Quo vadis Europa —balancing between efficiency and guarantees in criminal proceedings using the example of EU production and preservation orders

General remarks

The current state of play regarding the safeguards and fundamental rights protection in criminal proceedings among EU Member States involves the Charter of Fundamental Rights of the European Union and the Roadmap directives. ²² The question is if the regulation envisaged in EPOs is proposed with respect to those rights or states a threat to their protection.

Many concerns have been revealed in the five years since the Commission’s proposal. One of the most common concerns is the status of the private actors and their roles in protecting fundamental rights. As it is not a statutory obligation and the aim of the service providers is to protect the rights of their users during criminal proceedings, there is a threat that they will convey data to avoid sanctions. ²³ Direct cooperation means that the orders are not subject to general judicial review and that there is a lack of judicial control over their execution. ²⁴ Cross-border exchange of data means that the data will come under different law regimes, and there is no common rights protection system. ²⁵ There is a threat that the orders will fall beyond their scope or that they will obtain evidence that is inadmissible in the domestic system—but the private actors will not be able or willing to control it. ‘Often it is also not clear where the person actually lives or whether he or she is located in the issuing state after a production order has been presented’, ²⁶ so a conflict of laws can occur. Which laws should apply to the procedural guarantees is not apparent; that is, should the law be that of the issuing state, the service provider state or the state of the person involved. According to the rapporteur Sippel, ‘it should also be possible to reject an order if higher standards of protection exist in the executing state with regard to investigative measures’. ²⁷ It has to be stated that the Regulation provides for a special review procedure (Art. 17) if a service provider considers that compliance with EPO would conflict with an obligation under the law of a third country. After the service provider has filed a reasoned objection and informed the issuing and enforcing authorities, the issuing authority reviews the order and decides to uphold or withdraw it. Upholding the order requires a judicial review of the issuing State. Of particular importance, if the court recognises that the law of the third country prohibits disclosure of the data concerned, it will not automatically lift EPO; the court must balance relevant factors, particularly those indicated in Art. 17.6. of the Regulation in order to decide. ²⁸ This balancing procedure, by its very nature, means that some of the interests or rights would be infringed or diminished.

As most of the major players in the field of electronic communications services are based in the United States of America (USA), legislation procedure went along with negotiations with the USA on the rules for exchanging data over the ocean. The Clarifying Lawful Overseas Use of Data (CLOUD Act) amended previous US legislation and forced US service providers to comply with US authorities’ orders to disclose both content data and non-content data. Therefore, the model of private-public cooperation is well known to service providers, and EU legislators could draw on US experience. The Council Decision authorising the opening of negotiations for an EU and US agreement on cross-border access to electronic evidence was adopted in 2019. As both sides waited for the final wording of the legislative e-evidence package, the negotiations resumed in March 2023 and are currently ongoing. Since both EU and USA cooperate closely on the improvement of national security and the effectiveness of criminal proceedings, both signed the Budapest Convention and the Second Additional Protocol (including provisions on direct cooperation with private actors), and in mid-2023 the EU Commission adopted an adequacy decision for the EU-US Data Privacy Framework, in which negotiations can be expected to be successful. ²⁹

What is particularly alarming is the lack of an absolute obligation to inform the person whose data are sought about the order; ‘Affected persons could only make use of their rights if they knew about an order’. ³⁰ Also, the differentiation between the categories of data and different standards of protection, as indicated above, has been criticised. ³¹ Proportionality seems to be a keyword regarding the protection of fundamental rights in EPOs regulations, however, there are some doubts if this is a sufficient buffer. ³² The notion of proportionality remains vague despite the long tradition of this principle in the European area of freedom, security and justice. ³³ In general, it is put in place where two or more values are confronted in a particular situation. The effectiveness of criminal proceedings and avoiding obstructing investigations or procedures are traditionally at stake in its juxtaposition with procedural rights and guarantees. There is no easy way to balance these values and there are no clear guidelines on how far rights and guarantees can be limited. ³⁴ Opinions on whether the proposed instruments provide sufficient safeguards differ. European Digital Rights (EDRi) revealed concerns about ‘the lack of involvement for the “affected state” and the insufficient involvement of the executing state (…), as well as the lack of safeguards against fishing expeditions and deficiencies in mutual trust and EU judicial cooperation’. ³⁵ However, it did not go more into the details about what sufficiency in its opinion would mean.

