On April 30, 2024, the Court of Justice of the European Union (CJEU) ruled that public prosecutors can request encrypted data from abroad and use it as evidence in cross-border criminal cases. The Regional Court of Berlin had requested a preliminary ruling from the CJEU on the lawfulness of collecting and using data from an encrypted telecommunications service called “EncroChat” received from another member state in the context of cybercrime investigations.
Facts of the Case
In investigations by French authorities concerning illegal drug trafficking in a cross-border case, it appeared that the accused individuals were using encrypted mobile phones that used EncroChat, a service used worldwide in illegal drug trafficking. A joint investigation team, including experts from the Netherlands and French police, infiltrated the chat using a Trojan software that was uploaded to the servers used for the chats. This software was then installed on phones using EncroChat. The investigation team was able to decrypt the data and transmit the communications, which led to several arrests. (Decision, paras. 19, 20.)
During a conference between representatives of different EU member states, representatives of France and the Netherlands provided other EU member states with information about the collected data. The German public prosecutor’s office requested a European Investigation Order (EIO) from the French authorities to use the encrypted communications in ongoing drug trafficking investigations. (Id. paras. 21, 26.) An EIO is an order issued or validated by a judicial authority of one EU country to have investigation measures taken in another EU country to gather evidence, or to obtain evidence already in the possession of another EU country. (Directive 2014/41/EU, art. 1, para. 1.)
The transmission and use of the EncroChat data was authorized by a French criminal court. Subsequently, in 2020, the German Federal Criminal Police Office (Bundeskriminalamt, BKA) and German public prosecutors received the data of EncroChat users from the French authorities. The data was shared via servers of Europol, the EU’s Agency for Law Enforcement Cooperation. (Decision, paras. 24-27.)
After receiving the data, the BKA was able to initiate more than 2,250 investigations and arrested more than 750 individuals who had used EncroChat. One of those cases, involving the trafficking of narcotics, was brought before the Regional Court of Berlin (Landgericht Berlin).
Referral to the CJEU
In an earlier case from April 2022, the German Federal Court of Justice (Bundesgerichtshof, BGH), Germany’s supreme court for civil and criminal cases, had ruled that the use of EncroChat data provided by French authorities as evidence was permitted. (BGH decision, para. 25.)
However, the Regional Court of Berlin did not agree with the decision of the Federal Court of Justice. In its opinion, only a court, and not a public prosecutor, could issue an EIO, and therefore the data could not be used as evidence. The Regional Court of Berlin submitted a request for a preliminary ruling to the CJEU to clarify whether the German investigation authorities had violated EU law in obtaining EncroChat data, and if so, how this violation affected the admissibility of the EncroChat data in criminal proceedings. (CJEU decision, para. 29.) According to Article 267 of the Treaty of the Functioning of the European Union (TFEU), a national court of a member state can request the CJEU to interpret EU law to ensure its uniform application.
The Decision
The CJEU held that an EIO for the transmission of evidence already in the possession of the competent authorities need not be issued by a judge if, under the law of the issuing state, the public prosecutor in a domestic case would be competent to order the transmission of that evidence. (Id. para. 77.)
The court stated that article 1 of the Directive 2014/41/EU does not determine the nature of the authority that is authorized to issue an EIO. (Id. para. 70.) The CJEU opined that the term “judicial authority” includes public prosecutors if they have “competence in the case concerned.” (Id. para. 73.) It ruled that a public prosecutor has such competence with respect to an EIO if, under the domestic law of the issuing state, the public prosecutor has the competence to order investigative measures for the transmission of evidence. (Id. para. 74.)
The CJEU further clarified that notice of surveillance of a communication service such as EncroChat must be given to the member state on whose territory the person under surveillance is located. (Id. para. 119.) This means that if German security authorities monitor a person in France via EncroChat, they must inform the French authorities.
Prepared by Eva Dauke, Law Library Intern, under the supervision of Jenny Gesley, Foreign Law Specialist
Law Library of Congress, May 30, 2024