nmann77 - stock.adobe.com

Germany: European Court of Justice ruling on EncroChat could lead to new legal challenges

A ruling by the European Court of Justice could prompt legal challenges in EncroChat prosecutions in Germany and other EU states

A decision by Europe’s highest court is expected to lead to legal challenges over the use of evidence from EncroChat and other encrypted phone networks infiltrated by law enforcement.

The Court of Justice of the European Union (CJEU) ruled on 30 April 2024 that member states must formally notify other member states when they intercept communications in their jurisdiction.

German defence lawyer Christian Lödden said this week that the ruling opens up the way for legal challenges to future EncroChat prosecutions in Germany and other countries.

He said that France had failed to provide a formal notification of the hacking operation to Germany and other member states as required by EU law, adding that France “violated [the law]”.

The ruling is the latest in a series of legal challenges over the lawfulness of evidence gathered by French and Dutch police in a novel hacking operation into the EncroChat phone network, which offered encrypted messaging services.

French and Dutch police harvested messages from 4,600 EncroChat phone users in Germany in 2020 and tens of thousands of phone users in other countries after infiltrating EncroChat servers hosted at the OVH data centre in Roubaix in Northern France.

The operation led to 6,500 arrests worldwide and the seizure of nearly €900m after a three-year investigation by police into organised crime and drug groups using EncroChat phones.

CJEU ruling focus on evidence sharing between EU states

The CJEU issued its ruling last month in response to a series of questions put forward by the Berlin Regional Court over the lawfulness of the EncroChat operation.

The judgment follows a preliminary opinion by the advocate general of the European Court of Justice in 2023 that found Germany obtained EncroChat data legally from France but left critical legal questions for national courts to resolve.

The CJEU’s latest decision aims to clarify whether European Investigation Orders (EIOs) issued by the German Public Prosecutor’s Office to obtain material intercepted by French investigators from EncroChat phone users in Germany were lawful under EU law.

The court found that, according to the EIO directive, France was required to formally notify Germany of the interception of EncroChat phones on German soil, and to give German authorities the opportunity to object to the operation within 96 hours, if they wished.

France’s notification should have contained details of the targets identified by phone number, IP address or email, the identity of individuals targeted, including their address, date of birth and social security numbers, as well as a description of the offence committed, according to a sample notification included in the EIO directive.

Notification requirements when an EU state intercepts communications in another member state

States are required under EU law to issue a formal notification when they intercept communications in another member state, giving the following details:

  • Whether the notification is issued before, during or after the interception has taken place;
  • Anticipated start and end date of the interception;
  • Target of the interception identified by telephone number, IP address or email;
  • Identity of the person subject to surveillance, including name, sex, nationality and identity number or social security number, date of birth, place of birth, address or last known address;
  • In the case of a company or other legal entity subject to surveillance, the registration number, trading name, address, name and contact of the representative of the organisation;
  • A description of the case, details of the offensive, the relevant statutory code and information to allow the notified country to assess:
    1. Whether interception would be authorised in a similar case in the notified country and whether the intercepted material cold be used in legal proceedings in the notified country.
    2. Where interception has already taken place, whether the material can be used in legal proceedings.

The notified country has 96 hours to object to the interception or use of the intercepted material once it has already been obtained following receipt of the notification.

Source: Annex C of the EIO Directive

Lödden argues that had France formally notified Germany upfront that it was planning to infiltrate more than 4,600 devices in Germany with malware, a German judge would likely have found the operation unlawful under German law.

This is because France was not able to demonstrate concrete suspicion required by German law that each of the 4,600 people targeted were involved in criminality, he said.

Lödden believes that German prosecutors have since changed their approach. In a 2021 hacking operation against the encrypted phone network, Sky ECC, prosecutors issued individual EIOs citing specific evidence of criminality for each phone user under investigation rather than the single EIO covering all phone users in Germany, with Lödden pointing out: “In SKY ECC, they slowed down and they had to issue an EIO for every user.”

It will now come down to the discretion of individual German courts to decide whether to admit EncroChat evidence in the light of the European Court ruling in future cases.