There have been many proposals for amendments, including introducing a mandatory and automatic notification procedure for the executing State with suspensive effect, ensuring access to effective remedies both in the issuing and executing States ³⁶ and addressing any order simultaneously to the service provider and the competent authority in the executing Member State where the service provider is established. ³⁷ Such postulates have been partly recognised. In Art. 8 of the Regulation, the automatic notification regarding traffic data (except for data requested for the sole purpose of identifying the user) and content data was implemented. The exceptions involve the situation where there are reasonable grounds to believe that the offence takes place in the issuing State and the person whose data are sought resides in the issuing State. As the notion of reasonable grounds leaves the margin of discretion, the abovementioned reservations from rapporteur Sippel can be in place. However, bearing in mind that it is an exception-to-the-rule scenario, the high standard of those grounds should be required (information ex officio - from the tax offices, courts, public administration). The proposal of ensuring access to effective remedies both in the issuing and executing States has not been recognised.

Regarding the safety of personal data, issues surrounding the system of transferring data should be raised. According to Art. 19 of the Regulation, communication between authorities and legal representatives, including the exchange of data requested under EPO and EPO-PR, shall be carried out through a secure and reliable decentralised IT system. What has to be seen is the fact that the e-evidence package is a part of a wider movement among the EU, aimed at the digitalisation of the public sphere, enhancing judicial cooperation between Member States, and regulating governance of data. EU bodies proposed or adopted an array of regulations, including Regulation (EU) 2022/850 on e-CODEX system ³⁸ , Regulation (EU) 2023/2131 on digital information exchange in terrorism cases ³⁹ , Regulation (EU) 2023/969 on a collaboration platform to support the functioning of joint investigation teams ⁴⁰ , the Regulation (EU) 2023/2844 on the digitalisation of judicial cooperation and access to justice ⁴¹ and the Directive (EU) 2023/2843 as regards to digitalisation of judicial cooperation ⁴² , as well as GDPR ⁴³ , LED ⁴⁴ or Data Act ⁴⁵ . Having said that, in order to enable safe, but also fluent transfer of evidence, two relevant platforms exist in the EU field: e-CODEX and SIRIUS. E-CODEX, namely e-Justice Communication via Online Data Exchange, provides an easy way of exchanging evidence and other types of data between judicial authorities. SIRIUS is a project led by Eurojust and Europol, offering help with accessing data held by service providers, especially those serving as evidence in criminal proceedings. ⁴⁶

The right to an effective remedy

The identified threats to the abovementioned rights envisaged in EU law, mostly in the criminal law Roadmap directives, can be detected in the EPO Regulation. First, Article 47 of the Charter says that anyone whose rights and freedoms as guaranteed by the law of the Union are violated has the right to an effective remedy before a tribunal in compliance with the conditions laid down in this Article. The right to question any actions violating one’s rights or guarantees is only possible when one knows about those actions.

Based on Art. 18.1 of the Regulation, any person whose data was requested via the European Production Order shall have the right to effective remedies against the European Production Order. The wording differs from the one proposed by the Commission, as Art. 17 of the Commission’s proposal stated that suspects and accused persons whose data was obtained via a European Production Order shall have the right to effective remedies against the European Production Order. It can be clearly seen that the scope of subjects benefiting from the right has been widened. It is not only the person whose data was obtained, but also the one whose data was sought, who can benefit from the right to effective remedies. However, the right to effective remedies is related solely to EPO, leaving EPO-PR beyond the scope. ⁴⁷

