The CJEU missed an opportunity to address mass hacking and fundamental rights.

Hugo Partouche, a Paris Bar Attorney-at-law (avocat), and Chloé Berthélémy, a Senior Policy Advisor at EDRi, collaborated on this piece.

Photo credit: hacker-silhoutte, via Wikimedia Commons

*This article initially appeared in French in Actualité Juridique (AJ) Pénal, Dalloz Revues.

The Court of Justice of the European Union (CJEU) issued its decision on the ‘EncroChat’ case on April 30, 2024.

This case arose from large-scale European police operations targeting organized crime. These operations used spyware to intercept encrypted communications in bulk, a practice referred to here as “hacking.” In the EncroChat case alone, millions of messages from 32,000 users across 122 countries were collected, including those of nearly 4,600 users in Germany. This led to over 6,500 arrests and 3,800 legal proceedings within the European Union.[1]

The Berlin Regional Court (the “Berlin Court”) referred questions to the CJEU concerning a German European Investigation Order (“EIO”). The EIO sought the transfer of data acquired by French investigators through hacking. The Berlin Court asked whether this EIO was compatible with fundamental rights.

The Court’s answer rests primarily on the principle of mutual trust, regarded as essential to effective European judicial cooperation.[2] Regrettably, the decision does not connect this ruling to the Court’s existing case law on the rights to privacy and data protection in criminal matters, a body of law that has been developing since the EU Charter of Fundamental Rights (the “Charter”) came into force.

Consequently, the Court treats EU law as of minimal relevance to the fundamental rights issues raised in this case. According to the Court, data transfers between Member States under an EIO are governed solely by the rules of the issuing state, Germany in this instance. Likewise, an EIO’s proportionality is assessed only under the issuing state’s law, including what evidence is deemed sufficient to justify such an order. The Court separates this from the question of data integrity during court proceedings: only the trial court can determine whether the defense can effectively challenge the evidence presented, a right enshrined in EU law.[3]

1. Overview of the EncroChat Investigation

‘EncroChat’ was a closed, encrypted communication network used by organized crime. It operated using modified mobile phones and servers located in France. In April 2020, French authorities, partnering with the Netherlands, formed a joint investigation team. This team, operating under Eurojust with Europol’s support, obtained legal authorization to deploy Trojan horse software. The software was installed first on the EncroChat servers and subsequently on individual user devices (phones). The investigators used Europol’s SIENA messaging system to notify other agencies, informally, that the interception would reach data located outside French jurisdiction. Germany’s federal criminal police (BKA) expressed interest in accessing the collected data.

On this basis, the Berlin Court viewed the investigation as a single European project whose goal was to dismantle the EncroChat network and to enable prosecutions of European users in their respective countries. Several factors supported this view: Franco-Dutch cooperation dating back to 2018, the support of Eurojust and Europol, the sophistication of the interception technique, the German authorities’ prior knowledge that the interception would extend into their territory, and the opening in 2020 of an “empty shell” procedure by the Frankfurt public prosecutor’s office. That procedure was designed to receive data on German users, accessed from Europol’s servers, for possible prosecution in separate proceedings.

Adding to the complexity, the technical specifics of the hacking operation[4] remain unknown because they are classified as a French national defense secret.[5] A substantial portion of the case file is also classified by the German public prosecutor’s office, which withheld from the Berlin Court details of the pre-interception exchanges between national authorities.[6] Furthermore, numerous inaccuracies in the data, including incorrect message senders and timestamps, have been identified.[7]

2. Limited Impact of the Judgment on Data Protection Precedents

The Berlin Court was concerned that the data collection appeared to have been driven by the intent to transfer the data, rather than the transfer being a consequence of an independently justified collection, and suggested that the EIO Directive might not adequately address such circumstances. The Berlin Court argued that an independent judicial body should review the proportionality of such data transfers. The CJEU, however, maintained a clear distinction between data transmission and data collection and interpreted the EIO Directive literally: the conditions for issuing an EIO for the transmission of evidence are governed solely by the issuing state’s law, so that a German public prosecutor may validly issue such an order in this case (§92, §77).

