The WP29 calls on the Commission to align any envisaged proposal with the principles stated in the provisions of the GDPR, the law enforcement Directive and the ePrivacy framework, taking into account the relevant case law at European level.
The WP29 invites the Commission to follow the work of the Cybercrime committee on the drafting of an additional Protocol to the Budapest Convention in order to make sure that both instruments are compatible with the EU law and case-law.
The WP29 invites the Commission to take into consideration and assess the potential impact of the Directive on the European Investigation Order on the access to eevidence located in another Member State before proposing new legislative measures which might overlap with the effects of the Directive on the European Executive Order.
The WP29 recommends to clarify the respective procedural rules governing access to eEvidence at national and European level in order to ensure that the competent authorities will not have different powers and competence depending on the location of the controller who will receive the production order/request.
As the current and future ePrivacy framework, as well as the related limitations to the right to privacy, will apply to the rules regulating law-enforcement access to electronic evidence, the WP29 recommends that a broader definition of electronic communication data, which include metadata, applies to the future proposal, in order to ensure that the appropriate safeguards to be established also covers metadata.
The WP29 also highlights that a precise definition of “subscriber data” is currently lacking in order to assess the direct impact of the measures envisioned on the affected persons’ rights to data protection and privacy.
The WP29 recommends that substantive and procedural conditions for access to electronic evidence cover both traditional communication services and Over-The-Top (OTT) services in order to ensure a consistent application of the appropriate safeguards to be established.
The WP29 expresses concerns at the envisioned option of production requests/orders that would directly compel service providers to provide data located outside the EU, potentially conflicting with third countries jurisdictions and applicable law, and contradicting the current interpretation of Article 32 of the CoE Convention on Cybercrime.
The WP29 recalls that consent of a data subject cannot be considered as a legal ground for law-enforcement access to electronic evidence.
The WP29 also recalls that in a law enforcement context, "consent" is understood to be the consent of law enforcement/judicial authorities that need, in relation to a specific case, to exchange data
The WP29 recalls that EU data protection law provides that existing international agreements such as a mutual assistance treaty (MLAT), must – as a general rule - be obeyed when law enforcement authorities in third countries request access or disclosure from EU data controllers. The circumvention of existing MLATs or other applicable legal basis under EU law by a third country’s law enforcement authority is therefore an interference with the territorial sovereignty of an EU member state. Vice versa, EU law enforcement authorities should also - as a general rule - be required to respect existing international agreements such as MLATs or any other applicable legal basis under EU law when requesting access or disclosure from data controllers in third countries.