According to Art. 18.2. of the Regulation, the right to an effective remedy shall be exercised before a court and shall include the possibility to challenge the legality of the measure, including its necessity and proportionality, without prejudice to the guarantees of fundamental rights in the enforcing State. This part of the Regulation is in accordance with Art. 47 of the Charter. However, the Regulation indicates the court in the issuing State, in accordance with its national law. It must be emphasised that the person whose data was sought can reside in an issuing State, enforcement State or any other State. The right to challenge the legality of the measure can, however, only be executed in the issuing state, according to its national procedure and national language. It raises serious doubts about the effectiveness of such a measure. Among others, S. Tosza has revealed some concerns, indicating that “regulation mandates the member states to provide for effective remedies leaving the details to national legislation. It remains to be seen how these remedies are elaborated. But in a system designed in this way, it is questionable if one can really speak of effective remedies where a person may be subject to investigation (including collection of the content of his or her email correspondence) in another member state, in another language, and potentially not knowing about the transfer of data”. ⁴⁸

However, a reference to the former evidence of EU legislation should be made here. The effective remedies provision in the EPOs Regulation is worded differently than in the Directive 2014/41/EU on the European Investigation Order in criminal matters (hereinafter, the EIO Directive). ⁴⁹ It can be said that the EU legislator learns from his own mistakes. Bearing in mind the controversy on the wording of Article 14 of the EIO Directive, especially the issue of non-existence of national legal remedies on some evidence actions in EU Member States, ⁵⁰ instead of indicating that Member States shall grant legal remedies equivalent to those available in a similar domestic case, Art. 18.1. of the EPOs Regulation indicates that without prejudice to further legal remedies available in accordance with national law, the subject shall have the right to effective remedies against the order. In consequence, the effective remedies may differ between states, but they must exist. ⁵¹ Nevertheless, the scope and the forum principle remain analogical to those in the EIO Directive. The right to remedies can be exercised before a court in the issuing State, but without prejudice to the guarantees in the enforcing State. The provision is modelled on Art. 14.2. of the EIO Directive and similar reasoning exists behind it. The orders - both investigation and production - are quite vague in merits and the content on circumstances of the case, and the grounds for refusal are very limited. Executing bodies should execute them unless obvious obstacles appear. This is why, according to both aforementioned legal acts, as a rule the legal remedies should be executed in the issuing state. ⁵² However, the effectiveness of these remedies can be questionable, as indicated.

Keeping in mind that Art. 47 of the Charter was modelled after Art. 13 ECHR, it should be indicated that according to the ECHR case law, the Court assesses the effectiveness of remedies taking into account a number of criteria. First and foremost, the remedy must be effective both in law and in practice. ⁵³ It cannot restrict to the illusory protection, formally provided by law. It is also necessary that it can be applied and work in practice. What is particularly relevant is that accessibility to the potentially affected person is verified. ⁵⁴ Remedies must be achievable for everyone. The costs to be borne by the complainant are also important factors influencing the Court's assessment of the effectiveness of resolution measures. According to case law, the costs associated with filing a complaint about the violation, the fear of incurring high costs if the infringement is not established and the taxes charged on the compensation obtained make the measures inaccessible and consequently ineffective. ⁵⁵ The effectiveness of a measure that must be executed in the non-resident country, according to national procedure and language, which entails high costs, can be put into question. It should be stated that it does not meet the requirement of accessibility and in consequence, both the ECHR standard and EU standards of effectiveness.

The proposed wording of Art. 18.2. is as follows: The right to an effective remedy shall be exercised before a court in the issuing State in accordance with its national law and shall include the possibility to challenge the legality of the measure, including its necessity and proportionality, without prejudice to the guarantees of fundamental rights in the enforcing State. If the affected person resides in other than issuing State, the right to an effective remedy can be exercised before a court in this State or in the enforcing State, in accordance with its national law, according to the person’s choice.

