Author: Marta Ramat
Committee: Academic Committee
Date: 09/07/2024
Over the last couple of months, the CJEU issued a number of judgments concerning the protection of fundamental rights in criminal proceedings. The issues dealt with by the Court in such cases may, in the future, be relevant to EPPO proceedings, as well; hence, this blogpost aims to provide a brief illustration of the judgments in question.
The first judgment is M.N. (EncroChat) (C-670/22). The case stems from a criminal investigation, carried out in France but involving several Member States and a Joint Investigation Team, against various people suspected of committing international drug trafficking offences by using encrypted mobile phones, equipped with the EncroChat system. In essence, upon authorisation by a French judge, those mobile phones were infiltrated with a ‘trojan horse’ and thereby intercepted. In this context, a German PPO issued three European Investigation Orders (EIOs), aiming to obtaining the transfer from French authorities of data of all German EncroChat users, to be presented as evidence in German criminal proceedings. In this context, the German judge – the Landgericht Berlin – referred various preliminary questions.
First, it asked the Court whether an EIO can be issued by a PPO, even if the interception of traffic, location and communication data should usually be authorised by a court in light of both German law and settled CJEU case-law. The Court replied that, where the EIO is aimed at obtaining the transfer of pieces of evidence which are already in the possession of a foreign authority, the competence of the PPO depends on whether it would be entitled to ask for the transfer of evidence from other national authorities, regardless of which authority can order the gathering of such evidence.
Secondly, the Court ruled on whether the requirements of proportionality and necessity enshrined in Art. 6(1) of the EIO Directive prevent the issuing of an EIO where the interception was carried out in the absence of specific and concrete suspicion, against each intercepted person, of serious criminal offences. The Court answered in the negative: it held that such specific degree of suspicion is not required by EU law, and it may only apply if it is imposed by national law as a precondition for the transfer – not the initial gathering – of the evidence concerned.
Finally, this case allowed the Court to clarify two important principles regarding evidence and defence rights. First, it recalled that the mutual trust underlying any mutual recognition instrument, such as the EIO, prevents in principle the judge in the issuing Member State from assessing the legality of the gathering of evidence in the executing Member State. Nonetheless, according to the right to a fair trial, a piece of evidence shall be excluded where the defendant has not been able to comment on it effectively and it is “likely to have a preponderant influence on the findings of fact”.
Under the EPPO Regulation, European Delegated Prosecutors (EDPs) are entitled to order or request, inter alia, the interception of communications (Art. 30(1)(e)), as well as to assign such an investigation measure to an EDP from another participating Member State (Arts 31 and 32). In addition, the EPPO Regulation prohibits the exclusion of evidence “on the mere ground” that it was gathered in a different Member State, but still guarantees the discretion of the trial court in the assessment of evidence (Art. 37). Therefore, it will be interesting to see how and to what extent the principles established by the Court in M.N. (EncroChat) will apply to EPPO cross-border investigations.
The second relevant case, decided by the Court on the same day as EncroChat, is C-178/22, Procura della Repubblica presso il Tribunale di Bolzano. The judgment concerns the interpretation of Art. 15(1) of Directive 2002/58, read in light of Arts 7, 8, 11 and 52(1) of the Charter, with particular regard to the access by a national PPO to traffic and location data retained by providers of electronic communication services. According to settled case-law of the Court, such access constitutes a serious interference with the fundamental rights to private and family life and to data protection. Thus, it can only be authorised by a court or independent administrative body, and for the purposes of combating serious offences or serious threats to public security.
The specific notion interpreted by the Court in this judgment is that of “serious offence”: the Italian Judge for preliminary investigation basically asked whether “serious offences” may be defined as all offences punished by a maximum penalty of at least three years of imprisonment. The Court ruled that, on one hand, equating the seriousness of a crime to a certain penalty threshold is consistent with the need to rely on objective criteria; nevertheless, on the other hand, the authority entrusted with the authorisation request shall be entitled to perform an assessment of the seriousness in concreto of the offence at stake, taking account of “the societal conditions prevailing in the Member State concerned”.
The notion of “serious offence” is also relevant in the context of the EPPO Regulation: for instance, the second sentence of Art. 30(3) allows Member States to limit the use of certain investigation measures – interception of communications, and tracking and tracing of objects – to “specific serious offences”. Should the Court be called to interpret this provision, it will be interesting to see whether it will still allow for references to penalty thresholds (also mentioned in Recital 55 of the Regulation), and to what extent other factors such as the repercussions of the offence at EU level (see, in this regard, Recital 37 of the Regulation) or the damage caused (Art. 40(2)(a)) will also be relevant.
A third judgment worthy of attention and published on the same day as the two above was issued in Case C-470/21, La Quadrature du Net. This particularly complex case concerns, in essence, the access, by the French authority responsible for preventing online breaches of copyright and associated rights, to the civil identity of users associated to their IP addresses. Under relevant French law, such data are in the first place retained by providers of electronic communication services, and subsequently accessed by another authority, without any prior review by a court or independent administrative body; on the basis of such data, that authority has the power to carry out a “graduate response procedure” that may lead, after a series of procedural steps, to the referral of the identified perpetrators of copyright infringements to the PPO. In that regard, the Court emphasised how even access to limited personal information may, in the long run, entail a serious interference with fundamental rights to privacy and data protection, in that it may ultimately allow the competent authority to infer many precise details about the profile of person concerned. Hence, the Court ruled that, even before the identified user is referred to the PPO, independent review of the public authority’s access to data shall be ensured.
This case does not, per se, concern either criminal proceedings or ‘PIF’ offences. Nevertheless, ordering or requesting the production of stored computer data is, under Art. 30(1)(c) of the EPPO Regulation, one of the powers conferred to EDPs. Thus, this judgment is interesting in that it shows the tendency of the CJEU to prescribe judicial – or, in any event, independent – review of the access to data by authorities entrusted with the prevention of crime.
The last, relevant judgment has been issued more recently in Joined Cases C-255/23 and C‑285/23, AVVA and Others (Procès par vidéoconférence en l’absence d’une décision d’enquête européenne). In this case, the Court deemed the preliminary questions inadmissible, as its answer had been rendered devoid of purpose by the lack of suspension of the main proceedings. Still, it is important to briefly illustrate the legal issues underlying such questions.
Albeit in slightly different terms, the two joined cases posed the same legal problem: whether the defendant, who is a resident of a Member State different than the one bringing criminal proceedings against him or her, may attend the hearing remotely via videoconference, by means of an EIO issued by the trial state. In case C-258/23, the Latvian referring judge also asked whether, under Art. 8(1) of Directive 2016/343, the accused person has a right to participate remotely to the trial from his or her Member State of residence.
Considering that EPPO investigations are often characterised by cross-border elements, and that the residence of the suspect or accused is not the main criterion applied to establish which EDP (and, consequently, judge) is competent ratione loci (Arts 26(4) and 36(3) of the EPPO Regulation), the same issues may in the future arise in EPPO proceedings.