europe. Law, governance and technology series, vol. 39. Springer, Berlin. https://doi.org/10.1007/978-3-319-74872-6
Boister N (2018) Transnational criminal law. Oxford University Press, Oxford
Gialuz M, Della Torre J (2018) Lotta alla criminalità nel cyberspazio: la Commissione presenta due proposte per facilitare la circolazione delle prove elettroniche nei processi penali. Diritto penale contemporaneo 5:277–294
Mason S, Seng D (2017) Electronic evidence. Institute of Advanced Legal Studies, London
Statewatch, criminal justice: European judicial network expresses concerns over parliament’s “e-evidence” position. https://www.statewatch.org/news/2021/february/eu-criminaljustice-parliament-s-e-evidence-position-under-fire-from-judicial-practitioners

Evidence Exchange Under the EIO: Technological Challenges

Fabrizio Turchi

Abstract

The European Investigation Order instrument offers a legal basis for exchanging evidence, in a digital manner, between competent authorities in different Member States of the European Union. The European directive explicitly sets out that the evidence obtained by the executing authority shall be transferred to the issuing authority without undue delay. The article illustrates how this goal can be accomplished using standards for the representation and the exchange of the Evidence in a cross-border scenario, with a secure platform available to guarantee the confidentiality and the integrity of its content during the transfer.

1 Overview of the Evidence Exchange Scenario

The 2014/41/EU Directive, regarding the European Investigation Order in criminal matters, sets out in Article 13 (Transfer of evidence) that: “The executing authority shall, without undue delay, transfer the evidence obtained or already in the possession of the competent authorities of the executing State as a result of the execution of the EIO to the issuing State” and “Where requested in the EIO and if possible under the law of the executing State, the evidence shall be immediately transferred to the competent authorities of the issuing State assisting in the execution of the EIO in accordance with Article 9(4)”. It is almost needless to say that the Directive doesn’t provide any indication on how this operation can be accomplished, so in this Chapter a proposal for allowing the exchange of digital evidence across borders, electronically and in a secure way, will be provided in the context of Cross-Border Digital Criminal Justice. The proposal aims at creating a legally valid instrument to exchange digital evidence related to MLA and EIO procedures over a secure infrastructure and a communication tool for managing their business logic.

F. Turchi, IGSG/CNR, Florence, Italy, e-mail: [email protected]
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023
M. A. Biasiotti, F. Turchi (eds.), European Investigation Order, Law, Governance and Technology Series 55, https://doi.org/10.1007/978-3-031-31686-9_5

Nowadays, in cross-border criminal cases, cooperation is mostly human-based from the Evidence Exchange point of view. This is one of the results obtained from the answers provided to a questionnaire drafted within the activities of the EXEC project.1 The questionnaire was structured into 5 sections: a general section relating to the status quo of the implementation of the EIO directive into national legislation (Section A); a Legal section including specific questions on the practical handling of EIO requests and their management by national authorities (Section B); a Technical/Operational section including questions on the technical management of requests and linked operations and actions by national authorities (Section C); an Administrative section (Section D); and finally a section on Data protection issues when dealing with EIO and the exchange of electronic evidence. The answers in Section C of the questionnaire highlighted that the evidence exchange among judicial authorities is chiefly human-based. In most cases the forensic copy of the original source of evidence, or the original source of evidence seized, is exchanged: a judicial/police authority from an EU Member State A (Issuing State) requests an EU Member State B (Executing State) to generate a forensic copy, based on mutual trust between the two competent authorities. Later, the exchange of the forensic copy is carried out by human means: the authority from country A instructs someone to collect the copy, or the copy is delivered by a secure courier to the requesting authority. Only a low percentage (26%) of countries declared that they rely on some cloud services.
The scenarios described above raise the following problems:
• exchanging evidence may be slow and expensive, e.g., personnel travelling between countries to transport the items being exchanged;
• judicial and police authorities must invest substantial resources to keep pace with the development of forensic technology;
• trusted procedures for the evidence exchange are of utmost importance.
On the basis of the above considerations, it is fundamental to find a way to digitally exchange the collected evidence, guaranteeing appropriate levels of security for both the confidentiality and the integrity of the data being exchanged.2 This goal can be achieved by composing a puzzle made of at least three different pieces. The first piece is to have at disposal a Secure Communication Channel for this exchange. In the current scenario this essential service is provided by e-CODEX.3 e-CODEX is a decentralized network that allows secure communication and information exchange between Member States in the field of justice. In a nutshell, e-CODEX is a content-agnostic e-delivery infrastructure that supports cross-border e-Justice services.4 Without replacing the existing back-end systems in the Member States, e-CODEX interlinks national and European IT systems in the e-Justice domain; therefore each e-CODEX participant has to set up its own access point to participate in the communication. Currently e-CODEX offers a variety of services, also known as Use Cases, among which are the following:
• EPO—European Payment Order
• ESC—European Small Claims
• MLA/EIO—Mutual Legal Assistance in Criminal Matters/European Investigation Order
e-CODEX consists of two main elements, the Gateway and the Connector. The basic functionality of the Gateway is e-Delivery, that is, the exchange of messages between partners; it is completely agnostic of the content of the messages. The main functionality of the Connector is handling communication with the national implementations. Figure 1 shows the technical infrastructure of e-CODEX.

Fig. 1 e-CODEX technical infrastructure

In such a scenario, one of the fundamental concepts is interoperability, considering the different information systems already in place in the different Member States. To this end, e-CODEX respects a fundamental principle to make cross-border communication possible: interoperability is achieved through common requirements, leaving the participants the maximum level of autonomy in supporting those requirements. The next piece of the mentioned puzzle is to have a Communication Tool for the management of the EIO/MLA procedures in all their facets: message exchange, file attachments, procedures, digital forms, business logic, statistics, logs, etc. This tool has been developed and led by the European Commission, which organised an expert working group (EG) with one legal and one technical representative from each Member State, and the General Secretariat of the Council. The EG’s task was to discuss, review and agree on the identified requirements, use cases and specifications of the IT system to be built. It was established that the scope of the first version of the system would be EIO/MLA exchanges between competent authorities. Many different meetings took place between March 2017 and February 2018 to analyse and come to an agreement on the architecture of the system, legal aspects, security aspects, process model, workflows, messages and transmission of large files. The tool, called e-Evidence Digital Exchange System (eEDES), was released in version 1.2.x in 2020 and has been added to the framework where the digital evidence exchange may occur. Figure 2 illustrates the new scenario and highlights that:
• e-CODEX remains the backbone on which all the national applications, eEDES included, rely;
• the main stakeholders of the whole system, under the EIO/MLA legal instruments, are the Competent Authorities in the Member States involved in the cross-border cooperation, more specifically the issuing Authority, which plays the role of the investigative authority, and the executing Authority, which is in charge of gathering the requested evidence and transferring it to the issuing Authority.

Fig. 2 Cross-border scenario where the e-EDES system operates

Nevertheless, when it comes to digital evidence, other actors are at stake: the trusted forensic laboratories (appointed by the national Competent Authority) or the Police Departments (Law Enforcement Agencies). These new actors must be part of the last piece of the puzzle related to the Evidence Exchange scenario, because dealing with digital evidence requires specific expertise. This expertise has to include specific competencies in digital forensics, a branch of forensic science that includes the identification, the acquisition, the extraction and the analysis of data stored on digital devices. In any kind of investigation many different types of digital evidence are met, so specific training for handling them is needed.

1 EXEC project (Electronic eXchange of e-Evidences with e-CODEX, Grant agreement n. 785818): Biasiotti MA, Conti S, Turchi F, Deliverable D2.1: Feasibility Report, Section C—Technical Operational Section.
2 Bille et al. (2020).
3 https://www.e-codex.eu. See also Carboni and Velicogna (2011), Francesconi (2012), Pangalos et al. (2014), Velicogna (2014), Velicogna et al. (2020), and Velicogna (2022).
4 Casey et al. (2017).

1.1 Evidence Exchange: Real Scenario

Now, considering the scenario presented before, it would seem possible to accomplish the digital exchange using the tool eEDES and attaching the evidence file to any message. Nevertheless, for a variety of reasons that will be illustrated later, it is fundamental to prepare the Evidence in a specific manner, as a package (Evidence Package) that contains the Evidence data and metadata represented in a standard manner, in particular using the ontologies (standard language) Unified Cyber Ontology (UCO) and Cyber-investigation Analysis Standard Expression (CASE).5 Figure 4 depicts the scenario where the Evidence Exchange may take place, under the EIO/MLA legal instruments, relying on the eEDES communication tool and the e-CODEX secure communication channel. This is the last piece of the puzzle related to the Evidence Exchange scenario. Before outlining the scene where a real Evidence Exchange may take place, it is fundamental to explain when and how the Exchange process comes into play in the context of judicial cooperation and why it plays an important role in the whole process. To this end some fundamental questions are to be answered.

1.2 Evidence Exchange: Questions

When it comes to Evidence Exchange, some important questions come to mind:
• Why do we need to exchange evidence by electronic means?
• When may the evidence exchange happen?
• How can the evidence exchange be dealt with?
The answer to the first question is simple and may be composed in the following way:
1. to expedite judicial cooperation inside and outside Europe;
2. to better fight crime.
To answer the second question, it is necessary to think about when an Executing State has to deal with an EIO and will have to exchange digital evidence with the Issuing State, for instance after a forensic acquisition from the smartphone of a suspect.

5 https://caseontology.org.


Fig. 3 Evidence gathering by the executing state

In Fig. 3 an easy real example of Evidence gathering within the EIO/MLA procedure is shown. The components of the timeline in Fig. 2 are the following:
• STEP 1—The Competent Authority (CA) in Member State A (issuing State) issues an EIO to Member State B (executing State) requesting “provisional measures to prevent destruction, transformation, moving, transfer or disposal of items that may be used as evidence” (Annex A, section C, last checkbox). The request consists of a search and seizure of the suspect’s devices and in particular of his mobile phone.
• STEP 2—The CA of the executing State assigns the forensic tasks to the Police. The CA, in accordance with national law, authorises the search and seizure activity on the suspect with the related warrant.
• STEP 3—The Police seizes the device. Let’s assume we deal with a single device, for the sake of simplicity. The Police shall draw up a report of the seized device (manufacturer, model, status, etc.).
• STEP 4—The Police transfers the seized device to a national Forensic Laboratory (FL), assuming that the police doesn’t have the expertise to deal with mobile devices. The FL receives the device from the LEA (first transfer) and shall draw up a report.
• STEP 5—The FL carries out the Forensic Processing (Acquisition and Extraction) of the device. The FL prepares a disk or USB pen drive with: the output of the processing in the proprietary format of the forensic tool used to process the mobile phone; a software, provided along with the tool, to allow the reading of the output in proprietary format; and a report in PDF format.
• STEP 6—The CA receives by hand the evidence collected by the FL. Afterwards the CA of the executing State must send the result to the CA of the issuing State in a way that guarantees the confidentiality of the content, its integrity and also the authenticity of the Sender (CA of the executing State).
So, the last question is: how can the CA of the executing State accomplish that goal? The answer lies in the platforms/systems illustrated above:
• preparing the Evidence Package (E-Package) containing all data and metadata related to an item of evidence. It aims at representing the data in a suitable/standard representation, popular in the digital forensic community: the UCO/CASE ontologies, already adopted or under study by many relevant organisations within the digital forensic domain such as Europol, the U.S. Department of Defense Cyber Crime Center (DC3) and the NFI;
• using a bespoke application, the Evidence Exchange Standard Package (EESP) application, able to manage, import/export and prepare the E-Package. The application must support the UCO/CASE standard; it should have a modular design and be developed keeping in mind the possibility of being customised and integrated with the different national information systems in place;
• relying on the eEDES system, which provides the business logic to manage an EIO/MLA including the attachment of the Evidence Package;
• leveraging the e-CODEX platform, which provides appropriate levels of security in terms of confidentiality, authenticity and integrity—all fundamental features for the admissibility of evidence before a Court.

1.3 Evidence Exchange: Real Scenario

Figure 4 shows a real scenario where the Evidence Exchange may take place, under the umbrella of the EIO/MLA legal instruments. The left part represents the Executing State or Recipient, from the EIO/MLA flow view; the right part depicts the Issuing State or Sender, also from the EIO/MLA view; and in the middle there is the e-CODEX platform where the real Evidence Exchange takes place. Fig. 5 represents the Evidence Package containing all the data and metadata related to the collected evidence that will be transferred or exchanged between the different involved stakeholders. It is important to bear in mind that in the scenario imagined in Fig. 4, the Evidence Exchange occurs only between the involved Competent Authorities, over e-CODEX, whilst, within the national borders, for instance from the Law Enforcement Agency (LEA) or from the trusted national Forensic Lab (FL) to the national Competent Authority, the package is transferred, manually in most cases, or digitally. The whole scenario has been broken down into five items. The starting and end points are the FLs/LEAs, supplied with the EESP application. When an FL is requested to, or needs to, send/transfer an item of Evidence to a CA, it has to adopt the proper measures to guarantee the confidentiality, the integrity and the authenticity of the Evidence Package (EP) transferred, and ultimately to prevent anyone from tampering with its content.


Fig. 4 Evidence exchange scenario—overview

It is important to point out that:
• between the trusted FL and the CA (national level) there is no exchange but a transfer of the Evidence Package (Evidence Package refers to the data and metadata of an item of Evidence represented in a standard way through the language CASE, which leverages the ontology UCO). In the majority of cases this is accomplished manually, delivering the forensic process outcome on an external disk by hand to the national CA;
• the EESP application has to be distributed/installed/used in all trusted Forensic Labs (FLs) that will carry out the E-Package transfer with their CA of reference. Moreover, the EESP application will be at the disposal of the CA for importing the E-Package within their environment, checking its integrity and, optionally, reading the content to verify that it contains what is expected. Once the E-Package has been imported, the CA, by using the EESP, could export the E-Package using the appropriate encryption layers to guarantee the confidentiality, the Sender’s authenticity and its integrity;
• the transfer of the E-Package between the CA and e-CODEX, attaching it to all the data related to an EIO (e-Forms, etc.), is in charge of the e-EDES system;
• the Evidence Exchange occurs over e-CODEX, through the Connector and Gateway national access point. It is important to highlight that the e-CODEX project plays the role of controller, not the role of processor or viewer of the Evidence Package.
Another view of the scenario is represented in Fig. 5, which highlights the main stakeholders involved in the projects, putting the Evidence Package in the center, and where it is pointed out that the E-Package is always shown as a sealed box to convey that the information contained is protected from unwanted/not allowed access.

Fig. 5 Evidence exchange within the EIO/MLA: stakeholders and actions

Looking at Fig. 5 and following the vertical layout, it is immediately clear that there are two different operational levels:
• the national level where the FLs/LEAs and CAs operate;
• the international level where only e-CODEX is involved.
e-CODEX is in charge of the real exchange of the evidence, thanks to the appropriate level of security provided. It plays the role of the controller of the EP, being a content-agnostic platform in the sense that the transport of data is independent from the format of the files being exchanged and from the business processes being supported. At national level there will be the CA/JA in country A (Executing state) and the CA/JA in country B (Issuing state) along with their trusted Forensic Labs that will be in charge of the preparation, encryption and transfer of the E-Package, by using the EESP application. Figures 4 and 5 are important for understanding the role of the EESP application, where it will be deployed and the actions carried out by the application within the whole scenario, with particular attention to the impact on the eEDES communication tool and the e-CODEX secure communication channel.
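The EESP workflow just described (prepare the E-Package at the FL, import it and check its integrity at the CA, export it with layers that guarantee confidentiality, sender authenticity and integrity) can be sketched in code. The following is an added example, not the EESP application's code: it packages constructed evidence files together with CASE/UCO-style metadata and a SHA-256 manifest, authenticates the manifest with an HMAC (an assumption standing in for the sender's signature), and shows the import-side check rejecting a package altered in transit; confidentiality (encryption) is left to the transport layer here.

```python
"""Build and verify an Evidence Package (E-Package): evidence files plus
CASE/UCO-style metadata, a manifest of SHA-256 digests for integrity, and an
HMAC over the manifest as a stand-in for the sender-authenticity layer.
Added example, not the EESP application's code: file names, the metadata
shape, the HMAC scheme and all sample data are assumptions/constructed."""
import hashlib
import hmac
import io
import json
import zipfile

MANIFEST = "manifest.json"
MANIFEST_SIG = "manifest.sig"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_package(files: dict, metadata: dict, sender_key: bytes) -> bytes:
    """Export step at the FL/CA: return the E-Package as zip bytes.

    files      : {"evidence/<name>": bytes} produced by the forensic processing
    metadata   : JSON-LD graph describing the evidence (CASE/UCO style)
    sender_key : key the sender uses to authenticate the manifest (assumption;
                 a real deployment would use the sender's signing certificate)
    """
    entries = dict(files)
    entries["metadata.jsonld"] = json.dumps(metadata, indent=1).encode()
    manifest = {"algorithm": "sha256",
                "entries": {name: sha256_hex(data) for name, data in sorted(entries.items())}}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(sender_key, manifest_bytes, hashlib.sha256).hexdigest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr(MANIFEST, manifest_bytes)
        zf.writestr(MANIFEST_SIG, tag)
    return buf.getvalue()


def verify_package(package: bytes, sender_key: bytes) -> list:
    """Import step at the receiving CA: return the list of problems found
    (an empty list means the package is intact and authenticated)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = set(zf.namelist())
        if MANIFEST not in names or MANIFEST_SIG not in names:
            return ["manifest or manifest signature missing"]
        manifest_bytes = zf.read(MANIFEST)
        expected = hmac.new(sender_key, manifest_bytes, hashlib.sha256).hexdigest()
        # Constant-time comparison; a failed tag means the manifest itself
        # (and so every digest listed in it) cannot be trusted.
        if not hmac.compare_digest(expected, zf.read(MANIFEST_SIG).decode()):
            problems.append("manifest authentication failed")
        listed = json.loads(manifest_bytes).get("entries", {})
        for name, digest in listed.items():
            if name not in names:
                problems.append(f"missing entry: {name}")
            elif sha256_hex(zf.read(name)) != digest:
                problems.append(f"digest mismatch: {name}")
        # Anything not covered by the manifest was added after sealing.
        for name in sorted(names - set(listed) - {MANIFEST, MANIFEST_SIG}):
            problems.append(f"unlisted entry: {name}")
    return problems


def replace_entry(package: bytes, name: str, data: bytes) -> bytes:
    """Rewrite the zip with one entry replaced (simulates tampering in transit)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            dst.writestr(info.filename, data if info.filename == name else src.read(info))
    return out.getvalue()


# Constructed sample: one extracted file and a minimal CASE/UCO-style description
# of it (illustrative shape only, not validated against the ontology).
SAMPLE_FILES = {"evidence/chat.db": b"SQLite format 3\x00 constructed sample content"}
SAMPLE_METADATA = {"@graph": [{"@id": "kb:file-1", "@type": "uco-observable:File",
                               "uco-core:name": "chat.db"}]}
SENDER_KEY = b"constructed-demo-key"

if __name__ == "__main__":
    pkg = build_package(SAMPLE_FILES, SAMPLE_METADATA, SENDER_KEY)
    print("intact package   :", verify_package(pkg, SENDER_KEY))
    bad = replace_entry(pkg, "evidence/chat.db", b"altered in transit")
    print("tampered package :", verify_package(bad, SENDER_KEY))
```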

2 Standard for the Evidence Exchange

When it comes to Electronic Evidence Exchange, it is fundamental to bear in mind what information should be exchanged. Moreover, at the moment, there is no standard concerning Electronic Evidence Exchange (in comparison with forensic acquisition, described in ISO/IEC 27037:2012, and forensic analysis, illustrated in ISO/IEC 27042:2015) and the scenario is rather diversified, so it might be possible to manage the exchange differently on the basis of the kind of evidence. There are some similarities between the CASE standard and ISO/IEC 27037:2012 (Information technology—Security techniques—Guidelines for identification, collection, acquisition and preservation of digital evidence). ISO standards developed for Information Security (27000 series) and Forensic Science (ISO/TC 272 Forensic sciences) provide high-level requirements and recommendations for specific practices/processes. Nevertheless, they do not provide a standard for representing and exchanging data. On the contrary, CASE can be used to implement and strengthen certain requirements illustrated in ISO standards to fulfil the objectives of efficiency and quality. CASE is designed to support automation, which increases the efficiency, consistency, comprehensiveness and traceability of processing digital evidence. CASE also opens new opportunities for analysis and exchange of digital evidence, enhancing LEA capabilities to investigate crime, including cross-border coordination. CASE is open source and free. Unlike ISO standards, which are not updated frequently, the CASE standard is actively developed by the community to keep pace with the evolving needs of digital-age forensics. Finally, CASE is uniquely suited to cyber-investigations, and there is no other standard for this purpose. In the next paragraph the formal language, UCO/CASE, is briefly outlined with regard to a standard representation of the evidence data and metadata and its exchange.
UCO/CASE provides a standard language, actually a set of ontologies, for representing information collected, extracted, analysed and exchanged during investigations involving digital evidence. The main aims of UCO/CASE are:
• to make interoperability between different tools and organisations possible;
• to automate normalisation and combination of differing data sources to facilitate analysis and exploration of investigative questions (who, when, where, what, etc.);
• to ensure all analysis results are traceable to their sources (known as Chain of Evidence).
The ontologies consist of:
• objects and their associated properties, including data sources (mobile devices, storage media, memory) and well-known digital objects such as files and folders, messages (email, chat), documents (PDF, Word), multimedia (pictures, video, audio) and logs (browser history, events);
• a set of data and metadata for describing all actions (i.e. tasks);
• actors (e.g. subjects, victims, authorities, examiners, etc.);
• tools (i.e. digital tools for carrying out different forensic processes);
• object relationships (e.g. Contains, Extracted From, etc.), in particular for expressing the Chain of Evidence, that is which file (archive, database, etc.) a specific digital trace (Observable, in the terms of the ontologies) has been extracted from.
The need for a standard to represent and exchange electronic evidence has been augmented by the rising relevance of digital evidence in a wide range of circumstances within investigative cases. The requirement for a standard language to represent a broad range of forensic information and processing results has become an increasing need within the forensics community.
Research activities conducted in this field have been used to develop and propose many languages, but, at the moment, UCO/CASE represents the most suitable standard for representing data and metadata related to an evidence exchange, for a variety of reasons:
• it has been developed in the cyber security environment but it also includes many essential elements for representing digital forensics information;
• it allows technical, procedural and judicial information to be described as well;
• it has been developed with extensibility in mind, so it is adaptable to the fast-paced development of technology and it allows the introduction of new elements to include forensic information not yet envisaged;
• it leverages the UCO ontology, which permits the description of Actions, Actors and their relationships;
• it is open source;
• it already contains a composite structure for representing a wide range of forensic information.
It is worth mentioning that existing standards for exchanging general criminal justice information, including the National Information Exchange Model (NIEM), have not kept pace with the evolution of electronic evidence.6 One of the most common issues in dealing with the outcome of a forensic acquisition or analysis concerns the possibility of verifying findings extracted/generated by forensic tools. This need is becoming even clearer considering the ever-increasing speed of innovation involving digital devices and the consequences for forensic tools (i.e. operating system, data storage strategies, etc.). The lack of a standardised format for representing the output of forensic tools makes it difficult to compare results produced by different tools with similar features/functionalities. The use of a common standard language would offer many advantages:
• it would allow comparing results produced by different versions of the same forensic tool, in order to evaluate the progress in terms of information extraction and interpretation;
• it would speed up the automatic search activity, avoiding re-analysing information already processed by the previous version of the tool;
• it would foster the data and information exchange between different organisations and different actors involved in the investigation.
Finally, it should be highlighted that there are already existing platforms for information exchange such as the Secure Information Exchange Network Application (SIENA) by EUROPOL, and HANSKEN by the Netherlands Forensic Institute,7 but either they don’t use a detailed structure related to digital forensics information for exchanging data or they don’t use a widespread standard accepted within the forensic community, so it has been decided to endorse the UCO/CASE standard language, which has become popular among many important stakeholders such as Europol, the U.S. Department of Defense Cyber Crime Center (DC3), NFI, Cellebrite, Magnet Forensics and others.

6 https://www.niem.gov.

3 Standard Language: CASE/UCO Ontologies

An investigation generally involves many different tools and data sources; pulling together information from these various sources and tools is therefore time consuming and error prone. Tools that support UCO/CASE can extract and ingest data, along with their context, in a normalized format that can be automatically combined into a unified collection to strengthen correlation and analysis.8 Moreover, cyber-investigation information, to be effective, needs to be represented and shared in a form that is usable in any context (i.e. digital forensic science, incident response, situational awareness, etc.) and is flexible enough to accommodate evolving requirements. The main aim of UCO/CASE is interoperability: to enable the exchange of cyber-investigation information between tools, organizations and countries.

7 On the SIENA system, documentation is rather scarce; some basic information can be found at www.europol.europa.eu/operations-services-and-innovation/services-support/information-exchange/secure-information-exchange-network-application-siena; on HANSKEN see the articles van Beek et al. (2015, 2020).
8 Casey et al. (2017).

Evidence Exchange Under the EIO: Technological Challenges

47

The power of such a standard is that it supports automated normalisation, combination, correlation and validation of information, which means less time extracting and combining data and more time analysing information. In the context of cyber-investigations, traces are the fundamental objects of study. A trace is a vestige left by a past event or activity, criminal or not. To represent cyber-investigations, it is necessary to capture details about specific traces and their context, such as manufacturers and serial numbers of storage media, network connection details, and names of files stored on a removable USB device with the associated date-time stamps and cryptographic hash values. To represent this variety of information, as well as other non-trace cyber-investigation information (identities, locations, tools, etc.), UCO/CASE defines “Objects” and potentially associated “Property Bundles” containing details about the object. CASE leverages the base UcoObject type, derived Object sub-types, and the Property Bundles defined by UCO. Objects encompass any concept pertaining to cyber-investigations, including traces such as a mobile device, a file extracted from a device, an email address extracted from a file, a location extracted from EXIF metadata, or non-trace concepts such as a forensic action taken by an examiner.
Ultimately, the benefits of using such a formalism/standard language are:
• to foster interoperability between different tools, organisations and countries;
• to strengthen the admissibility of the evidence by representing its provenance, or chain of evidence, that is the set of tools and transformations that led from the acquired raw data to the resulting product, highlighting the traceability of the potential digital evidence;
• to address and solve the lack of standards for the representation of forensic tool results;
• to provide trustworthy information: in a legal context, the evidence authentication process uses information about provenance, including evidence collection documentation, continuity-of-possession forms (chain of custody), audit logs from forensic acquisition tools, and integrity records, all of which help establish the trustworthiness of digital evidence.

CASE implements UCO to represent, as core entities, certain types of information that traverse the cyber domain. They consist of a set of data and metadata (Evidence Metadata or E-Metadata) for describing (see Fig. 6) the following items:
• people involved in the evidence life-cycle, from search and seizure to the report before the Court, both technical and legal (subjects, victims, authorities, examiners, etc.);
• surrounding information about legal authorisation (i.e. search warrant);
• information about the process/life-cycle (i.e. seizing, acquisition, analysis, etc.);
• information about the chain of custody, identifying who did what, when and where from the moment the evidence has been gathered;
• actions performed by people (seizing, acquisition, analysis, etc.);
• sources of evidence, that is physical objects involved in the investigative case (e.g. hard disk, smartphone) but also digital sources of evidence (i.e. memory dump);
• description of the Objects inside the digital evidence and their Relationships (e.g. Contains, Extracted From, etc.).

Fig. 6 Evidence metadata represented in CASE

CASE is being developed along with the Unified Cyber Ontology (UCO), which provides a format for representing all cyber artefacts. CASE, as a specific profile of UCO, provides support for cyber-investigations in any context, including criminal, corporate and intelligence. CASE and relevant portions of UCO build on the Hansken data model developed and implemented by the Netherlands Forensic Institute (NFI). CASE supports any serialisation (JSON-LD by default) and can be utilised in any context, including criminal, corporate and intelligence. JSON-LD is 100% valid JSON with some specific JSON structures defined, which allow full structural and semantic validation of each object, array and field in the JSON content against the relevant ontological specification for that element. Each Object is assigned an identifier (@id), which cannot be changed and can be used to refer to the Object; a property of one Object may point to another Object, representing a relationship to that other Object. In the proposed approach, such references are represented using an embedded property that specifies the @id of the other Object. Figures 7 and 8 show an SMS message, represented in CASE and serialised in JSON-LD format, with a reference to the Phone Account objects that contain the phone numbers involved in the communication.

Fig. 7 SMS in CASE with a reference to Phone Account objects that contain phone numbers
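The JSON-LD conventions just described (an immutable @id per Object, relationships expressed as embedded @id references, and Extracted From relationships forming the Chain of Evidence discussed in Sects. 2 and 3) can be checked mechanically before a package leaves the executing State. The following is an added Python example, not code from the chapter or from the CASE project: the sample graph is constructed, and the kb: prefix and the UCO class and property names used in it (SMSMessage, MessageFacet, PhoneAccountFacet, ObservableRelationship, kindOfRelationship) are assumptions modelled on UCO's vocabulary rather than a verbatim tool export.

```python
"""Structural checks over a CASE/UCO-style JSON-LD graph: every embedded
@id reference must resolve, and Extracted_From relationships must lead a
trace back to its physical source (the Chain of Evidence)."""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample modelled on the chapter's SMS / Phone Account figures.
# The "kb:" prefix and the UCO class and property names are assumptions,
# not a verbatim export of a CASE-enabled tool.
SAMPLE_JSONLD = json.dumps({
    "@context": {
        "kb": "http://example.org/kb/",
        "uco-core": "https://ontology.unifiedcyberontology.org/uco/core/",
        "uco-observable": "https://ontology.unifiedcyberontology.org/uco/observable/",
    },
    "@graph": [
        # physical source: forensic image of the seized smartphone
        {"@id": "kb:image-1", "@type": "uco-observable:Image",
         "uco-core:description": "acquisition of seized smartphone (constructed)"},
        # the SMS database extracted from the image
        {"@id": "kb:sms-db", "@type": "uco-observable:File",
         "uco-core:hasFacet": [{"@type": "uco-observable:FileFacet",
                                "uco-observable:fileName": "mmssms.db"}]},
        {"@id": "kb:phone-account-1", "@type": "uco-observable:PhoneAccount",
         "uco-core:hasFacet": [{"@type": "uco-observable:PhoneAccountFacet",
                                "uco-observable:phoneNumber": "+39 055 0000000"}]},
        {"@id": "kb:phone-account-2", "@type": "uco-observable:PhoneAccount",
         "uco-core:hasFacet": [{"@type": "uco-observable:PhoneAccountFacet",
                                "uco-observable:phoneNumber": "+43 1 0000000"}]},
        # the SMS: 'from' and 'to' are embedded references, as in Figs. 7 and 8
        {"@id": "kb:sms-1", "@type": "uco-observable:SMSMessage",
         "uco-core:hasFacet": [{"@type": "uco-observable:MessageFacet",
                                "uco-observable:from": {"@id": "kb:phone-account-1"},
                                "uco-observable:to": [{"@id": "kb:phone-account-2"}],
                                "uco-observable:messageText": "see you at 9",
                                "uco-observable:sentTime": "2023-01-10T08:02:00Z"}]},
        # Chain of Evidence: which container each trace was extracted from
        {"@id": "kb:rel-1", "@type": "uco-observable:ObservableRelationship",
         "uco-core:source": {"@id": "kb:sms-1"}, "uco-core:target": {"@id": "kb:sms-db"},
         "uco-core:kindOfRelationship": "Extracted_From"},
        {"@id": "kb:rel-2", "@type": "uco-observable:ObservableRelationship",
         "uco-core:source": {"@id": "kb:sms-db"}, "uco-core:target": {"@id": "kb:image-1"},
         "uco-core:kindOfRelationship": "Extracted_From"},
    ],
})


def load_graph(text: str) -> Dict[str, Dict[str, Any]]:
    """Index the @graph by @id; a duplicate @id breaks the 'one immutable identifier' rule."""
    graph: Dict[str, Dict[str, Any]] = {}
    for node in json.loads(text)["@graph"]:
        if node["@id"] in graph:
            raise ValueError(f"duplicate @id {node['@id']}")
        graph[node["@id"]] = node
    return graph


def embedded_references(value: Any) -> List[str]:
    """Collect embedded references: objects that carry only an @id (no @type)."""
    if isinstance(value, dict):
        if set(value) == {"@id"}:
            return [value["@id"]]
        return [r for v in value.values() for r in embedded_references(v)]
    if isinstance(value, list):
        return [r for v in value for r in embedded_references(v)]
    return []


def dangling_references(graph: Dict[str, Dict[str, Any]]) -> List[Tuple[str, str]]:
    """(referrer, missing target) pairs: a Phone Account dropped from an export
    shows up here before the Evidence Package is sent."""
    return [(node_id, ref)
            for node_id, node in graph.items()
            for ref in embedded_references({k: v for k, v in node.items() if k != "@id"})
            if ref not in graph]


def chain_of_evidence(graph: Dict[str, Dict[str, Any]], trace_id: str) -> List[str]:
    """Follow Extracted_From relationships from a trace down to its physical source."""
    extracted_from = {
        node["uco-core:source"]["@id"]: node["uco-core:target"]["@id"]
        for node in graph.values()
        if node.get("@type") == "uco-observable:ObservableRelationship"
        and node.get("uco-core:kindOfRelationship") == "Extracted_From"}
    chain = [trace_id]
    while chain[-1] in extracted_from and extracted_from[chain[-1]] not in chain:
        chain.append(extracted_from[chain[-1]])   # cycle guard: stop on a repeat
    return chain


def without_object(text: str, obj_id: str) -> str:
    """Return the document with one object removed (to exercise the checks)."""
    doc = json.loads(text)
    doc["@graph"] = [n for n in doc["@graph"] if n["@id"] != obj_id]
    return json.dumps(doc)


if __name__ == "__main__":
    g = load_graph(SAMPLE_JSONLD)
    print("dangling:", dangling_references(g))
    print("chain:", " <- ".join(chain_of_evidence(g, "kb:sms-1")))
    print("after dropping an account:",
          dangling_references(load_graph(without_object(SAMPLE_JSONLD, "kb:phone-account-2"))))
```

The reference check is the structural half of what the text calls validation; semantic validation against the ontology (is this property allowed on this class?) needs the UCO/CASE ontology files and is not attempted here.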

4 Large Evidence File Exchange

Within the Evidence Exchange flow, one of the main issues to address is how to exchange the physical data of an Evidence when its size exceeds a specific threshold. This problem has been labelled the Large Evidence File Exchange issue. It is a problem common to all platforms that implement a secure and reliable exchange of data, whatever the data may be. The threshold depends on the context; at the moment, the physical limit imposed by the e-CODEX Secure Communication Channel on file size is about 2 GB. Therefore, when the Evidence Package size is less than 2 GB it will travel over e-CODEX to be delivered to the recipient (Issuing State); otherwise the Evidence Package will contain only metadata and the physical data will be asynchronously delivered to the recipient via a different channel.

Fig. 8 Phone Account in CASE whose reference is contained in the from property of the SMS object

Having said that, it should be highlighted that there are two basic scenarios in which the Evidence Exchange may take place:
• Scenario A: the Evidence Package contains metadata and physical data related to an evidence whose total size is less than 2 GB. This limit is at present the largest size of a message that the e-CODEX platform is able to manage. This scenario has been called Small Evidence File (less than 2 GB); the metadata of the Evidence Package includes a reference (path name) to the physical files.
• Scenario B: the Evidence Package contains only metadata, whilst the data size ranges between 2 GB and N GB, where the number N, greater than 2, depends on the limits of the information systems of the Member States involved in the Exchange. This scenario has been called Large Evidence File (greater than 2 GB); the physical file, duly encrypted, travels separately from the Evidence Package itself. The physical file may be saved (encrypted) on a national Cloud under the responsibility of the Member State (Executing State)/National Competent Authority, and the Evidence Package metadata will include a web reference to the physical file on the Executing State Cloud.

Fig. 9 Evidence exchange scenario for large file of evidence

Looking at Fig. 9, it is important to emphasise that:
• the National Cloud (NC) must be under the responsibility of the Competent Authority. The download/exchange process may also happen directly between the LEAs involved, but this will mostly depend on national legislation and on the relationships between the judicial/competent authorities and the LEAs in the MSs involved;
• it must be discussed with the MSs how to manage the security levels (symmetric/asymmetric keys) of the files stored in the NC, bearing in mind that each MS may have different systems/procedures. To encrypt the large file of Evidence, it is recommended to use the same symmetric key that has been used to encrypt the Evidence Package and that is exchanged over e-CODEX;
• the download process is an external process and should be managed by a download manager able to support pausing and resuming in case of network interruption during the transfer. This means that once the process has been started there is no need to control the final outcome.
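As an added example (not the chapter's or the EESP application's code), the following Python puts the two scenarios above into working form: the scenario choice by the e-CODEX message limit, the two kinds of data reference the package metadata carries (path name versus web reference), and a download manager that resumes after an interruption and then verifies the retrieved file against the hash carried in the metadata. The National Cloud stand-in, the URL, the metadata field names and the 10 KB payload are constructed; the large file is assumed to have been encrypted already with the package key, so the bytes here represent ciphertext.

```python
"""Scenario selection for an Evidence Package by the e-CODEX size limit, and a
model of the resumable download Scenario B relies on, ending with an integrity
check of the delivered file against the hash in the package metadata."""
import hashlib
from dataclasses import dataclass, field
from typing import Any, Dict, Optional

# Limit named in the chapter (about 2 GB per e-CODEX message); exact byte value assumed.
E_CODEX_MESSAGE_LIMIT = 2 * 1024 ** 3


def choose_scenario(payload_size: int) -> str:
    """'A': data travels inside the package over e-CODEX; 'B': metadata only,
    data fetched separately from the executing State's National Cloud."""
    return "A" if payload_size < E_CODEX_MESSAGE_LIMIT else "B"


def build_package_metadata(evidence_id: str, payload_size: int, sha256: str,
                           local_path: str, cloud_url: str) -> Dict[str, Any]:
    """Metadata the package carries in either scenario. Field names are assumed,
    not the EESP's own schema; the hash lets the recipient verify the payload."""
    meta: Dict[str, Any] = {"evidenceId": evidence_id, "size": payload_size,
                            "sha256": sha256, "scenario": choose_scenario(payload_size)}
    if meta["scenario"] == "A":
        meta["dataReference"] = {"kind": "path", "value": local_path}
    else:   # Scenario B: web reference to the encrypted file on the National Cloud
        meta["dataReference"] = {"kind": "url", "value": cloud_url,
                                 "encryptedWithPackageKey": True}
    return meta


class NationalCloud:
    """Constructed stand-in for the executing State's storage, serving byte ranges
    the way an HTTP Range request would."""
    def __init__(self, objects: Dict[str, bytes]) -> None:
        self._objects = objects

    def size(self, url: str) -> int:
        return len(self._objects[url])

    def read_range(self, url: str, start: int, length: int) -> bytes:
        return self._objects[url][start:start + length]


@dataclass
class ResumableDownload:
    """Download manager that keeps its offset across interruptions."""
    cloud: NationalCloud
    url: str
    chunk_size: int = 4096
    received: bytearray = field(default_factory=bytearray)

    def run(self, interrupt_after_chunks: Optional[int] = None) -> bool:
        """Transfer from the current offset. Returns True on completion, False if
        the (simulated) network interruption struck; call again to resume."""
        total = self.cloud.size(self.url)
        chunks = 0
        while len(self.received) < total:
            if interrupt_after_chunks is not None and chunks >= interrupt_after_chunks:
                return False                      # offset is kept in self.received
            self.received += self.cloud.read_range(self.url, len(self.received), self.chunk_size)
            chunks += 1
        return True

    def verify(self, expected_sha256: str) -> bool:
        """Integrity check against the hash carried in the Evidence Package metadata."""
        return hashlib.sha256(bytes(self.received)).hexdigest() == expected_sha256


# Constructed payload standing in for the already-encrypted large evidence file.
SAMPLE_URL = "https://nc.executing-state.example/evidence/ev-001.bin.enc"
SAMPLE_PAYLOAD = bytes(range(256)) * 40            # 10240 bytes, three chunks
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()


def fetch_with_interruption(payload: bytes = SAMPLE_PAYLOAD,
                            expected: str = SAMPLE_SHA256) -> Dict[str, Any]:
    """Interrupt after the first chunk, resume, then verify. Returns what each step saw."""
    download = ResumableDownload(NationalCloud({SAMPLE_URL: payload}), SAMPLE_URL)
    first = download.run(interrupt_after_chunks=1)
    offset_after_interrupt = len(download.received)
    second = download.run()
    return {"first_attempt_complete": first, "resumed_from": offset_after_interrupt,
            "second_attempt_complete": second, "bytes": len(download.received),
            "integrity_ok": download.verify(expected)}


if __name__ == "__main__":
    print(build_package_metadata("ev-001", len(SAMPLE_PAYLOAD), SAMPLE_SHA256,
                                 "/evidence/ev-001.bin", SAMPLE_URL))
    print(fetch_with_interruption())
```

The final hash comparison is what ties the separately delivered file back to the Evidence Package that travelled over e-CODEX.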

5 Conclusions

The road to reaching a standard solution for the representation of Evidence and its Exchange is still long; a non-exhaustive list of issues to be addressed is the following:
• the adoption of the UCO/CASE ontologies to represent the data and metadata of an Evidence and to facilitate its exchange needs a heavy involvement of forensic tool producers, who have to adapt their software tools to export the processing output in the UCO/CASE standard;
• the preparation of the Evidence Package needs a robust and standard application (the EESP application that will be illustrated in Chap. 7) that supports UCO/CASE and can be easily integrated into existing systems;
• the E-Package must be tailored in order to guarantee appropriate levels of security, in addition to the ones provided by e-CODEX, including the capacity to specify the permitted conditions for sharing and to enforce exchange policies, relying on UCO/CASE, which provides for data markings to support proper handling of shared information;9
• the spread of trust in using the systems and the standard among all potentially involved stakeholders, which is crucial for the development of UCO/CASE and the other systems involved in the loop.

Last, but not least, it is of utmost importance to seek sensible solutions to address the Exchange of Large Files of Evidence in order to streamline cross-border cooperation in judicial matters.

9 Casey et al. (2017).

References

Bille W, Debsk T, Heimans D, Kamaràs E, Verheggen H (2020) Cross-border digital criminal justice. Final Report. https://www.legalbusinessworld.com/post/report-xbordercriminaljustice
Carboni N, Velicogna M (2011) Electronic data exchange within European justice: e-CODEX challenges, threats and opportunities. Int J Court Admin 4:104
Casey E, Barnum S, Griffith R, Snyder J, van Beek H, Nelson A (2017) Advancing coordinated cyber-investigations and tool interoperability using a community developed specification language. Digit Invest 22:14–45
Casey E, Biasiotti MA, Turchi F (2017) Using standardization and ontology to enhance data protection and intelligent analysis of electronic evidence. In: ICAIL 17 proceedings of the 16th edition of the international conference on artificial intelligence and law, p 10
Francesconi E (2012) Supporting transnational judicial procedures between European member states: the e-Codex project. In: Proceedings of JURIX, vol 2012, pp 41–50
Pangalos G, Salmatzidis I, Pagkalos I (2014) Using IT to provide easier access to cross-border legal procedures for citizens and legal professionals: implementation of a European payment order E-CODEX pilot. Int J Court Admin 6:43
van Beek HMA, van Eijk EJ, van Baar RB, Ugen M, Bodde JNC, Sieme AJ (2015) Digital forensics as a service: game on. Digit Invest 15:20–38
van Beek HMA, van den Bos J, Boztas A, van Eijk EJ, Schramp R, Ugen M (2020) Digital forensics as a service: stepping up the game. Digit Invest 35:13
Velicogna M (2014) Coming to terms with complexity overload in trans-border e-justice: the eCODEX platform. In: The circulation of agency in E-Justice. Springer, Dordrecht, pp 309–330
Velicogna M (2022) Cross-border dispute resolution in Europe: looking for a new “normal”. Oñati Soc Legal Ser 12(3):556–581
Velicogna M, Steigenga E, Taal S, Schmidt A (2020) Connecting EU jurisdictions: exploring how to open justice across member states through ICT. Soc Sci Comput Rev 38(3):274–294

e-CODEX: A Secure Infra-Structure for Cross-Border Cooperation

Thomas Gottwald, Martin Schneider, Robert Behr, and Mathias Maurer

Abstract

e-CODEX (e-Justice Communication via Online Data Exchange) is a way of communicating and collaborating across borders in the area of the judiciary in Europe. It provides technical components to be used for setting up national access points that connect to the e-CODEX network. The initial e-CODEX project was an ambitious and trend-setting project meant to enable citizens and business entities throughout Europe to communicate electronically with the courts of other Member States in a secure and easy way in cross-border cases. In addition, it was meant to enable electronic communication among the judicial authorities of the Member States. The project was funded by the EU and had a volume of around EUR 25 million. As the e-CODEX project ended in May 2016, the sustainability of e-CODEX (ongoing operation and maintenance beyond the project term) is of major importance and should be warranted by way of a European agency. Until e-CODEX is operated and maintained by an existing European agency, these duties are being fulfilled by the bridging Me-CODEX projects. The European order for payment procedure has already been successfully set up as a pilot project for e-CODEX in Austria, Germany, Estonia, France, Greece, Italy, the Netherlands, Poland, Portugal, Spain and the Czech Republic; the European small claims procedure, transmissions in the area of commercial or business registers, administrative penalties, the cross-border exchange of sensitive data regarding conventions on mutual judicial assistance, and the European arrest warrant are other pilot projects currently running. e-CODEX has therefore already proven to be ready to support electronic communication for the European Investigation Order procedure.

T. Gottwald
Informatics and ICT Department in the Austrian Federal Ministry of Justice, Vienna, Austria
e-mail: [email protected]

M. Schneider
Informatics and ICT Department in the Austrian Federal Ministry of Justice, Vienna, Austria
University of Vienna, Vienna, Austria
e-mail: [email protected]

R. Behr · M. Maurer
Austrian Federal Computing Center and Austrian Ministry of Justice, Vienna, Austria
e-mail: [email protected]; [email protected]

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023
M. A. Biasiotti, F. Turchi (eds.), European Investigation Order, Law, Governance and Technology Series 55, https://doi.org/10.1007/978-3-031-31686-9_6

53

54

T. Gottwald et al.

1 Introduction

High mobility and European integration lead to an increase in cross-border legal cases. These cases require cooperation between national judicial systems. The use of ICT can make these legal processes more transparent, efficient and economical. At the same time, it will make it easier for citizens, businesses and public authorities to access these judicial procedures. e-CODEX (e-Justice Communication via Online Data Exchange) is a “Large Scale Pilot Project” on the cross-border exchange of data in the judiciary. The aim is to improve access for citizens, practitioners and businesses to cross-border judicial proceedings, to enable electronic communication with courts of other Member States by secure and simple means in cross-border proceedings, and to improve cross-border interoperability between national judicial authorities. By creating interoperability between existing national IT applications, transnational cooperation between courts and authorities is also made faster and more efficient.1 The overall objective was to create productive cross-border pilot projects based on e-CODEX between participating Member States in the judicial domain. As the e-CODEX project expired at the end of May 2016, it was important to ensure the sustainability of e-CODEX (ongoing operation and maintenance beyond the project) and to continue to ensure the sustainability of e-CODEX as part of a European agency solution. The Me-CODEX and Me-CODEX II projects carried out the tasks until the operation and maintenance of e-CODEX would be handed over to a European agency as of 1st of July 2023.

2 Legal Bases

Numerous pilot projects based on e-CODEX are emerging for various legal instruments in the field of civil and criminal justice. These instruments are based, for example, on Regulation 1896/2006 creating a European order for payment procedure, Regulation 861/2007 establishing the small claims procedure, Council Framework Decision 2002/584/JHA on the European arrest warrant and the surrender procedures between Member States, Council Decision 2005/671/JHA on the exchange of information and cooperation concerning terrorist offences, or the Directive creating the European Investigation Order. The interconnection of company registers and commercial registers is based on the Directive of 14 June 2017 on certain aspects of company law (see below). In July 2017, the European Commission (EC) launched an impact assessment on the future of e-CODEX. Various scenarios for a sustainable solution for e-CODEX were examined. The (unpublished) Impact Assessment (IA) Report assessed the envisaged transfer of e-CODEX to the European Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) as the best option. On 18 December 2017, the Regulatory Scrutiny Board issued a “Positive Opinion with Reservations” on the IA Report. The proposal for an e-CODEX Regulation was finally published on 2 December 2020.

1 https://www.e-codex.eu. See also Carboni and Velicogna (2011), Francesconi (2012), Pangalos et al. (2014), Velicogna (2014), and Velicogna et al. (2020).

3 History

The Electronic Legal Communication (ERV) has been the indispensable centrepiece of electronic justice (e-Justice) in Austria since the early 1990s. The ERV is the paperless electronic communication of the parties and their representatives with courts and public prosecutors’ offices and serves the purpose of transmitting structured and unstructured submissions and proceedings. It is the main electronic interface of the judiciary and has been supporting judicial proceedings in a well-established way since 1990. At the 2009 e-Justice conference in Prague, the idea of using the ERV also for transnational judicial proceedings was born. This would need to be technically combined with similar tools in other EU Member States to enable a secure electronic exchange of structured data and accompanying documents between two countries in Europe. For example, on the basis of Regulation 1896/2006 of the European Parliament and of the Council creating a European order for payment procedure, a lawyer could file an order for payment action for his clients in Austria against the defaulting party in another EU Member State. Since 2009, it has been possible for Austrian lawyers to submit such complaints to the Bezirksgericht für Handelssachen Wien (District Court for Commercial Matters Vienna) as ERV participants. If the lawyer wishes to address a party abroad for his/her client, this cannot be done electronically with the 2009 solution. A project on a “Concept for Crossborder Electronic Filing and Delivery for the European Electronic Payment Order” was launched from the idea born at the said e-Justice conference in Prague, together with the partners Amtsgericht Wedding (District Court Wedding)/Berlin, the Ministry of Justice of North Rhine-Westphalia, the Ministry of Security and Justice in the Netherlands, the Dutch Kadaster and the Ministry of Justice in Romania.
The project, funded by the European Commission, analysed the feasibility of linking two national legal communication systems on the basis of the Austrian ERV and the German Electronic Judicial and Administrative Mailbox (EGVP). The reference procedure was the European order for payment procedure.


Austria, together with Germany, the Netherlands and Romania, prepared this concept for the cross-border transmission of electronic documents, which was completed in early 2011. Austria also participated in the ‘Distributed Identity Management’ and ‘Payment’ concepts. The experience gained was incorporated into the e-CODEX project. The result of the project showed the main cornerstones of such a transnational data and document exchange on the basis of the relevant EU regulations or directives. One of the cornerstones is that the national applications with their specific features must remain in place and that this exchange of data and documents is based on an established technical standard that ensures a high degree of sustainability of a solution. Since the national applications use different solutions for user authorisation and authentication, document creation and verification, the partner in the other country must trust this solution and its output. Shortly afterwards, in 2009, the European Commission announced and finally launched a “Large Scale Pilot” project in the area of e-Justice. The call for tenders identified cross-border judicial procedures and their electronic implementation, with as many Member States as possible as partners, as central to a project proposal.

3.1 e-CODEX Project (2011–2016)

Last but not least, the most important thing for this project application was to find a smart and modern project name, which also had a good chance of surviving the three-year project duration. There were proposals such as “CONDITIO”, in its long form Court Online National Decentered Interoperably Trusted Identities Organised, or as a variant “Communications Operated with Networks Data Interchanged Transmission of Information Open Standards”. The “conditio” was conceived as a loan from the Latin phrase “conditio sine qua non”. A somewhat leaner proposal was e-THEMIS (“e-Transeuropean homogeneous electronic Management of Interjustice systems”). Finally, the name proposed by the Dutch colleagues, “e-CODEX”, was the winner. This proposal seemed the most appropriate to all. e-CODEX started in 2010 with 15 partners, including the European professional associations of lawyers (CCBE) and notaries (CNUE). The Ministry of Justice of North Rhine-Westphalia in Germany was ready to lead the consortium. The project was initially designed for three years, with pilots going into real operation in the last year of the project. The total budget was EUR 14 million, 50% funded by the EU. In order to structure the work within the e-CODEX project, different aspects were considered in order to achieve an optimal organisation. The project provided interoperable building blocks for e-Justice services in Europe, which should, however, as far as possible be without prejudice to existing national applications. These building blocks have been used in real e-Justice services, but they should also be flexible enough to be used for other services.


A structure of the technical work packages (WP) was evident:
• e-identity in the context of natural and legal persons (WP4)
• Transport of data and documents (WP5)
• Document Standards and Semantics (WP6)
In order to achieve this, horizontal work packages were needed for:
• the overall architecture (WP7)
• Communication and marketing (WP2)
• Project Management (WP1)
as well as a work package around
• piloting (WP3).

Work Package 5 defined and implemented the transport infrastructure for the e-CODEX pilot projects. This transport infrastructure should connect national systems such as the Austrian ERV and the German electronic judicial and administrative mailbox (EGVP) for any exchange of data. The infrastructure had to meet strict security and integrity requirements, but it also had to reflect correctly the underlying directives. Electronic payment of court fees for submissions also needed to be supported. The results of the concept project “Concept for Crossborder Electronic Filing and Delivery for the European Electronic Payment Order” for a transport solution between Austria and Germany using the European order for payment procedure could be used as a basis for WP5. Comprehensive communication activities were established to keep Member States, legal practitioners, industry and other potential stakeholders informed about developments within the project. e-CODEX had also agreed to reuse or adapt the results of neighbouring projects such as STORK, PEPPOL and SPOCS. The first pilots in the field of civil justice started in 2013. From the beginning of 2014, e-CODEX went into the “Extension Phase”, which brought new pilot partners (UK, Poland, Norway, Sweden and the standardisation organisation OASIS), additional pilot projects and the extension of the pilot of the European order for payment procedure. This also ensured the sustainability of the project’s success.
Solutions developed as part of the project should continue to be operated and maintained after the end of the project.

3.2 Me-CODEX Project (2016–2018)

“Me-CODEX” (“Maintenance of e-CODEX”) was a consortium project led by the Ministry of Justice of North Rhine-Westphalia with 14 additional partners, launched in November 2016. The project aimed at maintaining the components of e-CODEX, the technical solution for European legal communication, and at developing sustainable governance solutions to bridge the gap between the end of the e-CODEX project in 2016 and the (meanwhile postponed) transfer of the operation and maintenance of e-CODEX to an EU agency.

3.3 Me-CODEX II Project (2019–2021)

During the first Me-CODEX project it became clear that the handover of e-CODEX to an EU agency would be postponed. A new consortium was therefore formed on the basis of the previous one to apply for further EU funding. The Me-CODEX II project continued the operation and maintenance of e-CODEX. Additionally, it prepared the handover activities to the EU agency chosen for the takeover of e-CODEX: eu-LISA.

3.4 Me-CODEX III Project (2022–2024)

The objective of the Me-CODEX III project is to prepare, implement and follow up the handover of all e-CODEX components to the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA). In addition to the handover to eu-LISA at the end of the project period, the objective is to ensure a continued robust sustainability framework for the further management, development and maintenance of the e-CODEX system during the project period until the handover, as well as support for the existing and upcoming users of e-CODEX in accordance with the relevant legislation.

4 Description

The objective of e-CODEX is a fully interoperable European e-Justice system. The solutions envisaged must take into account judicial independence but also subsidiarity. However, the e-services and infrastructures established in the Member States should not be replaced by new centralised solutions. Rather, e-CODEX must create an interoperability layer connecting national services across borders. The infrastructure solution works as a hub between national applications and connects them for data and document exchange. National systems should not need to be adapted for this. In addition to national systems, the e-Justice Portal will also be available as a further way of filing. For example, in Austria the transfer can take place via the Austrian ERV and, in future, also via the e-Justice Portal (https://e-justice.europa.eu). The main objective for e-CODEX is to launch real pilot projects in order to bring real benefits to the participating Member States.


The European order for payment procedure, which is particularly important for Austria, has already been successfully launched as a pilot for e-CODEX with the Czech Republic, Estonia, France, Germany, Greece, Italy, the Netherlands, Poland, Portugal and Spain; the European Small Claims Procedure, transfers in the area of commercial and company registers, administrative penalties, the cross-border exchange of sensitive data concerning MLA Conventions, and the European Arrest Warrant are other pilots in progress. The basic principle of e-CODEX is to connect and use national systems with their national specifics. This applies in particular to the electronic identities of the parties involved, such as lawyers and court staff. The way in which someone authenticates in his/her own system, and how the authenticity and integrity of a document created and sent are ensured, is resolved in different ways in the project partner countries. e-CODEX is not meant to define a common standard but to create an interoperability layer so that pilot countries can trust each other’s identities.

4.1 Technical Implementation Together with the other Large Scale Pilot Projects “STORK” and “SPOCS”, a technically broad and future-proof architecture for the e-CODEX transport layer has been chosen, using the established ebXML Message Service (ebXML Message Service) in its latest specification as “ebMS V3.0”. This would, on the one hand, satisfy the requirement of creating an open and licence-free solution and, on the other hand, be compatible with future industrial solutions based on the ebMS V3.0 standard. This conclusion is obvious after today’s industrial solutions support the predecessor standard ebMS V2.0 for transport solutions worldwide. In judicial proceedings, the time of service of a document and proof of that date is essential to accurately reflect the applicable time limits. The e-CODEX Work Package 5 used a standard based on ETSI REM (Registered e-mail, ETSI REM TS 102640) to generate appropriate proof of delivery of a document from the issuer to the recipient. The use of structured data in the electronic exchange of data and documents makes it easy to process the data in the particular application, while ensuring the quality of the data exchanged. As a result, “building blocks” were created for semantic interoperability of exchanged messages. In particular, basic schemes have been modelled for the use cases ‘European order for payment procedure’ and ‘Small claims procedure’. Both proceedings are based on structured forms which are well-suited for the technical modelling of schemas. In a first stage, these basic schemes represent entities, such as persons and courts, which can be expected in all judicial processes. The individual forms of the European Order for Payment Procedure and the Small Claims Procedure were then modelled using these basic entities. For the European order for payment procedure, forms A, B, C1, C2, D, E, F and G were modelled, and forms A, B, C1, C2 and D for the small claims procedure. 
T. Gottwald et al.

Nationally implemented applications, such as those developed jointly by Austria and Germany, usually use proprietary schemas that do not correspond to the basic schemas developed by WP6. Consequently, a mapping from the respective national schema to the e-CODEX schema must be carried out for sending, and a mapping back from the e-CODEX schema to the national schema for receiving. This semantic interoperability ensures that national applications can still be used by the respective Member States while data is, at the same time, exchanged in a structured and synonymous manner.

4.2 Authentication

e-CODEX supports two different approaches to electronic authentication: authentication-based systems and signature-based systems. The first approach is used, for example, by Austria. The Austrian ERV, successfully used for decades by the Austrian Federal Ministry of Justice, is a closed system to which only authorised users, identified by user ID, password and a corresponding electronic certificate, have access. Lawyers receive their user credentials and the necessary software only if they are duly registered with the Austrian Bar Association. Documents produced by a lawyer and sent via the ERV are therefore clearly linked to a user. The secure connection between the lawyer’s software and the ERV ensures that documents or data are not modified on their way to the court, i.e. the integrity of the data and documents is ensured. A closed system such as Austrian e-Justice is referred to in e-CODEX as an ‘authentication-based system’. Signature-based systems, on the other hand, usually use a qualified electronic signature, e.g. by the lawyer, to ensure authenticity and integrity. Such a system is applied in Estonia, for example. Both means of authentication must be supported and usable in e-CODEX. Work Package 4 made this possible by means of software that is familiar with the specific features of the national system in question. Each Member State uses different solutions for user authorisation and authentication and for document creation and verification. The partner in the other country must therefore trust this solution and its output, and this trust must, of course, be established between the partners. The concept of a Circle of Trust has therefore been developed. The Circle of Trust must be a multilateral agreement, applied together with the relevant European Regulation or Directive for cross-border data exchange.
The Circle of Trust is defined as follows: ‘[T]he principle of a Circle of Trust is understood as the mutual recognition between Member States of an electronic document within the existing legal framework’. Specifically, this document defines the backend systems, and their properties, that are permissible in the project. It must be ensured that a document is authenticated by the sender, that it is unaltered from the sender to the recipient and that the document is clearly linked to the sender. It must be possible to identify any modification of the document during transmission.

e-CODEX: A Secure Infra-Structure for Cross-Border Cooperation


This trust in the authenticity of a document must be shown to the recipient by means of a “trust token”. The software checks these properties when sending a document and, if the result of this analysis is positive, a trust token is generated. The trust token is a document generated by the sender and sent together with the document itself. In the positive case, it indicates that the document was produced and dispatched in accordance with the rules of the sending Member State and that the recipient can trust it. In the negative case, the trust token provides appropriate information on the gaps in this process. The trust token is thus sent together with the document as a kind of quality label. For piloting, it became clear very early that an agreement between the piloting Member States was needed to ensure mutual recognition of the documents and data exchanged on the basis of the underlying regulations and directives. The Circle of Trust Agreement consequently had to be signed by the respective participants in the pilot projects before the pilots could go live. After very intense discussions, the Circle of Trust Agreement was adopted in the first quarter of 2013, in time for the launch of the first pilot projects. The agreement will probably become obsolete with Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation), or will at least need a revision.
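An illustrative model of the trust-token idea described in this section, added here as an example and not e-CODEX’s own token format or code: the sending side checks how the document was produced against the rules of its national system (authentication-based or signature-based), records the verdict and any gaps in a token bound to the document’s hash, and the recipient checks that the token comes from a Circle of Trust member and that the document is unaltered. The HMAC key shared within the Circle of Trust is an assumption standing in for whatever mechanism the project actually uses.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample values: a shared secret standing in for the real Circle of
# Trust mechanism (assumption), and a document "sent" by a lawyer via a national system.
CIRCLE_OF_TRUST_KEY = b"constructed-demo-key-not-a-real-secret"
SAMPLE_DOCUMENT = b"Form A - application for a European order for payment (constructed)"


@dataclass
class Submission:
    """What the national connector knows about how the document was produced."""
    document: bytes
    sender_id: str
    system_type: str                         # "authentication-based" or "signature-based"
    authenticated_user: bool = False         # closed system: user logged in with credentials
    transport_integrity: bool = False        # closed system: protected channel to the court system
    qualified_signature_valid: bool = False  # signature-based: qualified signature verified


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_national_rules(sub: Submission) -> list:
    """Return the gaps found; an empty list means the sending Member State's rules were met."""
    gaps = []
    if sub.system_type == "authentication-based":
        if not sub.authenticated_user:
            gaps.append("user not authenticated in the closed national system")
        if not sub.transport_integrity:
            gaps.append("no integrity-protected channel between user and national system")
    elif sub.system_type == "signature-based":
        if not sub.qualified_signature_valid:
            gaps.append("qualified electronic signature missing or invalid")
    else:
        gaps.append(f"unknown system type: {sub.system_type}")
    return gaps


def _canonical(body: dict) -> bytes:
    # Canonical JSON so sender and recipient compute the MAC over identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_trust_token(sub: Submission, key: bytes) -> dict:
    """Sender side: evaluate the submission and bind the verdict to the document."""
    gaps = check_national_rules(sub)
    body = {
        "sender": sub.sender_id,
        "system_type": sub.system_type,
        "document_sha256": sha256_hex(sub.document),
        "trusted": not gaps,          # positive case: produced according to national rules
        "gaps": gaps,                 # negative case: information on what was missing
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_trust_token(token: dict, document: bytes, key: bytes) -> tuple:
    """Recipient side: token authenticity, document integrity, then the sender's verdict.

    Returns (accepted, reason)."""
    body = {k: v for k, v in token.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("mac", "")):
        return False, "token not issued by a Circle of Trust member"
    if body.get("document_sha256") != sha256_hex(document):
        return False, "document altered in transit"
    if not body.get("trusted"):
        return False, "sender reported gaps: " + "; ".join(body.get("gaps", []))
    return True, f"document accepted from {body['sender']}"


if __name__ == "__main__":
    sub = Submission(SAMPLE_DOCUMENT, "AT-lawyer-001", "authentication-based",
                     authenticated_user=True, transport_integrity=True)
    token = issue_trust_token(sub, CIRCLE_OF_TRUST_KEY)
    print(verify_trust_token(token, SAMPLE_DOCUMENT, CIRCLE_OF_TRUST_KEY))
    print(verify_trust_token(token, SAMPLE_DOCUMENT + b"x", CIRCLE_OF_TRUST_KEY))
```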

4.3 Communication

Communication on the e-CODEX project takes place through participation in specialised fairs and events, publications in specialised journals and presentations of the project at national and international events. Social networks such as Twitter and LinkedIn are used, as well as an e-CODEX newsletter and the project’s own website https://www.e-codex.eu. In its communication activities, e-CODEX also tries to address the individual stakeholders according to their needs. Lawyers need different information about the project, such as the supported judicial procedures and their concrete application in e-CODEX, than software companies, which are interested, for example, in the technical interfaces for connecting to the e-CODEX solution. e-CODEX tries to provide the different stakeholders with the appropriate information and to be present at events with different audiences as well. Finally, a “marketing toolkit” is available for national events.

4.4 Financing

The e-CODEX project was funded by the EU and amounted to around EUR 25 million. Me-CODEX, with a budget of around EUR 2 million, was supported by the Connecting Europe Facility with a funding rate of 80% and ended in 2018. The follow-up project Me-CODEX II was again funded by the EU with a budget of EUR 3 million and a generous 100% funding rate. The Me-CODEX II consortium is striving for another, final, funded maintenance project to close the gap between the end of Me-CODEX II in 2021 and the handover to eu-LISA in 2023.

4.5 Future

Further e-CODEX piloting with other European Member States is planned for the interconnection of registers, the European Small Claims Procedure and the European Arrest Warrant, each on the basis of EU legislation. After the expiry of the Me-CODEX projects, a permanent solution to ensure the sustainability of e-CODEX by transferring its day-to-day operations and development to the European agency eu-LISA is of the utmost importance and is supported by all Member States. A proposal for a regulation on the handover of e-CODEX to eu-LISA was published by the European Commission on 2 December 2020. It was subsequently adopted by the competent European legislative bodies and entered into force as Regulation (EU) 2022/850 on 30 May 2022.2 With the successful adoption of the e-CODEX regulation, the handover to eu-LISA is planned for 2023.

5 Other e-CODEX Projects

5.1 Pro-CODEX

Launched in March 2016 under the leadership of the Italian Ministry of Justice, the project aims to connect the Austrian court competent for the European order for payment procedure and Italian lawyers (electronic communication in both directions). In April 2018, a first case was submitted electronically to the Austrian court. Pro-CODEX was coordinated by the National Research Council of Italy.3

5.2 e-CODEXPlus

The aim of e-CODEX Plus was to broaden the use of e-CODEX. The objective of the project, which started in June 2017, was to connect the participating MS (AT, DE, PL, GR, NL, PT) with each other and with the e-Justice Portal for the use cases EPO and Small Claims Procedure. The project was coordinated by Germany.

2 https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=uriserv:OJ.L.2022.150.01.0001.01.ENG.
3 On the project see: Velicogna and Ontanu (2019).

5.3 European Order for Payment Procedure

This pilot was successfully launched in July 2013. As part of this e-CODEX pilot, the cross-border electronic submission of claims in the European order for payment procedure is piloted between Austria, Germany, Italy and Estonia via the e-CODEX platform. The competent court for such EU orders for payment for the whole of Germany is the Amtsgericht Wedding in Berlin. Germany supported, from the beginning, the receipt of Form A (application for a European order for payment) and the sending of Form B (invitation to complete and/or rectify an application for a European order for payment) in accordance with the Regulation. Italy supports the receipt of Form A and the sending of Forms B, C (proposal to the claimant to amend his application for a European order for payment) and D (decision rejecting an application for a European Payment Order) under the e-CODEX Regulation. The court participating in the pilot project is the Tribunale Ordinario di Milano, with territorial jurisdiction in the Milan region. Italy has defined nationally that the Tribunale Ordinario di Milano (District Court, Milan) has jurisdiction only in the case of a European order for payment with a value of more than EUR 5,000. For claims below this amount, the Giudici di Pace, the Italian justices of the peace, have jurisdiction but are not connected to e-CODEX. In Estonia, the Pärnu Maakohtu Maksekäsuosakond in Haapsalu is the court with jurisdiction over the whole of Estonia. This court supports the reception of Form A and the sending of Forms B, C and D. Estonia also offers its lawyers the opportunity to send Form A to a competent foreign court. In Austria, since 1 July 2009, the Bezirksgericht für Handelssachen Wien (District Court for Commercial Matters, Vienna) has been the competent court for all European orders for payment.
Austria supports the cross-border transmission and reception of Form A and Forms B, C, D and G (declaration of enforceability) for foreign claimants via e-CODEX. The advantage for participants in the Austrian ERV is that they can now bring claims for European orders for payment electronically not only to the Bezirksgericht für Handelssachen Wien, but also directly to the participating pilot courts through the e-CODEX connection. Work is ongoing on connecting further Member States and courts. This may create new business opportunities for lawyers because, as a result, outstanding claims—e.g. by Austrian lawyers throughout Germany—can simply be recovered electronically and effectively through the single-step European order for payment procedure. A German company could even assign its claims to an Austrian subsidiary in order to pursue claims in Germany more effectively through the European order for payment procedure (one single step—with service on the defendant) than through the German national order for payment procedure (two steps—with two notifications and two means of appeal).

5.4 iSupport

An application has been developed to support cross-border maintenance claims under the 2009 EU Maintenance Regulation and the 2007 Hague Maintenance Convention. The project is named ‘iSupport’ and is led by the Hague Conference on Private International Law (HCCH). The cross-border electronic exchange of data between the participants is based on e-CODEX. iSupport 2.0 is the successor to iSupport; again, the consortium leader is the HCCH. The project addresses an update and extension of the current system, connection to the e-Justice Portal and ensuring the maintenance and sustainability of iSupport. The project initiative will also be promoted accordingly. Further follow-up projects are being carried out to continuously improve the functionality of iSupport.

5.5 API for Justice

API for Justice was a support project led by the Dutch Ministry of Justice to extend the e-CODEX platform with interfaces. These interfaces should enable citizens and consumers to bring complaints under the Small Claims Procedure more easily on the web, without a change of media. The project was successfully concluded in July 2017.4

4 Velicogna (2017) and Velicogna (2019).

5.6 EXEC – Electronic Xchange of e-Evidences with e-CODEX

EXEC (“Electronic Xchange of e-Evidences with e-CODEX”) was an EU-funded project launched in February 2018 under the guidance of the Austrian Ministry of Justice to build the infrastructure for the Europe-wide electronic exchange of orders and evidence, based on the European Investigation Order and the related client “e-Evidence Reference Implementation”, which is being developed by the EC. By using the interoperable e-CODEX solution, it will also be possible to connect existing national solutions. A total of 16 project partners participated.


A follow-up project, EXEC II, continued the work begun in EXEC and extended the scope of the activities to the integration of the “e-Evidence Reference Implementation” with national systems.

5.7 EVIDENCE2e-Codex

The EVIDENCE2e-Codex project (short: E2E) was the “sister project” of EXEC and was launched in February 2018. It was led by the Ministry of Justice of Italy and the Institute of Legal Information Theory and Techniques (“ITTIG”) in Florence, and addressed, inter alia, data research aspects in the context of the transmission of evidence in EIO proceedings via the EC’s e-Evidence Platform. The aim was to develop know-how on the electronic exchange of evidence.

6 Related Projects

6.1 e-SENS and Other Large Scale Pilots

In addition to e-CODEX, four other large-scale pilot projects existed to enable the cross-border interoperability of e-government services and technologies in different procedural areas. ‘STORK’ (‘Secure idenTity acrOss boRders linKed’) sought to create an interoperability framework based on individual national solutions that allows the secure electronic identification and authentication of natural persons, including across borders. An essential aspect of this is the introduction of authentication levels to map the heterogeneous landscape of electronic identity solutions, both quantitatively and qualitatively, and to harmonise mutual acceptance. The SPOCS (Simple Procedures Online for Cross-border Services) project aimed at improving the procedures for implementing the Services Directive; in particular, the aim was to facilitate the cross-border provision of services. The objective of the ‘epSOS’ (Smart Open Services for European Patients) project was to establish and improve interoperability between eHealth solutions from different European countries, more specifically cross-border access to patient files, cross-border e-prescriptions and the international dispensing of medicines. The PEPPOL (Pan-European Public Procurement Online) project aimed to provide competitiveness through an EU-wide online public procurement system. This was achieved by connecting national procurement systems through standards and a corresponding interoperability architecture. Under the leadership of the Land of North Rhine-Westphalia, 20 national consortia with a total of approximately 100 partners were involved in the e-SENS project (Electronic Simple European Networked Services). e-SENS was expected to consolidate the results of the PEPPOL, SPOCS, e-CODEX, epSOS, etc. projects of the different domains. The project was successfully completed in March 2017. The e-SENS project succeeded in creating pan-European IT building blocks for digital administration, to be used in the different administrative and judicial sectors and to facilitate interoperability. The building blocks are provided as “CEF Building Blocks” (“eDelivery”, “eInvoicing”, “eID”, “eSignature” and “eTranslation”) by the European Commission under the Connecting Europe Facility (CEF). eDelivery is implemented by the DOMIBUS Gateway, which is the transport solution developed in e-CODEX, in particular in e-CODEX Work Package 5, led by the Austrian Federal Ministry of Justice together with the Spanish Ministry of Justice on the basis of ebMS V3.0.

7 Outlook

At the time of writing, two main aspects are under discussion in the European e-Justice community. The first is the sustainable establishment of e-CODEX at the European level. e-CODEX needs to move from time-constrained maintenance projects to a sustainable organisation for its future maintenance. There is a further need to establish e-CODEX legally in European legislation, so that European Member States and other organisations interested in using e-CODEX can rely on the legal validity of data transfer via e-CODEX. Both issues are addressed by the European Commission’s proposal for an e-CODEX regulation, published on 2 December 2020. The proposal is currently under negotiation by the European legislators. After the successful closure of the negotiations, e-CODEX will have a sound legal basis and will be handed over to the European agency eu-LISA. The second aspect is whether the European Union needs a legal act laying down the legal framework for the rights and obligations that everyone must provide for in communication in the field of European e-Justice. For example, if the service of documents in a competition case is not correctly sent to the addressee and this leads to significant financial consequences, the question arises as to who is clearly responsible. It is true that European or national instruments already provide solutions for this. However, would it not be more appropriate for the rights and obligations of each party to be specified in a legal instrument? It seems that further clarification is essential. The European Commission has already announced a proposal for a regulation on the digitalisation of justice. The proposal is expected for the end of 2021. The European e-Justice community is looking forward to intensifying its level of digitalisation with this regulation.


References

Carboni N, Velicogna M (2011) Electronic data exchange within European justice: e-CODEX challenges, threats and opportunities. Int J Court Admin 4:104
Federal Ministry of Constitutional Affairs, Reforms, Deregulation and Justice, Austria (2018) From punchcards to legal tech – 40 years of e-Justice in Austria. Nova MD, Vachendorf
Francesconi E (2012) Supporting transnational judicial procedures between European member states: the e-Codex Project. In: Proceedings of JURIX, vol 2012, pp 41–50
Pangalos G, Salmatzidis I, Pagkalos I (2014) Using IT to provide easier access to cross-border legal procedures for citizens and legal professionals: implementation of a European payment order e-CODEX pilot. Int J Court Admin 6:43
Velicogna M (2014) Coming to terms with complexity overload in trans-border e-justice: the e-CODEX platform. In: The circulation of agency in e-Justice. Springer, Dordrecht, pp 309–330
Velicogna M (2017) In search of smartness: the EU e-justice challenge. Informatics 4(4):38
Velicogna M (2019) Building information infrastructures for smart cities: the e-CODEX infrastructure and API for justice project experiences. In: Setting foundations for the creation of public value in smart cities. Springer, Cham, pp 197–222
Velicogna M, Ontanu E (2019) Improving access to courts and access to justice in cross-border litigation: lessons from EU experiences. Ciências e Políticas Públicas 5(1):67–93
Velicogna M, Steigenga E, Taal S, Schmidt A (2020) Connecting EU jurisdictions: exploring how to open justice across member states through ICT. Soc Sci Comput Rev 38(3):274–294

e-Evidence Digital Exchange System (eEDES) Djamila Ben Miloud and Cristian Nicolau

Abstract On the 9th of June 2016, the Justice and Home Affairs Council adopted conclusions on improving criminal justice in cyberspace. In these conclusions, the Council requested from the Commission the creation of “a secure online portal” for the exchange of requests and responses in the context of judicial cooperation, including electronic evidence. The Commission services started a consultation process with the Member States, consisting of the creation of an Expert Group that discussed and agreed on the specifications of the system to be built. From the consultation with the Member States, a broad consensus emerged that the exchange platform should be based on e-CODEX. A majority of Member States requested the Commission to provide the online portal, as a “Reference Implementation”, which they could connect nationally to the e-CODEX network, in a “decentralised” set-up. The European Commission then started the project of specifying and implementing the e-Evidence Digital Exchange System and its Reference Implementation Portal. The system was tested cross-border and will go live in 2022.

D. B. Miloud
European Commission, Bruxelles, Belgium
e-mail: [email protected]
C. Nicolau
eJustice, IT and Document Management, DG Justice, European Commission, Bruxelles, Belgium
e-mail: [email protected]
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023
M. A. Biasiotti, F. Turchi (eds.), European Investigation Order, Law, Governance and Technology Series 55, https://doi.org/10.1007/978-3-031-31686-9_7


D. B. Miloud and C. Nicolau

1 Introduction

The e-Evidence Digital Exchange System (eEDES) was built in the context of Directive 2014/41/EU regarding the European Investigation Order in criminal matters.1 Directive 2014/41/EU deals with the gathering and transfer of all types of evidence, including e-evidence, within the EU. eEDES provides a Reference Implementation Portal (RI) allowing the management and exchange of the e-Forms for the following legal instruments:

• EIO (Annex A, Annex B and Annex C (ITN));
• MLA.

The acronyms and definitions used in this paper can be found in Annex I.

2 Background

On the 9th of June 2016, the Justice and Home Affairs Council adopted conclusions on improving criminal justice in cyberspace. In these conclusions, the Council requested from the Commission the creation of “a secure online portal” for the exchange of requests and responses in the context of judicial cooperation, including electronic evidence (e-evidence). In order to implement the Council conclusions, the Commission services started a consultation process with the Member States, consisting of the creation of an Expert Group that would discuss and agree on the specifications of the system to be built. Directive 2014/41/EU was used as the basic legal reference for the online portal. Such a portal should provide several functionalities, among them standardised forms to harmonise and facilitate the execution of requests. On the 9th of November 2016, the first Expert Group meeting was organised to discuss options for the online portal. The meeting provided important guidance for the set-up of the system and was followed by a series of further workshops to clarify the organisation of the portal and the storage capacity. For each of these, two options were proposed: a centralised and a decentralised solution. From the consultation with the Member States, a broad consensus emerged that the exchange platform should be based on e-CODEX. A majority of Member States requested the Commission to provide the online portal and the storage solution, as a “Reference Implementation”, which they could connect nationally to the e-CODEX network, in a “decentralised” set-up. Member States underlined the importance of the system being secure and of avoiding the risk of:

• a security breach in the access to the Portal(s) that mediate(s) the exchanges;
• a security breach during the transfer of data and e-evidence;
• a security breach in the storage of data and e-evidence.

Other elements to be ensured included confidentiality (the guarantee that access is granted only to authorised parties), integrity (the guarantee that the data has not been altered during transfer or storage) and availability (the guarantee that the data is not lost and is available as needed). The system should comply with data protection rules by design. The European Commission then started the project of specifying and implementing eEDES and its Reference Implementation Portal (referred to in the rest of the document as “the eEDES Portal”), which would later be provided to the Member States for deployment.

1 Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters.

3 Project Scope

The eEDES project aims at managing the exchange of judicial cooperation requests and responses, including e-evidence, in the context of the EIO Directive and the MLA conventions through a web-based application in order to:

• facilitate judicial cooperation between the competent authorities of Member States in relation to proceedings in criminal matters;
• facilitate judicial cooperation between the competent authorities of the Member States with the aim of improving cross-border access to evidence on the basis of the EIO (including electronic evidence);
• improve the transparency of the process;
• reduce the complexity and resource-intensity of the exchanges;
• simplify the tasks of the Member States;
• reduce the operational risks;
• support the extension and continuous improvement of the business process to meet new requirements;
• gain visibility of eEDES Portal usage by producing statistics.

The objective of the eEDES Portal developed was therefore to:

• ease the exchange of information between the Member State Administrations (MSAs);
• support new requirements that are not yet supported by the current tools, if any.

By using the eEDES Portal, authorised users with the appropriate rights can fill in the available e-Forms and then send them to other MSAs. Anonymous or guest users cannot access the eEDES Portal. In a first stage, the eEDES Portal will cover the exchange of e-evidence among EU competent authorities based on the EIO and MLA. However, in a longer-term perspective, an extension of the IT platform could be considered in order to facilitate judicial cooperation within the EU in other domains (such as other mutual recognition instruments), to facilitate direct cooperation between competent authorities of Member States and service providers to obtain electronic evidence, as well as judicial cooperation between competent authorities of Member States and competent authorities of third countries.

4 Business Objective, Domains and Processes

The business objective of the eEDES exchange processes is to allow and facilitate the exchange of information between competent authorities of the Member States. The eEDES Portal allows the preparation and exchange of e-Forms in the field of EIO and MLA. It is designed so that it can be extended to other e-Form domains. The current solution covers the following forms:

• annex A: EUROPEAN INVESTIGATION ORDER (EIO);
• annex B: CONFIRMATION OF THE RECEIPT OF AN EIO;
• annex C: NOTIFICATION (ITN);
• Mutual Legal Assistance;
• further supporting forms necessary to the EIO business process;
• forms pertaining to other business domains (e.g. MLA);
• other forms defined by the business users or imposed by the business needs.

4.1 eEDES Domains

As depicted in Fig. 1, the main eEDES overall exchange domain can be divided into three categories: Common domain, National domain, and External domain.

Fig. 1 eEDES domains (e-Evidence Exchange domains: Common domain, National domain, External domain)


• Common domain: the Common domain is the environment that allows the various Member State Administrations to intercommunicate;
• National domain: the National domain is located in the Member State Administration environment. On the one hand, it operates as a national network, which allows the national stakeholders to communicate with each other. On the other hand, it provides the national application, which allows the MSA to exchange information with the national applications in all other countries, and with the Commission if applicable;
• External domain: the External domain is the environment outside the e-Evidence exchange system. It can be any system or application used by the MSA to communicate with other actors.

4.2 eEDES Global Business Processes and Sub-processes The main processes and Sub-Processes of the e-Evidence system are presented in Fig. 2.

4.3 eEDES Request Legal Assistance Process

The Request Legal Assistance Process covers the following sub-processes:

• send request for assistance to the Competent Authority of the Executing State—the Issuing Authority requests legal assistance from another Member State;
• send a notification to the Competent Authority of the Executing State—whenever needed, the Issuing Authority sends notifications to inform about important events;
• provide additional information to the Competent Authority of the Executing State—whenever needed and requested by the Executing State, the Issuing Authority provides missing information or clarifies it to help the execution of the legal assistance request;
• change request—the Issuing Authority decides to change the initial request and to amend it due to a new situation or a new need. A small change can be requested or a full amendment. In the latter case, the initial request can be fully updated, follow the entire internal workflow and be sent out again to the Executing State;
• withdraw request—the Issuing Authority decides to withdraw the original request for assistance and to terminate the process, as it is no longer needed.


Fig. 2 eEDES global business processes and sub-processes

4.4 Provide Legal Assistance Process

The Provide Legal Assistance Process covers the following sub-processes:

• register incoming request;
• assess conformity of an incoming request;
• forward request;
• notify Issuing Authority;
• request additional information;
• inform about the progress of a request (including delays);
• send the results of the request;
• reject request;
• terminate a process upon withdrawal of the request by the Issuing Authority.

5 eEDES System Setup

Based on the results of the Expert Group meetings and on the answers received from the Member States, the two major elements of the eEDES Digital Exchange System are e-CODEX as the “means of transmission” of the various exchanges and the eEDES Portal as a back-end application implementing the business logic of the whole system. The e-CODEX network is made up of a series of physical gateways located in the national administrations. On the one hand, each gateway is interconnected with the others through a common communication protocol. On the other hand, each gateway communicates with a national portal and/or national computers. The e-CODEX connection itself (between gateways) offers strong security using well-proven authentication and cryptographic algorithms (a three-layer encryption comprising two-way SSL encryption, encryption of the payload and of the ASiC-S container that transports the forms). The exchanges between national administrations, and more precisely between authorised users, can consist of requests, replies, replies with e-evidence, notifications, etc. These messages are transmitted using electronic forms (e-Forms) that can be accessed, filled in and then sent using the eEDES Portal. Based on the majority option for a decentralised solution, it was agreed that the eEDES Portal would be:

• either developed, deployed and operated by the Member States themselves;
• or developed by the EC in the form of a Reference Implementation (RI) and provided to the Member States as an installation package, to be deployed and operated by the Member States themselves.

The eEDES Portal then connects to e-CODEX for the transmission of the different exchanges: messages and files. For very large files, national transmission channels have limited capacity in terms of the traffic volumes allowed. Therefore, either national capacities are increased or very large files have to be exchanged outside the e-Evidence system.
In that case, administrative cooperation mechanisms should be agreed to ensure the best and safest way to hand them over. As for the business modelling, taking into account the diversity of the national processes and procedures in the Member States, the reference portal should provide the possibility to exchange messages and files using e-CODEX. e-CODEX ensures full point-to-point encryption. When the information leaves the e-CODEX system and arrives in the national portal, it enters national jurisdiction. As regards security, this means that national security rules apply: the Member States have to make sure that the last (or first) legs of the transmission are encrypted according to their national standards and rules. Automated translation was also implemented as a non-mandatory feature in the eEDES Portal, should it be useful to the end-users.

5.1 Overall Architecture

Every Member State is equipped with a communication node, represented by the national domain. For the communication between the national domains, an asynchronous protocol was proposed. The overall architecture is depicted in Fig. 3 (eEDES System Setup). The national domains are connected through e-CODEX gateways. The Connector is used to ensure that the messages exchanged over the common domain are constructed following a standard European format. The entry point of the eEDES system is the eEDES Portal. It must be accessible to the Member States' users in their national infrastructure. Member States' users log in to the eEDES Portal to perform the various functions, such as editing, filling in or sending forms. The eEDES Portal is linked to the e-CODEX exchange platform, and all exchanges take place over that platform in a secured manner. The Reference Implementation (the eEDES Portal) handles all the workflows and processing required by the business transactions. It allows for the exchange and transfer of messages and files between Issuing and Executing Authorities and provides the necessary security level for such exchanges via access control and end-to-end encryption of the flows.

Fig. 3 eEDES system setup

e-Evidence Digital Exchange System (eEDES)


6 Supported Messages and Workflows

The exchange of information is based on a message-oriented approach. In the eEDES exchange system, we can distinguish three groups of messages:
1. Messages for which a form already exists and is clearly defined. These are the messages based on the forms attached to the EIO Directive, namely: (a) Annex A—EIO; (b) Annex B—confirmation of the receipt of an EIO; (c) Annex C—Interception of Telecommunication Notification. The XML form of these messages was directly derived from these existing forms.
2. Messages for which the corresponding form does not exist but whose XML format has already been discussed and agreed among some of the Member States during different projects. This is the case for most messages identified and defined in the MLA pilot project that started in 2014 between Belgium, the Netherlands and North-Rhine Westphalia (Germany).
3. Messages identified during the different discussions between the Member States but for which no equivalent PDF form or XML format exists. These messages are free-form messages.

6.1 Functional Messages

6.1.1 From the Issuing Authority to the Executing Authority

The following messages can be exchanged:
• Sending:
– send an EIO (Annex A to the EIO Directive) / Notification of Interception (Annex C to the EIO Directive) / MLA request;
– amend or change an EIO (Full or Small) / MLA request (Small);
– withdraw an EIO / MLA request in full;
– reply to a request for additional information;
– send a notification about the legal remedies sought against the issuing of the EIO;
– send a service message carrying any additional information not covered by the above message list, using a free-form message.
• Receiving:
– receive confirmation of receipt of an EIO (Annex B to the EIO Directive);
– receive a request for additional information;
– receive return of the request message with grounds for refusal;
– receive the result of the request message, including evidence (total or partial reply);
– receive a rejection of the request message in case of non-recognition/non-execution, either in whole or in part;
– receive other notification messages (delay, forwarding, ...) (see Sect. 6.1.2);
– receive confirmation about the end of the transaction in case of withdrawal;
– receive a service message carrying any additional information not covered by the above message list, using a free-form message.

6.1.2 From the Executing Authority to the Issuing Authority

The following messages can be exchanged:
• Receiving:
– receive an EIO (Annex A to the EIO Directive) / Notification of Interception (Annex C to the EIO Directive) / MLA request;
– receive a change in the EIO (Full or Small) / MLA request (Small);
– receive a withdrawal of an EIO / MLA request;
– receive additional information;
– receive a notification about the legal remedies sought against the issuing of the EIO;
– receive a service message with additional information not covered by the above message list, using a free-form message.
• Sending:
– send confirmation of the receipt of an EIO (Annex B to the EIO Directive);
– return the EIO;
– send a request for additional information;
– send the result of the request message, including evidence;
– send a rejection of the request message in case of non-recognition/non-execution, either in whole or in part;
– send a notification of delay: in taking the decision on recognition/execution of an EIO; in carrying out the investigative measure;
– send a notification of postponement of recognition/execution of an EIO;
– send a notification that the ground for postponement has ceased to exist;
– send a notification that it is impossible to provide the assistance requested;
– send a notification about the recourse to a different type of investigative measure;
– send a notification about the impossibility to take a decision on recognition/execution of an EIO;
– send a notification about carrying out other investigative measures not initially foreseen;
– send a notification about the impossibility to comply with the formalities and procedures requested by the issuing State;
– send a notification about legal remedies sought against the recognition/execution of an EIO; objections received in the executing State in respect of the substantive reasons for issuing the EIO;
– send a notification that the requirement of confidentiality cannot be complied with;
– send a notification in reply to the submission of Annex C of the EIO;
– send a notification on the decision concerning a provisional measure and on lifting the provisional measure;
– send confirmation about the end of the transaction;
– send a service message carrying any additional information not covered by the above message list, using a free-form message.

6.2 Technical Messages

During the exchange of information, the eEDES Portal and the e-CODEX platform generate technical messages at different points of the message transfer. These technical messages inform about the progress of the technical transaction. The evidences generated by the domibus Connector in a signed XML format consist of:
• SUBMISSION_ACCEPTANCE/SUBMISSION_REJECTION: This evidence is generated by the sending connector and informs the original sender of the message (via the national backend application) whether the message was processed successfully by the sending connector and submitted to the sending gateway. This evidence is also attached to the message as a business attachment.
• RELAY_REMMD_FAILURE: If the message was submitted to the gateway, but the gateway cannot submit it to the recipient's gateway, this evidence is generated and sent to the original sender by the sending connector. To be able to do so, the domibus Connector relies on the information from the gateway that the submission has failed.
• RELAY_REMMD_ACCEPTANCE/REJECTION: Once the message arrives at the recipient's domibus Connector, this connector generates the evidence, adds it to the message, and also sends it back to the original sender. Once received, the original sender can conclude that the message was received by the recipient's gateway and connector, but not whether the processing of the message on the recipient's side was successful.
• DELIVERY/NON_DELIVERY: In case the processing of the message on the receiver side fails, a NON_DELIVERY is generated by the connector and sent back to the original sender. Once the message could be processed successfully and is delivered to the national backend application, the domibus Connector depends on a trigger from the national back-end application to learn whether the delivery to the final recipient was successful or not. If triggered, the domibus Connector generates the DELIVERY (if successful) or NON_DELIVERY (if not successful) evidence and sends it back to the original sender.
• RETRIEVAL/NON_RETRIEVAL: This evidence type is optional and hardly used by participants. This is due to the fact that it is not easy for national backend systems to acknowledge the retrieval of a message. However, if triggered by the backend application, the domibus Connector generates such an evidence and sends it back to the original sender.

6.3 Errors and Warnings

Various components generate error and warning messages. The errors are conditions under which a message cannot be processed by the e-CODEX platform or the recipient, as it does not fulfil some technical or business constraints. The list consists of:
• SUBMISSION_REJECTION
• RELAY_REMMD_FAILURE
• RELAY_REMMD_REJECTION
• NON_RETRIEVAL
• NON_DELIVERY
The last element of this list indicates that the message could not be successfully delivered to the national backend application; the sender must therefore ensure that the message is compliant with the rules, so that the system operates smoothly and the recipient does not generate error indications. When the message reaches the recipient, it is validated, and any error thrown during that validation results in the NON_DELIVERY message. If this happens, it means one of the following could have occurred.

6.3.1 Syntactic Validation

• Message not well formed: the message is not well-formed and cannot be decoded.
• Message not compliant: the message cannot be validated against the XML schema.

6.3.2 Semantic Validation

Semantic validation takes place on any field of the message structure. Possible examples are:
• Different country code: the country code of the receiving authority is different from the country code of the Digital Exchange System receiving the message.
• Received message is not of expected type: the message type does not match one of the expected types; for example, a withdrawal message is expected to be sent by the issuing authority following an Annex A submission, but a postponement notification is not.
• Missing any of the following: message type; XML form; main PDF; issuing authority; receiving authority.
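The recipient-side checks of Sects. 6.3.1 and 6.3.2, and the DELIVERY/NON_DELIVERY outcome of Sect. 6.2, as an added illustration that is not eEDES or Domibus code: the message layout, element names, the LOCAL_COUNTRY value and the ALLOWED_AFTER table are constructed assumptions, and a root-element check stands in for the real XML schema validation.

```python
"""Recipient-side validation modelled on eEDES Sects. 6.2 and 6.3.

Constructed example: element names, country codes and the ALLOWED_AFTER
table are assumptions, not the eEDES schema or workflow definition.
"""
import xml.etree.ElementTree as ET

# Country code of the Digital Exchange System running this validator
# (constructed value).
LOCAL_COUNTRY = "DE"

# Fields listed as mandatory in Sect. 6.3.2 (element names assumed).
REQUIRED_FIELDS = ("messageType", "xmlForm", "mainPdf",
                   "issuingAuthority", "receivingAuthority")

# Message types the issuing authority may send given the last message
# recorded for the case (assumed simplification of Sect. 6.1.1): after an
# Annex A submission a withdrawal is expected, a postponement notification
# is not, because that one originates from the executing side.
ALLOWED_AFTER = {
    None: {"EIO_ANNEX_A", "INTERCEPTION_ANNEX_C", "MLA_REQUEST"},
    "EIO_ANNEX_A": {"EIO_AMENDMENT", "EIO_WITHDRAWAL",
                    "ADDITIONAL_INFO_REPLY", "LEGAL_REMEDY_NOTIFICATION",
                    "SERVICE_MESSAGE"},
}


def syntactic_errors(raw):
    """Sect. 6.3.1: well-formedness, then a stand-in for schema validation."""
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return None, ["Message not well formed"]
    # Root element name check stands in for the XSD validation eEDES performs.
    if root.tag != "eedesMessage":
        return None, ["Message not compliant"]
    return root, []


def semantic_errors(root, last_message_type):
    """Sect. 6.3.2: mandatory fields, country code, expected message type."""
    errors = []
    missing = [f for f in REQUIRED_FIELDS if root.find(f) is None]
    if missing:
        errors.append("Missing: " + ", ".join(missing))
    recv = root.find("receivingAuthority")
    if recv is not None and recv.get("country") != LOCAL_COUNTRY:
        errors.append("Different country code: %s != %s"
                      % (recv.get("country"), LOCAL_COUNTRY))
    mtype = root.findtext("messageType")
    allowed = ALLOWED_AFTER.get(last_message_type, set())
    if mtype is not None and mtype not in allowed:
        errors.append("Received message is not of expected type: " + mtype)
    return errors


def validate_incoming(raw, last_message_type=None):
    """Return the evidence the receiving connector would send back."""
    root, errors = syntactic_errors(raw)
    if root is not None:
        errors += semantic_errors(root, last_message_type)
    if errors:
        return {"evidence": "NON_DELIVERY", "errors": errors}
    return {"evidence": "DELIVERY", "errors": []}


# Constructed sample: a withdrawal following an Annex A already on file.
WITHDRAWAL_OK = """<eedesMessage>
  <messageType>EIO_WITHDRAWAL</messageType>
  <issuingAuthority country="FR">Issuing court (constructed)</issuingAuthority>
  <receivingAuthority country="DE">Executing authority (constructed)</receivingAuthority>
  <xmlForm>withdrawal.xml</xmlForm>
  <mainPdf>withdrawal.pdf</mainPdf>
</eedesMessage>"""

# Same message, but the postponement type is not expected from the issuing side.
UNEXPECTED_TYPE = WITHDRAWAL_OK.replace("EIO_WITHDRAWAL",
                                        "POSTPONEMENT_NOTIFICATION")
# Addressed to a country other than the one running this exchange system.
MISROUTED = WITHDRAWAL_OK.replace('country="DE"', 'country="FR"')
# Mandatory main PDF absent.
MISSING_PDF = WITHDRAWAL_OK.replace("  <mainPdf>withdrawal.pdf</mainPdf>\n", "")
# Truncated in transit: not well-formed.
TRUNCATED = "<eedesMessage><messageType>EIO_WITHDRAWAL"

if __name__ == "__main__":
    for name, raw in [("ok", WITHDRAWAL_OK), ("type", UNEXPECTED_TYPE),
                      ("route", MISROUTED), ("pdf", MISSING_PDF),
                      ("trunc", TRUNCATED)]:
        print(name, validate_incoming(raw, "EIO_ANNEX_A"))
```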

6.4 Workflows

The workflows represent the procedures in the Member States for preparing, reviewing and sending a message to another Member State. They are implemented in the Reference Portal to facilitate the procedures between services in the National Authorities.

6.4.1 Internal Workflow

The internal workflow depicts the internal procedures in a Member State for preparing, reviewing and sending a message to another Member State. It enhances the quality control before issuing a message to another Member State and, hence, reduces the risk of errors or of refusal of a message.

6.4.2 External Workflow

The external workflow refers to the exchange between two different Member States.

7 Security Objectives

The use of the eEDES system should facilitate judicial cooperation and the exchange of information between judicial authorities, and be simple to use. A necessary condition to meet this objective is to make sure that the eEDES architecture fulfils the security requirements raised by the Member States. The specifications of the eEDES system as regards confidentiality, integrity, availability of the e-evidence assets, and legitimate use of the system are described below.


7.1 Reliability

Reliability concerns the ability of the system to perform consistently in a user-acceptable manner when operating within its environment and according to its specifications.

7.2 Confidentiality

Confidentiality means protecting the information from loss or from disclosure to unauthorized parties. The eEDES system was designed to ensure the confidentiality of all data assets. In particular, it ensures that access is restricted to the authorized users involved in a given exchange. Only those users should have access to the content transmitted, received or stored in a dedicated storage system. The main mechanisms for protecting confidentiality in information systems are cryptography and access controls. Access to the portal relies on strong authentication, combining at least two different authentication methods.

7.3 Integrity

Integrity means maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Integrity of the data does not only refer to the integrity of the information itself but also to origin integrity, that is, the integrity of the source of the information. The eEDES system shall ensure the integrity of this data, since the use of a contaminated system or of corrupted data could result in inaccurate or erroneous decisions, hence reducing the reliability of the e-evidence system. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized users or by inadequate technical processes. Cryptography plays a major role in ensuring data integrity and it should be used at the different layers of the infrastructure in place. This covers user access data, business data and transmission channels.

7.4 Availability

Availability means ensuring the continuity of the system and of its services to its users. The eEDES system should never be the cause of a loss or of an unacceptable delay in the transmission of data. In particular, this requirement highlights the need for adequate security measures to be implemented at infrastructure level (e.g. equipment redundancy/back-up), at application level, and at business level (e.g. establishment of a business continuity plan).

7.5 Legitimate Use of the System

Security measures (referring to authentication, access control, and secure audit logs) shall be implemented so as to ensure that:
• protected resources are not used by unauthorised persons or in unauthorised ways;
• user and application activity can be traced back (activity records).
Non-repudiation is implicitly included in the “Legitimate Use of the System” objective, which requires that user and application activity can be traced back (activity records). This ensures that the user/application activity log cannot be modified without this being detected. Cryptographically protected audit logs provide a valid trace of the system use (covering non-repudiation). To fulfil these objectives, several aspects need to be addressed in detail, relating to:
• the organization of information security;
• the management of assets;
• human resources security;
• physical and environmental security;
• the management of communications and operations;
• access control;
• information systems development and maintenance;
• management of information systems security incidents;
• the management of business continuity;
• security risk assessment, measures and implementation plan.

The overall system security also relies on the assurance that every Member State will effectively implement the necessary security measures for the proper running of its national system and infrastructure.
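One way to build the cryptographically protected activity log that Sect. 7.5 calls for, as an added example that is not eEDES code: each record carries a keyed MAC over its content and the MAC of the previous record, so editing or deleting a record breaks the chain; the record fields, the key handling and the anchor mechanism are assumptions. Note that a shared-key MAC gives tamper-evidence to the key holder; binding a record to the acting user (non-repudiation towards a third party) would additionally need a signature from that user's key.

```python
"""Hash-chained, HMAC-protected activity log (constructed example for
Sect. 7.5). Record layout and key handling are assumptions."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used before the first record


class AuditLog:
    def __init__(self, key: bytes):
        # Assumption: the key lives in a key store / HSM in a real deployment.
        self._key = key
        self.records = []

    def _mac(self, record):
        # MAC over every field except the MAC itself, in canonical JSON order.
        body = json.dumps({k: v for k, v in record.items() if k != "mac"},
                          sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, user, action, case_ref, when):
        """Add an activity record chained to the previous one."""
        prev = self.records[-1]["mac"] if self.records else GENESIS
        record = {"seq": len(self.records), "when": when, "user": user,
                  "action": action, "case": case_ref, "prev": prev}
        record["mac"] = self._mac(record)
        self.records.append(record)
        return record

    def verify(self, anchor=None):
        """Return (ok, index_of_first_bad_record_or_None).

        `anchor` is the last MAC as published elsewhere (e.g. to a separate
        system): it is what detects silent truncation of the tail, which the
        chain alone cannot see.
        """
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if (rec["seq"] != i or rec["prev"] != prev
                    or not hmac.compare_digest(rec["mac"], self._mac(rec))):
                return False, i
            prev = rec["mac"]
        if anchor is not None and prev != anchor:
            return False, len(self.records)
        return True, None


def tamper_demo():
    """Verifier verdicts for an intact log and three tampering cases."""
    key = b"constructed-demo-key"

    def fresh():
        # Constructed activity: an EIO sent, read and acknowledged.
        log = AuditLog(key)
        log.append("clerk-fr-01", "SEND_EIO", "CASE-0001", "2023-01-10T09:00Z")
        log.append("judge-de-07", "READ_EIO", "CASE-0001", "2023-01-10T11:30Z")
        log.append("judge-de-07", "SEND_ANNEX_B", "CASE-0001", "2023-01-11T08:15Z")
        return log

    verdicts = {"intact": fresh().verify()}
    anchor = fresh().records[-1]["mac"]  # same key and content => same MAC

    edited = fresh()
    edited.records[1]["user"] = "someone-else"  # attributing the read to another user
    verdicts["modified"] = edited.verify()

    dropped = fresh()
    del dropped.records[1]  # removing the read from the trail
    verdicts["deleted"] = dropped.verify()

    cut = fresh()
    cut.records.pop()  # dropping the last record: chain still consistent
    verdicts["truncated_no_anchor"] = cut.verify()
    verdicts["truncated_with_anchor"] = cut.verify(anchor=anchor)
    return verdicts


if __name__ == "__main__":
    for case, verdict in tamper_demo().items():
        print(case, verdict)
```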

8 Data Protection Aspects

Article 5, Paragraph 1-(f) of the Data Protection Regulation states that personal data shall be: “...processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

In practice, this means that appropriate security measures must be put in place to prevent the personal data held from being accidentally or deliberately compromised. In particular, the Member States and the eEDES implementation will need to ensure that the right physical and technical security, backed up by robust policies and procedures, is implemented.

9 Model Analysis

9.1 Global Model

The eEDES Portal is built as a Web-based application that can be extended to other fields of application. It is designed to allow the addition of e-Forms under instruments other than the EIO and MLA. The main aim of the eEDES Portal is to exchange information between different Member States in different fields of application under the scope defined for this project. More generally, the eEDES Portal allows authorized end-users to perform the following actions in this context:
• Access to the e-Evidence Portal: the eEDES Portal is accessible only to authorised users. There is no public page;
• Workflow follow-up: the authorised users can see:
– the pending received and sent requests;
– the completed requests received and sent during a configurable period.
• Access to e-Forms domains: the eEDES Portal also contains links to the accessible e-Forms domains and their common functionalities:
– create and fill in e-Forms;
– save the filled-in e-Forms centrally;
– validate the filled-in data;
– send the e-Forms to other MSAs;
– read and update the centrally saved and received e-Forms.

9.2 System Architecture

The overall architecture of the eEDES is shown in Fig. 4. The logical architecture in Fig. 4 shows the different layers composing the eEDES and the components that are integrated in the Reference Implementation solution. It is based on the EIRA recommendations (see footnote 2).

2 An introduction to the European Interoperability Reference Architecture (EIRA©), v2.0.0.


Fig. 4 eEDES—overall architecture

The description of the layers is as follows.

9.2.1 The Legal View

This view represents the public policy development enablers and implementation instruments that shall be considered in order to support legal interoperability. In the context of the eEDES Project, the main outcome from this layer is the governing Directive regarding the European Investigation Order in criminal matters. Other policy instruments are the conventions covering the MLA exchanges. Exchanges between the organisational layer (Public Services) and the Legal layer (Legal Services) can still take place. This might result in amendments of the legal texts. In this case, an impact analysis is done to determine if any amendment is needed in the technical implementation.

9.2.2 The Organisational View

This view represents the business layer (Public Service) in the eEDES Project. It encapsulates the competent authorities in the respective Member States and determines the business transactions that need to take place in the current project (Business Information Exchange). The exchanges that take place in this context are performed by different Actors having different Roles in the global exchange. The output of this layer is very important, as it determines the whole exchange system, its rules, conditions, data, etc. This output is then used to determine, design and build the next two layers: the technical layer (the portal) and the infrastructure.

9.2.3 The Technical View: The Reference Portal Layer

In the eEDES, this layer represents the Reference Implementation, also referred to as “the eEDES Portal”. The eEDES Portal is responsible for the preparation and the exchange of messages between National Authorities. The exchanges between these authorities, and more precisely authorised users, can consist of requests, replies, replies with evidence (including e-evidence), notifications, etc. These messages are built using electronic forms (e-Forms) that can be accessed, filled in and then sent using the eEDES Portal, while the evidence (including e-evidence) files are stored in or accessed from the e-evidence Storage System. The specifications of the eEDES must comply with the security objectives expressed in terms of confidentiality, integrity, availability of the e-evidence assets, and legitimate use of the system. The Reference Implementation is designed so that its modules are interchangeable, meaning that if, for a given component, a Member State decides to design its own implementation module (e.g. its own authentication module), this can be done. The appropriate technical standards are foreseen in the technical specifications to ensure this important feature of the Reference Implementation. Moreover, the connectivity and interoperability layer allows the Reference Implementation to interconnect with the national systems whenever needed.

9.2.4 The Technical View: Infrastructure Layer

The main element of this layer is the Domibus Gateway, also referred to as the e-CODEX gateway. It represents the “means of transmission” of the various exchanges. The e-CODEX connection itself (between gateways) is made secure using well-proven authentication and cryptographic algorithms. The Connector, on the other hand, is used to ensure that only the “European” or standard format of messages is exchanged over the e-CODEX platform. It performs the mapping between the incoming message (from the eEDES Portal) and the one supported by the Domibus gateway.

9.2.5 Information Security and Information Privacy

Information Security and Information Privacy are required for security and data assurance policies. They ensure compliance with all internal and (required) external policies. Thus, these services are needed to create and maintain business-relevant, risk-appropriate solutions to meet and mitigate security threats.

9.2.6 Connectivity and Interoperability

The Connectivity and Interoperability layer provides interoperability between the services defined in the e-Evidence exchange system. It provides and supports transport and communication protocols, interface mapping capabilities, and interoperability functions.

9.2.7 Business Process Orchestration and Collaboration

The Business Process Orchestration and Collaboration layer provides two key capabilities. The first one provides end-to-end business process orchestration based on workflows containing automated tasks as well as human tasks. These workflows can take place across differing groups of users and systems. The second one provides the capabilities for all users to collaborate in an appropriate way. This can be achieved by the e-Evidence Portal, a messaging or email service, or any other means enabling communication between the end-users. This is not limited to the business exchanges covered by the e-Evidence project, as it covers all interactions with the organisation. The Reference Implementation is designed so that its modules are interchangeable, meaning that if, for a given component, a Member State decides to design its own implementation module (e.g. its own authentication module), this can be done. The appropriate technical standards were foreseen in the technical specifications to ensure this important feature of the Reference Implementation. Moreover, the connectivity and interoperability layer should allow the Reference Implementation to interconnect with the national systems whenever needed.


10 Search for the Competent Authority: Criminal Court Database

An important aspect of the exchange of messages between the Issuing State and the Executing State is to determine the Competent Authority in the receiving Member State to which the message should be addressed. To achieve this, the eEDES Portal implementation makes use of the Criminal Court Database tool. The Criminal Court Database is the data store containing all imported data on the Member States' courts of justice. It contains:
• the Courts' details;
• the Member States' municipalities;
• the official legal instruments as defined by EU regulations;
• the Courts' competences;
• the Courts' e-CODEX addresses;
• the Member States' accepted languages.

The data in the Criminal Court Database is provided by the EJN Atlas, and it is the role of the Member States to keep the competent court list up to date. It is to be noted that the Criminal Court Database tool offers web services both for searching for the competent authority in another Member State and for uploading data into the system.

11 Implementation Approach

In order to implement the eEDES, several aspects needed to be covered. A successful completion of the project could only be achieved if the global picture was kept in mind at all times and all project aspects were tackled.

11.1 Organisational Aspects

Based on the timeline set out by the Council, a project team consisting of representatives of the Commission and of all Member States was established. The project team is responsible for the implementation of the project. It can meet at expert level, depending on the subject to be discussed. Experts report to the project team. The e-CODEX group of Member States played an important role in this process. Depending on the topic, different experts were involved in the various meetings, e.g.:
• the Authority of the Member States which decides on the forms and workflow required;
• the Authority of the Member States responsible for rolling out the required infrastructure;
• IT experts overseeing the building of the portal and storage capacity;
• the Authority of the Member States responsible for creating national solutions;
• the entities at the Member States and DG JUST responsible for conducting the testing.

11.2 Requirements Analysis

11.2.1 Functional Requirements

The functional requirements were thoroughly discussed and listed in specific documentation. The challenge was to ensure that all the actions performed by the legal practitioners in their daily tasks are implemented in the e-Evidence Portal, while aiming at simplifying and facilitating these same tasks.

11.2.2 Non-functional Requirements

The non-functional requirements refer to the following qualities: • qualities related to the way the functional requirements are satisfied, not being evaluated in terms of internal implementation, but rather in terms of characteristics observable or measurable by the end-users (run-time qualities); • qualities related to the development process, including the effort and cost associated with current development as well as support for future changes or uses (development-time qualities).

11.2.3 Usability

Usability requirements concentrate on the ability of the system supporting the exchange of e-Forms through the eEDES Portal to be used by the end-users. They include all the facilities developed or put into place to assist new end-users in becoming operational.

11.2.4 Security

Security requirements focus on the measures to be put into place to ensure good protection of the interconnected systems and of the information circulating between those systems.

Security requirements group the following objectives to be fulfilled: Reliability; Confidentiality; Integrity; Availability; and Legitimate Use of the System. To fulfil these objectives, several aspects were addressed:
• the organization of information security;
• the management of assets;
• human resources security;
• physical and environmental security;
• the management of communications and operations;
• access control;
• information systems development and maintenance;
• management of information systems security incidents;
• the management of business continuity;
• security risk assessment, measures and implementation plan;
• the permanent deletion of intercepted material at a certain point in time.

11.3 Business Continuity

The business continuity requirements qualify the ability of the system to continue to reach its objectives after an unexpected event with minor or major consequences (disaster). These requirements are principally achieved through the deployment of redundant hardware and software, the use of fault-tolerant systems, and a solid backup and recovery strategy.

11.4 Quality of Service

Quality-of-service requirements concern all performance expectations for the eEDES Portal implementation, including response time, transit delay, latency period, etc.

11.5 Development and Deployment

11.5.1 Define the Workflow and the Forms

This was the first step in the technical implementation of the e-evidence project. Several working groups were planned between the EC and the Member States to discuss the content of the e-Forms that need to be exchanged and according to which workflow(s). These workflows are already mentioned in Directive 2014/41/EU on the European Investigation Order (EIO); they needed, however, to be further detailed.

11.5.2 Develop and Distribute the Forms

Based on the agreed workflows and forms, the corresponding e-Forms were developed, tested and then:
• distributed to the Member States using their own national implementation, to be integrated in their national system;
• integrated in the RI to be built by DG JUST and distributed to the remaining Member States.

11.5.3 Set Up the Infrastructure at the Member States to Host e-CODEX and the RI

While the e-CODEX and RI packages were being adapted or developed as the project evolved, the purpose of this action was to ensure that the hosting infrastructure set-up, deployment and configuration activities were ready as early as possible.

11.5.4 Adapt the e-CODEX Package to Support the Integration of e-Evidence

At this stage, the e-CODEX consortium and DG JUST have analysed the possible impacts of the new eEDES on the e-CODEX package. This covered, amongst others, possible impacts resulting from the new forms to be exchanged and any new requirement linked to security aspects or transfer of large files. The e-CODEX package (connector and gateway) could then be adapted (if needed), tested and distributed to all Member States to set it up in their national infrastructure.

11.5.5 Install and Test the e-CODEX Package in the Member States' Infrastructure

Once ready, the e-CODEX package was distributed to all Member States for deployment. After installation, connectivity testing should take place to ensure that the infrastructure is properly set up and ready to be connected to the RI.

11.5.6 Prepare and Deliver the e-Evidence Solution (RI)

This action consisted in the specification, development and testing of the e-evidence solution. The detailed specifications of the systems were prepared by DG JUST, discussed and agreed upon with all Member States, including those using their own national implementation. Discussions took place in different meetings and working groups. The topics discussed during these working groups were legal, business, technical and organisational. Upon completion of the development activities and the successful testing of the produced software, the package was finally provided to the Member States (not yet having a national solution) for installation, testing and operation. This action required a high level of coordination and availability of all the involved actors, and particularly of the Member States, to ensure that the final product is “fit for purpose” and of high quality.

11.5.7 Install and Test the e-Evidence Solution (RI) in the Member States Infrastructure

At this stage, the Member States should have already installed and tested the connectivity to the e-CODEX network. They then deploy the RI and perform testing locally before proceeding with interoperability testing with other Member States. DG JUST provides continuous support to perform the installation activities and guidelines to perform the testing activities.

11.5.8 Create or Adapt Own Solution (for Member States Opting to Use a National Implementation)

Some Member States already have a national solution that can be reused for the exchanges in the context of the e-evidence project. Those Member States might need to update their national systems to integrate the e-evidence workflow, security agreements, etc. They also participated in all meetings and working groups where discussions took place.

11.5.9 Rollout in Production

e-Evidence Digital Exchange System (eEDES)

During this action, Member States deploy the new eEDES in production. They perform final sanity checks and ensure that all requested connections, from the end users to the portal and from the portal to e-CODEX, are operational. They will also ensure that all authorised users are registered in the system and that they have been sufficiently informed of the go-live date of the new system to be used. A communication strategy needs to be put in place during the project to keep end users up to date. Training and/or presentation sessions are also arranged for the end users of the system.

12 Live Exchanges

At this stage, the system is in production and exchanges are taking place in several Member States. As users gain practical experience, it is likely that they will request enhancements or changes to the system. All such requests are reported to the solution provider, i.e. EC-DG JUST. Each requested enhancement or change is recorded and solutions are formulated by the business and technical experts. DG JUST takes into account the input from the Member States and presents the solutions to them for discussion during workshops as needed. Non-trivial changes will only be implemented when all the Member States reach an agreement on how to proceed. Member States must also agree on when such changes must be implemented. DG JUST will then make the necessary updates to the system and, if necessary, produce a rollout strategy. Member States using their own implementation will also be part of such discussions and will implement the agreed changes in their system if relevant.

13 Successful Conclusion of the Project

The successful conclusion of the project will require a continued commitment from both the European Commission and the Member States to ensure the necessary financial, technical and human resources. This requires input from multiple sources: legal practitioners to ensure that the system covers operational needs and procedures, practitioners and IT engineers to ensure that the system is fit for purpose and user friendly, IT engineers to ensure that the system is secure, and national authorities to ensure that access is limited to authorised persons only.


ANNEX I: Acronyms and Definitions

See Tables 1 and 2.

Table 1 Abbreviations and acronyms

Abbreviation  Meaning
Art.          Article
BPM           Business process modelling
DIR           Directive
DG JUST       Directorate-general justice and consumers
e-CODEX       e-justice communication via online data exchange
e-Form        Electronic form
EIO           European investigation order
MLA           Mutual legal assistance
EU            European union
GW            Gateway
EC            European commission
MS            Member state
MSA           Member state administration
NA            National application
P             Process
REG           Regulation
RI            Reference implementation
UC            Use case
XML           Extensible mark-up language
XSD           XML schema definition


Table 2 Definitions

Action: A feature that can be performed by the e-evidence portal.
Actor: An actor is someone or something outside the system that interacts with the system.
Business process: A series of steps performed by a group of stakeholders to achieve a concrete goal. These steps are often repeated many times, sometimes by multiple users and ideally in a standardized and optimized way.
Business process model: (Process model) is a sequential representation of all functions associated with a specific business process.
e-CODEX: A decentralised information technology system. It is a generic IT system to facilitate electronic exchange of information in a secure and reliable manner between competent authorities from Member States and in cross-border judicial proceedings. It is a common communication infrastructure that can carry encrypted messages.
e-Form: A Form supported by electronic means. An Electronic Form presents editable areas such as windows or boxes into which a user can input information, with the purpose to support a dedicated process, for instance to send a request to another party.
e-Forms domain: A group of e-Forms linked to the same field of application (e.g. EIO, MLA...).
Form: The form and its data that is exchanged between MSs in a given business context. By extension, the XML file that is exchanged between the MSs through the e-CODEX platform.
Functional model: A set of functions and their sub-functions that defines the transformations performed by the system to complete a task.
Invalid e-form: e-Form with one or several field(s) not filled in correctly from the validation rules point of view.
Reference implementation: A system to be developed by the European commission and distributed to the member states in the context of e-evidence. It consists of a web portal accessible by authorised users to prepare forms and send them to counterparts and of a storage system for data exchanged, more specifically e-evidence.
Role: A grouping of actions that a user has been assigned.
Structured data: Data that resides in fixed fields within a standardised format container without layout information.
User: Any user of the e-evidence portal.
Valid e-form: e-form with all the fields filled in correctly from the validation rules point of view.
Workflow: The exact sequences of possible communication exchanges between cooperating authorities in two or more Member States.

Evidence Exchange Standard Package: An Application CASE Ontology Complied for the Preparation of the Evidence Package and Its Exchange

Gerardo Giardiello and Fabrizio Turchi

Abstract The evidence exchange is carried out through the eEDES communication tool, described in Chap. 6 and over the e-CODEX secure communication channel, described in Chap. 5. The evidence to be exchanged, packed in a secure transport envelope, the Evidence Package, needs to use a standard for the representation of its metadata and data. To illustrate how to handle and prepare the Evidence Package and foster its exchange in a secure manner under the above scenario, a fictional Use Case—inspired by a real investigative case—has been created.

1 Use Case Scenario Under EIO

The general scenario under the European Investigation Order (EIO)1 instrument envisages the transfer of evidence between two national Competent Authorities in different Member States. The evidence exchange can be carried out through the eEDES tool2 and relying on the e-CODEX secure communication channel, described in Chap. 5. In addition to the management and transportation tools dedicated to the Evidence, its data and metadata must rely on the use of a standard—described in Chap. 4—for its representation. More specifically, the metadata is to be represented in a standard format and suitably packed, along with its data, in a safe container, the Evidence Package, before exchanging it. To illustrate how to handle and prepare the Evidence Package to foster its exchange in a secure manner under the scenario outlined above, the following elements must be available:
• a specific application that supports the standard for the representation of the data and metadata of an evidence item and is able to prepare the Evidence Package. This tool, called the Evidence Exchange Standard Package (EESP) application, will be described in detail in Sect. 2;
• a fictional Use Case—inspired by a real investigative case—to demonstrate how the Evidence Exchange can take place and how the EESP application can achieve this goal (see Fig. 1 as a reference for the numbered points of the Use Case timeline).

1 Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters, O.J. L 130, 1.5.2014, 1.
2 The eEDES communication tool, currently being developed by the European Commission, enables the digital exchange of European Investigation Order (EIO) and Mutual Legal Assistance (MLA) requests via a secure communication channel, as well as the exchange of subsequent messages and replies between competent national authorities in the Member States.

G. Giardiello () · F. Turchi Institute of Legal Informatics and Judicial System of the National Research of Council of Italy (CNR-IGSG), Florence, Italy e-mail: [email protected]; [email protected] © The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 M. A. Biasiotti, F. Turchi (eds.), European Investigation Order, Law, Governance and Technology Series 55, https://doi.org/10.1007/978-3-031-31686-9_8

G. Giardiello and F. Turchi

Fig. 1 Use case broken down in three panels

1.1 Terminology

Now, before describing the Use Cases and the main features of the EESP application, it’s important to introduce some terms that are recurrent in the EESP application environment. The first concept or term is the Evidence Content (E-Content), which consists of two elements:
• the Evidence Metadata (E-Metadata);
• the Evidence Data (E-Data).

Evidence Exchange Standard Package: An Application CASE Ontology. . .


The concept of E-Metadata refers to all the Objects and Subjects involved in an investigative case, that is, the Objects/Subjects tied to the related Evidence. A non-exhaustive list of Subjects/Objects comprises People and their Roles, Legal and Forensic Instruments used during the Evidence timeline, Investigative Actions such as Search and Seizure, Forensic Acquisition, Forensic Extraction, etc., and Digital Traces, for instance Devices, Calls, Contacts, Chats, Emails, Files, SMSs and Web activities. To better understand what E-Metadata is for a given Digital Trace, let’s focus on a message exchanged on a Chat platform. The Chat Message is composed of a Sender, one or more Recipients (in terms of an Application Account, as in WhatsApp), a Date and Time when the message was sent or received, whether it’s an Incoming or Outgoing message, and the Text of the message. These elements are classified as metadata, so they are considered E-Metadata, although the text of a Chat Message may also be classified as data. Let’s assume that a Chat Message includes an attachment: in this case the attached file is not part of the E-Metadata; only its name, its size, its creation date/time and similar properties would be considered E-Metadata, but not the File itself. In addition to metadata there are the data related to an Evidence item, the Evidence Data (E-Data), which represent the physical files, such as images, documents, audio, video, etc. Finally, the last concepts are:
• the Evidence Package (E-Package), which is almost equivalent to the Evidence Content (E-Content) with an encryption layer added. This is because the E-Package is the object that will be exchanged, so it is fundamental to guarantee its confidentiality and preserve its integrity. The E-Package is the only object that can be exchanged over the Internet, travelling through eEDES and via e-CODEX;
• the Evidence Manifest (E-Manifest): an additional file included in the E-Package that is transferred together with it and holds information about the EIO, the Issuing and Executing authorities, the symmetric keys for the encryption of the E-Content and the hash value of the E-Content for validating the integrity of the package. This file is automatically generated and managed by the EESP application.

1.2 Start of the Case

The Use Case refers to an offence perpetrated via social network systems, emails and pictures taken with the suspect’s phone. The suspect is an Italian man who persistently threatens his ex-wife (the victim). The woman, who lives in the Czech Republic, reported the crime and the national Competent Authority issues an EIO to the Italian Competent Authority, requesting the forensic analysis of the suspect’s smartphone and other devices for the following information:
• messages from the suspect’s home involving the victim;
• pictures of the victim used to threaten or intimidate the victim;
• pertinent web activity information;
• phone calls made to contact the victim;
• visual reconstruction of the most pertinent elements and entities (people and objects).
The Use Case has been broken down into three different panels and is depicted in Fig. 1.

1.2.1 Italian CA Receives the EIO and Authorises the Search and Seizure of the Suspect’s Smartphone

The first panel refers to processes that are external to the EESP application environment. It describes the initial timeline of the investigative case, where the EIO is received by the Italian Competent Authority in the executing State within the eEDES system. The EIO covers the Search and Seizure and the processing of the suspect’s seized device. Therefore, the national Law Enforcement Agency (LEA), relying on a Search Warrant issued by a Judicial Authority (i.e., a Judge or Public Prosecutor), carries out the Search and Seizure action and later transfers the seized device (a smartphone) to a trusted Forensic Laboratory, assuming that the national LEA does not have the forensic competencies for dealing with that mobile device. The forensic acquisition and the subsequent data extraction tasks are then assigned to an Italian Forensic Laboratory specialised in handling mobile devices.

1.2.2 Forensic Lab Carries Out the Initialisation Step, Then Processes the Seized Device and Finally Merges the Outcome

When the seized device is delivered to the Forensic Lab by the LEA, the first step the Forensic Expert has to take is to initialise the E-Content, registering the two actions carried out by the national LEA. Maintaining the digital information related to the chain of custody is of utmost importance while the piece of evidence is transferred, exchanged and processed. Before delving into the description of the varied features provided by the EESP application, it is worth showing the initial page of the frontend, displayed after the authentication process has been successfully accomplished (see Fig. 2). The initialisation step mentioned before is accomplished using the Create operation, under the Build menu item, as illustrated in Fig. 3. The Create operation has been split into four steps:
• request for the metadata of the EIO (EIO number, National case number, Case name, EIO date and time, issuing State, executing State, Case description);
• request for the metadata of the Search and Seizure action (Seizure performer, City of the seizure, Address of the seizure, Date and Time of the seizure, Search warrant identifier, Search warrant date and time);
• request for the metadata of the Transfer action (Transfer performer, Forensic lab referent, City of the transfer, Address of the transfer, Date and time of the transfer); and
• request for the metadata of the seized device (Fig. 4 shows the form for the mobile device metadata). The form includes the Add device button to add the device to the list of the EIO’s devices.
For the sake of simplicity, a single device is assumed, so after having added the device to the list (Fig. 5), it is possible to confirm the Create operation and then receive the outcome of the action (Fig. 6).

Fig. 2 EESP application, initial page after the authentication process

Fig. 3 EESP create -> build operation, step n. 1


Fig. 4 EESP create build operation, step n. 4

Fig. 5 EESP create build operation, step n. 4, after the addition of a device

Afterwards, using a forensic tool, for instance, UFED PA, AXIOM Process, Encase,3 etc., the Forensic Lab completes the forensic processing (i.e., the Acquisition and the Extraction tasks), creating another E-Content with the E-Metadata containing details of the forensic processing and the E-Data related to all physical files extracted.

3 UFED Physical Analyser by Cellebrite (https://www.cellebrite.com/en/ufed-ultimate). AXIOM Process by Magnet Forensics (https://www.magnetforensics.com/blog/magnet-axiom-featureprocessing). Encase by OpenText (https://security.opentext.com/encase-forensic).


Fig. 6 EESP create build operation, step n. 4, after confirmation

This new E-Content must be merged with the initial E-Content related to the Search and Seizure and Transfer actions. This is done using the Merge operation, under the Create menu item, provided by the EESP application. The Merge operation has been split into three steps:
• selecting an existing EIO: it contains the initial E-Content related to the first two actions (Search and Seizure and Transfer), as shown in Fig. 6;
• selecting the device associated with the selected EIO. In this case there is only one device, but this is not the most common circumstance, considering that a single investigation usually involves many devices;
• selecting the two files corresponding to the E-Content to be combined: the E-Metadata (JSON file) and the E-Data (ZIP file), as depicted in Fig. 7.
After confirmation, the Merge operation starts and, if it does not raise any error, it will be possible to use the Browse menu item to read the E-Content through the Cyber Items view (Fig. 8) or the Investigative Actions view (Fig. 9).

1.2.3 Forensic Lab Prepares the E-Content to be Manually Delivered to the National Law Enforcement

Now the Forensic Lab can prepare the forensic processing result through the EESP application, using the Export operation. This is very similar to what occurs in a real case: the Forensic Lab provides the LEA or the Competent Authority with the processing outcome on an external memory (CD-ROM or USB) containing a set of files: the forensic result in a proprietary format (i.e., UFDR for UFED), software, provided by the tool vendor, to read that file, and finally a report, in PDF format, describing all the actions carried out to obtain the processing result (Fig. 10).


Fig. 7 EESP create -> merge operation, step n. 1

Fig. 8 EESP create merge operation, step n. 3

These files are obtained by using the Export menu item provided by the EESP application. The operation has been split into three steps:
• selecting an existing EIO: it now contains all the Actions referring to the corresponding evidence timeline;
• assigning a name to the outcome of the Export operation (Fig. 11). This allows any name to be assigned to the E-Metadata (JSON file) and the E-Data (ZIP file); otherwise the proposed name will be used;
• starting the Export process, which will generate the link for downloading both the E-Metadata and the E-Data related to the selected EIO (Fig. 12).
Once the E-Metadata and the E-Data have been downloaded, they can be copied to an external memory (e.g., a USB pen drive) and manually delivered either to the national LEA or to the Competent Authority. It is important to bear in mind that the E-Content format represents a common way to accomplish the Evidence Exchange when the action occurs between the FL and the LEA or the national CA, but the E-Content cannot be digitally exchanged; it can only be exchanged manually (by hand, using a USB/external disk). This is because it is not protected by any encryption layer, so neither the confidentiality of the content nor its integrity can be guaranteed during a digital transfer/exchange.

Fig. 9 EESP browse e-content based on cyber items view

Fig. 10 EESP browse e-content based on actions view


Fig. 11 EESP export, step n. 2

Fig. 12 EESP export, step n. 3

1.2.4 Competent Authority Imports the E-Content in Their Environment

Afterwards, the next operations are carried out within the Competent Authority environment, where the E-Content prepared by the Forensic Lab and stored on a USB pen is imported and immediately afterwards read through the EESP application. This is done using the Import operation of the EESP application. The operation has been split into three steps:
• selecting an existing EIO or inserting a new EIO;
• displaying the list of devices already correlated to the current EIO and presenting a button to insert the new evidence/device;
• selecting the two files corresponding to the E-Content to be added to the EIO: the E-Metadata (JSON file) and the E-Data (ZIP file).
Once the E-Content has been imported, it can be read using the Browse operation in the same way as already seen.

1.2.5 Competent Authority Exports the E-Package to be Sent to the Competent Authority in the Issuing State

The final operation is to Export the E-Package, but at the moment the last two items of the timeline have not been implemented yet. They represent a crucial operation to accomplish the Exchange of the Evidence after having prepared and exported the E-Package. The E-Package will be made available to the eEDES system for download. Immediately afterwards, the E-Package can be attached to the message whose final recipient is the CA of the issuing State.

2 EESP Application Overview

Considering the importance of using a standard for the representation of the Evidence Package, it is necessary to rely on an application that is able to support that standard. In our case the standard is represented by the CASE/UCO language,4 therefore the primary aim of the EESP application is to support the CASE standard. CASE, which stands for Cyber-investigation Analysis Standard Expression, provides a structured specification, actually a set of ontologies, for representing information that is analysed and exchanged during investigations involving digital evidence. The open-source Cyber-investigation Analysis Standard Expression (CASE) is a community-developed ontology designed to serve as a standard for interchange, interoperability, and analysis of investigative information in a broad range of cyber-investigation domains, including digital forensic science, incident response, counter-terrorism, criminal justice, forensic intelligence, and situational awareness (details on CASE are provided in Chap. 4). The main features of the EESP application have already been partly presented, but other important ones are the following:
• it supports the CASE/UCO language, a standard for the representation of the Evidence Package metadata;
• it is a web application for managing the E-Package;

4 Unified Cyber Ontology (UCO), a foundation for standardised information representation across the cyber security domain/ecosystem https://unifiedcyberontology.org. Cyber-investigation Analysis Standard Expression (CASE), an international standard supporting automated combination, validation, and analysis of cyber-investigation information, https://caseontology.org.


• it aims to prepare the E-Package and facilitate its exchange via the eEDES system and through e-CODEX.
A summary of the foremost operations provided by the EESP application is outlined below (see also Fig. 2):
• Browse. It allows the user to read the E-Content related to the sources of evidence (devices) correlated to a European Investigation Order/Mutual Legal Assistance (EIO/MLA). The operation provides two different views, one based on the Cyber items extracted from the seized device, the other based on the Actions carried out during the Evidence timeline (Search and Seizure, Transfer, Forensic Acquisition, Forensic Extraction);
• Build -> Create. It aims at generating the initial E-Content to register all the metadata related to a Search and Seizure action. This subtask also includes the optional Transfer action;
• Build -> Merge. It combines the initial E-Content with the E-Content obtained from the forensic processing carried out on the same device (source of Evidence);
• Export. It enables the export of either the E-Content or the E-Package of an EIO/MLA, for the Transfer and the Exchange of the Evidence respectively;
• Import. It allows the user to incorporate either the E-Content or the E-Package of the Evidence into the system;
• Generate. It automatically generates a report on the Actions carried out, letting the user select the Actions to be included in the final document;
• Display. It shows statistics on the EIO/MLA metadata in terms of kind of Cyber items and number of cases broken down by the involved Member States;
• Show. It permits viewing the logs of the operations carried out by the application users.
The EESP application is a composition of several web-service components, on both the frontend and backend sides, that together form a distributed architecture over HTTP following the REST web service paradigm.

2.1 EESP Application: Import and Export Operations

Before delving into the details of how the EESP application provides the Export and the Import of both E-Content and E-Package, it is essential to give an overview of the uses of the application. Important features of the EESP application include, but are not limited to, the following:
• Browse E-Content
• Build: Create and Merge E-Content
• Import E-Content and E-Package
• Export E-Content and E-Package
• Report E-Content
• Statistics on Cyber items, EIO, Operations, Logs
In this context it is more important to put the focus on how the EESP application can
• import/export/read an E-Content,
• import/export an E-Package with all the information (data and metadata) needed to prepare its transfer/exchange.
Figure 13 illustrates the main operations provided by the EESP application.

Fig. 13 Main operation of the EESP application

2.2 Evidence Packaging and Unpacking

The transfer/exchange of the Evidence Content (E-Content) may take place under two different conditions:
• the E-Content can be transferred between a Forensic Lab and the national Law Enforcement (see Sect. 1.2.2) or the national Competent Authority. In this case, this is carried out manually, in the same manner as it is done nowadays. It is of utmost importance to highlight that the E-Content lacks any protective encryption layer and cannot be transferred through a digital channel;
• when the E-Content has been delivered to the national Competent Authority, it can be imported into their system and then exported as an E-Package in order to deliver it to the eEDES system and finally be exchanged over the secure e-CODEX infrastructure, as an attachment to a message, to reach its final destination, the national Competent Authority in the issuing State.
From both a packaging and an unpacking perspective, the operations carried out within the EESP application do not differ substantially, because in both cases the EESP application will export the package before the exchange and import the package for its reading when the package reaches the recipient, regardless of the channel used for the exchange. In order to explain the packaging/unpacking processes, it is necessary to describe the flow that occurs between the FL/LEA and the national Competent Authority. The E-Package preparation process begins with an E-Content containing all of the data (E-Data) and metadata (E-Metadata) related to the case under investigation.

2.2.1 Evidence Packaging

The Evidence Package comes into play when a Competent Authority in the executing State needs to prepare the E-Package to be exchanged with the Competent Authority in the issuing State. This happens in the Competent Authority’s environment and is accomplished by using the Export functionality provided by the EESP application. The E-Package contains the following files:
• E-Metadata-Enc: the E-Metadata expressed in CASE-JSON format, encrypted with a symmetric key (SK). The SK is automatically generated at random by the EESP application and remains transparent to (hidden from) the user. The SK is used with the AES block cipher, which works on 128-bit blocks and accepts a key length of 128 bits (16 bytes), 192 bits or 256 bits; all three options are considered secure according to today’s standard recommendations, and the application uses AES-256;
• E-Data-Enc: the E-Data containing the physical files related to the evidence, compressed in ZIP format and encrypted with the same SK used for the Evidence Package;
• E-Manifest-Enc: contains the list of files included in the E-Package and the SK used to encrypt both the E-Metadata and the E-Data (see Fig. 14);
• E-Recipient.enc: contains the SK and the hash of E-Manifest.enc (for integrity). E-Recipient is encrypted using the Recipient’s Public Key (for confidentiality);
• E-Sender.enc: contains the hash of E-Recipient.enc (for integrity) and is encrypted using the Sender’s Private Key (for authenticity).
When the E-Package is ready, it can be transferred to the eEDES system using a REST API service provided by the EESP application. Afterwards the E-Package can travel over e-CODEX as an attachment to a message between the involved Competent Authorities.

2.2.2 Evidence Unpacking

Once the E-Package reaches the Competent Authority in the issuing State, they can open the E-Package (unpacking) and read its contents by using the EESP application. Relying on the E-Recipient, the EESP application can read the value of the SK and decrypt the E-Manifest, E-Metadata and E-Data content. All these operations will be completely transparent to the Competent Authority, who will receive a message about the success or failure of the operation. The E-Package Import performs the reverse of the encryption operations to import the E-Content into the Recipient’s environment.

Fig. 14 EESP manifest file (evidence packaging)

3 Packaging Services: Architecture, API and Functionality

The EESP is a Full Stack Application that has been built on two main components: a frontend (FE) and a backend (BE) that can communicate with each other through a REST API.

[Fig. 15 diagram: Front end (Browser running ReactJS) communicating with the Back end (NodeJS), which uses the Filesystem and MongoDB for storage]

Fig. 15 The EESP application high-level architecture diagram

The BE implements the Packaging API, a collection of services for accessing and managing the Evidence Packages (EP). The packaging services architecture is based on Node.js,5 an open-source and cross-platform JavaScript runtime environment that allows server-side scripts to be run, implementing an event-driven architecture capable of asynchronous I/O (non-blocking paradigms) and suitable for all kinds of projects (Fig. 15). The primary feature of Node.js is its single-threaded event loop. In this way the FE, via requests, implements a distributed, event-driven event management system, realising what software engineers call the observer pattern.6 This component must be installed on a server machine that adopts security policies, not described in this Chapter, and it implements web services through a thin layer called Express.js,7 the de facto standard server framework for Node.js. The main tasks of Express.js are to manage data (E-Data and E-Metadata) and their persistence, check the authorisation to access the data and prepare this data to be transferred out of the application (Fig. 16).

5 https://nodejs.org/. 6 Observer is a behavioural design pattern that lets you define a subscription mechanism to notify multiple objects about any events that happen to the object they’re observing. 7 https://expressjs.com.

Fig. 16 The EESP BE diagram—REST API is exposed and consumed from a client frontend (browser/client; Express back end; Mongoose ODM over MongoDB and the filesystem)

3.1 The Packaging Services

The packaging services include:
• a Web Service Interface, built on the Express.js framework. It implements an application programming interface (API) following the REpresentational State Transfer (REST) architectural style. The web service exposes an interface for applications to integrate and use the packaging services; HTTP clients (the FE) can request a collection of endpoints (URLs of web resources) via a subset of the HTTP protocol (the verbs GET, POST, PUT and DELETE);
• utilities such as parsers and JSON generators conforming to the UCO/CASE ontology schemes (see Chap. 4 for details on the CASE ontology), the standard used for the representation of the Evidence Package metadata;
• a Database Server for storing metadata (E-Metadata). In particular MongoDB is used. MongoDB is a general-purpose, document-based, distributed database built for modern application developers and for the cloud era. MongoDB stores data in JSON-like documents, which makes it suitable for storing CASE files serialised in JSON-LD format;
• packaging and encryption modules based on the most popular Node.js library modules for packaging and encryption purposes. The encryption uses the symmetric key method and the AES-256 algorithm, relying on the AES256 Node.js module, which simplifies the built-in crypto module for AES-256 encryption with random initialisation vectors. This module generates a random initialisation vector each time one of the encrypt methods is called. Furthermore, the symmetric session key (a.k.a. secret passphrase) can be of any size because it is hashed using SHA-256;
• a package Hosting Service. This is a file hosting service first for the E-Data and subsequently for the E-Package: the files are stored in the server's folder only until they are imported or downloaded. This type of service is required also because the encryption of large packages can take a long time;
• an E-Manifest Validation module. The Packaging service that supports the E-Manifest file generation also includes supporting tasks for the validation process, comprising:
– calculation of the MD5 hashes of the packages before their encryption, as described in RFC 1321;
– creation of the E-Manifest file in the outgoing directory, which currently includes the EIO number, the hash calculation, the internal/national identifier, and the issuing and executing State. These are only a subset of the manifest file schema presented in Fig. 14. A sample of the manifest information generated by the Packaging service during the demonstration is provided below;
• a Keys service module, that is a repository of known public keys. The list of keys is used by the frontend so that users can choose the key for encrypting the Manifest file.

The application uses MongoDB's Collections to save users, groups, metadata on the EIOs and devices (E-Metadata), as well as the representations of the digital evidence in UCO/CASE language. Furthermore, the application uses the filesystem for storing the physical files (E-Data). To maintain the link between collections and physical files, the latter are saved in folders named after the national case number metadata. Inside them, the files are organised in sub-folders mapped on the type of file. The paths to these physical resources are reported in the corresponding JSON UCO/CASE objects, i.e. the case document metadata saved in MongoDB.

The BE, as mentioned, uses a database to store the E-Metadata related to a given EIO. A concise representation of the main data processed is shown in Fig. 17, in which the following items appear:
• the eio collection, representing an EIO with its metadata;
• one or more documents of the device collection, each representing a seized device associated with the EIO and linked through the eioDevices list field. In the same way, the device collection contains the device metadata and a field linked to the document of the case collection. Finally, the case collection contains the representation of the case, serialised in JSON-LD format and compliant with the CASE/UCO standard.
As can be seen from Fig. 17, access to EIO data is granted to a user group through the groupId field of the eio collection; therefore the users of a given group share the same rights to operate on the same set of documents of the eio collection.

Fig. 17 MongoDB main data model

This access policy is implemented in the EESP application but can be changed to meet national needs. The creation of both groups and users is the responsibility of the system administrator defined in the initial configuration of the EESP application. The action diagram (Fig. 18) illustrates the application flow that occurs when the user interacts with the UI, on the FE side, to request details about the digital traces extracted from a device associated with a given EIO. The flow highlights that the data stream is bi-directional, from FE to BE and vice versa. This represents the generic paradigm for any kind of communication between the FE (client side) and the BE (server side) within the EESP application.

Fig. 18 Action diagram, generic flow related to a request to view some data (User, UI React module, API client-side: UI interaction on /device/{id} calls the module get function(id), which issues an https request to the API server-side; the JSON response is processed and rendered)

Any request is carried out using an HTTPS request based on the GET method and having the following structure:
scheme://host:port/route
where:
• scheme identifies the protocol used to access the resource. Possible values are either HTTP or HTTPS;
• host name, and the optional port number, identify the host where the BE is available and the port it listens on;
• route identifies the component to be called and corresponds to a specific UI page of the FE.
For instance, the call http://localhost:3000/device/60af4ecea28b5f29888ce6f3 represents a user request for a specific device with identifier id=60af4.... The FE, based on ReactJS components, under specific circumstances invokes a get function that is in charge of making the asynchronous REST call to the BE API. The above call is processed by the BE, which returns a JSON object representing the data contained in the device, passed back to the ReactJS component. Then the UI ReactJS component updates its state and re-renders the UI, presenting the user with the information obtained by the request.

Fig. 19 UI user interaction and FE/BE communications (User, App routing, Front end with Browse, Import and Export modules, API client-side REST calls, API server-side)

In the next Sections the three main operations involving the user are shown, highlighting the routes and the client-side and server-side APIs, as shown in Fig. 19, which depicts the following events:
1. interactions with the BE to retrieve some data;
2. presentation of the returned data or request of user input through proper. This reveals that the application business logic relies on the user interface (FE);
3. interactions with the BE to save data.

3.2 The Browse E-Content Operation

The Browse operation is the sequence of actions that allows the user to perform the following steps:
• request the list of EIOs processable by the user on the basis of their rights;
• see the list of devices associated with each visible EIO;
• choose a device to see the evidence extracted (cyber items) or the list of investigative actions performed during the evidence timeline. Here evidence refers to each potential piece of evidence extracted from the selected device.

This sequence of steps is rendered to the user by the FE using two components, which correspond to the following API calls, in which the HTTP verb and the route are indicated:
• GET /eio: the FE loads the module corresponding to the chosen route and the UI presents the user with the list of EIOs based on the user's access privileges. To do this, before rendering, the FE performs this call to the BE:
• GET /api/cases: according to the REST API paradigm, it gets a representation of the target resource's state. The BE responds with a JSON representing the list of EIOs and connected devices, see Fig. 20. The BE returns a JSON array containing all the available resources:
• the EIOs;
• all the associated devices for each EIO.
The FE renders these resources to the user in a user-friendly manner, via a list of the available EIOs. Starting from that list the user can select an EIO and choose one of the associated devices to view its content, invoking the following route:
• GET /device/60bf38887e359d07b03fa627: the FE loads the module corresponding to the chosen route and the UI presents the user with a view divided into two blocks: in the first block there is a tree view component with the cyber items divided by type; in the second block a list with all the investigative actions concerning the selected device (see Figs. 9 and 10). To do this, before rendering, the FE performs the call to the BE:
• GET /api/devices/60bf38887e359d07b03fa627: the BE responds with a JSON file representing the E-Metadata in the UCO/CASE standard, containing all information about the cyber items extracted from the device.

3.3 The E-Content Import Operation

The Import operation is the sequence of actions that allows the user to perform the following steps:
• enter the metadata of an EIO, using a specific form provided by the FE;
• upload the E-Content, represented by two files: a JSON file containing the E-Metadata and a ZIP file containing the E-Data concerning one or more devices that, in our scenario, the FL has delivered to the CA.
This sequence of steps is rendered to the user by the FE using only one component, which asks for the data necessary to accomplish the operation:
• GET /import: the FE loads the module corresponding to the chosen route and the UI presents the user with the data entry and file upload forms.

Fig. 20 JSON response concerning the list of EIOs and devices

At the end of the procedure, the FE performs this call to the BE to save the data:
• POST /api/import: according to the REST API paradigm, it creates the state of the target resource with the state defined by the representation enclosed in the request. The BE responds with a JSON representing the success or failure status of the operation just performed.

3.4 The E-Content Export Operation

The Export operation is the sequence of actions that allows the user to perform the following steps:
• select an EIO available to the user;
• choose the name for the files to export;
• get the generated files via two links provided by the application for download: a JSON file containing the E-Metadata and a ZIP file containing the E-Data concerning one or more devices.
This sequence of steps is rendered to the user by the FE using only one component, which asks for the data listed above through a step-by-step procedure, up to presenting the links to download the necessary files.
• GET /export: the FE loads the module corresponding to the chosen route and the UI presents the user with the list of EIOs based on user access privileges. To do this, before rendering, the FE performs this call to the BE:
• GET /api/cases: already described in Sect. 3.2.
At the end of the procedure, the FE performs the final call to the BE to create the temporary files, available for download via the URLs provided by the BE:
• POST /api/export: the request encloses the Id of the EIO to export and the name chosen to generate the files. The response, as mentioned, is a JSON file that lists the temporary files and the URLs to contact to download them.

4 EESP Frontend: Packaging Views

The EESP application frontend is depicted in Fig. 21, even though its general appearance may undergo a substantial revision of its look and feel to adapt it to new developments in digital forensic technology. To implement the frontend application the following technologies have been chosen: JavaScript as development language, ReactJS and Material-UI Design, the world's most popular React UI framework, a design system created by Google and available for both mobile and web applications. The client-side application takes care of the presentation of the data and of the interaction with the user. In compliance with the APIs exposed by the backend, the FE makes these functionalities accessible to the user in a user-friendly manner through menu lists and step-by-step wizards for entering or selecting data. Moreover the EESP application uses the Model-View-ViewModel (MVVM) architectural pattern, based on declarative data bindings, to allow a clear separation of the user interface (UI) from the business logic and the behaviour of the application.

Fig. 21 The React FE presents the UX/UI to the user. Each router handles a component in the diagram (Browse, Import, Export, Report, Statistics and Admin modules, served in the web browser) and consumes the REST APIs exposed from Node.js by the BE

The BE is responsible for the model, its definition, the admissible operations and the persistence of data through MongoDB and the filesystem. In other words, the BE defines the model, holds the information and manages the business data, but it does not deal with the user's interactions or behaviour. The FE manages the business logic and is responsible for:
• tailoring the presentation layer;
• requesting the necessary data from the BE, to view or edit them;
• sending data to be saved or updated.
By doing so the combination of BE and FE yields an application with loose coupling between models and views. The view model of MVVM is a data converter layer and is responsible for exposing the data objects from the Model in such a way that they are easily managed and presented. Moreover the MVVM architecture provides two-way data binding between view and view-model, and the view-model makes use of the observer pattern to make changes in the view-model.

Fig. 22 In the MVVM, the view observes a model and is notified when the model changes, allowing the view to update itself accordingly (UI events flow from the View to the ViewModel; property change events and ViewModel data flow back to the View; the ViewModel updates and reads the Model, which raises model change events)

Figure 22 shows how the model notifies the View that it has changed and, in turn, the View fetches the data and updates itself. This is the context where ReactJS comes into play. The View is based on the Document Object Model (DOM), the object that represents the HTML page as a tree structure whose items build up a web page. However, reading and writing the DOM is not efficient, so React components overcome this technical hindrance by reactively updating the page through an alternative DOM, called the virtual DOM. The React virtual DOM is a JavaScript object, and reading and writing it is much faster. React components never read from the real DOM, so when the render function, responsible for the UI management, is called, the React components update the virtual DOM, which then makes only the necessary changes to the real DOM, speeding up the DOM rendering. The render function is called whenever the component state (where the property values that belong to the component are stored) is updated. This happens when the user interacts with the view through the UI components provided by the application or when the FE fetches data from the BE. Figure 23 illustrates the process of synchronisation and updating via two-way data binding.

5 Security, Encryption, Communication Protocols and Access Control

The security aspects of the application concern the individual components involved and the data exchanged between them. These components comprise:
• the server component (BE);
• the client component (FE);
• the FE-BE data exchange;
• the exchange of data (E-Content or E-Package) with a third party outside the application environment.

Fig. 23 Action diagram lifecycle (React module frontend: UI React module, action, React state as single source of truth, new state; API client side: https request and https response; Node.js backend API server side)

In this section the aspects of cross-border communication between competent authorities, including the exchange of evidence, are not taken into consideration. Details about the Secure Communication Channel to achieve secure cross-border exchange can be found in Chap. 5 (dedicated to e-CODEX). Moreover, the security aspects related to server management, users, access policies, backups and disk data encryption at rest are not considered; they will be part of the EESP integration process within the eEDES system, the national systems and the policies already in place.

5.1 Server-Side Security

As far as the server-side critical aspects are concerned, two issues have to be borne in mind:
• the persistence of data in the database;
• the persistence of data on the file system, for both permanent and temporary files.
The permanent files should be encrypted using a symmetric key, set up in the initial EESP application configuration. For temporary files the approach is different: they should persist on the file system for the shortest possible time and be removed immediately after their use. Access to the files is based on the principle "anyone with the link", meaning that whoever knows the link to a file is also entitled to download it. This can be changed in "production" deployments of the services so that only authorised users can access those files. The MongoDB database relies on the SSL/TLS protocols to encrypt network communications, which ensures secure "in-flight" communication between the database and the server; moreover, the database system also supports encryption of data "at rest".

5.2 EESP Application Security

The EESP application is based on the HTTPS protocol for the transmission of both requests and responses. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, its predecessor, Secure Sockets Layer (SSL). Furthermore, practically all operations invoked within the EESP application can only take place after the user authentication has been successfully accomplished. The EESP application authentication system is based on the traditional username and password request. At the moment multi-factor authentication has not been implemented yet, but from the eEDES integration perspective this stronger authentication method could be integrated if requested. After authentication, the user has gained the right to operate on the available EIOs and the client obtains an access JSON Web Token,8 an open, industry-standard (RFC 7519) method for representing secure claims between two parties, in general between the client and the server, and in the EESP application context between the FE and the BE. This token is then exchanged between FE and BE at each communication, and it allows the server component to check the user's rights before accessing/managing the data (see Fig. 16).

8 JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

Another issue related to the use of the application concerns the use of sensitive data on the client side, as in the case of the preview of an image, video, etc. contained in the E-Data. In this case sensitive data can remain in the temporary memory (cache) of the web browser and be visible at a later moment. To mitigate this possible negative effect, the application uses an encoding (base64) for these sensitive data, rendering them on the fly within the application itself. With this approach the data stored in the browser cache will not be immediately visible, or at least it will be possible to visualise it only within the original context.

5.3 Data Exchange Security

To support the secure transfer of the Evidence Package between the two Competent Authorities involved, in the issuing State and in the executing State, the following solution is implemented:
• the E-Metadata, the E-Data and the E-Manifest are encrypted with a Symmetric Key (SK) by the Competent Authority on the executing State side;
• the SK is stored in the E-Recipient, which is then encrypted with the Public Key of the Recipient (the Competent Authority on the issuing State side);
• the hash value of the E-Recipient is stored in the E-Sender file, which is then encrypted with the Sender's Private Key.
In this way it is also possible to manage the Large Evidence File (E-Large-File) exchange scenario, because the E-Large-File containing the digital evidence data (E-Data) is encrypted with the same symmetric key generated for the Evidence Package exchange, so that the same key can be used to open the file once it is downloaded by the Competent Authority of the issuing State, after the E-Package containing only the E-Metadata has been received through eEDES over e-CODEX. For the encryption and decryption of the E-Manifest, E-Metadata and E-Data with the SK the AES256 module is used. To assure the integrity of the data, the EESP application uses the Message-Digest algorithm (i.e. MD5), a hash function producing a 128-bit hash value, as a checksum to verify the integrity of the package files (E-Metadata and E-Data). The hash values of the packages are stored inside the E-Manifest file, encrypted with the receiver's public key, for verifying the data integrity when receiving the E-Package file.

6 Conclusions

This Chapter has described the most common digital Evidence Package exchange scenarios, involving two Competent/Judicial Authorities from different Member States and also a nationally appointed Forensic Laboratory or LEA and the national Competent Authority. Moreover Sect. 3 has described the details of the software components used to facilitate and implement this exchange through the EESP application, which supports the CASE/UCO ontology standard in the forensic field. The primary aim of the EESP application has been to adopt a "standard" specification language, widely supported by practitioners, industry and academia, for representing information commonly exchanged during investigations involving digital evidence. The CASE/UCO ontologies have been used both as a data model for the application and as a serialisation format for the cyber-investigation data. The development of the EESP application has focused on Evidence Package management, because the Evidence Package is the only object that can be digitally exchanged while ensuring the confidentiality of its content and the integrity of its data, thanks to the encryption layers with which it is endowed. There is still a long way to go to foster the use of the EESP and the CASE standard, and in this regard two points are worth mentioning:
• the integration of the EESP with the identity management in place at national level;
• the integration of the EESP within the eEDES system in terms of data communication, for instance how the E-Package is transferred from the EESP environment to the eEDES system.
From whatever perspective the scenario is seen, it is indisputable that the use of a standard for the representation and exchange of evidence, and of an application like EESP that supports that standard, will bring relevant benefits to cross-border judicial cooperation, streamlining the whole process.

Legal Framework for Digital Evidence Following the Implementation of the EIO Directive: Status Quo, Challenges and Experiences in Member States
Melania Tudorica and Jeanne Mifsud Bonnici

Abstract Currently, the leading legal instrument for the exchange of digital evidence within the European Union (EU) is the European Investigation Order (EIO), which will be digitised within the eEDES system. The EIO Directive 2014/41/EU was implemented to create a simpler, unified European framework on the collection of evidence within the EU, backed by the appropriate procedural and fundamental rights standards. In spite of this, there is still a lot of fragmentation in the legal framework as regards digital evidence, especially considering that the EIO does not apply to all countries equally or to the collection of all types of evidence equally. For EU states that have opted out of the EIO Directive, such as Ireland and Denmark, traditional Mutual Legal Assistance (MLA) legal instruments need to be relied upon. The fragmentation is a result of a scattered legal framework which consists of national, European and international laws and regulations, bilateral agreements and multilateral agreements which all play a role in regulating the gathering, analysis and exchange of digital evidence. Countries cooperate by way of MLA in cross-border criminal cases and exchange digital evidence based on these instruments. The choice of instrument depends on the countries involved and the type of information needed. With the EIO now being the leading legal instrument for exchanging evidence, the choice of legal instrument for requesting evidence seems to be clearer. However, uncertainty about this legal instrument and the fact that some Member States have opted out of the EIO Directive are still challenging the exchange of evidence and leading to Member States relying on traditional MLA legal instruments. These MLA legal instruments are slower, as they can take a long time to be executed. This can be problematic considering the volatile nature of digital evidence, which can easily be moved, altered or even deleted.
This Chapter is devoted to understanding the current legal framework for the exchange of digital evidence, including data protection considerations, and the challenges that come with it in the post-EIO implementation era. The focus of this Chapter will be on the European situation, as the EIO Directive will be the central legal instrument discussed in this chapter. This Chapter combines the results of the INSPECTr project and the Evidence 2 E-codex project and also uses experiences from the TREIO project (for the INSPECTr project see https://inspectr-project.eu and INSPECTr Deliverable D2.1: Intelligence Network and Secure Platform for Evidence Correlation and Transfer, Deliverable D2.1, Initial Legislative compliance relating to law-enforcement powers and evidence requirements; for the EVIDENCE 2 E-codex project see https://evidence2e-codex.eu and Deliverables D2.1 and D2.2: EVIDENCE2E-CODEX Deliverable D2.1, Linking EVIDENCE into e-CODEX for EIO and MLA procedures in Europe—Report on implementation of EIO; EVIDENCE2E-CODEX Deliverable D2.2, Linking EVIDENCE into e-CODEX for EIO and MLA procedures in Europe—Report on EIO and MLA; for the TREIO project see https://treio.eu, project ongoing).

M. Tudorica · J. M. Bonnici
University of Groningen, Department of Transboundary Legal Studies, Groningen, The Netherlands
e-mail: [email protected]; [email protected]
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023
M. A. Biasiotti, F. Turchi (eds.), European Investigation Order, Law, Governance and Technology Series 55, https://doi.org/10.1007/978-3-031-31686-9_9

1 Introduction The amount of electronic data in today’s society is massive considering that we use technologies in many aspects of our daily life. This data can potentially help Law Enforcement Agencies (LEAs) to predict, detect, manage and solve crimes. Digital evidential material may be located or stored anywhere in the world due to the very nature of data, modern technologies and growing globalisation. Because of this increased cross-border dimension, sharing information and evidence across borders has become extremely relevant. The gathering, analysis, prioritisation and sharing of data across jurisdictions for criminal investigations is regulated by law and LEAs are bound by law in their activities, considering that LEAs need a variety of powers which can be intrusive when investigating criminal matters. These criminal laws are still very much based upon national laws and traditions, but are also inspired by international and European legal instruments which have been implemented into national law or which are applicable to the countries who are signatories. To date, there is no comprehensive international legal framework for digital evidence, instead there is a patchwork of legal instruments, including bilateral and multilateral agreements, which can be used depending on the countries involved. While a minimum level of harmonisation was achieved by some of the major international legal instruments, all countries have a different legal system1 and have implemented international Acts differently, according to their national laws and traditions. This means that approaches to handling digital evidence vary considerably,

1 Some countries may have a common law legal system where the body of law is mainly derived from case whereas other countries may have a civil law legal system where the body of law is derived from codified legal Acts. Civil law can furthermore be divided within different ‘schools’, by which the body of law is influenced, such as Napoleonic and Germanic law.

Legal Framework for Digital Evidence Following the Implementation of the. . .

129

even amongst countries with similar legal traditions.2 These differences in national approach can potentially challenge cross-border cooperation. Furthermore, to be able to share evidence across borders, countries cooperate by way of Mutual Legal Assistance (MLA), which allows authorities in one country to request evidence from other countries by relying on various international legal instruments or bilateral and multilateral agreement. Requesting evidence helps countries in criminal investigations or proceedings where there is a cross-border dimension. To be able to do so, countries need to rely on legal instruments to be able to exchange evidence. Within the European Union (EU), the leading legal instrument for requesting evidence is the European Investigation Order (EIO) Directive. This legal instrument is still in its infancy as it was introduced only in 2017. The important thing to realise as regards MLA and EIO is that not all countries are signatories or states parties to all international conventions or agreements. This means that those conventions or agreements do not apply to them and cannot be relied upon when exchanging evidence with these countries. Ireland for example has not yet ratified the Cybercrime Convention.3 Even within a European Union (EU), Ireland and Demark have opted out of certain legal instruments within the Area of Freedom, Security and Justice (AFSJ) context, including the EIO Directive. This means that the choice of legal instrument for an exchange of evidence depends on the countries involved in a cross-border case.4 The variety of available legal instruments in the area, exacerbated by the EIO Directive not always being clearly formulated, leads to uncertainty as regards choice of legal instrument, which can potentially challenge cross-border cooperation. 
Finally, the third major challenge to cross-border cooperation is the variety of channels available for exchanges, some of which take longer to answer a request than others. This is the result of fragmentation as regards the actors in the field and the networks used. Gathering digital evidence involves LEAs (including police forces at local, regional and national level, cybercrime units and specialised forces), CSIRTs, prosecution services, the judiciary, administrative authorities acting in their capacity as investigating authority in criminal proceedings (such as customs or tax authorities) and national contact points. In order to issue an EIO or MLA request, the issuing authority needs to send the request to the competent authority in another

2 United Nations Office on Drugs and Crime, Comprehensive Study on Cybercrime, draft February 2013, p. 158.
3 Ireland has signed the Cybercrime Convention, but not ratified it. While signing means that the terms of the Convention have been agreed upon by the States Parties to the convention, ratification is required following national procedures in order to become binding law. Ireland has however implemented the EU’s Directive on Security of Network and Information Systems (NIS), which has provisions that are similar to the provisions of the Cybercrime Convention. As such, Ireland has already partly given effect to the provisions of the Cybercrime Convention. Ratification of the Cybercrime Convention will most likely follow after the entry into force of a new Irish Cybercrime Act. See http://www.justice.ie/en/JELR/Pages/SP19000010.
4 In the case of Ireland for example, MLA to and from Ireland cannot be requested based upon the EIO or the Cybercrime Convention: other legal instruments need to be resorted to.

130

M. Tudorica and J. M. Bonnici

country. The challenge is identifying this competent authority, considering that each country decides how to organise this: some countries may thus have a receiving authority, a national contact point and an actual executing authority. While the European Judicial Network provides an Atlas5 with an overview of these authorities, the information may not always be up to date, for example following national reorganisations. Judicial and police cooperation furthermore often takes place via international and European agencies and bodies which assist Member States in preventing, detecting, investigating and prosecuting cross-border crimes. These agencies and bodies, including Interpol,6 Europol,7 Eurojust8 and ENISA,9 assist in international cooperation and in the gathering and exchange of digital evidence, and have their own regulations for these processes. Apart from informal requests between LEAs, digital evidence is often shared via the secure channels of these agencies and bodies, such as Europol’s Secure Information Exchange Network Application (SIENA), the Camden Asset Recovery Inter-agency Network (CARIN) for more informal requests, the Schengen Information System (SIS) and the e-Evidence Digital Exchange System (eEDES), which is currently being developed by the Commission for EIOs. The secure channels of Interpol or Europol are often favoured for police cooperation and the exchange of information, and there are guidelines available for the working process of international exchanges which are based on best practices and regulations of Interpol and Europol.10 While countries do know their way around the system and channels, and although improvements to simplify and speed up exchanges of evidence have been made to facilitate judicial cooperation, the practical reality remains that there is still room for improvement. Challenges remain, even in the post-EIO era.
This Chapter will look at the status quo of the current regime for exchanging digital evidence, with a more detailed focus on the EIO and its challenges following its introduction in 2017, as the EIO is still taking shape and the platform for digitally requesting an EIO is still being developed by the European Commission (the Commission) and tested

5 Part of which is publicly available. See https://www.ejn-crimjust.europa.eu/ejn/ejn_home.aspx.
6 World’s largest international police organisation under international law, global coordinating body, aiding in mutual assistance, also provides targeted training, expert investigative support, relevant data and secure communications channels and facilitates international police cooperation.
7 The European Police Office (Europol) assists Member States in their fight against serious international crime and terrorism. It also includes the Europol European cybercrime centre (EC3) specialised in cybercrimes.
8 Eurojust assists Member States when dealing with cross border criminal matters by stimulating and improving cooperation and coordination of investigations and prosecutions between Member States, for example by facilitating the execution of international MLAs and extradition requests.
9 The European Network and Information Security Agency (ENISA) is the EU’s centre of expertise for the purpose of ensuring a high and effective level of network and information security within the EU which assists the EU and the Member States and cooperates with the private sector.
10 As indicated by the Estonian respondent in the INSPECTr project, see: Intelligence Network and Secure Platform for Evidence Correlation and Transfer, Deliverable D2.1, Initial Legislative compliance relating to law-enforcement powers and evidence requirements.


by Member States. This Chapter will therefore focus on the legal framework post-EIO: what is the current status quo, what works, what does not work and what are (still) the challenges? The EIO and some of the main MLA legal instruments11 from a European perspective relating to digital evidence will be discussed in paragraph 1. Paragraph 2 will discuss proposed legislation that is currently being drafted and paragraph 3 will discuss data protection considerations relevant to digital evidence. Following this status quo, paragraph 4 will discuss challenges before concluding with the main findings on the current regime. Member State experiences will, where relevant, be used as examples throughout this Chapter, following the answers to the questionnaires used in the INSPECTr and EVIDENCE 2 E-codex projects.

2 European Legal Framework on Digital Evidence

When we speak of the EU legal framework on digital evidence, it is important to note that the EU cannot adopt general EU criminal law. However, with the entry into force of the Lisbon Treaty12 and the creation of an Area of Freedom, Security and Justice (AFSJ) in 2009, the EU can add important value to existing national criminal laws within the limits of its competence. This means that there are a number of EU legal instruments which may be directly or indirectly relevant to digital evidence. This AFSJ introduced a supranational regime for EU criminal law in Title V of the Treaty on the Functioning of the European Union13 (TFEU). The aim of this AFSJ is to ensure a high level of security through measures to prevent and combat crime, through police and judicial coordination, through mutual recognition of judgements in criminal matters and, if necessary, through harmonisation of criminal laws.14 Criminal law and police cooperation are further elaborated upon in Chapters 4 (judicial cooperation in criminal matters) and 5 (police cooperation) of Title V TFEU. While this is certainly progress, nuance is needed as regards the practical realities, considering that judicial and police cooperation are on stringent terms with sovereignty regarding national security, as national security is the sole responsibility of each Member State.15 This means that some subjects can be difficult to agree upon at EU level. Apart from this difficulty, certain Member States have made reservations on the rules regarding the AFSJ.

11 As these MLA legal instruments cannot be left out of the equation considering that they are still in effect and the EIO does not apply to all Member States.
12 Treaty of Lisbon amending the Treaty on European Union and the Treaty Establishing the European Community [2007] OJ C 306/01.
13 Consolidated version of the Treaty on the Functioning of the European Union [2012] OJ C 326/47.
14 Article 67 (3) TFEU.
15 See Article 4 (2) of the Treaty on the European Union (TEU): Consolidated version of the Treaty on European Union [2012] OJ C 326/13.


Ireland, for example, can opt out of any of the instruments and Denmark is only bound by virtue of its commitments under the Schengen Convention.16 With this critical note, police and justice bodies across Europe do tend to work together in preventing and solving cross-border crimes. One of the ways to achieve this kind of cooperation is through harmonisation of laws, in particular when it comes to a number of serious crimes, such as terrorism, organised crime and cybercrime, but also as regards the admissibility of evidence between Member States.17 The latter is based upon the principle of mutual recognition of, for example, judgements and judicial decisions, meaning that evidence collected lawfully in one Member State should be recognised by and admissible in another Member State.18 Harmonisation is achieved by adopting Directives and other measures to the extent necessary to facilitate judicial and police cooperation within the EU. As such, the EU has adopted a number of Directives and other measures with regard to criminal law. The relevant overarching European legal framework concerning digital evidence consists, however, not only of EU legislation, but also of the legal framework of the Council of Europe. When describing the European legal framework as regards digital evidence, the Council of Europe legal instruments cannot be disregarded. The Council of Europe instruments and documents are very important considering its number of members, which include all Member States of the EU.
In particular with regard to cybercrime, the Council of Europe provided a binding international treaty that provides an effective framework for the adoption of national legislation and a basis for international cooperation in this field.19 The importance of the Council of Europe legal framework is emphasised and reiterated by several EU legislative and policy documents, which mention that the Council of Europe’s instruments are the legal framework of reference for combating cybercrime and that EU legislation and policies build on those of the Council of Europe. The Council of Europe Convention on Cybercrime20 (Cybercrime Convention) remains the main (and only) international treaty which defines the procedural provisions for investigating and pursuing cybercrime. Considering that the treatment of digital evidence is the same regardless of whether a cybercrime or a traditional crime took place, the Cybercrime Convention applies when collecting, analysing and exchanging digital evidence.

16 Chalmers et al. (2010, p. 582).
17 See Article 83 (1) TFEU.
18 See Article 82 (1) TFEU.
19 Joint communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of Regions Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace [2013] JOIN(2013) 1 final, p 9–15; see also Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA [2013] OJ L 218, Recital 15.
20 Convention on Cybercrime [2001] ETS No. 185.


Apart from the Cybercrime Convention, the Council of Europe Convention on Mutual Assistance in Criminal Matters21 and its 1978 Protocol22 are also relevant within the context of digital evidence.23 Some of the main legal instruments will be discussed below.

2.1 The EIO Directive

Currently, the leading legal instrument relating to digital evidence within the EU is the EIO Directive,24 which was implemented to address fragmentation and create a simpler, unified European framework on the collection of evidence abroad, backed by the appropriate procedural and fundamental rights standards. The Directive was introduced in May 2017 to replace the existing instruments in this area25 and sets up a comprehensive system that allows EU Member States to obtain evidence in criminal cases at all stages of criminal proceedings in other Member States. The purpose of an EIO is to have one or several specific investigative measures carried out in another Member State. The EIO thus enables judicial authorities in one Member State (the issuing state) to request that evidence be gathered in and transferred from another Member State (the executing state), based upon the principle of mutual recognition of decisions taken to obtain evidence. In principle, the EIO applies to all investigative measures aimed at gathering evidence, except when it comes to gathering evidence in Joint Investigation Teams (JITs). According to Article 4 of the EIO Directive, an EIO may be issued in cases concerning both natural and legal persons in:

• criminal proceedings in respect of a criminal offence under national law;
• administrative proceedings in respect of punishable acts under national law;
• judicial proceedings in respect of punishable acts under national law.

The EIO improves on existing EU laws covering this field by ensuring quick, effective and consistent cooperation between Member States. These objectives

21 European Convention on Mutual Assistance in Criminal Matters [1959] ETS No. 030.
22 Additional Protocol to the European Convention on Mutual Assistance in Criminal Matters [1978] ETS No. 099.
23 Council of Europe Data Protection and Cybercrime Division, Electronic Evidence Guide: A basic guide for police officers, prosecutors and judges, version 1.0, Strasbourg, France, 18 March 2013.
24 Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters [2014] OJ L131/1.
25 A number of (corresponding provisions of) other legal instruments were replaced by the EIO Directive; this includes the European Convention on Mutual Assistance in Criminal Matters (including Protocols and bilateral agreements); the Convention implementing the Schengen Agreement; the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union and its protocol; and the European Evidence Warrant Framework Decision. See Article 34 of the EIO Directive.


are ensured by setting strict deadlines for gathering the evidence requested and by limiting the grounds for refusing such requests. This is necessary to ensure that the issuing Member State can meet its procedural deadlines. The EIO also reduces paperwork by introducing a single standard form for authorities to request help when seeking evidence. While the Directive aims at introducing a single regime for gathering evidence, additional rules and practical arrangements between Member States may be necessary for certain types of investigative measures, considering the differences in national laws. If this is the case, this should be mentioned in the EIO. Furthermore, the EIO Directive is replacing, but not repealing, traditional MLA mechanisms. According to Espina, traditional MLA mechanisms are still in effect because the EIO Directive cannot repeal MLA Conventions due to the formal rules of withdrawal, and because the EIO Directive is not binding on all Member States, among other things.26 As of the entry into force of the EIO Directive, the EIO Directive takes precedence over some of the other legal instruments, and the corresponding provisions of these instruments were replaced by the EIO Directive for the Member States bound by it. This means that countries that are bound by the EIO Directive need to request judicial cooperation via the EIO system and that for those countries the corresponding provisions of the EIO Directive apply. The traditional MLA mechanisms remain in force for those countries to which the EIO Directive does not apply, such as Ireland and Denmark, and for exchanges with third (non-EU) countries. The fact that the EIO is not binding on all Member States adds the complexity that the EIO cannot be used when sharing digital evidence with these countries.
This means that, upon sending a request for cooperation, the issuing state needs to check whether or not the EIO can be used for the request and, if not, which MLA legal instrument to use. This co-existence of different legal instruments can complicate judicial cooperation. Nevertheless, the EIO Directive is currently the leading legal instrument when it comes to cross-border investigative measures within criminal proceedings aimed at gathering evidence among Member States bound by the EIO, and those Member States should, in theory, give precedence to the EIO over other MLA mechanisms.27 When issuing an EIO, Annex A to the Directive needs to be completed and sent. Having one uniform template for sending and receiving an EIO has some advantages, including, among other things, saving translation costs. This standard form includes information about the issuing authority, the object of and reasons for the EIO, the necessary information available on the person(s) concerned, a description of the criminal act and of the investigative measures and evidence to be obtained. The Commission is currently working on the e-Evidence Digital Exchange System (eEDES),28 a secure online portal for electronic requests and responses

26 Espina Ramos (2019, p. 53).
27 See Recital 35 EIO Directive.
28 See for more information on eEDES: https://ec.europa.eu/info/policies/justice-and-fundamental-rights/criminal-justice/e-evidence-cross-border-access-electronic-evidence_en.


for obtaining digital evidence. The standard EIO form is to be integrated within this platform. An EIO needs to be necessary and proportionate, and the requested investigative measures must be ones that could have been ordered under the same conditions in a similar national case.29 The executing authority is then obliged to recognise the EIO without further delay and execute it within the time limits set out in Article 12 of the Directive, unless one of the grounds mentioned in Article 11 applies.30 The executing Member State responds to the request by acknowledging its receipt and by completing Annex B to the Directive. Considering the differences in national criminal laws, an EIO may request an investigative measure that does not exist under the law of the executing Member State. If that is the case, Article 10 determines that the executing authority has recourse to another, similar investigative measure. According to Articles 7 and 13 of the EIO Directive, the resulting evidence can be transferred by any relevant means of transmission for the exchange of evidence. Some examples of these means of transmission include the secure telecommunications system of the European Judicial Network, Eurojust, or other channels used by judicial authorities or LEAs. While in theory the EIO seems fairly clear and straightforward, in reality there are certain practical difficulties. These challenges will be discussed in paragraph 3.

2.2 Traditional MLA Mechanisms

In case the EIO does not apply, because the scope or type of proceedings does not fall within the Directive or because the EIO does not apply to the country involved in the request, traditional MLA mechanisms remain in force. MLA instruments are often favoured by national systems as they ensure the maximum respect of the sovereignty of states and are more flexible as regards measures, form and correspondence. The downside of traditional MLA mechanisms is that they often take a long time to be executed. This can be problematic considering the volatile nature of digital evidence, which can easily be moved, altered or even deleted. As these mechanisms are still in use, depending on the countries involved, the most relevant MLA legal instruments will be briefly discussed in this paragraph. The Convention on mutual assistance in criminal matters31 (EU 2000 Convention) was adopted in order to improve judicial cooperation in criminal matters within the EU.32 The EU 2000 Convention was based on the principles of and

29 Article 6 EIO Directive.
30 See Article 9(1) EIO Directive.
31 Convention established by the Council in accordance with Article 34 of the Treaty on European Union, on Mutual Assistance in Criminal Matters between the Member States of the European Union [2000] OJ C 197/3.
32 Council Act of 29 May 2000 establishing in accordance with Article 34 of the Treaty on European Union the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union [2000] OJ C 197/1.


designed to supplement the European Convention on Mutual Assistance in Criminal Matters and its additional Protocol,33 a Council of Europe instrument which will be discussed below. Based on the EU 2000 Convention, Member States may request mutual assistance from each other in criminal matters and criminal proceedings.34 Within the context of this Convention, a requesting Member State may request mutual assistance from a requested Member State, which needs to comply with the formalities and procedures indicated by the requesting Member State. Requests for mutual assistance are made in writing, transmitted and executed directly between judicial authorities with territorial competence, or via the central authorities of Member States, or, in case of emergency, via Interpol, Eurojust or Europol.35 The requested Member State then needs to execute the request for assistance as soon as possible. The Schengen implementing Convention36 ensures the security of those living or travelling in the Schengen Area, an area without internal borders. This includes rules on tightened controls at common external borders and on enhancing police and judicial cooperation. This facilitates cross-border police cooperation, for example as regards missing persons or criminal offences, and allows for faster judicial cooperation via the Schengen Information System (SIS), including a faster extradition system and exchange of evidence. Within this context LEAs assist each other for the purpose of preventing and detecting criminal offences and can request assistance. To facilitate this, the SIS was introduced to enable competent authorities to enter and consult alerts on certain categories of wanted or missing persons and objects.
The large, secure and protected EU database, which also includes an Automated Fingerprint Identification System (AFIS), is exclusively accessible to authorised users within competent authorities, such as national border control, police, customs, judicial, visa and vehicle registration authorities. Europol and Eurojust also have limited access

33 Article 1 Convention established by the Council in accordance with Article 34 of the Treaty on European Union, on Mutual Assistance in Criminal Matters between the Member States of the European Union (2000/C 197/01) [2000] OJ C 197/3.
34 Article 3 Convention established by the Council in accordance with Article 34 of the Treaty on European Union, on Mutual Assistance in Criminal Matters between the Member States of the European Union (2000/C 197/01) [2000] OJ C 197/3.
35 Articles 5 and 6 Convention established by the Council in accordance with Article 34 of the Treaty on European Union, on Mutual Assistance in Criminal Matters between the Member States of the European Union (2000/C 197/01) [2000] OJ C 197/3.
36 The Schengen acquis—Convention implementing the Schengen Agreement of 14 June 1985 between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders [2000] OJ L 239/19. See also: Regulation (EC) no 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II) [2006] OJ L 381/4; Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System (SIS II) [2007] OJ L 205/63; Regulation (EC) No 1986/2006 of the European Parliament and of the Council of 20 December 2006 regarding access to the Second Generation Schengen Information System (SIS II) by the services in the Member States responsible for issuing vehicle registration certificates [2006] OJ L 381/1.


rights to carry out certain types of queries on specified alert categories. SIS allows the use of biometrics, new types of alerts and the possibility to link different alerts. Member States supply information to the system through national networks (N-SIS) connected to a central system (C-SIS). The limitations of this system are that it is used for specific types of exchanges, that not all Member States are part of the Schengen Area (yet) and that not all countries operate the SIS fully.37 The European Arrest Warrant (EAW) is a judicial decision issued by a Member State with a view to the arrest and surrender by another Member State of a requested person, for the purposes of conducting a criminal prosecution or executing a custodial sentence or detention order.38 The EAW simplifies and speeds up the procedures whereby EU citizens who have committed a serious crime in another Member State can be returned to that country to face justice. An EAW may be issued for acts that are punishable in the Member State issuing the EAW. Article 2 of the EAW Decision provides the scope of the EAW and lists a number of offences that give rise to surrender39 pursuant to the EAW; these include, for example, participation in a criminal organisation, terrorism and sexual exploitation of children and child pornography. Transmission of the EAW may be effected via the secure system of the EJN or Interpol.40 The EAW Decision has been heavily criticised. In fact, it has prompted more challenges before constitutional Courts of the Member States than any other EU law.
The most important concern in this regard relates to trust in the prosecutorial and judicial process of the issuing state, mainly in that there might be insufficient guarantees that the surrendered person will receive a fair trial in the issuing state.41 The Decision on exchange of information and intelligence42 aims at simplifying the rules based on which LEAs can effectively exchange information and intelligence in criminal investigations and criminal intelligence operations. This is of particular relevance considering the need for timely access to accurate and up-to-date information as well as intelligence in order to detect, prevent and investigate crimes.43 According to this Decision, police, customs and other authorities authorised by national law to detect, prevent and investigate crimes can request information and intelligence from their counterparts in other Member States. Information and intelligence within the meaning of this Decision is any type of information or data held by LEAs, public

37 For more in-depth analysis of these limitations see for example: Velicogna (2014, pp. 185–215) and Bellanova and Glouftsios (2022, pp. 160–184).
38 Article 1 (1) EAW Decision.
39 Surrender of the suspect by one police force to another foreign police force.
40 Article 10 (3) EAW Decision.
41 Chalmers et al. (2010, cit., p. 599) and De Sousa Santos (2010).
42 Council Framework Decision 2006/960/JHA of 18 December 2006 on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union [2006] OJ L 386/89.
43 Article 1 (1) and Recital 4 Council Framework Decision 2006/960/JHA of 18 December 2006 on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union [2006] OJ L 386/89.


authorities or private entities which is available to LEAs. Based on this Decision, Member States need to ensure that the conditions for those requests are not stricter than for requests at national level.44 This means that competent authorities need to treat requests for information or intelligence from another Member State the same as requests within their own Member State. Additionally, they also need to respond within eight hours for urgent cases and within one week for non-urgent cases. Following Article 6 of the Decision, exchange can take place via any existing channels for international cooperation, using the form annexed to the Decision. The European Convention on Mutual Assistance in Criminal Matters45 is a Council of Europe legal instrument which has a wider reach than the EU’s legal instruments, considering that it has 50 Contracting Parties, including all of the EU Member States. The Contracting Parties to the Convention agree to afford each other the widest measure of mutual assistance in criminal matters.46 Mutual assistance under this Convention can be requested by way of letters rogatory sent to the requested Party.47 This means that the requesting Party can send a letter rogatory relating to a criminal matter for the purpose of obtaining evidence, including the hearing of witnesses, experts, etc. The 1978 and 2001 Additional Protocols48 improved the Convention, in particular as regards the way in which mutual assistance can be requested, which makes it easier, quicker and more flexible in view of technological developments and better takes data protection into account. With the 2001 Additional Protocol, requests for mutual assistance are made in writing by the Ministry of Justice of the requesting Party to the Ministry of Justice of the requested Party and are returned via the same channels.49 In urgent cases, requests can also take place via Interpol.50 While modernisations have improved the Convention, this traditional MLA system remains a slow process.
The Cybercrime Convention51 is the first and most important international legally binding treaty in the field of cybercrime considering its large reach, beyond the

44 See Article 3 Council Framework Decision 2006/960/JHA of 18 December 2006 on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union [2006] OJ L 386/89.
45 European Convention on Mutual Assistance in Criminal Matters [1959] ETS No. 030.
46 Article 1 (1) European Convention on Mutual Assistance in Criminal Matters [1959] ETS No. 030.
47 Article 3 (1) European Convention on Mutual Assistance in Criminal Matters [1959] ETS No. 030.
48 Additional Protocol to the European Convention on Mutual Assistance in Criminal Matters [1978] ETS No. 099 and Second Additional Protocol to the European Convention on Mutual Assistance in Criminal Matters [2001] ETS No. 182.
49 Article 4 (1) Additional Protocol to the European Convention on Mutual Assistance in Criminal Matters [2001] ETS No. 182.
50 Article 4 (7) Additional Protocol to the European Convention on Mutual Assistance in Criminal Matters [2001] ETS No. 182.
51 Convention on Cybercrime [2001] ETS No. 185. As of 2021, the Cybercrime Convention has 65 ratifications and 3 signatures not yet followed by ratification.


EU. The Cybercrime Convention harmonises the national criminal law of offences and connected provisions in the area of cybercrime in all the States Parties to the Convention and improves international cooperation between those countries. Within the context of digital evidence this Convention is of particular importance considering that cybercrimes, by their nature, generate digital evidence. Moreover, the Cybercrime Convention may also apply to digital evidence that is not necessarily born out of a cybercrime, as it provides for national procedural law powers that are necessary for the investigation and prosecution of offences committed by means of a computer system or of offences for which evidence exists in digital form.52 The Cybercrime Convention is addressed to the States Parties as an ‘assignment’ to take measures at national level which reflect the content of the Convention, thus harmonising the national laws of the States Parties to the Convention. States Parties are furthermore bound to cooperate with each other in accordance with Articles 24–35 of the Cybercrime Convention and other relevant legal instruments applicable to them. According to the general principles, States Parties need to afford each other mutual assistance to the widest extent possible, for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data or for the collection of digital evidence of a criminal offence. The Cybercrime Convention was updated in 2021 by way of the Second Additional Protocol to the Cybercrime Convention53 in order to improve technological capacity and cooperation between governments and with service providers.

3 Proposed Legislation

While the EIO does make things easier by introducing a simplified system which takes precedence over traditional MLA mechanisms, the reality remains that the system is not infallible and that challenges remain, as will be discussed in paragraph 5. According to the Commission, more than half of all criminal investigations today include a cross-border request to access digital evidence, such as texts, e-mails or messaging apps. The Commission is therefore proposing new rules with the aim of making the exchange of digital evidence easier and faster for police and judicial authorities.54 To be able to use digital evidence held in another country in court, a request needs to be made to the country holding the digital evidence, using the legal instruments described in this report. Taking this ‘shift’ to a more digital nature

52 See Council of Europe, “Explanatory report to the Convention on Cybercrime” (ETS No 185), p. 4. 53 Second Additional Protocol to the Convention on Cybercrime on enhanced co-operation and disclosure of electronic evidence. The Second Additional Protocol was opened for signature in May 2022. 54 See: https://ec.europa.eu/info/policies/justice-and-fundamental-rights/criminal-justice/e-evidence-cross-border-access-electronic-evidence_en.


M. Tudorica and J. M. Bonnici

of evidence into account, the Commission proposed new rules along two paths: international negotiations and internal rules. International negotiations aim at improving cooperation with third (non-EU) countries, including the United States of America (USA), as crimes do not stop at EU borders. As such, the Commission proposed two sets of negotiations. The first is an agreement between the EU and the USA on cross-border access to digital evidence for judicial cooperation in criminal matters,55 which aims at avoiding conflicting obligations for service providers between the EU and the USA. The second is an authorisation to participate in negotiations on a Second Additional Protocol to the Cybercrime Convention,56 which aims at more effective MLA, including for example direct cooperation with service providers in other jurisdictions. The Second Additional Protocol was approved by the Committee of Ministers on 17 November 2021 and was opened for signature in May 2022. For improving the internal rules to make cross-border evidence gathering within the EU easier and faster, the Commission proposed a Regulation57 and a Directive58 creating European Production and Preservation Orders for digital evidence in criminal matters, as well as harmonised rules on legal representatives for gathering evidence in criminal proceedings. These new legal instruments will not replace the EIO Directive, but will provide an additional tool for authorities. A production order is an instruction from an issuing authority, such as an LEA, to a service provider to deliver or make available certain information which is considered to be digital evidence. A preservation order requires the service provider to preserve the digital evidence in view of a subsequent request for production.59 These tools are considered necessary because network-based services can be provided from anywhere in the world.

As a consequence, the digital evidence is often stored outside the jurisdiction of the Member State investigating a crime. The investigating authority therefore needs to request mutual assistance from the Member State where the service provider is based. In view of the growing volume of digital evidence, such requests through the official channels can take a long time. Combined with the lack of a clear framework for cooperation with service providers, this makes it challenging for service providers to comply with LEA requests,

55 Recommendation for a Council Decision authorising the opening of negotiations in view of an agreement between the European Union and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters, COM(2019) 70 final. 56 Recommendation for a Council Decision authorising the participation in negotiations on a second Additional Protocol to the Council of Europe Convention on Cybercrime (CETS No. 185), COM(2019) 71 final. 57 Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters, COM (2018) 225 final. 58 Proposal for a Directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings, COM (2018) 226 final. 59 See Article 2 of the Proposed Regulation.


in particular LEAs from another country. The new Regulation will allow LEAs to approach service providers directly, without the involvement of a judicial authority in another Member State. The Directive will lay down harmonised rules obliging service providers in the EU to designate at least one legal representative for the receipt of, compliance with and enforcement of production and preservation orders and any other orders issued in the context of gathering evidence in criminal proceedings. Having legal representatives means that LEAs will have a clear point of contact for addressing service providers. This legislation still has a long way to go before it can be adopted. The European Parliament has raised a considerable number of comments on these proposals.60 It is therefore difficult to say what this legislation will eventually look like and how it will work in practice.

4 Privacy and Data Protection

When investigating crimes and gathering evidence, LEAs need to exercise their investigative powers and procedures with regard for human rights and fundamental freedoms. Article 11 (1) (f) of the EIO Directive even determines that one of the grounds for not recognising or not executing an EIO is that the investigative measure indicated in the EIO would violate fundamental rights and freedoms as recognised by the Charter of Fundamental Rights of the European Union (the Charter).61 While that provision does not single out particular fundamental rights, the rights to privacy and data protection are essential within the context of digital evidence, considering that digital evidence, by its nature, consists of data, which is prone to privacy and data protection violations. One of the reasons for this is that digital evidence in criminal cases hardly ever stands alone. It exists for example on a device or in an account that contains a lot of information: not only the name and personal information of the person who owns the device or uses the account may be part of the data, but also information on other people. Most human rights and fundamental freedoms are however not absolute, meaning that, depending on the circumstances, public authorities may interfere with them.62 As such, investigations and the gathering of digital evidence need to be necessary and proportionate to purposes compatible with the prevention, investigation, detection and prosecution of crimes. This means, among other things, that only the necessary information may be gathered and that privacy and data protection need to

60 See https://www.europarl.europa.eu/doceo/document/A-9-2020-0256_EN.html#title3 and https://www.europarl.europa.eu/doceo/document/LIBE-AM-644870_EN.pdf. 61 Charter of Fundamental Rights of the European Union [2000] OJ C 364/01. 62 Interference may take place if it is provided for by law; necessary and proportionate in a democratic society and in the interests of national security, public safety or the economic wellbeing of the country; for the prevention of disorder or crime; for the protection of health or morals; or for the protection of the rights and freedoms of others.


be taken into account by following certain conditions and safeguards.63 Following these conditions and safeguards can be challenging, in particular in high-impact cases which pose a threat to national security, such as terrorism, where swift action may be required. In such cases a balance needs to be struck between security and fundamental rights, considering that the two need to be able to coexist: security can only be sound and effective if it is based on fundamental rights and freedoms, and individuals’ rights cannot be safe without security, including safe networks and systems. Security measures thus need to be proportionate and guided by core values such as human dignity, freedom, democracy, equality, the rule of law and respect for fundamental rights. Privacy and data protection mean that everyone has the right to respect for his private and family life, his home and his correspondence64 and that everyone has the right to the protection of personal data concerning him or her.65 The right to data protection was further elaborated upon in the Council of Europe Convention for the protection of individuals with regard to the processing of personal data (Convention 108+)66 and in the EU Data Protection Directive 95/46/EC,67 which has been replaced by the General Data Protection Regulation (GDPR)68 and the Law Enforcement Directive (LED).69 The GDPR lays down general rules for data protection: it provides rules for the protection of personal data70 and the free movement of such data. It is legally binding in its entirety, applies automatically and uniformly

63 Safeguards include for example judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of investigative powers and procedures. 64 Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms [1950] ETS No. 005 and Article 7 of the Charter of Fundamental Rights of the European Union [2000] OJ C 364/01. 65 Article 8 of the Charter of Fundamental Rights of the European Union [2000] OJ C 364/01 and Article 16 (1) of the Consolidated version of the Treaty on the Functioning of the European Union [2012] OJ C 326/47. 66 Convention for the protection of individuals with regard to automatic processing of personal data [1981] ETS No. 108. Convention 108 was modernised in 2018 by the adoption of the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data [2018] ETS No. 223 and is now referred to as Convention 108+. 67 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31. 68 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1, hereinafter GDPR. 69 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA [2016] OJ L 119/89. 70 Personal data is any information that can directly or indirectly identify or help to identify a person. Indirectly identifiable means that the data relates to an individual but does not necessarily immediately identify that individual. Such data is also considered personal data, since an individual can still be identified by combining the data with other sources.

to all Member States without the need for implementation into national law. The GDPR applies to data processing that is wholly or partly by automated means and to processing other than by automated means which forms or will form part of a filing system.71 It does not apply to data processing by competent authorities for the purpose of prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, or for safeguarding against and preventing threats to public security.72 This means that data processing by LEAs when investigating crimes falls outside the scope of the GDPR and is covered by the LED. If LEAs or other competent authorities process data for purposes other than the aforementioned ones, then the GDPR applies. This means that the GDPR, on some occasions, may apply to data processing by LEAs, but that the main data protection instrument to consider is the LED, in particular when collecting, analysing and sharing digital evidence for investigative purposes. In order to prevent, investigate, detect and prosecute crimes and to protect against threats to public security, LEAs need to be able to gather and share data, including across borders. This needs to be facilitated while ensuring data protection. The LED was therefore adopted to protect citizens’ data when it is used by LEAs. The LED strengthens the rights of data subjects and the obligations of LEAs when processing the data. This Directive was adopted due to the specific nature of data processing in the area of judicial and police cooperation, which needed specific rules as opposed to the general rules in the GDPR.73 Moreover, it applies to all authorities that process personal data for the purpose of prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties and safeguarding against and preventing threats to public security.

Any data processing which falls outside this scope is covered by the GDPR.74 The Directive is aimed at harmonising rules to protect data that is processed within the context of law enforcement and at ensuring that data can be exchanged among competent authorities.75 Similar to the GDPR, the Directive includes rights for data subjects and obligations for controllers and processors.76 The Directive determines that processing of personal data, within the context of the LED, needs to be lawful and fair.77 It does not prevent investigations; rather, it facilitates LEAs carrying out their activities, including for example covert operations, as long as the

71 See Recital 15 GDPR. 72 See Article 2 GDPR. 73 See recital 10 LED. 74 See recital 11 LED. 75 See recital 15 LED. 76 See recital 7 LED. 77 See recital 26 LED.


data is collected for and processed in a manner that is compatible with specified, explicit and legitimate purposes.78 Data furthermore needs to be adequate, relevant and not excessive, meaning that no excessive data should be collected and that the data is not kept longer than necessary. This includes data processed beyond the context of prevention, investigation, detection or prosecution of criminal offences, as this is sometimes necessary in order to develop an understanding of criminal activities and to make links between different criminal offences. This data also needs to be accurate, considering the great impact inaccuracy may have: it may include statements that are based on the subjective perception of persons, which are not always verifiable. Article 7 of the LED therefore determines that a distinction needs to be made between personal data based on facts and personal data based on personal assessments. Data that is inaccurate, incomplete or no longer up to date needs to be erased or rectified and cannot be transmitted or made available. As to the erasure of data, it needs to be ensured, using appropriate time limits, that the data is not kept for longer than necessary, depending on the purpose for processing.79 Similar to the GDPR, the LED also provides that appropriate security needs to be ensured by using appropriate technical and organisational measures, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage.80 The Directive applies to the processing of personal data of data subjects.

While the GDPR speaks of data subjects in general, the Directive distinguishes different categories of data subjects, as this is inherent to processing within the law enforcement context: a clear distinction needs to be made between suspects, convicts, victims, witnesses, informants, associates, etc.81 While the GDPR, in principle, prohibits the processing of special categories of data, the Directive allows this where strictly necessary, subject to appropriate safeguards and only if authorised by law, to protect the vital interests of the data subject, or if this data was already made public by the data subject.82 Being able to share information among LEAs across the globe is of the utmost importance, considering that digital evidence, due to its very nature, is not bound by borders. Chapter V of the Directive therefore provides for transfers of personal data to third countries. Transfers to third countries can only take place if they are necessary for the purpose of prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties and safeguarding against and preventing threats to public security, and if the data is sent to a competent authority which is charged, according to national law, with this purpose.83 Similar to the GDPR, transfers are allowed on the basis of an adequacy decision taken by the Commission84 or, in the

78 Ibidem. 79 Article 5 LED. 80 Article 29 LED. 81 Article 6 LED. 82 Article 10 LED. 83 Article 35 LED. 84 Article 36 LED.


absence of an adequacy decision, if appropriate safeguards have been taken.85 If there is no adequacy decision and no appropriate safeguards have been taken, the transfer can only take place if it is necessary to protect the vital interests of the data subject or other persons, to safeguard the legitimate interests of the data subject, to prevent an immediate and serious threat to public security, or, in individual cases, for the purpose of prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties and safeguarding against and preventing threats to public security, or for the establishment, exercise or defence of legal claims relating to this purpose.86 These derogations are interpreted restrictively and should be limited to what is strictly necessary. Apart from the decision concerning the United Kingdom, for which the Commission opened the procedure, there are currently no adequacy decisions covering data exchanges in the area of law enforcement.87 This means that transfers to third countries should, in principle, only take place after authorisation by the Member State from which the data were obtained, unless there is an immediate threat. If there is an adequacy decision in place, transfers can take place without such authorisation. In the absence of an adequacy decision in the area of law enforcement, transfers are allowed if appropriate safeguards have been provided in a legally binding instrument, such as bilateral or multilateral agreements, including cooperation agreements between Europol or Eurojust and third countries. It should furthermore be noted that all EU Member States are affiliated with Interpol and that Interpol receives, stores and circulates personal data to assist competent authorities in preventing and combating international crime. Interpol thus aids in an efficient exchange of data.

As a result of the LED, which has been implemented into the national laws of the Member States, and in order to keep the data processed by LEAs secure, safeguards such as access controls have been built into LEA databases.88 Many Member States, if not all, have their own rules on access to databases. This includes access restrictions with strong authentication, determining who has access to which database and which files, and with whom data may be shared under which circumstances. While these rules are necessary in our technology-driven world, the data protection legislation also has side effects which can negatively impact LEA investigations. For example, controllers are encouraged to take technical and organisational measures such as anonymisation, pseudonymisation, and measures on the storage and deletion of data after a certain period of time. While these are good measures from a data protection perspective, the adverse effect is that the data

85 Article 37 LED. 86 Article 38 LED. 87 See https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. 88 See answers provided to the questionnaire in the INSPECTr project: Intelligence Network & Secure Platform for Evidence Correlation and Transfer, Deliverable D2.1, Initial Legislative compliance relating to law-enforcement powers and evidence requirements.


may no longer be available to LEAs following data retention rules. This could make investigations more difficult.

5 Challenges to the Current Regime

Following the status quo analysis above, this paragraph aims at providing an overview of challenges to the current regime on digital evidence. Paragraphs 1–3 above described part of the landscape for regulating digital evidence, with the emphasis on ‘part’, considering that there are many more rules, including national laws and bilateral and multilateral agreements, that have not been discussed here. They cover the most relevant legal instruments within the European context, which have resulted in harmonisation, approximation and modernisation of laws. However, what has become evident is that there is still fragmentation in the field and that there are still pieces of the puzzle missing. This fragmentation is not only evident on a European level, but also on a national level, considering that the legal instrument chosen for the EIO was a Directive.89 This means that Member States needed to implement the Directive into national law. The problem is that not all Member States implement the Directive in the same way, and that some Member States even have fragmentation within their own national laws: the Czech Republic, for example, has implemented the EIO Directive in 42 national laws. In addition, there is often no English version of the implementing text available, meaning that Member States cannot see the nuances in implementation and the differences among them, which may lead to obstacles in carrying out EIOs.90 In its form, the EIO is seen as a major improvement, in particular when it comes to the recognition of requests, the standard form and the time limits set, all of which result in simpler and speedier digital evidence exchanges. However, while the form of the EIO is seen as an improvement, there are still a number of challenges.

The first is that, even with modern technologies within reach, some Member States may still deal with EIOs manually, considering that there are still few standards on the transfer of digital evidence. The problem is that manually dealing with EIOs takes

89 As opposed to a Regulation for instance, which is directly applicable in all Member States. 90 See for more information on EIO practices in Member States: Report from the Commission to the European Parliament and the Council on the implementation of Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters (COM/2021/409 final), available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021DC0409&qid=1650539233383; Eurojust, European Judicial Network, Joint Note of Eurojust and the European Judicial Network on the practical application of the European Investigation Order, 2019, ISBN: 978-92-9490-398-3, available at https://www.eurojust.europa.eu/sites/default/files/assets/eurojust_ejn_joint_note_practical_application_european_investigation_order.pdf; Eurojust, Report on Eurojust’s casework in the field of the European Investigation Order, 2020, ISBN: 978-92-9490-502-4, available at https://www.eurojust.europa.eu/sites/default/files/2020-11/202011_EIO-Casework-Report_CORR_.pdf.


longer and is more prone to errors. Even the actual exchange of evidence is still often done by creating a forensic copy of the original source of evidence and delivering it by hand. This not only delays the process but is also more expensive. The EC is currently working on digitising the EIO in the eEDES system, which will most likely improve this situation. The second challenge, in spite of the form of the EIO, is language barriers. Article 5 of the EIO Directive determines that Member States need to list at least one official language of the institutions of the EU, in addition to their own language, for completing or translating the EIO when executing an EIO. Not all Member States have however complied with this obligation, which may also lead to obstacles in the execution of an EIO.91 As a result, challenges sometimes include bad or inaccurate translations and issues with interpretation following translation.92 The EIO Directive has furthermore been highly debated. Some general comments include for example the absence of an impact assessment and the lack of studies or empirical research to support the need for the EIO regime before it was adopted.93 Scepticism was furthermore expressed regarding the need for a new legal instrument, as well as the suitability of mutual recognition in this area.94 As regards the content of the Directive, several notions, including necessity, proportionality and recourse to an investigative measure, are criticised for being too vague, while other notions, such as admissibility of evidence, are criticised for not having been included in the Directive although they should have been.95 The vague formulation of some of the provisions in the Directive has led to the criticism that it might be difficult for LEAs to determine the scope of the measures covered by the EIO and whether MLA should be resorted to instead.

In other words, there may be uncertainty or lack of clarity among LEAs as to the scope of the EIO, which may lead to MLA requests where an EIO should have been used. Furthermore, as regards necessity and proportionality, there seems to be a concern that issuing authorities do not always weigh necessity and proportionality when issuing an EIO, due to pressure on human and financial resources.96 Not only do vague formulations cause uncertainty among LEAs; so does the identification of the competent executing authority and the relevant transmission channels. In order to issue an EIO or MLA request, the issuing authority needs to send the

91 See EVIDENCE2E-CODEX deliverable D2.1, linking EVIDENCE into e-CODEX for EIO and MLA procedures in Europe: report on implementation of EIO, pp. 33–36. 92 Some best practices have been developed to handle translation issues, this includes a request for a new translation and asking Eurojust for assistance. This can however delay the process even further. See EVIDENCE2E-CODEX Deliverable D2.1, Linking EVIDENCE into e-CODEX for EIO and MLA procedures in Europe: report on implementation of EIO, p. 30. 93 Ruggeri (2014, p. 8). 94 Schunemann (2014, p. 29) and Arasi (2014, p. 135). 95 See for more on this debate: EVIDENCE2E-CODEX deliverable D2.1, linking EVIDENCE into e-CODEX for EIO and MLA procedures in Europe: report on implementation of EIO. 96 See EVIDENCE2E-CODEX deliverable D2.1, linking EVIDENCE into e-CODEX for EIO and MLA procedures in Europe: report on implementation of EIO, p. 30.


request to the competent authority in another country. Member States determine who the competent authorities are, meaning that it could be the public prosecution service, an office within a Ministry, or any other authority according to national law. Some Member States may even have a receiving authority, a national contact point and an actual executing authority. This distinction may be unclear, and the information on competent authorities may not always be up to date, in spite of the EJN’s best efforts. As a consequence, there may be difficulty or confusion in identifying where and how to send an EIO, which may cause delays and may lead to MLA requests where an EIO should have been used. This is further exacerbated by complex EIOs, for example when there are several persons concerned, several measures requested or several competent authorities involved. Such EIOs are difficult to communicate clearly and to respond to in a timely manner.97 Examples from respondent Member States in the EVIDENCE2E-CODEX project have indicated that this lack of certainty has led some issuing authorities to issue an MLA request instead of an EIO, which in many cases can be safely transmitted to the requested state through the Ministry of Justice. Not only do MLA mechanisms take longer to be executed, which is undesirable when dealing with digital evidence; another consequence of opting for a different instrument than the one that should have been used is the impact it could have on evidence admissibility in later proceedings. One of the reasons for opting for MLA instead of an EIO may be found in the fact that the co-existence of different legal instruments can complicate judicial cooperation. This co-existence is necessary considering that the EIO does not apply to all Member States98 and follows from Article 34 of the EIO Directive, which determines the relationship between the EIO Directive and other legal instruments.

According to this Article, the EIO Directive replaces the corresponding provisions of the EU 2000 Convention, the Schengen Implementing Convention and the European Convention on Mutual Assistance in Criminal Matters, as well as bilateral agreements based on the latter Convention. The Directive is however not clear about what the ‘corresponding provisions’ are, which may lead to further confusion.99 While, in theory, Member States should give precedence to the EIO over MLA mechanisms, the reality remains that Member States resort to traditional MLA mechanisms instead as the ‘safer’ option.100 Substantively, there is also some criticism of the Directive. The main point is that the EIO was deemed a prosecution mechanism with limited grounds of refusal and no due regard to the rights of the defence, the principle of equality of arms or the

97 See EVIDENCE2E-CODEX deliverable D2.1, linking EVIDENCE into e-CODEX for EIO and MLA procedures in Europe: report on implementation of EIO, p. 31. 98 I.e. Ireland and Denmark. 99 See EVIDENCE2E-CODEX deliverable D2.1, linking EVIDENCE into e-CODEX for EIO and MLA procedures in Europe: report on implementation of EIO, p. 29. 100 See Recital 35 EIO directive. For a more extensive overview of challenges see Guerra and Janssens (2019, pp. 46–53).


right to privacy.101 According to Article 1 (3) of the Directive, an EIO may also be requested by (the lawyer of) a suspected or accused person. Article 1 (1) determines however that the EIO is a judicial decision which has been issued or validated by a judicial authority. In some Member States, the public prosecution service is the sole issuing and thus the sole validating authority, as opposed to an impartial judge. As a consequence, the risk is that the defence needs to disclose (part of) its defence strategy to the prosecution, as the validating authority, in order to request an EIO, whereas the prosecution can make a direct request.102 This can be seen as an inequality of arms for the defence. What is also not included in the EIO Directive is a clear cooperation mechanism between LEAs and Internet Service Providers (ISPs), which is deemed necessary considering that data is often held by ISPs. The approach to requests to ISPs varies immensely per country. While in some Member States there might be a cooperation procedure based on a legal obligation, in most Member States there is only the possibility of voluntary cooperation by ISPs. The proposed legislation discussed in paragraph 3 aims to address this issue. In the current situation there is however no uniform cooperation procedure between LEAs and ISPs, which may cause unnecessary delays when requesting digital evidence from ISPs.

6 Conclusion

To date, there is no comprehensive international legal framework for digital evidence; instead, there is a patchwork of legal instruments. Currently, the leading legal instrument for the exchange of digital evidence within the EU is the EIO, which was implemented to create a simpler, unified European framework on the collection of evidence abroad, backed by the appropriate procedural and fundamental rights standards. In spite of this, there is still a lot of fragmentation in the legal framework as regards digital evidence. The EIO Directive is replacing, but not repealing, traditional MLA mechanisms. Traditional MLA mechanisms are still in effect because the EIO Directive cannot repeal MLA Conventions due to the formal rules of withdrawal.103 Following the entry into force of the EIO Directive, the EIO takes precedence over some of the other legal instruments, and the corresponding provisions of these instruments were replaced by the EIO Directive for the Member States bound by it. The traditional MLA mechanisms thus remain in force for cases where the EIO does not apply, for those Member States to whom the EIO Directive does not apply and for exchanges with third (non-EU) countries.

101 See Sayers (2011, p. 8) and Jurka and Zajanckauskiene (2016, p. 56).
102 Belfiore (2014, p. 101). See EVIDENCE2E-CODEX deliverable D2.1, linking EVIDENCE into e-CODEX for EIO and MLA procedures in Europe: report on implementation of EIO, p. 26 and answers to the questionnaire.
103 Espina Ramos (2019, p. 53).

M. Tudorica and J. M. Bonnici

MLA mechanisms—which are not adapted to the realities of today’s crimes, which are increasingly global, complex and fleeting, and which heavily impact the potential for rapid and efficient transfers of electronic evidence—thus coexist with the EIO. The EIO is the first serious attempt to provide a modern solution for today’s crimes. It does not, however, fundamentally resolve the approach to digital evidence in the cross-border dimension. In particular, the lack of clarity resulting from the vague formulation of the EIO Directive as regards the scope of the measures covered by the EIO and the competent executing authority has led to challenges in its application. Other challenges include language barriers, lack of cooperation with ISPs and substantive issues such as inequality of arms. As a result of the lack of clarity, Member States may still resort to MLAs where an EIO should have been used, with the consequences that come with it, i.e. a slow process and possible admissibility issues. Although improvements to simplify and speed up exchanges of evidence have been made to facilitate judicial cooperation, the practical reality thus remains that there is still room for improvement. Challenges remain, even in the post-EIO era. Considering that the EIO is still in its infancy, these challenges may be overcome in time, in particular following the digitisation of the EIO in the eEDES portal, proper training and the entry into force of additional legislation.

References

Arasi S (2014) The EIO proposal and the rules on interception of telecommunications. In: Ruggeri S (ed) Transnational evidence and multicultural inquiries in Europe: developments in EU legislation and new challenges for human rights-oriented criminal investigations in cross-border cases. Springer, Berlin
Belfiore R (2014) Critical remarks on the proposal for a European investigation order and some considerations on the issue of mutual admissibility of evidence. In: Ruggeri S (ed) Transnational evidence and multicultural inquiries in Europe: developments in EU legislation and new challenges for human rights-oriented criminal investigations in cross-border cases. Springer, Berlin
Bellanova R, Glouftsios G (2022) Controlling the Schengen information system (SIS II): the infrastructural politics of fragility and maintenance. Geopolitics 27(1):160–184
Chalmers D, Davies G, Monti G (2010) European Union law. Cambridge University Press, Cambridge
De Sousa Santos B (2010) The European arrest warrant in law and in practice: a comparative study for the consolidation of the European law-enforcement area. https://opj.ces.uc.pt/wp-content/uploads/2021/10/EAW-Final-Report-Nov.-2010.pdf
Espina Ramos JA (2019) The European Investigation Order and its relationship with other judicial cooperation instruments. EUCrim 1/2019
Guerra JE, Janssens M (2019) Legal and practical challenges in the application of the European investigation order: summary of the Eurojust meeting of 19–20 September 2018. EUCrim 1/2019
Jurka R, Zajanckauskiene J (2016) Movement of evidence in the European Union: challenges for the European investigation order. Baltic J Law Politics 9(2):56–84
Ruggeri S (2014) Introduction to the proposal of a European investigation order: due process concerns and open issues. In: Ruggeri S (ed) Transnational evidence and multicultural inquiries in Europe: developments in EU legislation and new challenges for human rights-oriented criminal investigations in cross-border cases. Springer, Berlin
Sayers D (2011) The European investigation order: travelling without a ‘roadmap’. CEPS liberty and security in Europe. https://www.ceps.eu/wp-content/uploads/2011/06/No%2042%20Sayers%20on%20European%20Investigation%20Order.pdf
Schunemann B (2014) The European investigation order: a rush into the wrong direction. In: Ruggeri S (ed) Transnational evidence and multicultural inquiries in Europe: developments in EU legislation and new challenges for human rights-oriented criminal investigations in cross-border cases. Springer, Berlin
Velicogna M (2014) The making of pan-European infrastructure: from the Schengen information system to the European arrest warrant. In: The circulation of agency in e-justice. Springer, Berlin

Data Protection and European Investigation Orders Nikolaus Forgó and Emily Johnson

Abstract Given that European Investigation Orders (EIOs) concern requests for information on an individual, multiple individuals and/or acts connected to those individuals, personal data is frequently processed as part of the request and execution of EIOs. Within the European Union (EU), the processing of personal data is enshrined in primary law, including fundamental rights law and in secondary law. This Chapter outlines the applicable EU data protection legislation that applies to the EIO processes when personal data is processed. In particular, this Chapter distinguishes between the application and scope of the General Data Protection Regulation in the ‘standard’ processing of personal data and of Directive 2016/680 which applies to the processing of personal data for the purposes of law enforcement in tackling crime. Moreover, data protection provisions applicable to the processing of personal data during the EIO procedure will be discussed in detail, including the definitions in data protection law, the principles of data protection and the rights of the data subject.

1 Introduction

Through the requests and execution of European Investigation Orders (EIOs), information on the person(s) concerned, or a description of the criminal act or investigative proceedings,1 frequently requires the processing of personal data. The protection of personal data in the European Union is enshrined as a fundamental right as laid down by Article 8 of the Charter of Fundamental Rights of the European Union (the Charter)2 and it is affirmed in Article 16 of the Treaty on the Functioning of the European Union. The right to data protection is therefore enshrined in EU primary law (and beyond the EU in the European Convention on Human Rights). Secondary legislation then aids in the practical protection of the right to data protection that permeates all circumstances of personal data processing, including in the transmission and receipt of EIOs. The following Section will set out the EU legislation on data protection in relation to EIOs and the primary data protection aspects of EIO implementation.

1 Directive 2014/41/EU, Article 5(1)(b), (c) and (d).
2 Charter of Fundamental Rights of the European Union.

N. Forgó · E. Johnson, University of Vienna, Department of Innovation and Digitalisation in Law, Vienna, Austria
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023
M. A. Biasiotti, F. Turchi (eds.), European Investigation Order, Law, Governance and Technology Series 55, https://doi.org/10.1007/978-3-031-31686-9_10

2 The EU Legislation on Data Protection: Regulation 2016/679/EU and Directive 2016/680/EU

Within the EU, while data protection legislation exists specifically for some EU institutions,3 the two most prominent pieces of legislation regulating data protection are the General Data Protection Regulation (GDPR)4 and Directive 2016/680/EU.5 These two pieces of legislation apply in isolation from each other. When the GDPR applies to processing activities, then Directive 2016/680 does not, and vice versa.6 The GDPR and Directive 2016/680 were implemented at the same time and, as parallel pieces of legislation, have been coined as being “siblings but not twins”.7 Significant effort was made by the legislators to ensure that the Regulation and the Directive, though distinct in their application, still maintain consistency in their observance of the principles of data protection. In terms of the relationship between the GDPR and Directive 2016/680, “the current EU data protection legal framework has developed to recognise two distinct regimes of data protection that could potentially apply to information sharing [. . . ] one general and one for data processing by law enforcement authorities for law enforcement purposes”.8 As such, these two legal regimes are distinguished by the purpose of processing. Therefore, understanding the different applications of these legislations assists in assessing the legal basis for data processing in the issuing and receiving of EIOs. The scope of the GDPR applies to the processing of personal data wholly or partly by automated means. The GDPR defines ‘processing’ as «any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction».9 However, the GDPR does not apply to processing by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;10 instead, Directive 2016/680 applies. While EIOs are most often requested and received in a law enforcement context for the fight against crime, there are some circumstances in which an EIO may be issued and the GDPR would apply. Article 4(b) of the EIO Directive applies “in proceedings brought by administrative authorities in respect of acts which are punishable under the national law” of the applicable Member State and which may subsequently give rise to court proceedings. Article 4(c) of the EIO Directive also refers to proceedings brought by judicial authorities. Such activities may be related to a criminal act but may not come under Article 1(1) of Directive 2016/680. Competent authorities should pay close attention to the distinction between the scopes of the GDPR and Directive 2016/680. While for the most part the processing of personal data in the course of EIOs will come under Directive 2016/680 and, therefore, under its national implementations, there may be instances that are closely connected to the fight against crime, and yet do not constitute the fight against crime per se.

3 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
4 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
5 Directive (EU) 2016/680.
6 Directive (EU) 2016/680, Article 9(1), Recital 34; Regulation (EU) 2016/679, Recital 19, Article 2(2).
7 De Hert, Papakonstantinou 2016, pp. 7–19.
8 Purtova 2018, pp. 52–68.
A public notification of a missing person would be an example of this—while it may be connected to the fight against crime, in the absence of any evidence, it may not necessarily be connected to a crime; a person may have just run away from home.11 In such an instance, the GDPR would apply. This point is confirmed by Recital 19 of the GDPR, which lays down the distinct applications of the GDPR and Directive 2016/680. Consequently, some specific rules on the processing of personal data by courts are set in the GDPR12 despite the principle of non-applicability of the GDPR in criminal matters. Directive 2016/680 (also frequently known as the ‘Police Directive’ or the ‘Law Enforcement Directive’) bridged the legislative gap between Directive 95/46/EC (the predecessor of the GDPR) and Framework Decision 2008/977/JHA.13 Directive 2016/680 provides the EU legal basis for personal data processing and exchange in a criminal law enforcement context. More specifically, Directive 2016/680 only applies to the processing of personal data “by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.14 The TFEU states that ‘competent authorities’ includes “police, customs and other specialised law enforcement services in relation to the prevention, detection and investigation of criminal offences”.15 Recital 11 of Directive 2016/680 echoes the TFEU definition but provides further details in stating that a competent authority for the purpose of the Directive may include judicial, police and law-enforcement authorities, as well as ‘any other body or entity entrusted by Member State law to exercise public authority and public powers’16 for the purposes of the Directive. Directive 2016/680 applies to both cross-border and national data processing by the competent authorities of a Member State. With regard to EIOs and the cross-border transfer of evidence more broadly, Directive 2016/680 states that the free flow of personal data between the competent authorities in this context will contribute to “the building of a strong and more coherent framework for the protection of personal data in the Union backed by strong enforcement”.17 Additionally, it states that data protection is a facilitating factor that is ‘crucial in order to ensure effective judicial cooperation in criminal matters and police cooperation’.18 A consequence of the Member State discretion provided by Directive 2016/680 is that there may be variations in national law with regard to the specific types of authorities which come under the scope of the Directive. Distinct from the GDPR, Directive 2016/680 provides for a minimum level of harmonisation by setting out the results to be achieved by the Member State, thus allowing Member States discretion on how to implement the Directive into EU law.

9 Regulation (EU) 2016/679, Article 4(2).
10 Regulation (EU) 2016/679, Article 2(1)(d).
11 Kühling J, Buchner B (2018) pp. 107–108.
12 Regulation (EU) 2016/679, Article 37(1)(a).
13 Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, OJ L 350, 30.12.2008, pp. 60–71.
A Member State may therefore provide higher standards than the ones initially set out in the Directive.

3 Data Protection and the Judicial World

Directive 2016/680 states that the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data shall be protected.19 The Directive applies specifically to the processing of personal data by competent authorities.20 This defining aspect of the Directive is one that makes it distinct in scope and application from the GDPR. The term ‘competent authority’ is defined in a predictably broad manner to permit Member State discretion. It encompasses “any public authority” who is competent in processing personal data for the purposes of Directive 2016/680, which comprise the “prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.21 Additionally, a ‘competent authority’ may also be any other such body or entity who, as permitted by Member State law, may “exercise public authority and public powers” for the purposes of processing set out in Article 1(1) of the Directive. Specifically, the term covers the “prosecution of criminal offences or the execution of criminal penalties”,22 all activities which are frequently carried out by criminal courts. Thus, Member State law permitting, criminal courts and any other judiciary entities who are processing personal data for the aforementioned purposes will be regulated under Directive 2016/680. Under the remit of the Directive, if judicial authorities process personal data, including in the context of an EIO, there are specific legislative factors which need to be taken into consideration that are distinct from the GDPR. Much like the GDPR, the Directive requires that the processing of personal data be pursuant to data processing principles. These principles are not new and hark back beyond the GDPR’s predecessor, Directive 95/46/EC, and, in some cases, even further back in time to documents such as Convention 108 of the Council of Europe23 (from 1981). Such principles are almost identical in both Directive 2016/680 and the GDPR. However, while the Directive similarly requires fairness and lawfulness of processing, it deliberately omits the requirement for transparency of processing which can be found in Article 5(1)(a) of the GDPR.

14 Directive (EU) 2016/680, Article 1(1).
15 Consolidated version of the Treaty on the Functioning of the European Union, Article 87(1).
16 Directive (EU) 2016/680, Recital 11.
17 Ibid., Recital 4.
18 Ibid., Recital 7.
19 Ibid., Recital 1.
20 Ibid., Article 1(1).
The reasoning behind this legislative omission, if not already apparent from the separate purposes of processing, becomes clearer when one examines the data subject rights set out in the Directive. Article 15 on ‘Limitations to the right of access’ permits Member States to enact legislative measures to wholly or partially limit the data subject’s right to access their own personal data (similar to, but more specific than, Article 23 GDPR). Such a limitation must be necessary and proportionate and must be for one of the following purposes: (a) avoid obstructing official or legal inquiries, investigations or procedures; (b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; (c) protect public security; (d) protect national security; (e) protect the rights and freedoms of others.24

21 Ibid.
22 Ibid., Article 3(7)(b).
23 Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg, 28.1.1981.
24 Directive (EU) 2016/680, Article 15(1).

For any authorities carrying out EIOs, including judicial authorities, it must be noted that where the decision is taken to limit data subject access rights, the controller must, “without undue delay”, provide the data subject in writing with the reasoning behind the access denial. However, if the notification itself would undermine the purposes for limiting the right of access set out in Article 15(1)(a) to (e), then notification does not need to be completed. In this case, data subjects must be made aware of their ability to lodge a complaint or seek judicial remedy if they so choose.25 Another notable practical requirement is the need to document the reasoning behind the access limitation, and to provide that document to a supervisory authority.26 Another unique data processing requirement for judicial authorities is the requirement to distinguish between different categories of data subject as set out in Article 6 of the Directive. The Directive provides examples, rather than an exhaustive list, of the different categories, which include: (a) persons with regard to whom there are serious grounds for believing that they have committed or are about to commit a criminal offence; (b) persons convicted of a criminal offence; (c) victims of a criminal offence or persons with regard to whom certain facts give rise to reasons for believing that he or she could be the victim of a criminal offence; and (d) other parties to a criminal offence, such as persons who might be called on to testify in investigations in connection with criminal offences or subsequent criminal proceedings, persons who can provide information on criminal offences, or contacts or associates of one of the persons referred to in points (a) and (b).27 This data subject categorisation must be taken into consideration by all competent authorities, including judicial authorities, throughout the data processing life cycle, including in carrying out EIOs. Such a distinction of data subjects not only serves to make policing and judicial processes more efficient, but also protects the data subject, particularly those who may be victims or witnesses, by preventing their data being mixed or confused with the data of those who have committed a criminal offence.

25 Ibid., Article 15(3).
26 Ibid., Article 15(4).
27 Ibid., Article 6.


4 Analysis of the Data Protection Aspects of the EIO Implementation

Narrowing the discussion to focus more closely on data protection and EIOs, the following Section will examine the various actors within the context of EIO implementation and data protection, and the legal rules and rights which bind them. When it comes to issuing or executing an EIO in relation to data protection, Recital 42 of the EIO Directive states that “Personal data obtained under this Directive should only be processed when necessary and should be proportionate to the purposes compatible with the prevention, investigation, detection and prosecution of crime or enforcement of criminal sanctions and the exercise of the rights of defence”. Additionally, Article 6(1)(a) of the EIO Directive states that «1. The issuing authority may only issue an EIO where the following conditions have been met: (a) the issuing of the EIO is necessary and proportionate for the purpose of the proceedings referred to in Article 4 taking into account the rights of the suspected or accused person». Article 6(1)(a) is particularly relevant because the necessity and proportionality of the purpose of the proceedings are directly connected to the necessity and proportionality behind Recital 42 and the collection and processing of personal data. In terms of what it means for processing to be proportionate, the principle of proportionality applies to “any balancing of competing principles, values or arguments”.28 The purpose of processing, as confirmed in Article 1 of both Directive 2016/680 and the EIO Directive, can by its very nature be seen as addressing a pressing social need. If the purpose limitation principle as contained in both Directives is met, then the necessity requirement can be considered to be fulfilled.
As such, according to Article 6 of the EIO Directive considerations must be made in accordance with the purpose, subject matter, amount, and means of data transfer when executing an EIO and gathering and transferring electronic evidence.

4.1 Controllership

Depending on the specific circumstances, for the purposes of data protection both the issuing parties and the executing parties of EIOs may be data processors or data controllers. The EIO must be issued by the issuing authority in one Member State to the executing authority in another Member State. The EIO Directive asserts that access to personal data shall be restricted to authorised persons only.29 Equating the EIO actors to the data protection roles depends on the functions and responsibilities of either party. Common to both the GDPR and Directive 2016/680, determining the role of a data controller hinges upon whether an entity determines the purposes and means of processing personal data.30 A ‘processor’, on the other hand, is an entity which processes personal data on behalf of the controller.31 The role of the processor dictates that the processor must not engage in any processing activities other than those set out by the controller. With regard to the obligations of the controller, the controller must perform the following assessment to comply with Directive 2016/680. Namely: “taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Directive. Those measures shall be reviewed and updated where necessary.”32 The onus is therefore on the data controller to correctly interpret and implement the law according to Directive 2016/680 in all processing of personal data for the purposes of Directive 2016/680, including the issuing and execution of EIOs.

28 Sieckmann J (2018), p. 4.
29 Directive (EU) 2014/41, Article 20.

4.2 Principles of Data Protection

In addition to confirming the roles of the actors in the EIO process, the principles of data protection must also be adhered to as a means of ensuring the protection of the data subject’s rights. With one exception, the principles for data processing are identical in substance in both the GDPR and Directive 2016/680. The exception to the otherwise indistinguishable nature of the principles is the principle of ‘lawfulness, fairness and transparency’. As is unsurprising given the purposes of processing, the term ‘transparency’ is omitted from Directive 2016/680. In terms of the lawfulness of processing, processing must, in accordance with Article 8 Directive 2016/680, be “necessary for the performance of a task carried out by the competent authority for the purposes set out in Article 1(1) and that it is based on Union and Member State law”.33 In ensuring necessity, the competent authority must, if required, be able to show that data processing using the EIO was the only adequate measure to achieve the aim of the law enforcement authority. Additionally, to provide for lawfulness of processing, the grounds for processing must be provided for in data protection legislation, whether in Union or Member State law, through the transposition of Directive 2016/680. The GDPR also requires that the processing be necessary in relation to the purposes and means of processing.34 However, a key variation between the GDPR and Directive 2016/680 relates to the possibility of using the consent of the data subject as one of the lawful grounds for data processing. While the GDPR states that one of the grounds for data processing includes consent from the data subject, within the context of criminal investigation, consent from the data subject is not required by the EIO Directive and Directive 2016/680, since the processing of personal data might be necessary to comply with a legal obligation. A further reason behind the absence of consent in Directive 2016/680 is that, under the GDPR, consent should be freely given by the data subject; however, if the data subject is required to provide their personal data as part of a legal obligation, then consent is not freely given.35 Finally, consent in the sense of the GDPR needs to be revocable, with the consequence that further processing may no longer be based on it (Article 7(3) GDPR). The second part of the lawfulness principle is ‘fairness’. The European Data Protection Supervisor (EDPS) stated that “fairness of personal data is a core principle alongside lawfulness and transparency”.36 The EDPS also considers that the principle of fair processing goes beyond transparency obligations as it has ethical connections.37 The requirement of fairness of processing is also reinforced in Article 8(2) of the Charter of Fundamental Rights of the European Union, which states that “. . . data must be processed fairly for specified purposes. . . ”.38 Though not explicitly defined in EU law, fairness within this context should be understood as the impartial and objective treatment with regard to what data should be processed, with reference to ethics and fundamental rights laws and principles. Following the wording of Article 4(1) of Directive 2016/680, it is the responsibility of a Member State to ensure compliance with the paragraphs contained in Article 4.

30 Regulation (EU) 2016/679, Article 4(7); Directive (EU) 2016/680, Article 3(8).
31 Regulation (EU) 2016/679, Article 4(8); Directive (EU) 2016/680, Article 3(9).
32 Directive (EU) 2016/680, Article 19.
33 Ibid., Article 8.
34 Regulation (EU) 2016/679, Article 5(1)(c).
The reasoning for the omission of the transparency requirement in this principle in Directive 2016/680 can be observed in Article 13 titled ‘Information to be made available or given to the data subject’. Article 13(3) states that pursuant to Directive 2016/680, Member States may adopt legislative measures that delay, restrict or omit the provision of information to the data subject in order to: (a) avoid obstructing official or legal inquiries, investigations or procedures; (b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; (c) protect public security; (d) protect national security; (e) protect the rights and freedoms of others.39 These provisions reflect the Article 1(1) purposes for processing and the likely sensitive nature of the data and processing paired with the potential negative consequences stemming from transparency of processing.

35 Directive (EU) 2016/680, Recital 35.
36 European Data Protection Supervisor (2016), p. 8.
37 Ibid.
38 Charter of Fundamental Rights of the European Union, Article 8(2).
39 Directive (EU) 2016/680, Article 13(3).

The next principle of data processing is the ‘purpose limitation’, which requires that personal data shall be collected for “specified, explicit and legitimate purposes”.40 While both the GDPR and Directive 2016/680 state that, as part of the purpose limitation, personal data shall not be processed “in a manner that is incompatible with those purposes”, the GDPR also features the term ‘not further processed’ and a provision on processing for public interest, scientific or historical research purposes or statistical purposes. This further processing provision in the GDPR would not apply to EIOs given the purpose of transmitting and executing EIOs. When it comes to further processing in Directive 2016/680, Article 4(2) provides for the conditions under which further processing may take place, as long as it is in line with the Article 1(1) purposes for processing, and such processing is authorised and is necessary and proportionate in relation to the purposes under Union or Member State law.41 Both data protection regimes require that the data minimisation principle be adhered to. The GDPR states that personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.42 Directive 2016/680 features a slight variation of terms from the GDPR, as it states that personal data shall be “adequate, relevant and not excessive in relation to the purposes for which they are processed”.43 While these different terms may be interpreted as meaning the same thing in practice, it remains curious why the same wording was not used. Recital 11 of the EIO Directive is the only part of that instrument which mentions the requirement for adequacy, and it does so in relation to the execution and validation of an EIO.44 The EIO Directive does not elaborate further on the data minimisation principle.
Within the meaning of the word ‘adequate’, the data collected must be satisfactory, meaning that it must be enough for the purpose of the investigation and must not exceed the adequate and necessary amount of data required. As connected to the principle of necessity, it is essential to refer to Article 5(4) of the TEU and the principle of proportionality, which confirms that an action “shall not exceed what is necessary to achieve the objectives”.45 Moreover, the data collected must be ‘relevant’, so it must contribute to achieving the overall purpose of the action as set out in Article 1(1) of both the EIO Directive and Directive 2016/680. The next standard applicable to data protection and EIOs is the ‘accuracy’ principle, which requires that personal data be “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay”.46

40 Regulation (EU) 2016/679, Article 5(1)(b); Directive (EU) 2016/680, Article 4(1)(b).
41 Directive (EU) 2016/680, Article 4(2).
42 Regulation (EU) 2016/679, Article 5(1)(c).
43 Directive (EU) 2016/680, Article 4(1)(c).
44 As formally contained in Article 9 Directive 2014/41/EU (EIO Directive).
45 Treaty on the Functioning of the European Union, Article 5(4).
46 Regulation (EU) 2016/679, Article 5(1)(d); Directive (EU) 2016/680, Article 4(1)(d).

Data Protection and European Investigation Orders


In practice, when executing or submitting an EIO request, competent authorities should consider the phrase “every reasonable step must be taken”. As one author suggests, taking these steps assists in “maintaining personal data to ensure accuracy” and should be built into regular processing.47 Such an approach to data processing would also assist in providing for data protection by design.48 The ‘storage limitation’ principle in both the GDPR49 and Directive 2016/680 asserts that personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed”.50 This provision relates directly to the concept of data retention and the principle of storage limitation. It raises several core questions of data protection, namely what can be considered “a form which permits identification of data subjects”, what is the necessary time to keep such data, and how is this evaluated? Each of these questions hinges on the purpose limitation in relation to the broader principles of necessity and proportionality. Finally, the principle of ‘integrity and confidentiality’, which is identically worded in both the GDPR and Directive 2016/680, states that personal data shall be «processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures».51 The onus is on the controller and processor to consider procedures such as risk analyses and appropriate internal organisational policies which are in accordance with data protection and other relevant laws (whether EU or Member State law).
Article 19 of the EIO Directive, titled ‘Confidentiality’, echoes the aim of the security provisions contained in Directive 2016/680 and places responsibility for the confidentiality of data throughout both the issuing and the execution of an EIO. Within the context of EIOs, the security of processing requires particular attention due to the nature of electronic evidence. Data can be remotely observed, stolen, altered, etc. Such actions can affect the integrity of an entire case, or compromise the identities and safety of individuals relevant to a case. Compromised security in data processing may therefore disrupt the entire criminal procedure. Consequently, it is vital to ensure the appropriate level of security when carrying out mutual cooperation procedures involving electronic evidence.

47 IT Governance Team 2018, p. 112.
48 Directive (EU) 2016/680, Article 20.
49 Regulation (EU) 2016/679, Article 5(1)(e) also contains a further provision on the storage of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1).
50 Regulation (EU) 2016/679, Article 5(1)(e); Directive (EU) 2016/680, Article 4(1)(e).
51 Regulation (EU) 2016/679, Article 5(1)(f); Directive (EU) 2016/680, Article 4(1)(f).


Each of the principles of data protection discussed contributes to the overall aim of ensuring the adequate protection of the data subject’s rights by providing accountability on the part of the data controller or processor throughout their processing activities.

4.3 The Data Subject

Given the roles of those issuing and executing EIOs and the principles of data protection, it is crucial to discuss how the rights of the data subject apply. According to both the GDPR and Directive 2016/680, a data subject is an “identified or identifiable natural person”.52 The EIO Directive states that, in the protection of personal data, “[a]ccess to such data shall be restricted, without prejudice to the rights of the data subject.”53 While electronic evidence may feel far removed from its data subject, particularly in the case of EIOs and international data transfers, the data subject nonetheless has a number of rights that need to be considered by the competent authorities. Accordingly, Chapter III of Directive 2016/680 sets out the ‘Rights of the data subject’. Specifically, Article 14 outlines the ‘Right of access by the data subject’, subject to the limitations to the right of access contained in Article 15 of Directive 2016/680 (see above):
“Member States shall provide for the right of the data subject to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of and legal basis for the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data have been disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject;
(f) the right to lodge a complaint with the supervisory authority and the contact details of the supervisory authority;
(g) communication of the personal data undergoing processing and of any available information as to their origin.”

52 Regulation (EU) 2016/679, Article 4(1); Directive (EU) 2016/680, Article 3(1).
53 Directive (EU) 2014/41, Article 3(1).


As can be seen, Article 14 of Directive 2016/680 contains a number of specific types of information the data subject can obtain by right of access. Each of the provisions contained in Article 14 reiterates the previous analysis in this report and adds further emphasis on both obtaining and retaining clear records as to the purposes and nature of data processing, particularly in the case of electronic evidence. In this sense, the rights of the data subject as set out in Directive 2016/680 significantly solidify the conditions under which the processing of the personal data of natural persons may take place. Barring any limitations to access, Article 12 of Directive 2016/680 provides the details by which Member States shall provide for the data controller to “take reasonable steps to provide any information referred to in Article 13”. As such, Article 13 of Directive 2016/680 contains the details of which information can be made available to the data subject. The Article states that:
«1. Member States shall provide for the controller to make available to the data subject at least the following information:
(a) the identity and the contact details of the controller;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended;
(d) the right to lodge a complaint with a supervisory authority and the contact details of the supervisory authority;
(e) the existence of the right to request from the controller access to and rectification or erasure of personal data and restriction of processing of the personal data concerning the data subject.»

In addition to Article 13(1) of Directive 2016/680, paragraph 2 of the same Article holds that Member States must provide in law the legal parameters by which a data controller must provide the data subject with information which enables the exercise of such rights. The information includes (a) the legal basis for the processing; (b) the period for which the personal data will be stored, or, where that is not possible, the criteria used to determine that period; (c) where applicable, the categories of recipients of the personal data, including in third countries or international organisations; (d) where necessary, further information, in particular where the personal data are collected without the knowledge of the data subject. The provision of such information once again confirms the necessity for clear, accurate and detailed data protection procedures at an operational level in order to be compliant with data protection law. For electronic evidence, this means organisations must ensure they have and follow clear and precise data protection practices, including, though not limited to, storage, data types, and information surrounding the method, type and recipient of data exchanges.


However, as with Article 15(1) of Directive 2016/680, Member States may adopt legislative measures to delay, restrict or omit the provision of the information contained in paragraph 2.54 In addition to the conditional right of access found in Directive 2016/680, the data subject may also exercise the right to rectification or erasure of personal data and restriction of processing found in Article 16. This provision applies a number of the core data protection principles. Article 16(1) holds that the data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data relating to him or her. Taking into account the purposes of processing, data subjects also have the right to have incomplete personal data completed.55 Further, Article 16(2) and (3) of Directive 2016/680 refer to the erasure of personal data: where required, Member State law shall require a controller to erase personal data without undue delay, but there are limitations to this right. For instance, Article 16(3) states that the controller can restrict processing instead of erasing where the accuracy of the personal data is contested by the data subject but the accuracy or inaccuracy cannot be confirmed, or where the personal data must be maintained for the purposes of evidence.56 Article 16(4) of Directive 2016/680 requires the data controller to provide the requesting data subject with a written refusal of the rectification or erasure of personal data, along with the reasoning behind the decision. However, the decision of the data controller to refuse the erasure or rectification request must be in line with the principles of necessity and proportionality with regard to the fundamental rights and legitimate interests of the natural person concerned.
Data subjects then have the opportunity to lodge a complaint with a supervisory or judicial authority. Member States must adopt measures to provide a supervisory authority to assist data subjects where required; the controller must refer the data subject to this authority when handling their requests. Member States and data controllers must adhere to the provisions contained in Chapter III of Directive 2016/680. Throughout EIO procedures, including the transfer of electronic evidence, data controllers and processors must observe and respect the rights of the data subject within the limitations provided by Directive 2016/680.

54 Directive (EU) 2016/680, Article 13(3).
55 Jasserand C (2018). Directive (EU) 2016/680, Article 16(1).
56 Ibid., Article 16(3)(b) and (c).


5 Conclusion

This Chapter has set out the most applicable EU legislation on the protection of personal data relevant to the transmission and receipt of EIOs. In doing this, the distinctions between the GDPR and Directive 2016/680 have been highlighted with regard to their scope, application and practical considerations in the context of EIOs. Similarly, overlapping concepts and definitions, such as the role of the controller and data subject rights, have each been discussed, thereby demonstrating the distinct practical and operational measures that need to be taken into consideration depending on the applicable piece of legislation. It is important to note that both the GDPR and Directive 2016/680 might contribute to the legal environment against which any EIO needs to be assessed. Although public institutions might not be confronted with the significant fines that private controllers can be affected by, infringement of (complex) data protection rules might still be a significant risk to any legal procedure based on an EIO.

References
Consolidated version of the Treaty on the Functioning of the European Union. OJ C 326, 26.10.2012, pp. 47–390. https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:12012E/TXT:en:PDF
De Hert P, Papakonstantinou V (2016) The new police and criminal justice data protection directive: a first analysis. New J Eur Criminal Law 7:7–19
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters
European Data Protection Supervisor (2016) Opinion on coherent enforcement of fundamental rights in the age of big data. https://edps.europa.eu/sites/edp/files/publication/16-09-23_bigdata_opinion_en.pdf. Accessed 12 Oct 2019
Jasserand C (2018) Law enforcement access to personal data originally collected by private parties: missing data subjects’ safeguards in Directive 2016/680? Comput Law Secur Rev 34(1):154–165
Kühling J, Buchner B (2018) Article 2. In: Kühling J, Buchner B (eds) Datenschutz-Grundverordnung Bundesdatenschutzgesetz, 1st edn, pp 107–108
Purtova N (2018) Between the GDPR and the police directive: navigating through the maze of information sharing in public–private partnerships. Int Data Privacy Law 8(1):52–68. https://doi.org/10.1093/idpl/ipx021
Sieckmann J (2018) Proportionality as a universal human rights principle. In: Duarte D, Silva Sampaio J (eds) Proportionality in law: an analytical perspective. Springer, Berlin

Different Perspectives on EIO
Maria Angela Biasiotti and Sara Conti

Abstract This Chapter gives an overview of the representatives of the legal domain (lawyers, EJTN representatives) and the technical community (digital forensics and IT experts) who are involved in the implementation of the EIO, in order to discuss with them the improvement and application of the EIO across MSs and to better understand in practice the potential barriers and gaps existing in the different European countries. A survey was conducted among the different stakeholders involved in the EIO procedure: a tailor-made questionnaire was circulated in order to capture the real situation in the different contexts and MSs.

1 Introduction

The implementation of the EIO in the Member States is an ongoing process that includes its integration into national law. The EIO is a new instrument that must be embedded in the existing criminal law procedures of a Member State. The uptake of the EIO into the national procedures of the MSs could lead to minor divergences in the deployment of the EIO in and between MSs. These divergences might hamper the digital exchange of EIOs and e-Evidence and should therefore be identified and, if necessary, overcome. The analysis of national EIO implementation is based on surveys involving selected and targeted groups of stakeholders. In the technical context, the digital exchange of EIOs and e-Evidence requires MSs to share information on their national ICT architecture and operational ICT policies. For example, the national policies on firewalls, connectivity and encryption are essential to know beforehand in order to be able to design and set up the exchange of EIOs and e-Evidence.

M. A. Biasiotti · S. Conti
IGSG/CNR, Florence, Italy
e-mail: [email protected]; [email protected]
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023
M. A. Biasiotti, F. Turchi (eds.), European Investigation Order, Law, Governance and Technology Series 55, https://doi.org/10.1007/978-3-031-31686-9_11


Within this context, the technical adjustments required to adhere to the e-Evidence exchange infrastructure, taking into account the available resources, will also be of interest for this Chapter. In the legal context, a complete overview of the exchange of data, of the gathering of e-evidence and of the procedures for requesting further investigation in the context of EIOs also needs to take into account the contribution given by the Council of Bars and Law Societies of Europe (CCBE). It is fundamental to collect feedback from these stakeholders in order to capture the real situation in the different contexts and MSs. To achieve this, a tailor-made questionnaire was drafted to be filled out by such stakeholders, in order to acquire from them the relevant information about the status quo of the EIO and MLA procedures as well as on the implementation and handling of e-Evidence at their national level. The survey was conducted under the activities of the EXEC (Electronic Xchange of e-Evidences with e-CODEX) and E2e-CODEX (Linking EVIDENCE into e-CODEX for EIO and MLA procedures in Europe) Projects. The questionnaire was elaborated by the partners of the projects and was circulated from June 2018 to December 2018. In these 6 months the research groups of the Projects got in contact with a large number of stakeholders (around 250), equally distributed among the different categories (legal community, technical community) and geographic areas. The overall feedback received from the various engagements gave the projects a relevant and global view of the concrete state of the art in the EU MSs as to EIO and MLA procedures, outlining at the same time the existing barriers and obstacles to the full implementation of such legal instruments.
The full version of the questionnaire was disseminated online and circulated to the Ministries of Justice of European countries.1 A short version of the questionnaire was circulated to the EJN-European Justice Network (representatives of the legal community). A more restricted version of the questionnaire, with some different questions, was delivered to the legal and technical community at large, also including European Institutions, LEAs2 and digital forensics experts, during the workshops held in The Hague3 and in Florence.4

1 Ministries of Justice of the EU MSs and also non-EU States: under this category fall judicial authorities (judges, public prosecutors, investigative judges), court staff including administrative and IT staff, and institutional training authorities. More specifically, the countries involved were almost all the European States.
2 Law Enforcement Agencies.
3 The face-to-face meeting was held in The Hague on 20–21 November 2018 under the activities of the EXEC and E2e-CODEX Projects. A good representation from EU institutions was present at this event: OLAF, Europol, Eurojust and the EU Commission.
4 The meeting with the legal community was held in Florence on 27 and 28 September 2018 with the representatives of the European Justice Training Network, under the activities of the EXEC and E2e-CODEX Projects. The seminar was organised by the EJTN-European Justice Training Network for judges and prosecutors of EU MSs. In total there were 35 participants, coming from the judicial authorities of the following States, which also included non-EU MS: Belgium, Bulgaria, Czech Republic, Croatia, Denmark, France, Germany, Greece, Italy, Latvia, the Netherlands, Poland, Portugal, Romania, Slovakia, Spain, Sweden and Ukraine. A specific topic addressed by the seminar was “Evidence in the cloud: new challenges in collecting evidence on cyberspace in the European Union”.

Finally, the questionnaire was delivered in its short version to the lawyer members of the CCBE, who were asked to give specific feedback only on those issues directly related to EIO and MLA and their daily activities as criminal lawyers.


There were no specific formalities, but some MSs highlighted the importance of a written request stating the grounds for the request itself and what is sought to be obtained. In other words, the request to conduct (further) investigation must be substantiated, e.g. the suspect must argue that, and why, it is in the interest of his/her defence to execute the investigation.

Q2. Is there any specific procedure for this in place? Are there any preconditions to be met for requesting the issuance of an EIO?

General results showed that all MSs confirmed that an EIO may be requested in the same way as any other request for gathering evidence and that no special preconditions of the request are to be met. In more detail, the request has only to be “reasonable” and “substantiated”: if the evidence can have significance for the matter, the EIO should be issued. Only Sweden declared that the Swedish public prosecution service has issued guidelines for issuing and receiving EIO requests.

Q3. Are there any deadlines concerning the processing of requests for the issuing of an EIO (e.g. are judicial authorities obliged to respond to a request within a certain period of time)?

As for the above question, the results are almost aligned, as all the participants in the survey declared that no specific deadlines concerning the processing of the request for the issuing of an EIO were in place. In general, there is a common understanding: the request for an EIO is not handled in a specific way and is not subject to specific deadlines. It should be performed on the same basis and as quickly as a domestic procedural act, and the deadlines should be the ones provided for in the Code of Criminal Procedure. In more detail, all respondents simply declared that the request for an EIO has to be handled “as soon as possible” and without undue delay.

Q4. Which kind of data can the request for the issuing of an EIO cover?

As to the question on the type of data that the request for an EIO could cover, results showed that all respondents’ answers are very balanced, as the three types of data proposed (subscriber data, content data and metadata, including traffic data, location and access logs) are almost always requested together.

Q5. Do you have any national definition of subscriber data, metadata and content data? If yes, please specify.

More specifically, when respondents were asked about the domestic definition of subscriber data, metadata and content data, the answers were aligned, as almost all countries declared that no legal definition is provided in their national system. Only Sweden declared that the definition of metadata has been explained in governmental reports as information generated by communication suppliers for the purpose of providing communication services, including transferring messages, billing purposes etc.

Q6. How do the relevant judicial authorities in your country transfer the data obtained through an EIO to lawyers? And in which format?

Table 1 below gives an overview of the different procedures in place in the European countries under investigation.

Table 1 Procedures to transfer the data obtained through an EIO to lawyers
Czech Republic: Primarily the data are transferred to the lawyer’s data box (electronic system). Alternatively, they can be transferred via postal services.
Estonia: Most commonly through the E-File system.
Finland: At the moment either in printed documents or in electronic format (usually CD-ROM/DVD).
France: According to the procedures referred to in Articles 114, 390 and 390-2 of the CPP (access to the dossier-file).
Ireland: Not applicable; Ireland has not opted into the EIO and continues to operate under the mutual legal assistance rules.
Spain: No experience on that.
Sweden: The data is transferred in different ways depending on the request/result.
The Netherlands: The data will be transferred via the investigative judge and on data storage devices.

The view offered by the replies is focused only on specific targeted issues suitable to express the lawyers’ perspective on the current EIO scenario; however, these results have been very important in giving a global vision of the scenario in the legal community at large. A core group of potential obstacles and barriers highlighted in the replies is common to all the involved stakeholders (lawyers, judicial authorities, LEAs, digital forensics experts), even if the degree of impact differs in relation to their specific role in the EIO/MLA procedure and the step of the procedure. Replies from the lawyers of the CCBE have been analysed extensively in the light of the barriers, actions and gaps identified by judicial authorities (representatives of European Ministries of Justice).5 The cross-fertilisation of the answers and the comparative analysis of the results demonstrated that a large number of barriers also exist from the lawyers’ perspective (marked as Confirmed in Table 2). The comparative analysis produced the results shown in Table 2.

5 As indicated before, under the activities of the EXEC and E2e-CODEX Projects a full version of the questionnaire was circulated among different European Ministries of Justice, as representatives of the judicial sector directly involved in the EIO procedures.

Table 2 Actions and barriers, comparative view

Topic: EIO and MLA

Information on the executing authority
Barrier: Identification of executing authorities.
Actions: Input and regular communication of the competent executing authorities at national level (including information on district/federal competent authorities) to the systems already in use (EJN Atlas and Eurojust national contact points). Implementation of a further tool called Criminal Court Database (CDB) where competent executing authorities can be easily identified per MS.
Lawyers’ feedback: Confirmed.

Transmission of EIOs
Barrier: Instrument of transmission mostly traditional (post and fax).
Actions: Adopt electronic tools such as email for a smart transmission, or use the e-CODEX secure and trusted platform.
Lawyers’ feedback: Confirmed.

Topic: Technical procedures

Barrier: Instrument of transmission mostly traditional (post and fax).
Actions: Adopt electronic tools such as email for a smart transmission, or use the e-CODEX secure and trusted platform and the Reference Portal, which are highly recommended because they are already in place and tuned.
Lawyers’ feedback: Confirmed.

Barrier: Lack of networking between authorities during the execution of EIOs. Too many countries still deal with EIO/MLA procedures in a manual way, without relying on new technologies to expedite the process. This makes the operation cumbersome and more prone to errors.
Actions: Enhance the dialogue during the execution of EIOs where it does not exist.
Lawyers’ feedback: Confirmed.

Barrier: The evidence exchange between Member States under the EIO/MLA legal instruments is still mostly human based. The de facto standard consists of exchanging the original source of evidence that has been seized, or creating a forensic copy of the original source of evidence, and then delivering it by hand. This method makes the exchange very slow and expensive.
Actions: Spread/promote the use of digital platforms to handle these legal instruments, in particular the e-CODEX platform, which is becoming more and more popular among all Member States thanks to the high level of security it provides. Spread/promote the use of a secure platform to expedite the evidence exchange and simultaneously adopt a standard to represent the evidence data, so as to foster interoperability between different organisations and different countries.
Lawyers’ feedback: Confirmed.

Barrier: The exchange of large evidence files is still mostly human based. To address this issue, it is fundamental to have good and stable connectivity to accomplish the transfer from the executing State to the issuing State.
Actions: Strengthen the quality of the Internet connection to allow the transfer of large files.
Lawyers’ feedback: Confirmed.


3 Technical Community's Perspective

The technical community was involved in the survey within a face-to-face meeting held in The Hague on 20–21 November 2018. The participants' feedback was requested on a set of questions excerpted from the full version of the questionnaire. EU institutions were well represented at this event: OLAF, Europol, Eurojust and the European Commission. Digital forensics and IT experts were also involved. Some of the main questions were the following:

Q1. Which are the most relevant issues that you have addressed in handling digital evidence?

The answers to the first question reveal that the authenticity and the integrity of the original evidence are the most challenging requirements to meet. Authenticity is strictly connected to the chain of evidence, that is, how a potential piece of evidence has been obtained starting from the original source of evidence, whilst integrity is connected to the chain of custody and to the security level adopted for its exchange and handling (Fig. 1).

Q2. Within the EIO and/or MLA procedures, which are the issues that most hamper the exchange of digital evidence with another country?

The results of the second question are shown in Fig. 2, and the outcome was as expected: security issues and the handling of large files are the most difficult problems to tackle.

Fig. 1 Main issues in handling digital evidence (Q1). Categories: integrity, authenticity, chain of evidence, chain of custody, admissibility, low training, lack of familiarity, other (count and percentage axes).


Fig. 2 Main issues in exchanging digital evidence under EIO/MLA (Q2). Categories: security issues, mistrust, large files, low training, other.

Fig. 3 Most common traces (Q3). Categories: mobile devices, hard disk, phone interception, internet interception, other (count axis).

Q3. Which are the most common traces/devices that you have encountered in cybercrime investigations? Results of this question are depicted in Fig. 3.


Fig. 4 Most challenging issues in the future for investigators (Q4). Categories: anonymous communications, cryptographic techniques, storage data size, Internet of Things, other (count axis).

This is particularly significant for the development of the standard language for the representation of evidence metadata, because these traces represent a real workbench for testing the quality of the language in representing such kinds of evidence.

Q4. In the future, which of the following cases could be more challenging from an investigative perspective (juridical as well as technical)?

The results of the fourth question are represented in Fig. 4. The main issues that forensic investigators will have to address in the future are cryptographic techniques and anonymous communication. All these strategies represent a serious threat to investigations because they allow criminals to hide every vestige/trace of their actions.

Q5. In the forensics community there is an increasing need to ensure the reliability of computer forensic tools. Digital forensic tools require rigorous/accurate testing prior to use, in order to catch bugs before they have a negative impact on a digital investigation. How do you deal with the above issues in order to guarantee that the potential evidence you extracted is admissible before a court?

The results of the fifth question are represented in Fig. 5. They show that dual-tool validation is still a common practice: more than one method is used to verify the data extracted, and the two resulting data sets are compared to establish the accuracy and precision of the data.


Fig. 5 Methods of validation for forensic tools (Q5). Categories: manual examination for dual-tool validation, dual-tool validation, trust in the forensic tool, trust based on public test, other.
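The integrity and chain-of-custody requirements raised under Q1, and the dual-tool validation practice reported under Q5, can be made concrete in code. The following is an added example written for this page; it is not code from the chapter, from the survey or from any of the projects it describes. The file contents, the two tool inventories and the tool names are constructed placeholders, and the hash-chained custody-log layout is an illustrative design, not a standard used by any authority.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the fixity value carried with an exhibit)."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: contents of four files recovered from a seized device.
SAMPLE_FILES = {
    "DCIM/IMG_0001.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
    "notes.txt": b"meet at 21:00, bring the drive\n",
    "chat.db": b"SQLite format 3\x00 constructed",
    "cache.bin": b"\x00\x01\x02\x03",
}

# Inventories as two hypothetical extraction tools would report them (tool
# names are placeholders). Tool B truncates notes.txt while parsing it and
# does not see chat.db, but it recovers a cache file that tool A skipped.
INVENTORY_TOOL_A = {
    path: sha256_hex(SAMPLE_FILES[path])
    for path in ("DCIM/IMG_0001.jpg", "notes.txt", "chat.db")
}
INVENTORY_TOOL_B = {
    "DCIM/IMG_0001.jpg": sha256_hex(SAMPLE_FILES["DCIM/IMG_0001.jpg"]),
    "notes.txt": sha256_hex(SAMPLE_FILES["notes.txt"][:10]),  # truncated parse
    "cache.bin": sha256_hex(SAMPLE_FILES["cache.bin"]),
}


def cross_validate(inv_a: dict, inv_b: dict) -> dict:
    """Dual-tool validation: compare two tools' inventories path by path.

    Returns the paths on which the tools agree, those where they disagree on
    content (same path, different hash) and those only one tool recovered.
    Anything outside 'agree' needs manual examination before it is relied on.
    """
    shared = set(inv_a) & set(inv_b)
    return {
        "agree": sorted(p for p in shared if inv_a[p] == inv_b[p]),
        "mismatch": sorted(p for p in shared if inv_a[p] != inv_b[p]),
        "only_a": sorted(set(inv_a) - set(inv_b)),
        "only_b": sorted(set(inv_b) - set(inv_a)),
    }


class CustodyLog:
    """Append-only chain-of-custody log (illustrative layout).

    Each entry records who did what to which artefact (identified by hash) and
    commits to the hash of the previous entry, so a later edit to any entry
    breaks the chain from that point on.
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return sha256_hex(canonical.encode())

    def record(self, actor: str, action: str, artefact_sha256: str, when: str = None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {
            "time": when or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "artefact_sha256": artefact_sha256,
            "prev_hash": prev,
        }
        entry = dict(body, entry_hash=self._entry_hash(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every link; False if any entry was altered or reordered."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or self._entry_hash(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def verify_copy(image_bytes: bytes, expected_sha256: str) -> bool:
    """Integrity check of a forensic copy against the hash taken at seizure."""
    return sha256_hex(image_bytes) == expected_sha256


if __name__ == "__main__":
    print(json.dumps(cross_validate(INVENTORY_TOOL_A, INVENTORY_TOOL_B), indent=2))
    log = CustodyLog()
    image_hash = sha256_hex(b"".join(SAMPLE_FILES.values()))
    log.record("examiner-1", "acquired forensic copy", image_hash)
    log.record("examiner-1", "handed over to executing authority", image_hash)
    print("custody log intact:", log.verify())
```

Paths reported under "mismatch", "only_a" or "only_b" are exactly the items that need the manual examination the respondents describe, and the custody log fails verification as soon as any earlier entry is edited, which is the property a chain of custody has to give the executing authority.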

4 The Legal Community at Large

The legal community at large was involved in the survey within the seminar for judges and prosecutors of EU MS organised by the EJTN (European Judicial Training Network), held in Florence on 27 and 28 September 2018. There were 35 participants in total, from the judicial authorities of the following States (one of which, Ukraine, is not an EU MS): Belgium, Bulgaria, Czech Republic, Croatia, Denmark, France, Germany, Greece, Italy, Latvia, Netherlands, Poland, Portugal, Romania, Slovakia, Spain, Sweden and Ukraine. The specific topic addressed by the seminar was "Evidence in the cloud: new challenges in collecting evidence on cyberspace in the European Union". Some of the questions of the questionnaire were selected, presented and distributed among the participants, and the answers received were analysed.

The first set of questions was the following:

Q1. Do you know what electronic evidence is?
Q2. Do you know what the digital evidence life cycle means?
Q3. Are you familiar with the digital forensic jargon (forensic acquisition, forensic copies, forensic analysis, forensic tools)?
Q4. Are you dealing with digital evidence during your daily activities?

Figure 6 shows the results of questions 1 to 4. The audience of the workshop were all public prosecutors and judges from the participating States. Almost all of them were aware of the meaning of electronic evidence, but when it comes to the electronic evidence life cycle the awareness becomes lower, and this is also reflected in their level of familiarity with the digital forensic jargon, even though a good percentage of them deal with this kind of evidence daily.


Fig. 6 Q1 to Q4 results of the EJTN seminar for judges and prosecutors (YES/NO counts per question, 0–35 scale).

Q5: Which are the issues that you have addressed in handling digital evidence? (admissibility, authenticity, integrity, chain of evidence, chain of custody, low training, lack of familiarity, others)

Specifically, when dealing with electronic evidence in their daily activity, their perception is that admissibility and authenticity, together with integrity and the chain of evidence, are the most relevant properties that need to be secured and guaranteed. The results are shown in Fig. 7.

The second set of questions was the following:

Q6: Have you ever exchanged evidence with a foreign country, inside or outside Europe?
Q7: Which legal instrument have you used?
Q8: How is the evidence exchange carried out?
Q9: Within the EIO and/or MLA procedures, which are the issues that most hamper the exchange of digital evidence with another country?

The results show that the audience has had some dealings with foreign countries for exchanging evidence, and that the legal umbrella for this flow was mainly MLA procedures under the Budapest Convention. As to the legal instruments used, the participants confirm that the traditional means (MLA procedures) prevail for the exchange of evidence, as depicted in Fig. 8.


Fig. 7 EJTN seminar for judges and prosecutors, Q5 result. Categories: admissibility, authenticity, integrity, chain of evidence, chain of custody, low training, lack of familiarity, others (count axis, 0–20).

Fig. 8 EJTN seminar for judges and prosecutors, Q7 result. Categories: EIO, MLA, other (count axis, 0–18).

Fig. 9 EJTN seminar for judges and prosecutors, Q8 result. Categories: human based, secure courier, email, other.

In most cases the exchange takes place human based or by secure courier; email is rarely used, as can be seen in Fig. 9. As to the identification of the major barriers hampering the exchange of digital evidence, the results confirm that the transmission of large files and security issues are the barriers at stake, together with the low level of training on EIO and MLA procedures in the MSs (Fig. 10).

Specific attention has been given to the relationship with Internet Service Providers (ISPs) when the acquisition of electronic evidence involves this particular recipient. The following questions were posed:

Q10: Have you ever had any cooperation with ISPs for the acquisition of digital evidence?
Q11: If yes, which kind of data has the request covered?
Q12: If yes, which are the most important improvements you would like to introduce in the relationship between judicial authorities and ISPs?
Q13: How do the ISPs transfer the requested data to you?
Q14: In which format do the ISPs transfer the requested data to you? (by email, PDF, DOC, XLS)

Feedback from the audience confirmed that the majority of MSs have some relationship with ISPs and that the requests are wide, as they cover the three types of data held by ISPs: subscriber data, content data and metadata (see Fig. 11).


Fig. 10 EJTN seminar for judges and prosecutors, Q9 result. Categories: security issues, mistrust, large files of evidence, low training, other (count axis, 0–12).

Fig. 11 EJTN seminar for judges and prosecutors, Q11 result. Categories: subscriber, transaction, content, empty.

The audience was asked to propose improvements able to enhance the relationship between judicial authorities and ISPs, facilitating the flow of data. Figure 12 shows that the actions required should be directed to:

• create common templates for requesting data from ISPs;

Fig. 12 EJTN seminar for judges and prosecutors, Q12 result. Categories: common templates for requests, common procedures for the acquisition, common tools for the evidence exchange, specific toolkit for the emergency requests, others (count axis, 0–20).

• agree upon common procedures for the acquisition of data;
• implement common tools for packaging the evidence before the exchange takes place;
• implement a specific toolkit for the acquisition of evidence in case of urgency.

As to the specific questions on the methodologies used by ISPs for transferring data, the audience reported different means of transmission of the data from the ISPs to the judicial authorities (email, traditional means, web service) and different formats for the data communicated (PDF, Word, Excel), as shown in Figs. 13 and 14.

On the training activities carried out by the MSs involved in the workshop, the audience was asked to give feedback on existing training sessions on EIO/MLA procedures in their State (Fig. 15). The audience declared that in the majority of the MSs training courses on this specific topic are not in place, even if approximately 40% of the participants declared that some initiatives are going on in their countries. The audience confirmed that training courses are organised mostly for judicial staff only, and not for court or administrative staff, as shown in Fig. 16. More in detail, the feedback of the audience on the focus of the training highlighted that the demand for training on EIO is for a broad and complete coverage, going from the business aspects to the technical ones (Fig. 17).

Fig. 13 EJTN seminar for judges and prosecutors, Q13 result. Categories: email, download from web, secure FTP, human based (count axis, 0–16).

Fig. 14 EJTN seminar for judges and prosecutors, Q14 result. Categories: PDF, DOC, Excel, text, other (count axis, 0–18).

Fig. 15 EJTN seminar for judges and prosecutors, Q15 result. Categories: yes, no, empty (count axis, 0–20).

Fig. 16 EJTN seminar for judges and prosecutors, Q16 result. Categories: judicial staff, administrative staff, other.


Fig. 17 EJTN seminar for judges and prosecutors, Q17 result. Categories: business aspects, technical aspects, use of e-evidence portal, only for the administrators, other (count axis, 0–14).

5 Conclusions

According to this overview of the different perspectives of the stakeholders involved in EIO procedures, a core group of obstacles and barriers is common to all the people involved, even if the degree of impact differs in relation to their specific role in the EIO/MLA procedure and to the step of the procedure. Therefore, the identified actors, when putting in place actions to mitigate such barriers, have to target these solutions also in relation to the legal and technical communities at large.

The survey highlighted some key elements in the implementation of the EIO that should be considered in order to make better use of this instrument in the exchange of electronic evidence: enhancement of trust between stakeholders and the Ministries of Justice of the MSs; improvement in the admissibility of the procedures and digital exchange of EIO requests; evidence exchange by digital tools; constant attention to the applicability of the rule of law in the EIO process; action towards standardisation; fast exchange of EIO requests and electronic evidence; the cross-border perspective as a necessary approach; training as the bridge between awareness and knowledge; efficiency; and an essential level of security. These core aspects have to be taken into account as the beacon for the improvement of the exchange of e-evidence under the umbrella of the EIO in the near future. It is fundamental in this context to build trust in the new technologies and in the tools built to facilitate cross-border cooperation in the criminal field.

Training on EIO: Overview of Training Courses in the EU

Alexandra Tsvetkova

Abstract A variety of training providers and initiatives deliver training courses on the European Investigation Order across EU. The present Chapter focuses on the European Judicial Training Strategy’s framework and the EIO-dedicated educational and awareness activities provided by EU-funded projects and EU-level training providers.

1 European Judicial Training Strategy

In September 2011, the European Commission published a Communication on building trust in EU-wide justice as a new dimension to European judicial training [1] ("the 2011 European Judicial Training Strategy"), following the responsibilities undertaken under the Treaty of Lisbon [2] and implementing the priorities established by the Stockholm Programme [3] in the field of European judicial training. [4] The Lisbon

[1] European Commission, Communication, Building trust in EU-wide justice: a new dimension to European judicial training, COM(2011) 551 final. Available via EUR-Lex, https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:52011DC0551. Accessed 18 Dec 2022.
[2] Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community, signed at Lisbon, 13 December 2007.
[3] The Stockholm Programme: An open and secure Europe serving and protecting citizens, adopted by the European Council on 10-11 December 2009, Council document 17024/09. European Commission, Communication, Delivering an area of freedom, security and justice for Europe's citizens: Action Plan implementing the Stockholm Programme, COM(2010) 171 final. Available via EUR-Lex, https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0171:FIN:EN:PDF. Accessed 18 Dec 2022.
[4] The origins of the 2011 European Judicial Training Strategy can be traced back to policy developments in the 2002-2007 period. See Commission Communication, Better monitoring of the application of Community law, COM(2002) 725 final; Communication from the Commission to the

A. Tsvetkova, LIBRe Foundation, Sofia, Bulgaria. e-mail: [email protected]

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023. M. A. Biasiotti, F. Turchi (eds.), European Investigation Order, Law, Governance and Technology Series 55, https://doi.org/10.1007/978-3-031-31686-9_12


A. Tsvetkova

Treaty has given the European Union competence to "support the training of the judiciary and of judicial staff" in matters relating to judicial cooperation in civil and criminal law. [5] While Member States have the primary responsibility in this field, it is considered that the European Union must provide support and financial backing, including establishing its own mechanisms to complement national efforts, and the EU and international cooperation aspects should be part of national curricula. In this respect, focus is placed on developing e-learning curricula and common training materials for judicial professionals, while participation in joint courses, exercises and exchange programmes should be based on the tasks implemented rather than on sector-specific criteria.

The 2011 European Judicial Training Strategy was a long-term strategy setting specific objectives for the training of justice professionals to be reached by 2020. It prescribed that European judicial training should be practice oriented, relevant to the practitioners' everyday work, taking place over short periods of time and using efficient learning methods. In terms of topics, the Strategy prioritised the body of the EU acquis, including substantive and procedural law, judicial cooperation instruments and the corresponding jurisprudence of the Court of Justice of the European Union. It also encouraged the use of technology in support of training by promoting investment in e-learning as a flexible tool to address the time constraints faced by legal practitioners and to reach more end-users. The Strategy also recommended drafting practical guidelines on specific e-learning behaviour, adaptive training methodologies, and the evaluation of quality and impact, including via common quality criteria and indicators.

Specific focus was placed on the existing structures, actors and networks, whether national or European, to increase their potential and training capabilities, to ensure that judicial training activities include sessions on the prioritised topics and to further develop the frequency, effectiveness and impact on daily work of such training. The implementation of the Strategy was based on interconnected political, logistic and financial contributions from four main categories of actors. Member States set training obligations and training programmes at national level for both initial and continuous training. Dedicated judicial schools exist in seventeen Member States, while in other States training is organised by the respective ministry, council for the judiciary and/or prosecution, or court and/or prosecutor's office services, depending on the judicial hierarchy and distribution of responsibilities in place. [6]

(footnote 4, continued) European Parliament and the Council on judicial training in the European Union, COM(2006) 356 final; and Communication from the Commission, A Europe of Results: Applying Community Law, COM(2007) 502 final.
[5] Articles 81(2)(h) and 82(1)(c) of the Treaty on the Functioning of the European Union.
[6] Further information on all Member States' national training structures for the judiciary is provided at the European e-Justice Portal, available at https://e-justice.europa.eu/content_national_training_structures_for_the_judiciary-406-en.do?clang=en. Last reviewed on 1 February 2020 by the EC. Accessed 18 Dec 2022.

Training on EIO: Overview of Training Courses in the EU


EU-level training providers typically focus on developing and delivering cross-border training activities. The European Judicial Training Network (EJTN) was created as the network of the national judicial training structures and the Academy of European Law (ERA) to coordinate their actions, share best practices, develop common curricula for judges and prosecutors to be used at national level, and organise on-site and online cross-border seminars. [7] Judicial training providers at European level such as ERA, the European Centre for Judges and Lawyers of the European Institute of Public Administration (EIPA), the College of Europe, etc. are also well placed to provide training for professionals of different nationalities. European-level professional organisations such as bar or notaries' associations [8] have an important coordination role in setting up national requirements for the continuous training of their members, organising dedicated training activities for their legal sub-communities and promoting and/or organising cross-border training activities.

The European Commission provides a financial and operational framework mainly to EU and national training providers and organisations for justice professionals. Under the 2014-2020 financial framework, [9] the EC boosted European judicial training by reinforcing it as a priority in its existing work programmes [10] and encouraged, notably through its grants, the development of training targeted at several Member States on the EU acquis and on national judicial systems. Award criteria focus on the development of practice-oriented, large-scale and long-term projects, using active training methodologies, producing sustainable results and/or reaching a large target audience. The same approach is to be followed for the 2021-2027 framework. [11]

Reflecting the results of the evaluation of the 2011 European Judicial Training Strategy [12] and the yearly reports on the participation of legal practitioners in training

[7] Currently, EJTN has 36 members representing EU states as well as EU transnational bodies. The full list of EJTN members is available on the EJTN website, https://ejtn.eu/members/. Accessed 18 Dec 2022.
[8] For example, the Council of Bars and Law Societies of Europe (CCBE) for lawyers, Notaries of Europe (CNUE) for notaries, the European Union of Judicial Officers (UEHJ) for bailiffs, etc.
[9] Regulation (EU) No 1382/2013 of the European Parliament and of the Council of 17 December 2013 establishing a Justice Programme for the period 2014 to 2020, OJ L 354, 28.12.2013, pp. 73–83.
[10] Information about EU financial support for European judicial training projects can be found on the websites of the Directorate General for Justice and Consumers, https://ec.europa.eu/info/departments/justice-and-consumers/justice-and-consumers-funding-tenders_en, the Directorate General for Competition, http://ec.europa.eu/competition/calls/index.html, the Directorate General Migration and Home Affairs, https://ec.europa.eu/home-affairs/funding_en, the European Anti-Fraud Office, https://ec.europa.eu/anti-fraud/olaf-and-you/funding_en, etc. Accessed 18 Dec 2022.
[11] Council Regulation (EU, Euratom) 2020/2093 of 17 December 2020 laying down the multiannual financial framework for the years 2021 to 2027, OJ L 433I, 22.12.2020, pp. 11–22.
[12] European Commission (2019) Commission Staff Working Document, Evaluation of the 2011-2020 European Judicial Training Strategy, SWD(2019) 381. https://commission.europa.eu/system/files/2019-10/5_en_document_travail_service_part1_v2.pdf. Accessed 18 Dec 2022.


in EU law in the European Union, [13] a new European judicial training strategy for 2021-2024 [14] was adopted. It places particular priority on the key EU instruments for cross-border judicial cooperation and their effective implementation. In terms of the effectiveness of training activities, the 2021-2024 Strategy refers to the need for diverse forms of learning: reflective, conceptual, experimental and concrete. Justice practitioners' training should include a blend of face-to-face residential activities, e-learning tools and on-the-job training. Cross-border face-to-face training activities are considered essential for developing skills and attitudes and for building mutual trust and respect. However, piloting new approaches, such as hybrid formats (combining face-to-face and online) and face-to-face cross-professional training, is also encouraged for specific topics of relevance. These objectives are not new, as the standard for such blended training was set with the 2016 EJTN Handbook on judicial training methodology in Europe. [15] One step further, the European Commission incorporated the European Training Platform into the European e-Justice Portal [16] as a central hub of information on training activities for justice professionals and a single access point for self-study materials on EU law.

2 EIO-Dedicated Educational and Awareness Activities by EU-Funded Projects

The adoption of the EIO Directive in 2014 introduced the need to train professionals on this judicial cooperation instrument, and it has become an almost constant priority under the Justice Programme 2014–2020 [17] within its calls for proposals for transnational projects on judicial cooperation in civil or criminal matters and calls for proposals for transnational projects on judicial training covering civil law,

[13] The Commission publishes annual reports on European judicial training, summing up the main EU judicial training achievements of each year and giving statistical data and analyses (broken down by justice profession and Member State).
[14] European Commission, Communication, Ensuring justice in the EU: a European judicial training strategy for 2021-2024, COM(2020) 713 final. Available via EUR-Lex, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52020DC0713. Accessed 18 Dec 2022.
[15] European Judicial Training Network (2016) Handbook on judicial training methodology in Europe. https://portal.ejtn.eu/MRDDocuments/EJTN_JTM_Handbook_2016_EN.pdf. Accessed 18 Dec 2022.
[16] https://european-training-platform.e-justice.europa.eu/about-platform. Accessed 18 Dec 2022.
[17] Regulation (EU) No 1382/2013 of the European Parliament and of the Council of 17 December 2013 establishing a Justice Programme for the period 2014 to 2020, OJ L 354, 28.12.2013, pp. 73–83.


criminal law, or fundamental rights. [18] In this regard, an illustrative list of projects enhancing judicial cooperation under the EIO Directive and providing awareness-raising activities on this instrument was reviewed.

'Criminal Justice Access to Digital Evidences in the Cloud—LIVE_FORensics' (LIVE_FOR) Project, Grant Agreement 723150, focused on a number of investigative measures specified by the EIO Directive, where the non-localised nature of the data challenged crime investigators with technical problems and jurisdiction issues. Project activities included: (a) analytical activities consisting of data collection from the authorities appointed under EU legislation in cases that involve cybercrime; and (b) educational activities providing the target groups with knowledge of the legal and technical challenges of EIO application and raising awareness of the EIO Directive and the cooperation mechanism it provides (round tables, educational workshops and public events). As a result of the project findings, a report on best practices to be followed in cases where the EIO Directive is applied was published in 2018. Besides the main instructions on its application, the document provided a reasonable introduction to other fields of knowledge such as digital forensics and cross-border evidence collection, from both the technical and the legal perspective. This approach was considered by the validating experts to be most useful for prosecutors, judges, etc. in EIO use cases. [19]

'best practices for EUROpean COORDination on investigative measures and evidence gathering' (EUROCOORD) Project, Grant Agreement 723198, promoted judicial cooperation by developing systematic research and generating specific knowledge and tools addressed to the different stakeholders, to contribute to the efficient and coherent application of the EIO Directive and other relevant regulations. Project activities included: desk and qualitative research on the EIO judicial framework; development of a Code of Best Practices for the EIO in criminal matters; training courses and seminars addressed to different target groups; and development of the European Observatory on EIO and related criminal matters. Each of the target groups (judges, prosecutors and lawyers) was engaged in training on the legal framework, judicial practices and the Code of Best Practices [20] developed under the project. Jurisdictional coverage included Italy, Spain and Poland. [21]

'Judicial Cooperation in Criminal Matters and Electronic IT Data in the EU: Ensuring Efficient Cross-Border Cooperation and Mutual Trust' (JUD-IT) Project, Grant Agreement 766467, aimed at providing an in-depth comparative assessment of promising practices and of the practical and legal challenges in securing, requesting

[18] The author did not explore projects funded under the Justice Programme 2021-2027 framework, due to the lack of projects granted funding as of the completion date of this Chapter; even if such projects exist at the time of publication, they will be in their initial stages and are not considered applicable for the purposes of the present review. Accessed 18 Dec 2022.
[19] Jerman-Blažič and Klobučar (2019); Jerman-Blažič and Klobučar (2020).
[20] http://eurocoord.eu/wp-content/uploads/2018/11/D4.3_Code-of-Best-Practices.pdf. Accessed 18 Dec 2022.
[21] http://eurocoord.eu/wp-content/uploads/2019/06/D2.4.-National-report-EOI_rev.pdf. Accessed 18 Dec 2022.


and obtaining digital information held by IT companies, in the context of both the implementation of the EIO Directive and the domestic use and application of EU Mutual Legal Assistance Treaties with third States such as the USA and Japan. The project sought to facilitate the identification of ways forward and policy recommendations for EU and national policy makers to promote judicial cooperation in criminal matters in a global context of increasing use of electronic means and data, in line with EU rule of law and fundamental rights standards; and to secure the gathering of scientific evidence and practitioners' experiences in better ensuring the effective and trust-based use of mutual legal assistance instruments when accessing electronic information and using it as evidence in the EU Criminal Justice Area. The JUD-IT Project developed a Handbook providing guidelines for practitioners and legal/judicial actors, and dedicated training modules (with a focus on the most recent developments in EU legislation and related best practices). [22]

'EVIDENCE2e-CODEX Linking EVIDENCE into e-CODEX for EIO and MLA procedures in Europe' (EVIDENCE2e-CODEX) Project, Grant Agreement 766468, pre-piloted the EVIDENCE [23] Proof-of-Concept over the e-CODEX (e-Justice Communication via Online Data Exchange) Platform [24] for the specific purpose of allowing the secure and trusted exchange of digital evidence among EU Member States in the EIO and Mutual Legal Assistance (MLA) context. The EVIDENCE Project had already identified a need to generate the necessary awareness among the actors involved by properly disseminating information about the procedures and the legal framework in which these procedures will be needed, including the need for specific training to understand, accept and finally promote the electronic exchange of evidence.

Thus, the EVIDENCE2e-CODEX Project aimed to cross-fertilise stakeholders' experiences and infrastructures, rendering them ready to implement the changes in treating electronic evidence and in exchanging it electronically by: creating a legally valid instrument to exchange digital evidence related to MLA and EIO procedures over e-CODEX; providing the legal and technical communities involved with 'ready to use' information on the EIO, digital evidence and e-CODEX; and developing a 'true to life' example of how electronic evidence can be shared

[22] The author's conclusions are based on the publicly available agenda of the JUD-IT transnational judicial training workshop. See Centre for Judicial Cooperation of the European University Institute (2018) Ensuring Efficient Cross-border Cooperation and Mutual Trust (JUD-IT) Transnational Judicial Training Workshop 'Judicial Cooperation in Criminal Matters and Electronic IT Data in the EU'. http://jud-it.law.auth.gr/data/documents/Programme-1.pdf. Accessed 18 Dec 2022.
[23] 'EVIDENCE—European Informatics Data Exchange Framework for Court and Evidence' Project (03/2014-10/2016), Grant Agreement No. 608185. http://www.evidenceproject.eu/. Accessed 18 Dec 2022.
[24] e-CODEX has been developed and maintained with EU financial support by a consortium of Member States. On 2 December 2020 the EC adopted a Proposal for a Regulation on a computerised system for communication in cross-border civil and criminal proceedings (e-CODEX system) and amending Regulation (EU) 2018/1726, COM(2020) 712 final, which aims to entrust the further development and maintenance of e-CODEX to the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) as of 2023.

Training on EIO: Overview of Training Courses in the EU

193

via e-CODEX in a secure and standardised way in order to support MLA and EIO cases. An Action Plan and guidelines for EU-wide implementation of the ‘true to life’ example were the final project results published.25 The ‘Strategic AssessmenT for LAW and Police Cooperation’ (SAT-LAW) Project, Grant Agreement 800816, aimed at contributing to a bi-annual case-based report on the application of the EIO Directive (under Article 37 of the Directive), including with regard to the coherence, harmonisation, and interrelation with other judicial instruments in the judicial and law enforcement domains. SAT-LAW conducted quantitative and qualitative studies on the state of EIO implementation and its coherence with other EU judicial cooperation instruments and treaties and with all EU directives protecting the rights of suspects and accused. The project also developed experimental Living Labs on the proportionality in the use of special investigation techniques and surveillance; interlinks between EIO, electronic evidence and new technologies; implementation models in different adversarial and/or inquisitory-centred national procedures to assess the level of examination of conformity; EIO and fundamental rights; and EIO and prisons. A toolkit with promising practices, European, ECtHR and national case law, and blended training courses was prepared alongside dedicated manuals.26 The ‘European Investigation Order—legal analysis and practical dilemmas of international cooperation’ Project27 accumulated knowledge regarding the practical application of the EIO and its relation to other relevant instruments of mutual legal assistance and prepared trainings on the cross-border evidence gathering procedure under the EIO Directive and application guidelines in the national languages covered by the project. 
‘PRE-RIGHTS: Assessing impact and performance of preventive measures on EU Directives and Framework Decisions’28 promoted a balanced approach to judicial and police cooperation, in line with the provisions of the EU’s Security Agenda on prevention, and coherence between the new hybrid investigations in the “intelligence-led police approach” and the application of the EIO and the European Arrest Warrant, avoiding excessive de-juridicalisation. The project delivered analytical documents and guidelines on issues of judicial cooperation in crime prevention and applicable case law of the CJEU/ECtHR, and on the application of MLAs and data exchange with third countries in the specific area of judicial prevention, alongside online training courses and judicial Living Labs. While each of these projects focuses on, among other topics, the EIO Directive implementation, the awareness and training activities envisaged do not reflect an all-round blended approach but follow a particular angle of application chosen by the respective project. A similar methodology is followed by most EU-funded projects on EIO and EIO-related trainings. The ‘Applying the European Investigation Order’ Project, Grant Agreement 763552, was set to train 200 European judges, prosecutors, law enforcement officials, and defence lawyers on applying the EIO Directive and the 2000 Mutual Legal Assistance Convention and to provide a better understanding of the relation between the EIO, the European Arrest Warrant Framework Directive and the Convention of 29 May 2000 on Mutual Assistance in Criminal Matters between the Member States of the European Union and their application in the European Member States. The training activities looked at the differences regarding the implementation of the EIO at national level and the related best practices in a practice-oriented way, bringing together different legal professions and encouraging cooperation among them. A total of four two-day cross-border trainings—all provided in English—were organized, covering 17 jurisdictions in total. Each training included sessions on the EIO Directive’s overall scope, content and status quo, the specific conditions for issuing and executing EIOs in the respective European Member States covered by the training, and some specific issues related to free movement of evidence and/or exchange of electronic evidence. ‘BES Practice 2.0: Perfecting the skills of the EIO practitioner’29 aimed at improving judicial cooperation in the application of the EIO between Belgium, Germany, and the Netherlands, by strengthening mutual confidence, trust, and recognition among the network of legal practitioners, and exploring the obstacles, miscommunication, and practical issues in the application of the EIO between the three countries. A total of three two-day tri-national trainings were organized for 180 legal practitioners. In addition, a glossary of the Dutch, French, German and English technical terms used under the EIO has been developed. 

25 All EVIDENCE2e-CODEX findings are available at https://evidence2e-codex.eu/a/deliverables. Accessed 18 Dec 2022.
26 All SatLaw findings are available at https://satlawproject.eu/downloads/. Accessed on 18 Dec 2022.
27 EIO-LAPD’ Project, Grant Agreement 831623. Results and findings are available at https://lapd.pf.um.si. Accessed 18 Dec 2022.
28 PRE-RIGHTS Project, Grant Agreement 831616. Results and findings are available at https://www.pre-rights.eu/publications. Accessed 18 Dec 2022.

194

A. Tsvetkova
In 2020, a new project was approved for grant, namely ‘BES Practice 3.0: Intensifying the judicial cross-border cooperation in criminal matters through training’30, to build upon and further enhance this approach. It offers a two-year training programme covering 8 days divided into 4 sessions, each tackling a different subject. The BES Practice 3.0 Project will prepare and organise these sessions, which will be attended by approximately 235 legal practitioners originating from Belgium, Germany, and the Netherlands and representatives from the European Judicial Network and Eurojust. ‘Applying procedural rights in the EU—State of play’31 focused on the six Directives on procedural rights for suspects and accused persons and the state of play of their implementation, and looked at their application in combination with other EU criminal law instruments such as the EIO, including through the prism of the developing case law of the Court of Justice of the European Union. A series of four seminars were provided for a total of 190 EU legal practitioners.

29 BES Practice 2.0 Project, Grant Agreement 762623.
30 BES Practice 3.0 Project, Grant Agreement 101007772. The project is still ongoing. Accessed 13 Dec 2022.
31 Project, Grant Agreement 851832.


However, only one of the trainings was focused on procedural rights in the context of evidence gathering, especially in the context of the EIO and the forthcoming instruments regarding e-evidence such as the European Protection Order. New developments such as the new technical framework for the EIO are also part of this training. A specific point of interest was the blended audience envisaged, as judges, prosecutors, defence lawyers, legal interpreters, and prison and probation staff were brought together for each training. ‘Judicial Cooperation in Criminal Matters in the European Union’s Area of Freedom, Security and Justice: Recent Developments and Topical Issues 2020–2021’32 seeks to provide hands-on training on the European Arrest Warrant, the European Investigation Order, the EU procedural guarantees legislation, and the Council Framework Decisions on detention and transfer of prisoners. The trainings explore how practitioners should respond to the fundamental rights and rule of law concerns in relation to certain EU Member States while administering EU mutual recognition criminal law instruments. Four training activities are to be implemented in four different locations, all of them coupled with an introductory online lecture. Simultaneous interpretation in several languages is to be provided, along with translation of training materials. The educational activities target over 100 legal practitioners with a criminal law background. ‘TRaining on European Investigation Order’33 aims to develop and pilot an all-round cross-border training on European Investigation Order implementation to foster the use and successful exchange of EIO forms and evidence across the EU. 
It is to tailor the content to cross-border specifics (judicial cooperation, investigative measures, procedures, safeguards, data protection compliance) and provide a video tutorial on the technical aspects of the EIO implementation and the use of the e-Evidence Exchange Digital System, developed by the European Commission. The training is to spread across the 12 Member States launching the System by adopting a cascading train-the-trainer methodology and providing tailored online training. The TREIO Toolkit and Action Plan for future actions are to be delivered at the end of the project, proposing the adoption of the training schema in all EU Member States. See also Chapter 13 for further details on the TREIO Project. The overview of stand-alone EIO training activities shows the variety of measures funded across Europe. However, while diversified, most trainings cover primarily the legal and operational aspects of the EIO Directive in a limited number of languages. Only one project (namely, TREIO) refers to an all-round type of training and EU-wide deployment of its training instruments.

32 Project, Grant Agreement 882080. The project is still ongoing. Additional information and ongoing activities are available at https://www.eipa.eu/services/protecting-rights-fundamentalrights-and-data-protection-in-eu-law/judcoopafsj. Accessed 18 Dec 2022.
33 TREIO Project, Grant Agreement 882068. The project is still ongoing. Additional information and ongoing activities are available at https://treio.eu. Accessed 18 Dec 2022.


3 EIO-Dedicated Educational and Awareness Activities by EU-Level Training Providers

The European Judicial Training Network (EJTN) is an international non-profit association promoting training programmes with a European dimension for 36 members of the European judiciary from all EU Member States. Under EJTN’s Criminal Justice Programme, the organisation continuously delivers trainings on practical matters linked to the use of mutual recognition instruments and directives on procedural safeguards, including the European Investigation Order. All events are conducted mainly in English. EJTN’s Criminal Justice Programme has a long-standing history of delivering trainings on obtaining and transferring evidence in criminal matters between Member States in view of securing its admissibility. Built-in sessions on effective cooperation and mutual trust among the European judiciary took place, allowing training participants to better face those situations where the use of evidence obtained in another EU Member State should be secured in view of its admissibility in another EU Member State. In 2016, seminars on the landscape of EU cross-border evidence gathering and use of evidence and the perspectives and challenges under the EIO Directive were offered to participants. In 2017, EJTN refocused their work on EU cross-border evidence towards making participants aware of the current legal landscape and the different regimes for obtaining evidence, and providing in-depth knowledge on the EIO. The trainings from then on were divided into national breakout sessions, international workshops, and plenaries, and reflected on legal and practical implications in cross-border investigations with respect to the changes the EIO Directive brought and the national challenges in its implementation. In 2019, EJTN divided the topics and launched an advanced EIO-in-practice series. 
The new seminars gather several national groups composed of judges and prosecutors representing their Member States and deal with obtaining evidence in complex cross-border cases, while focusing on the EIO Directive and similar legal instruments and their mutual interference, including the latest (inter-)national case law. The exchange of best practices and experiences on how differences in national systems can affect EU cross-border investigations is at the core of the seminar. Further, different case scenarios are discussed within multinational breakout sessions and international group workshops guided by experts. A closing plenary session usually highlights differences and common approaches in gathering, obtaining, and using evidence in view of its admissibility abroad. This methodology is highly appreciated by participants and has proven to be the most successful to date. Another institution delivering EIO(-related) trainings is the Academy of European Law. ERA was created with the main objective of enabling individuals and authorities involved in the application and implementation of European law in Member States and in other European States interested in close co-operation with the European Union to gain a wider knowledge of European law, in particular European Union law and its application, and of making possible a mutual and


comprehensive exchange of experiences. The Academy pursues this objective by organising courses, conferences, seminars, and specialist symposia, particularly for the purposes of continuing vocational training, by issuing publications and by providing a forum for discussions. A detailed review of ERA’s catalogue of events showed that the only events specifically dedicated to the EIO instrument are those implemented under the ‘Applying the European Investigation Order’ and ‘Applying procedural rights in the EU—State of play’ Projects34 presented above. In addition, two ‘Post-Brexit Cooperation in Criminal Justice’ seminars were conducted in 2018 and 2020 covering, amongst other topics, the future cooperation possibilities between the EU and the UK in relation to the EIO and other criminal justice tools and mutual recognition instruments (both trainings were provided in English). ERA provides for regular trainings—be they EU-funded or not—on electronic evidence and its life cycle, including handling electronic evidence in specific domains and/or using certain devices. However, the EIO instrument is typically not amongst the specifically targeted use cases. Further, each year ERA organizes a Summer Course on European Criminal Justice for judges, public prosecutors, defence lawyers, police officers and civil servants seeking an introduction to European criminal justice. Mutual legal assistance and mutual recognition, including tools for mutual legal assistance in criminal matters, EU legislation regarding serious cross-border crime, and the organisation of police and criminal justice cooperation are amongst the regularly discussed topics. The European Investigation Order was first introduced during the 2014 edition and has been part of the agenda ever since. However, since 2019 the focus has been placed on evidence gathering, with a short practical workshop on issuing and executing an EIO. 
Again on an annual basis, ERA organizes an Annual Conference on EU Criminal Justice facilitating the exchange of experiences among legal practitioners on current developments and future initiatives in the field of EU criminal justice. While European judicial cooperation instruments (and their transposition into national legislation) are largely discussed, no single session is yet dedicated solely to the European Investigation Order. The European Institute of Public Administration (EIPA) is another European-level provider of training to the judiciary and other legal professions. Most of these training activities are developed and delivered by EIPA’s European Centre for Judges and Lawyers (ECJL). The latter is also leading the implementation of the ‘Judicial Cooperation in Criminal Matters in the European Union’s Area of Freedom, Security and Justice: Recent Developments and Topical Issues 2020–2021’ Project presented above. In addition to open enrolment training and conference activities, EIPA ECJL provides a variety of tailor-made and practice-oriented training on the

34 The trainings under the ‘Applying the European Investigation Order’ Project were conducted between February 2018 and February 2019 in Trier, Cracow, Barcelona, and Riga, while the ones under the ‘Applying procedural rights in the EU—State of play’ Project took place between February 2020 and April 2021 mainly online due to COVID-19 restrictions.


implementation of European law in the EU Member States and countries associated with the EU (candidate countries, European Free Trade Association countries, etc.). The consistent efforts of the EU-level training providers to deliver trainings of common interest place their focus primarily on dealing with complex cross-border issues, including the latest international case law, while supporting the networking and quasi-alignment of national practices. Member States’ judicial authorities are considered best placed to adopt national training programmes on EIO while adapting them with regard to specific aspects of judicial cooperation. Through the years, the EJTN, ERA and EIPA have worked—and continue to work—on a project-by-project basis with the national judicial training institutions throughout Europe as well as with European-level associations for various legal professions, e.g., the Council of the Bars and Law Societies of Europe, etc. The latter also provide support for their members at national level.


Training on EIO: TREIO Project

Maria Angela Biasiotti

Abstract

The EIO has been introduced by Directive 2014/41/EU in order to strengthen judicial cooperation in the EU in criminal matters. The EVIDENCE2e-CODEX and EXEC Projects and the eEDES platform developed and led by the EC (DG Justice and Consumers) are currently working together to build up the secure and trusted infrastructure allowing the exchange of EIO forms and evidence between judicial authorities of the Member States. The e-Evidence Digital Exchange System (the System), developed under the e-Evidence Project, is the system that manages the EIO/MLA procedures/instruments: e-Forms, business logic, statistics, log, etc. The Reference Implementation is the front-end portal of the System and is also provided by the EC. Both instruments use e-CODEX (the EU content-agnostic e-Delivery infrastructure that supports cross-border e-Justice services) as the secure platform/infrastructure for evidence exchange. The EXEC project extends and strengthens some components of e-CODEX to manage the evidence exchange use case, while EVIDENCE2e-CODEX provides the evidence packaging application. Although these operational tools allow the exchange of EIO forms and evidence, they are still under development and will be launched by Jan 2020. The research done between June 2018 and March 2019 across 16 Member States under these three projects showed that there is a specific need to generate the necessary awareness of the actors involved by properly disseminating information and knowledge about the procedures and the legal framework in which these procedures will be needed, and to create a specific cross-border training for magistrates and court staff to understand, accept and finally promote the exchange of EIO forms along with the exchange of electronic evidence.

M. A. Biasiotti, IGSG/CNR, Florence, Italy. e-mail: [email protected]
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023
M. A. Biasiotti, F. Turchi (eds.), European Investigation Order, Law, Governance and Technology Series 55, https://doi.org/10.1007/978-3-031-31686-9_13

199

200

M. A. Biasiotti

1 Objectives

In June 2019 the EC, within the Action grants to support transnational projects on judicial training covering civil law, criminal law or fundamental rights, approved the proposal to organise a training on the EIO: the TRaining on European Investigation Order (TREIO). The project aims to develop and pilot an all-round cross-border training on European Investigation Order (EIO) implementation to foster the use and successful exchange of EIO forms and evidence across the EU. It will tailor the content to cross-border specifics (investigative measures, cooperation, procedures, safeguards, data protection compliance) and provide a video tutorial on the technical aspects of the EIO implementation and the use of the e-Evidence Exchange Digital System (eEDES), developed by the EC. The training will spread across the 12 Member States (MSs) adopting the System within the e-CODEX Infrastructure. The TREIO Toolkit and Action Plan for future actions will implement and propose the extension of the training to all EU MSs.

2 Background on the EIO

The EIO has been introduced by Directive 2014/41/EU in order to strengthen judicial cooperation in the EU in criminal matters. The EVIDENCE2e-CODEX and EXEC Projects and the e-Evidence Project led by the EC (DG Justice and Consumers) are currently working together to build up the secure and trusted infrastructure allowing the exchange of EIO forms and evidence between judicial authorities of the Member States. The e-Evidence Digital Exchange System (the System), developed under the e-Evidence Project, is the system that manages the EIO/MLA procedures/instruments: e-Forms, business logic, statistics, log, etc. The Reference Implementation is the front-end portal of the System and is also provided by the EC. Both instruments use e-CODEX (the EU content-agnostic eDelivery infrastructure that supports cross-border e-Justice services) as the secure platform/infrastructure for evidence exchange. The EXEC project extends and strengthens some components of e-CODEX to manage the evidence exchange use case, while EVIDENCE2e-CODEX provides the evidence packaging application. Although these operational tools allow the exchange of EIO forms and evidence, they are still under development and will be launched by Jan 2020. The research done between June 2018 and March 2019 across 16 MSs under these three projects showed that there is a specific need to generate the necessary awareness of the actors involved by properly disseminating information and knowledge about the procedures and the legal framework in which these procedures will be needed, and to create a specific cross-border training for magistrates and court staff to understand, accept and finally promote the exchange of EIO forms along with the exchange of electronic evidence. Currently, the scenario in the EU MSs regarding training on EIO is the following:

Training on EIO: TREIO Project

201

• There is a lack of standardized training, as existing training courses are developed at national level without any overall uniformity or agreement on the training programs.
• There is a lack of global vision, as the training courses are organised mostly only for judicial and not for court or administrative staff.
• Topics taught during the trainings do not refer to the EIO in general but are limited only to some specific aspects.
• There is a variety of legal and operational differences across MSs: still unclear interaction between EIO and Mutual Legal Assistance (MLA) instruments, missing general obligation for the MSs to officially report on EIOs issued and transmitted, unclear competences of the administrative authorities when acting as competent authorities under the EIO Directive, issues with the identification of the competent executing authority, varying language regimes, still primarily manual handling of EIO/MLA procedures and human-based evidence exchange, problems with exchanging large files of evidence, etc.
• The use of the new tool which will be launched by the EC for the electronic exchange of EIO forms and evidence is completely ignored.

A great part of the respondents (57%) showed specific interest in a future training on the e-Evidence Digital Exchange System, a minority (22%) were primarily interested in administering EIO forms and applying the relevant procedures and safeguards, and only 17% focused on the need for more information and training on the technical aspects of the EIO implementation, and the rest on the business side of the process. 
These research results already establish the basis of the TREIO training methodology—to be successful and really foster the use of the EIO package (legal tool plus the operational tools), the training must be modular, multidisciplinary and multilevel: different stakeholders addressed by different cross-border topics (i.e., legal aspects, technical issues, business logic, e-evidence, etc.), providing for the exchange of relevant best practices existing in the different MSs. However, to better map the stakeholder needs, TREIO will provide an independent comparative analysis of training initiatives existing at EU level in the different MSs and a review of EIO-dedicated or EIO-related research and training projects in the last 5 years, the results of which will be further implemented in the TREIO training methodology. Having all specifics in mind, TREIO aims to develop an all-round cross-border training on EIO implementation to foster the use and successful exchange of EIO forms and evidence across the EU by focusing not only on the 4 main components under Directive 2014/41/EU (investigative measures, cross-border cooperation, procedures and safeguards, and data protection compliance), but also by providing a specific tutorial on the technical aspects and the use of the e-Evidence Exchange Digital System. TREIO will provide for training of legal professionals and court/administrative officials in the 12 piloting MSs planning to adopt the System by the beginning of 2020, also taking into consideration the different language regimes applied by translating the content into the 11 official EU languages


covered in these countries and English (12 in total). In short, TREIO addresses the priorities of the call and the needs assessment presented above by:

• Developing training content for all-round EIO implementation—from business processes and logic, through operational and legal aspects, to technical implementation and specific use of the System allowing electronic exchange of EIOs and evidence by using information technologies;
• Involving all stakeholders taking part in an EIO procedure, tailoring the training courses and materials to their specific needs to provide for operational efficiency and more coherent results;
• Creating uniform training modules and materials with the option to customize the content to the 12 piloting jurisdictions and their specific legal frameworks;
• Piloting the TREIO cross-border on-site training in English for 120 professionals (following the train-the-trainer approach) and addressing regional jurisdictional similarities—the trainings will also address the effectiveness of the training content and methodology and its adaptation to national specifics, thus supporting the TREIO training content validation process;
• Providing for standardized training content in 12 official EU languages adapted for online training and setting up the TREIO e-learning platform for EU-wide use;
• Delivering the TREIO online training for over 1000 professionals in the 12 piloting MSs; and
• Designing the TREIO Training Toolkit and guidelines for all-round EIO training adoption across the EU and delivering an Action Plan for future

3 Objectives, Impact and Methodology

The need for an all-round EU-wide cross-border EIO training tailored to fully present not only the legal and organisational sides of Directive 2014/41/EU, but also the technical details of the EIO forms and evidence exchange, is reflected in both the specific project objectives and the overall design of the project activities, awareness measures and approach for long-term sustainability. Thus, TREIO sets the following specific project objectives:

• O1. Developing training methodology and content with complete EIO coverage, going from the business aspects to the technical ones and focusing on the electronic exchange of EIOs and evidence using information and communication technologies
• O2. Involving all stakeholders taking part in the EIO procedure, tailoring the training courses and materials to their specific needs
• O3. Creating EU-wide standardized and uniform training curricula and materials with guidelines on their adoption and customization to the different jurisdictions and legal specifics and procedures taking place at national level


• O4. Adjusting the e-CODEX testing environment to provide for real-time simulation of an EIO form and evidence exchange and preparing a special tutorial and video materials on the use of the e-Evidence Digital Exchange System towards a more operational and efficient training
• O5. Providing cross-border training for trainers, empowering them to teach and promote EU-wide EIO implementation in the 12 piloting MSs
• O6. Providing online all-round EIO training in 12 official EU languages
• O7. Developing a Training Toolkit and guidelines for all-round EIO training adoption across the EU and delivering an Action Plan for future actions on EIO training for all EU MSs
• O8. Enhancing national and cross-European cooperation between national competent authorities and professionals on sharing EIO implementation best practices and contributing to the creation of a sound ecosystem in which cross-border cooperation problems and development gaps will be better identified and countered by both authorities and experts.

4 Impact

The project’s common final objective is to deliver a practice-oriented and tailored training toolkit (methodology, curricula and both paper-based and online content) and guidelines dedicated to the development of the EIO procedure and exchange of evidence in the criminal context in MSs. Cross-border and cross-sectorial participation will be fostered so that engaged and capacitated key actors from diverse backgrounds and countries will work together towards this goal. The achievement of this objective will produce the following:

• Short-term results
– TREIO will develop all-round EIO training curricula and tailored content in 12 official EU languages
– TREIO will adjust the e-CODEX environment to provide for real-time simulation of an EIO form and evidence exchange and prepare a special tutorial and video materials on the use of the System towards a more efficient training and use of the technology in place
– TREIO will facilitate the training of 120 trainers and 1000 professionals on EIO implementation
– TREIO will develop practice-oriented and tailored tools which provide the stakeholders involved in the EIO procedure and exchange of evidence in a criminal context with clear knowledge and instruments to better address the relevant issues and increase the quality of the cross-border assistance instruments’ practical application
– TREIO will create cross-border awareness of the EIO legal and operational differences across MSs.
• Mid-term results


– TREIO will enhance understanding and foster practical application of Directive 2014/41/EU
– TREIO will provide for increased awareness in the field of the EIO procedure and can stimulate improvements to both the IT systems used and the legislation in place
– TREIO will foster knowledge on the chain of transmission and receipt of EIOs and evidence in a criminal context
– TREIO will improve the knowledge of EIO actors across the EU by elaborating specific and tailored training materials and methodologies.
• Long-term results
– TREIO will increase the overall efficiency of the EIO procedure and exchange of evidence across the EU
– TREIO will enhance national and cross-European cooperation between relevant executive authorities and judicial bodies, legal organisations and professional bodies, civil society organizations and academia, on sharing EIO procedure and exchange of evidence knowledge and best practices towards reaching a coherent application of the EIO Directive in all EU MSs
– TREIO will initiate the development of a European network of trainers with profound knowledge and skills in the field of the EIO procedure and exchange of evidence
– TREIO will increase the knowledge levels of and foster the quality of the cross-border IT solutions used.

5 Methodology

TREIO adopts design thinking as part of its overall approach. Design thinking's human-centered problem-solving approach can help stakeholders understand the roots of an issue in order to make decisions and design changes to counteract the problem; within the TREIO context, that problem is EU-wide, EIO-tailored practical implementation training. With exploration and experimentation as its guiding principles, design thinking enables stakeholders to understand the problem, informing design solutions and creating proper tools. The use of design thinking as a human-centered methodological approach allows us to directly integrate users such as magistrates, court and administrative officials, researchers, policy-makers, legal and technical experts, key professional bodies and CSO representatives into the design of the tools. Our approach puts stakeholders' needs back at the forefront of tools (methodology) design to create a tangible and positive impact. TREIO's user-centered design approach allows for the creation of an EIO Training Toolkit, ensuring that the solutions co-created throughout the project deliver value and meet the respective legal, organisational and technological needs of the project's stakeholder pool. In addition, different methodologies are used for the implementation of the five activities:

Training on EIO: TREIO Project


• Activity 1 follows the Goal Oriented Project Planning (GOPP) methodology, a tool based upon Project Cycle Management that facilitates planning and defines implementation fields with specific responsibilities connected to tasks and sub-tasks.
• Activities 2, 3 and 4 are based on a cross-sectoral and participative methodology involving various stakeholders, all working together at different levels of responsibility and with different duties. The methodology adopted combines different interests and points of view with empirical research and evidence-based findings. It is composed of a set of participative techniques that create a well-disposed background to transition and change, thus gaining consensus among different actors at different levels.
• Activity 5 explores blended methodologies to deliver synchronous and asynchronous online communication processes combined with face-to-face direct and cascading stakeholder interactions.

TREIO adopts an M3 model (multidisciplinary, multi-agency and multi-stakeholder) that will interconnect relevant e-Justice experts and socio-political actors through an informal international network as a means of producing scientific knowledge, which will be translated into intuitive tools and solutions useful to capacitate key stakeholders on a large scale.

6 European Added Value and Impact on Non-EU Countries

To achieve its aims, TREIO takes into account the EU initiatives for building up the relevant tools allowing for the exchange of EIO requests in a coherent and consistent way. Such tools will be provided by the EC in synergy with two EU-funded projects, EVIDENCE2e-CODEX (GA 766468) and EXEC (GA 785818), which together with DG Justice and Consumers are currently working to build a secure and trusted infrastructure for exchanging EIO forms and evidence between competent authorities across the MSs (i.e., the EIO package). The TREIO training will spread across the 12 piloting MSs currently adopting the System within the e-CODEX infrastructure. In addition, TREIO will guarantee the sustainability and transferability of its results by also boosting cross-border and cross-sectoral cooperation among stakeholders working or interested in the field of judicial cooperation and its sub-domains (i.e., the EIO procedure). This will be feasible because another major asset of the consortium is the broad geographical scope of its members' present activities, networks and community influence (referring to both their experience and involvement in related projects, with organisations throughout the EU who will actively collaborate with TREIO), thus contributing to the project's European added value.

One of the main added-value features of TREIO is that it impacts heavily on the successful exploitation of the EU-funded projects cited above, and mainly of the System on which the EC is working to facilitate the electronic exchange of EIO forms and evidence. The way in which the judicial communities of the EU MSs react to the exploitation and daily use of the System will greatly depend on the effectiveness of the training they receive and on the specific knowledge they will be able to acquire through TREIO. Therefore, the added value of the project will lie in boosting the legal and technological tools available for the exchange of EIO forms and evidence and contributing to their effective and operational use, strengthening judicial cooperation in Europe. Furthermore, TREIO's added value consists of:

• building up a common evolutionary approach towards EIO training across different EU jurisdictions;
• providing standardised and uniform training curricula and content to be used by the trainers and the institutional actors involved in the project, with complete coverage from the business aspects to the technical ones, including the specific use of the System allowing the electronic exchange of EIOs and evidence by means of information and communication technologies;
• providing the training materials in 12 EU languages and enabling their customisation according to the different legal frameworks;
• organising interactive and practice-oriented workshops for the training of trainers, to contribute to their knowledge and professional skills on the EIO procedure and exchange of evidence and to foster the creation of a common European legal culture in the field;
• producing an e-learning programme based on the training materials elaborated by TREIO, for self-learning by professionals (working in the field of criminal law and related fields) in the field of the EIO procedure and evidence exchange;
• creating a toolkit on EIO procedure and exchange of evidence training that will be easily transferable, granting an even further trans-national dimension to the project and covering the most crucial aspects of EIO cross-border implementation (investigative measures, cooperation, procedures, safeguards, data protection compliance, and technical aspects);
• generating mutual trust among judicial authorities in different MSs as to the procedures, rules and operating systems and actions regarding the EIO;
• fostering cross-border judicial cooperation between judicial authorities and other stakeholders across the EU; and
• dissemination and cross-border spreading of existing best practices on the EIO exchange of forms and evidence.

Besides those MSs participating in the piloting phase, all other EU MSs will be able to profit from TREIO's findings, the TREIO Toolkit and the Action Plan to foster their own national training initiatives, due to the detailed all-round approach and exhaustive training toolkit produced by the project.