The right to information, translation and a lawyer

The obligation to inform someone about the order should be—as a rule—set by an issuing authority, not the SP. The right to delay the information, indicated already in the Commission’s proposal, has been upheld at each stage of the legislative process, however in different wording. What was particularly controversial was the right of the issuing authority to abstain from informing the person whose data is being sought. According to Art. 11.3 of Council’s general approach in 2022, ⁵⁶ the issuing authority could abstain from informing the person whose subscriber or access data was sought where necessary and proportionate to protect the fundamental rights and legitimate interests of another person, and in particular where these rights and interests outweigh the interest to be informed of the person whose data were sought. At this stage, the Regulation was ‘enriched’ with the scenario that persons whose data has been sought will never know about it. ⁵⁷ Finland and Germany reported reservations with the entirety of this provision, advocating for further details, such as information on legal remedies. ⁵⁸ In addition, Germany stated that persons concerned should always be informed about the order. ⁵⁹ However, Art. 13.2 of the Regulation states that the issuing authority may, in accordance with the national law of the issuing State, delay or restrict informing, or omit to inform, the person whose data is being requested, to the extent that, and for as long as, the conditions in Article 13(3) of Directive (EU) 2016/680 are met; which means a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and the legitimate interests of the natural person concerned, in order to avoid - primarily, in the context of the EPO - obstructing official inquiries, investigations or procedures. The information about the EPO can not only be delayed - as proposed by the Commission - but also restricted or omitted. Furthermore, it relates to all types of data, not limiting to subscriber or access data as proposed in 2022. As a consequence, the scope of the justified scenarios of omission of the information has been widened at each stage of the legislative process. It means that the scenario where persons whose data has been requested will never know about it was upheld. ⁶⁰

It can be seen that according to the Regulation, any persons whose data were requested via a European Production Order shall have the right to effective remedies against the European Production Order (Art. 18.1.) - except for the ones that were never informed that the EPO was issued (Art. 13.2). It must be stated that the Regulation in this part is self-contradictory, as well as inconsistent with the right to an effective remedy before a tribunal envisaged in the Charter. The conditio sine qua non of exercising the right to an effective remedy is to be informed about the actions that could violate one’s rights or procedural guarantees.

It should also be remembered that Directive 2012/13/EU envisages the right of suspects or the accused to information about their rights arising from the time persons are made aware by the competent authorities of a Member State that they are suspected or accused of having committed a criminal offence. Such provision has been repeated in Art. 4 of the Directive 2016/800. Furthermore, as far as the situation of children being suspects or accused is concerned, the right to information is extended to holders of parental responsibility. If the subject is never informed of the fact that data has been sought, they have neither been informed of their right to an effective remedy stemming from it. In the Author’s view, in order to achieve the self-coherence of the Regulation as well as consistency with the Charter and the Directives (2012/13/EU and 2016/800), the legislator should get back to the concept where the right to the effective remedies is envisaged for suspects and accused persons whose data was obtained or indicate that information duty can be delayed or restricted, but not omitted. As the latest concept is more guaranteed, the first one is not disqualified. Seeking the data does not necessarily have to lead to the rights infringement. If it does (e.g. the right to privacy, provisions on data retention or the national requirements that must be met to seek the data), the right to the effective remedy stemming from the Charter will be in place.

Also, additional commentary is needed here. It could be analysed if the word omission is possibly used in the context of the temporary, not permanent, exclusion. What may suggest this direction of the interpretation is Article 13.2 EPO Regulation, taking into consideration the wording for as long as the conditions in Article 13(3) of Directive (EU) 2016/680 are met. It can be stated that the omission lasts only as long as the requirements of Article 13 (3) of Directive (EU) 2016/680 continue to exist. However, in the Author’s view, such an interpretation would be unjustified. Following certain interpretation rules, the interpretator must begin with the rule of literal construction. According to this, the words used in a statute are to be understood in their natural and grammatical meaning unless such a construction leads to an absurdity or the context suggests a different meaning. ⁶¹ However, the context may be interpreted in favour of the aforementioned interpretation, whereby two other rules have to be borne in mind. First, stating that the same word used in the legal act has the same meaning. Second, stating that two other words used in the legal acts have different meanings. ⁶² Regarding these rules, it must be emphasised that the temporality is the feature of the delay, contrary to the omission. If the legislator used these two words, pointing out the exhausting list of exemptions, the interpretator must acknowledge it as two different legal situations. Also, following the legislation process, it is clear that amendment of the commented provision and extension of the scope of exemptions is not accidental. The omission exception cannot be considered as a synonym to the delay exception, accepting the assumption of the rational legislator. For these reasons, it must be stated that the final version of the Regulation assumes the case scenario where a person whose data has been sought will never know about it.