“We have good arguments because it’s now on paper that [France] broke the law,” claimed Lödden.

Defence secrecy

In another significant ruling, the CJEU found that national courts of member states should disregard evidence that is likely to have significant impact on the findings of fact if a defendant is not in a position to comment on the evidence.

Defence lawyers are likely to argue in future cases that German courts should disregard EncroChat evidence on the grounds that France has refused to disclose how it obtained and processed the intercepted messages, citing “defence secrecy”.

However, it will be up to national courts to interpret the CJEU judgment and to decide on a case-by-case basis whether evidence from EncroChat is admissible.

Investigations began in 2018

Police began investigating EncroChat in 2018 after encrypted phones were seized in a number of drug operations. Investigators were able to take copies of data from EncroChat servers, which were held at the OVH datacentre in Roubaix in 2018 and again in 2019.

French police, working in a joint investigation team with the Dutch, infiltrated the EncroChat encrypted phone network between March and June 2000. They were able to infect around half the 66,000 phones in the network with a software implant, enabling police to access the contents of phones in 122 countries.

The German Federal Police Office, the BKA, learned about the operation in a video conference with representatives from France, Holland, the UK and other countries, organised by the European agency for criminal justice co-operation, Eurojust, in March 2020.

The BKA subsequently announced that it was opening an investigation into all users of EncroChat in Germany, stating that the use of the EncroChat service itself was grounds for suspicion that serious criminal offences, particularly drug dealing, were being committed.

On 7 March 2020, the BKA received a secure message from Europol inviting them to confirm in writing that they had been informed of the methods used to obtain EncroChat messages in Germany in order to receive access to EncroChat messages collected by French Police from German phones.

The BKA received daily downloads of data from a Europol server between 2 April and 28 June 2020, when EncroChat administrators issued a message warning users that the service had been compromised.

The Frankfurt Public Prosecutor’s Office issued the first of three European Investigation Orders on 2 June 2020 requesting authorisation from the French authorities to use EncroChat data in criminal proceedings.

The Public Prosecutor’s Office justified the request by explaining that Europol had informed the BKA that a large number of serious criminal offences were being committed in Germany by unknown persons using EncroChat encrypted phones.

German courts disagree on law

Germany’s Supreme Court, the Federal Court of Justice, ruled on 2 March 2022 that the public prosecutor’s office was a competent body to issue EIOs for transmission of evidence from France to Germany

The Supreme Court also found that EncroChat evidence provided by France to Germany could be used as evidence in Germany for investigating serious criminal offences.

The Landgericht Regional Court in Berlin in turn referred a series of questions to the European Court of Justice in October 2022 after disagreeing with the Supreme Court’s findings.

Summary of questions to the European Court of Justice

Main questions

  • Must an EIO be issued by a judge to obtain evidence if the taking of evidence in a similar domestic case should have been ordered by a judge?
  • What effect would it have if the telecommunications interception carried out extended to all handsets in the territory, and there are no concrete indications that serious criminal offences have been committed by an individual user, in particular if the integrity of the data cannot be verified due to extensive secrecy?
  • To what extent is a data skimming measure from terminal equipment of an internet-based communications service surveillance of telecommunications traffic within the meaning of the EIO directive, and what information obligations exist for which institutions, if the measure could only be ordered by a judge under national law?

      Further questions

      • What is the effect if the measure underlying the data collection would have been inadmissible in a comparable domestic case?
      • If evidence is obtained by an EIO that is contrary to EU law, does a ban on the use of evidence result immediately or to what extent is such a consideration to be taken into account in the context of a balancing decision, especially if the seriousness of the crime is justified by the evaluation of the evidence obtained?

        Source: Christian Lödden, defence lawyer at Lödden & Barczyk Rechtsanwälte.

        The Berlin court argued that the mere suspicion that multiple criminal offences may have occurred in Germany was not sufficient grounds for German prosecutors to issue a EIO to obtain the French data.

        It also questioned whether the EIOs were proportionate, given that under the EU Charter of Fundamental Rights and the Convention for the Protection of Human Rights and Fundamental Freedoms, defendants are required to have a “real opportunity” to comment on evidence presented in court.

