nmann77 - stock.adobe.com

Germany: European Court of Justice hears arguments on lawfulness of EncroChat cryptophone evidence

The European Court of Justice will decide whether the collection and sharing of data intercepted by law enforcement from EncroChat crypto phone network is compatible with European law

The European Court of Justice has heard legal arguments from EU member states whether electronic communications obtained by an international police operation to hack the EncroChat encrypted phone network can be lawfully used as evidence in courts in the European Union.

Prosecutors from France, Germany, the Netherlands, Spain, Hungary, Sweden, the Czech Republic, and Ireland gave oral evidence to the Court of Justice of the European Union (CJEU) in Luxembourg during a seven-hour hearing on 4 July 2023 in a complex case focusing on European law.

Defence lawyers believe the case could have implications for hundreds of prosecutions of people accused of drug dealing and organised crime on the basis of hacked messages from EncroChat, and another encrypted phone network, Sky ECC, where there is no supporting evidence of criminality, if the CJEU finds there were breaches of EU law.

The hearing came days after a widely reported press conference hosted by Europol in which prosecutors announced that a joint French and Dutch operation to hack EncroChat in 2020, had led to 6,500 arrests of people involved in organised crime and drug trafficking and seizures of €900m over the past three years.

The European Court of Justice hearing follows a decision by a German court last year to refer a series of questions to the European Court of Justice seeking clarification whether France’s sharing of hacked EncroChat messages with other countries is lawful under European law.

German defence lawyer Christian Lödden said that the court’s Advocate General had focused on the critical legal facts and questions, rather than the “politics” of the high profile hacking operation, during the hearing.

He said that the hacking operation affected the privacy of more than 30,000 encrypted phone users in Europe whose phones were successfully hacked, and raised questions whether messages harvested from EncroChat were admissible as evidence in German courts.

Member states told the court’s 15 judges of the Grand Chamber that the EncroChat operation had been highly successful at disrupting organised crime and drug trafficking and cases of murder or torture across Europe.

Quoting figures from last week’s Europol press conference, prosecutors told the court that the EncroChat operation had led to the seizures of more than 100 tonnes of cocaine, 160 tonnes of cannabis, three tonnes of heroin, the seizure of over 900 weapons and more than 21,000 rounds of ammunition.

Legally, the case centres on the question of whether Germany can lawfully use thousands of EncroChat messages obtained and supplied by the French Gendarmerie from phones in Germany, without first obtaining legal authorisation from the German courts.

German prosecutors argue that it was unnecessary to obtain a court order from the German courts to transfer data to Germany when the data had already been obtained by the French Gendarmerie under a French court order.

The court’s Advocat General questioned whether the operation created a loophole that meant German citizens had no recourse to challenge the lawfulness of the EncroChat hacking operation – which is protected by French military secrecy – either in Germany or France.

One of the judges, Professor Dr. Thomas von Danwitz from Germany, questioned whether Germany, rather than transferring data from France to Germany to use in criminal prosecutions, had re-purposed data it had already obtained from France to identify potential threats to life (TTL) for use in criminal cases.

Prosecutors argue that transferring data gathered by France to Germany was not as intrusive to privacy given that the data had already been collected by France.

The court prioritised three out of five questions put forward by the German court for evidence in the hearing. This includes the question of whether the German public prosecutor’s office, rather than a German court, was the competent authority to apply for a European Investigation Order (EIO), given that the prosecutor’s office would have had to obtain a German court order to collect the same data had it originated in Germany.

The court has also been asked to assess whether it was proportionate to intercept data from all the handsets in a particular territory when there was no concrete evidence of criminality against individual phone users in the territory when the interception was authorised.

The court has also made it clear that it is not only considering the questions referred in relation to the EIO, but is also reviewing the general principles of cooperation in criminal proceedings.

Berlin regional court

Germany’s Supreme Court ruled in March 2022 that evidence from EncroChat could lawfully be used in criminal trials.

Yesterday’s CJEU hearing follows a decision by the Landgericht Berlin Regional Court to refer a series of questions to the CJEU in October 2022.

The Berlin court is seeking to establish if there has been a breach of European law, whether that would prevent evidence from EncroChat phones being used in criminal proceedings in EU countries.

It has raised questions whether EIOs issued by Germany to France to obtain evidence and data from French investigators were properly carried out.

Ruling expected in six months

The Advocate General of the European Court of Justice is expected to issue a preliminary opinion on the questions on 27 October, which will be followed by a final decision from the full chamber of the court, expected by the end of the year.

The courts’ findings will be referred back to the Berlin Regional Court for a further ruling to decide on the admissibility of EncroChat evidence once the European Court of Justice has made a final decision.

The judges of the referring chamber of the Berlin Regional Court, representatives of the Federal Constitutional Court and the Office of the Attorney General and defence lawyers from other European countries, attended the hearing as observers.

Prosecutors used last week’s press conference [27 June] to criticise reports in international publications and on social media that suggested the novel hacking operation against EncroChat might not be legal under European laws.

They pointed to court decisions in The Netherlands and France that found evidence from the hacked phone network could be used in criminal cases, but did not refer to Germany’s pending hearing at the European Court of Justice.

The chief prosecutor at the judicial tribunal in Lille, which oversaw the EncroChat investigation, Carole Etienne, said the French investigation “was conducted in accordance with the applicable legal rules using a special investigative technique implemented in accordance with the provisions of the Code of Criminal Procedure”.

Broad approach to legal protection

Commenting on the case after attending the hearing, Dutch defence lawyer Justus Reisinger said that the questions asked by the Advocate General and the court indicate that the court is considering a broader, integrated approach to legal protection of citizens and suspects in cases of an European cooperation in criminal investigations.

“This is a hot topic in the Netherlands as well and therefore the opinion of the Advocate General will be really important for the Dutch cases,” he said. “It looks like there will be a more general consideration of the right to a fair trial and privacy versus mutual recognition and trust between member states of the EU.”

Summary of questions to the European Court of Justice

Main questions

  • Must an European Investigation Order (EIO) be issued by a judge in order to obtain evidence if the taking of evidence in a similar domestic case should have been ordered by a judge?
  • What effect would it have if the telecommunications interception carried out extended to all handsets in the territory, and there are no concrete indications that serious criminal offences have been committed by an individual user, in particular if the integrity of the data cannot be verified due to extensive secrecy?
  • To what extent is a data skimming measure from terminal equipment of an internet-based communications service surveillance of telecommunications traffic within the meaning of the EIO directive, and what information obligations exist for which institutions, if the measure could only be ordered by a judge under national law?

Further questions

  • What is the effect if the measure underlying the data collection would have been inadmissible in a comparable domestic case?
  • If evidence is obtained by an EIO that is contrary to EU law, does a ban on the use of evidence result immediately or to what extent is such a consideration to be taken into account in the context of a balancing decision, especially if the seriousness of the crime is justified by the evaluation of the evidence obtained?

Source: Christian Lödden, defence lawyer at Lödden & Barczyk Rechtsanwälte.

Read more on Information technology in France

Data Center
Data Management