Regarding the language in which the information is being passed along to the defendant, the Regulation does not seem to be contrary to the right to interpretation and translation in criminal proceedings. The Regulation addresses the issue of translation in the context of the language of the state or authorities involved. However, authorities should bear in mind that any notification and cautions should be made in the language understood by the person concerned, ⁶³ which can be another language than the one of the issuing or executing states.

The right to information is supported by the right to a lawyer, in order to enable execution of the defendants’ rights. The right to a lawyer is provided to suspects or accused persons in criminal proceedings from the time they are made aware that they are suspected or accused of having committed a criminal offence by the competent authorities of a Member State by official notification or otherwise. ⁶⁴ The phrase ‘or otherwise’ is relevant with regard to the discussed regulation. Furthermore, to be ‘made aware’ requires notification of the acts that have been taken. ⁶⁵ Regarding the situation of children being suspects or accused in criminal proceedings, the Directive 2013/48 fully applies, going even further when it comes to the obligatory assistance of a lawyer, however, it does not directly influence the situation of the children during the data-gathering procedure with EPO or EPO-PR. ⁶⁶ The information about the action directed to obtain incriminating evidence should be considered as the starting point from which the person concerned has a right to a lawyer. As the notification can be delayed, it does not need to be the moment of seeking the data. The Regulation does not address or raise the issue of defence rights in detail. ⁶⁷ Again, the right to information about the actions taken has to be emphasised. Lack of proper notification causes not only restriction of the right to the effective remedy, but also - as indicated above - to the right to the lawyer.

The Regulation does not influence the right to legal aid, envisaged in the Directive (EU) 2016/1919. The right to legal aid, paid by the state, derives from the right to a lawyer. If the right to a lawyer applies and, the suspect or accused lacks sufficient resources, they should be granted a lawyer paid by a state. According to domestic rules, an additional means or merits test can also apply. ⁶⁸

The right to be presumed innocent

When it comes to the presumption of innocence, this rule has different aspects. We can detect the aspect of:

1) the burden of proof which should be on the prosecution ⁶⁹ ,

The relation between electronic evidence and the presumption of innocence is particularly vulnerable. ⁷¹ Research conducted in the EU shows that not only the prosecutor and judges but also defence lawyers, lack the professional training and knowledge of how to deal with electronic evidence, preserve it, assess it and verify its integrity and authenticity. ⁷² This creates a threat that electronic evidence will not be rightly verified and will be automatically considered as a proper basis for a conviction. During the past decades, detailed procedures have been developed in national legal orders concerning the acquisition and preservation of material evidence. It also includes some electronic evidence - e.g. recordings obtained as a result of wiretapping. Due to the examples of interference in the content of private recordings and modification of the content or metadata of recordings or electronic correspondence, the practice of testing the reliability and authenticity of evidence by court experts has developed. This is because it is already clear what data needs to be examined and what inaccuracies can lead to the refutation of the credibility of evidence in question. With the vast majority of electronic evidence currently used in criminal proceedings, this is not the case. The lack of sufficient knowledge and training in this area prevents both authorities and defence counsel from proper assessment of what issues may lead to the rebuttal of the credibility of evidence and how evidence should be obtained and stored in a proper manner in order to prevent loss or alteration of data. ⁷³ In most countries, there is a lack of the Standard Operational Procedure (SOP) for obtaining electronic evidence. To give an example of data requested for the sole purpose of identifying the user, there are tools to modify this data, such as tunneling network ports, using TOR browser, using VPN, hiding IP addresses and using public networks. There can also be time stamp errors with IP numbers (e.g. different time zones) and geolocation data. Thus, there may be situations where the identification of the perpetrator of a crime by means of the indicated electronic evidence is not questioned, even though, to the best of IT knowledge, these results should not be considered to unambiguously identify the perpetrator. That assumption can be very dangerous, as the mistakes in that field are already known. ⁷⁴ Notably, non-content data, including access and subscriber data, is sometimes not credible as the sole IP address is not always a plausible base for the identification of the suspect. ⁷⁵