        The right to a fair trial was undermined, it said, by the fact that the data requested by the EIOs could not be examined by technical experts in Germany because the French had classified the interception technique as a “defence secret”.

        In the view of the Berlin Court, German authorities could only issue an EIO to obtain evidence from a third country, in this case France, if the investigative measure would have been authorised in Germany in a similar domestic case.

        The Berlin Court took the view, contrary to the Federal Court of Justice, that the French investigating authorities should have notified Germany in advance of their intention to infiltrate EncroChat phones in Germany through a German court of law.

        It also called into question decisions by national courts to assume that data from EncroChat can be used in prosecutions and where there were potential infringements of EU law involving EncroChat evidence, priority must be given to criminal prosecutions in view of the seriousness of the offences.

        Under Germany’s criminal procedure, data collected through phone tapping – in the absence of judicial approval and in the absence of concrete suspicions of a specific offence – would be legally inadmissible, the Berlin court argued.

        Preventing information and evidence obtained unlawfully from unduly prejudicing a suspect could be achieved by prohibiting the material from being used as evidence. Alternatively, it could be achieved by factoring-in whether the material is unlawful when assessing evidence or determining a sentence, the Berlin court argued.

        Under EU case law, combatting serious crime cannot justify the general and indiscriminate retention of personal data, the Berlin Court said.

        As a result, Landgericht Regional Court decided to stay proceedings and to refer a series of questions to the European Court of Justice for a ruling.

        CJEU decides on lawfulness of EncroChat EIOS

        The Berlin court’s request to the CJEU relates to the lawfulness of three EIOs issued by the Frankfurt Public Prosecutor’s Office requesting the intercepted data from phone users in Germany from French police.

        The European Court of Justice considered whether Germany was required to have concrete evidence that each individual EncroChat user was suspected of a criminal offence.

        The CJEU was also asked whether it was proportionate to issue an EIO when the integrity of the data gathered by the French cannot be verified because details of the interception operation were protected by “defence secrecy”.

        European Court of Justice ruling

        • An EIO does not necessarily have to be issued by a judge, rather than a public prosecutor, where under the domestic law of the country issuing the EIO the public prosecutor is considered a competent authority to order the transmission of evidence within the country.
        • A public prosecutor in Germany, for example, may issue an EIO to receive evidence acquired by, say, France by intercepting communications in Germany provided that the EIO satisfies all the conditions laid down in German law for transmitting similar evidence within Germany.
        • France must notify Germany if it intercepts telecommunications in German territory. The information required in the notification is set out in the EIO directive.
        • EIOs are (according to Article 31 of the EIO directive) also intended to protect the rights of people subject to telecommunications interception.

        The court found that a public prosecutor in Germany could issue an EIO requesting the transmission of intercepted messages from France to Germany, providing the transmission of data would be also be lawful in a domestic case in Germany.

        The CJEU also found that national courts should disregard information and evidence if a person accused of criminal offences is not in a position to comment on the evidence against him, and that information is likely to have a significant impact on the findings of fact.

        The EIO directive, the court concluded, is not only intended to guarantee the sovereignty of member states, but also to protect the rights of users affected by an operation to intercept telecommunications.

        Impact of ruling

        Lawyers said that the CJEU’s findings would lead to challenges on the admissibility of EncroChat evidence in Germany and in other countries.

        However, Lödden told Computer Weekly, the decision would not impact cases in Germany where people had already been convicted of crimes using evidence from EncroChat, which cannot be re-opened without new evidence, adding: “It’s now in the decision of the court or all the other courts how they rank these violations.” 

        Dutch defence lawyer Justus Reisinger said that the EncroChat operation would have been unlikely to have been approved by a Dutch judge if it was carried out domestically in Holland. He said that France had not issued a formal notification to Holland about the EncroChat operation as required by EU law.

        However, he said that the situation in Holland was more complicated than in Germany because Holland was a member of the Joint Investigation Team responsible for the EncroChat interception operation with France.

        The case will now be referred back to the Berlin Regional Court to make a ruling.

        Read more about key EncroChat decisions in Germany

        Read more on Hackers and cybercrime prevention