The Court missed an opportunity to draw on its established case law on Directive 2002/58, commonly known as the “ePrivacy Directive,” read in light of the Charter, which is particularly relevant in the context of mass data retention (see, among others, the judgments in Prokuratuur and La Quadrature du Net and others). Retaining and accessing telecommunications data are both processing operations that seriously interfere with the fundamental rights to privacy and to the protection of personal data. These operations should therefore satisfy the criteria set by EU law, irrespective of national rules, particularly as regards proportionality review and the determination of the competent authority.

The Berlin Court stressed that the EncroChat case involves a more serious interference with rights because of the nature of the data collected: the content of communications, which is sensitive, gathered over a long period. The targeting was broad and indiscriminate, without specific, individualized suspicion. Furthermore, law enforcement collected the data directly, without involving service providers.

However, the CJEU declined to adopt this reasoning or to apply its data protection criteria to data transfers between law enforcement agencies. The Court gave priority to the principles of European judicial cooperation over privacy protection when dealing with data exchanges between judicial authorities, as opposed to exchanges involving telecommunications providers.[8] This approach risks creating significant inconsistencies in the levels of protection and the safeguards applied to the various processing operations that make up a single cross-border interception operation.

The legitimization of EncroChat data, despite its controversial collection methods, has implications for the ongoing EU debate on the use, or misuse, of spyware such as Pegasus and Predator by Member States and its compatibility with EU law. In its technical features and privacy implications, the Trojan horse software used in the EncroChat case resembles these controversial spyware tools. The European Data Protection Supervisor has taken the view that such tools, by undermining the very essence of privacy, may violate EU law. As state-sponsored hacking becomes increasingly sophisticated, the adequacy of the current European legal frameworks for police and judicial cooperation in safeguarding fundamental rights is called into question.

It is also worth noting that the judgment makes no mention of the conditions under which national authorities and Europol store EncroChat data. Such storage constitutes an independent interference with fundamental rights. This omission is particularly concerning given the 2022 reform of Europol’s mandate, which permits Europol to deviate from its data protection rules under certain circumstances. It allows the agency to process large datasets, including bulk data, and permits the long-term storage of investigative data. In effect, this enables Europol and investigative authorities to repeatedly access stored data without demonstrating concrete, individualized suspicion or complying with the principles of necessity and proportionality.

3. Minimal Scrutiny of Proportionality and the Right to a Fair Trial

The Berlin Court asked the CJEU how potential violations of procedural rights should be assessed in relation to the EIO’s proportionality.[9]

On the right to privacy, the Berlin Court contended that evidence of multiple offenses committed by unidentified individuals was insufficient to satisfy the necessity and proportionality requirements laid down in the EIO Directive for an EIO requesting a data transfer.

The Court responded by stating, ‘By employing the phrases “under the same conditions” and “in the context of a similar national procedure,” Article 6(1)(b) of Directive 2014/41 [the EIO Directive] links the determination of the specific prerequisites for issuing a European investigation order exclusively to the issuing state’s law.’ The Court concludes that where the issuing state’s law makes concrete evidence of serious offenses committed by the prosecuted individual, or the admissibility of the evidence, a condition for the transfer of data, the adoption of an EIO is subject to the same conditions. It can be inferred from the request for a preliminary ruling that the Berlin Court subscribes to this view, while acknowledging that other German courts have taken the opposite position.

On the right to a fair trial, the Berlin Court asked whether the principle of proportionality precludes issuing an EIO when the confidentiality surrounding the technical aspects of the data collection makes it impossible to verify data integrity, with the consequence that the defense may be unable to effectively challenge the data in subsequent criminal proceedings. The Court answered by citing Article 4 of the EIO Directive, under which the necessity and proportionality of the measure are to be assessed in accordance with the issuing state’s law, and added that any consequences of a transmission of evidence found to be disproportionate or inconsistent with the framework of ‘similar’ national proceedings are a matter for national law (§103).