The Regulation does not violate the right to be presumed innocent per se. However, the focus should be on the quality of data shared by service providers with judicial authorities. It should be ensured that both content and non-content data are properly preserved and their verification, for example, by expert witnesses, will be possible in further stages of the proceedings.

The right to protection of privacy

The right to protection of privacy should be considered when analysing the Regulation. According to Art. 7 of the Charter, everyone has the right of respect for his or her private and family life, home and communication. Directive (EU) 2016/800 emphasised the right to protection of privacy of children during criminal proceedings. ⁷⁶ However, the right to privacy is not an absolute one. Rich case law of both the European Court of Human Rights (hereinafter, ECHR) and the Court of Justice of the European Union (hereinafter, CJEU) exists on balancing the right to privacy with LEAs interference.

Regarding ECHR case law, the authorities should pay attention to necessity, proportionality, scope and time limits related to gathering and preserving data ⁷⁷ for the purposes of criminal proceedings, as well as proper safeguards and protection against abuses. ⁷⁸ The Court has held that ‘where a State institutes secret surveillance, the existence of which remains unknown to the persons being controlled with the effect that the surveillance remains unchallengeable, individuals could be deprived of their Article 8 rights without being aware and without being able to obtain a remedy either at the national level or before the Convention institutions’. ⁷⁹ This is particularly relevant when new technologies rapidly develop, and the State may have an interest in preventing crime and terrorism. ⁸⁰ The ECHR states that ‘whatever system of surveillance is adopted, there must be adequate and effective guarantees against abuse’ ⁸¹ and ‘powers of secret surveillance of citizens are tolerable only in so far as strictly necessary for safeguarding the democratic institutions’. ⁸²

The judgements in the cases of Pietrzak v. Poland (no. 72038/17) and Bychawska-Siniarska and Others v. Poland (no. 25237/18) will—hopefully—be relevant and significant. These applications concern the Polish legislation authorising a system of secret surveillance of telephone, postal and electronic communications and the collection of data relating to these communications. In November 2019, the Court gave notice of the applications to the Polish government and put questions to the parties under Articles 8 (right to respect for private life and correspondence) and 13 (right to an effective remedy) of the Convention. Eleven third-party interveners have been given leave to take part in the written procedure. ⁸³ The judgements can shed new light on the matter of required safeguards and notifications regarding the acquiring of electronic data by the LEAs and other authorities.

For now, the position of the ECHR is that surveillance as well as gathering electronic data for the purpose of criminal proceedings is admissible, ⁸⁴ however safeguards and protection against abuses are required. Under these notions ECHR understands the information duty of the State, ⁸⁵ the right to the effective remedy against those measures, ⁸⁶ possibility to challenge the use of those measures, their proportionality and necessity. ⁸⁷ Gathering information cannot be blank and general. ⁸⁸ By confronting the requirements of the Court with the EPO Regulation, it seems that in the scenario where someone is not informed about the existence of activities involving their personal data, they cannot perform their rights. In consequence, the Strasbourg requirements are not met. ⁸⁹

CJEU case law, relating to both - right to the privacy and protection of personal data - is rich. The famous Schrems II case ⁹⁰ indicates some directions on the privacy guarantees. The applicant argued, among other things, that in light of the large-scale surveillance measures applied by United States intelligence services, the data protection level guaranteed in the US was not adequate within the meaning of the Data Protection Directive. The main issue in the CJEU judgement seems to have been the effective remedies available to EU persons to challenge how their personal data is used (in the example of Facebook) once it is transferred to the US (Article 47 of the Charter). In its decision, the CJEU found that Article 1 of the Privacy Shield Decision is invalid. The Court opined that the legislation that allows ‘public authorities to have access on a generalised basis to the content of electronic communications’ compromises the essence of the fundamental right to privacy. ⁹¹ Another judgement that involved Facebook was delivered on 15 June 2021 (Grand Chamber). ⁹² It stated that some infringements of the collection and use of information on the browsing behaviour of Belgian Internet users by means of various technologies, such as cookies, social plug-ins or pixels, were not allowed, whether or not they were Facebook account holders.

Regarding data retention, ⁹³ in 2014 the CJEU declared the directive on data retention invalid, on the grounds that the wide-ranging and particularly serious interference with fundamental rights was not sufficient and not able to ensure that interference was limited to strictly necessary purposes. ⁹⁴ In the case of Tele2 Sverige and Home Secretary v. Watson, ⁹⁵ the CJEU in general upheld its position. With regard to access to data, the CJEU presented similar standards, indicating that access to retained data is possible only for the purpose of fighting serious crimes, limited to what is strictly necessary, proportionate and based on the precise conditions and requirements. ⁹⁶ General and unlimited access to data cannot be seen as proportionate and necessary. Purpose must be limited to the data of individuals somehow involved in serious crime proceedings. Such an approach was in general upheld in 2018 with Ministerio Fiscal case ⁹⁷ and a further Privacy International case. ⁹⁸ However, in Ministerio Fiscal, the CJEU opened a door for data retention and access in minor criminal cases. It indicated that the seriousness of the interference should be proportionate to the seriousness of the proceedings. In Quadrature du Net judgment ⁹⁹ , the CJEU opened the door to some even wider exceptions - general retention of traffic and location data of all users does not have to be contrary to EU law if it is for a limited period of time. Such ‘door opening’ approach was upheld in Garda Síochána case. ¹⁰⁰

The current Luxembourg standard regarding the right to privacy and protection of personal data is as follows. Both surveillance as well as access to personal data for the purpose of criminal proceedings are admissible. ¹⁰¹ Data retention is not precluded, and neither is national authorities’ access to the retained data. However, it is only possible ¹⁰² :

1) for a specific purpose,

In assessing the correspondence of the Regulation with the CJEU standards, it can be detected that, primarily, EPO Regulation does not give an autonomous base for data retention. Data retention is executed according to national rules as the common EU grounds do not currently exist. Assessment of the provisions related strictly to data retention is beyond the scope of the article. However, what needs to be done is the assessment of the standards of access to the retained data envisaged in the Regulation. It can be stated that:

1) It is possible for the purpose of the proceedings (Art. 5.2.) to meet the CJEU standard.

The CJEU has provided requirements similar to those presented by the ECHR. Both the ECHR and CJEU have given a clear signal to the authorities not to gather and preserve data, even for the purpose of criminal proceedings, when the highest requirements of necessity, proportionality and safeguards are not met. It can be seen that EU bodies took a lesson from the data retention saga, and deployed the threshold when accessing traffic and content data, narrowed the purpose of access and implemented the notification duty as a rule. However, the reservations on the field of the right to information and right to an effective remedy should be upheld.

It is still an open question if national rules of retention data would be considered as corresponding with EU standards and if not - whether the data obtained via EPO can be seen as admissible and further used in criminal proceedings. Neither ECHR nor CJEU interfere in admissibility issues, leaving it to the national orders. ¹⁰⁵ ECHR assess if the trial as a whole was fair. However, some attempts aimed at the unification of admissibility standards among Member States were recently made. ¹⁰⁶