In what is potentially this judgment’s most significant contribution to the many EncroChat cases pending across Europe, the Court reaffirms that if a party ‘is incapable of effectively challenging evidence with the potential to significantly influence the assessment of facts, that court must acknowledge a violation of the right to a fair hearing and exclude said evidence to rectify this breach’ (§105).

Regrettably, the CJEU declines to articulate a more robust control mechanism, whether substantive or procedural (§89), for technically intricate cross-border investigative measures. The Court restricts its scrutiny to judicial review of compliance with fundamental rights, as provided for in Article 14 of the EIO Directive (§§101 et seq.).

The Berlin Court’s questions were, however, particularly pertinent on two fronts. First, the Court’s established case law holds that the mere ease with which an interference can be carried out is not sufficient to establish its proportionality.[10] Second, a limitation on a Charter right, even if presumed proportionate, “might be deemed disproportionate if the criteria governing it lack clarity or fail to establish genuinely objective and verifiable conditions.”[11] The judgment mentions neither.

The Court’s reasoning, though unsatisfying in its minimalism, is not unexpected. The Court consistently gives priority to upholding the principle of mutual trust over looking for grounds to review comprehensively, under the Charter, the implementation of judicial cooperation instruments. Given the nature of these instruments, this stance is logical.

Nonetheless, the intricacies of the EncroChat investigation offered the Court a unique opportunity to build on its existing case law. In Aranyosi and Caldararu, the Court began applying what some legal scholars have termed the “principle of acquired mutual trust,” as opposed to “blind mutual trust”.[12] This was particularly relevant to the risk of forum shopping.

4. Deliberate Overlooking of Potential Forum Shopping?

The Court contends that the unique structure of these investigative measures holds no particular relevance to the EIO Directive.

While acknowledging that the data was gathered for Germany and within its jurisdiction, the Court does not address the possibility that Germany strategically delegated the data collection to France, where the rules on interception are less stringent. The Court holds that the EIO Directive does not take into account the location of the data collection (§98). This allows it to sidestep an assessment of the risk of forum shopping, that is, of exploiting the gap between the rules that would govern collecting the data in the state concerned, here Germany, and the rules that govern merely receiving it by transmission.

In this context, it is particularly striking that the judgment asserts, without justification, that ‘it doesn’t appear in this case that the aim or outcome of the gathering and subsequent transmission of the evidence thus obtained through a European Investigation Order constituted such circumvention, a matter that should be ascertained by the referring court’ (§97). The Court thus rules on a matter it itself deems outside its purview.

The Berlin Court, however, was quite clear about the genuine risk of circumvention. It reasoned that it would have been more logical to issue an EIO before the data was collected. Had that been done, German law, in light of the CJEU judgment of December 16, 2021, in Spetsializirana prokuratura (Traffic and location data), would have required authorization from an independent judicial authority. The referring court is thus left with a contradictory answer to its question.

The Court’s ambiguity stems from an over-reliance on the principle of mutual recognition in this particular context. This principle, itself grounded in mutual trust, is used to justify the referring court’s lack of authority to review the lawfulness of the collection of the data in the executing state, whose transmission the EIO requests (§§99-100). This aligns with the Advocate General’s position that the ‘interception occurred independently of the EIOs in question’ (paragraphs 15-16 of the opinion).

However, that principle has been explicitly questioned in scenarios where mutual trust, rather than simply facilitating cooperation between states, masks questionable law enforcement tactics. The absence of oversight of such tactics and of their impact on fundamental rights means that EU law exercises no direct control here, despite its past role in safeguarding privacy in the face of technological change.

Did the Court miss an opportunity to address complex and novel technical challenges that could reshape European judicial cooperation?

Licensed under CC BY-NC-SA 4.0