Few topics have sparked as much controversy in 2024 as the seizure and examination of mobile data carriers and the data found therein. Despite an urgent need to have the legal framework amended by the end of 2024, a new draft bill was published only on 20 November 2024. We take a look.
The current legal framework
If the Public Prosecutor's Office (PPO) wants to seize objects (for evidentiary purposes, to secure civil-law claims or to secure the enforcement of property rights), the Austrian Code of Criminal Procedure (ACCP) requires that the PPO establish the status of the suspicion on which the investigative measure is based, the objects to be seized and their relevance, and why the seizure is proportionate and necessary; in other words, why the evidentiary purpose of the measure would be jeopardised if more lenient actions were taken. Importantly, a court order is not necessary, as opposed to house searches or surveillance measures.
For a long time, the seizure and subsequent analysis of mobile data and data carriers was not treated any differently. Mobile data carriers were treated like "ordinary" objects, regardless of the external and internal data found when analysing them.
However, this changed due to two decisions in particular:
Decision by the Constitutional Court, December 2023
On 14 December 2023 (G 352/2021), the Constitutional Court of Austria rendered a landmark verdict on whether the provisions applicable to the seizure of "ordinary" objects also apply to the seizure of mobile data and data carriers. The Court concurred with numerous experts and rejected this notion. In essence, it stated that the invasion of data protection and privacy was particularly intense, as access to a data carrier not only provided a snapshot of the person's behaviour, but comprehensive insight into significant parts of their past and present life.
The Court further provided a guideline on which aspects would need to be considered when amending the legal framework. Most prominently, the PPO would need to obtain an order by the respective court of first instance. Furthermore, the lawmaker would have to ensure that the analysis is comprehensible and verifiable, and that the data carriers are evaluated only to the extent necessary. It would also have to be ensured that the persons concerned receive the information necessary to safeguard their rights in the proceedings. The Court also suggested implementing independent supervision to review whether the PPO or the police remained within the scope of the court order.
The Court granted the lawmaker time until 31 December 2024 to amend the current provisions. From 1 January 2025, the current provisions on seizures of all kinds will cease to be in force.
Decision by the ECJ, October 2024
The uncertainty regarding the seizure of mobile data and data carriers was further aggravated by a decision of the European Court of Justice (ECJ) dated 4 October 2024 (C-548/21). This decision was based on Directive (EU) 2016/680, read in light of certain provisions of the EU Charter of Fundamental Rights.
In the decision, the ECJ stated that mobile data and data carriers could be seized and analysed regardless of the seriousness of the offence. Therefore, such measures are not restricted only to grave offences.
However, the ECJ then essentially took a stance previously also taken by the Constitutional Court in its earlier (and completely separate) decision, highlighting the requirement of a court order, clear and precise rules defining the type or categories of the offences concerned to ensure proportionality, and the rights of the persons concerned to be informed about the purpose of the data processing and the remedies available to them.
Contrary to the decision by the Constitutional Court, the ECJ's decision binds all Member States with immediate effect regarding the interpretation of the relevant EU law provisions. A national court that disregards a decision of the ECJ risks violating EU law.
Decision by the Vienna Regional Criminal Court, October / November 2024
Additionally, in a recent (unpublished and pending) decision by the Vienna Regional Criminal Court (332 HR 369/23 m), the Court stated that the processing of data not relevant as evidence, or of personal data not necessary for the purposes of the investigation, constitutes a violation of the law. Data resulting from such unlawful conduct must immediately be erased from the copies of data or mirror images.
The status of the amendment of the current legal framework
In June 2024, the Government presented a draft bill to amend the provisions on the seizure and analysis of mobile data and data carriers, which also included other amendments to the ACCP. However, due to heavy criticism, the draft bill was pulled.
A new draft bill was published only on 20 November 2024, just in time to enable its entry into force in 2024 (subject to the passing of a resolution to that effect).
The key points of the draft bill are:
- Introduction of a new investigative measure for the "seizure of data carriers and data", separating this measure from the seizure of "ordinary" objects.
- Requirement of a prior court order.
- Requirement to set out the data categories, period and data content by the Public Prosecutor's Office (and court) when ordering such a measure.
- Implementation of nullity sanctions ("Nichtigkeitssanktionen") if the measure has not been lawfully ordered and authorised.
- Implementation of rights for the suspects and victims to participate in the selection of relevant facts for the investigations or criminal proceedings.
As previously, in addition to the amendment of the regime to seize and analyse mobile data and data carriers, the draft bill contains many other amendments to the ACCP, such as implementing measures to expedite pre-trial proceedings.
In light of the recent elections in Austria, which have left the previous government that drafted the bill without a majority, it remains to be seen whether this draft bill will come into force and, if so, whether it will undergo any changes.
Decree of the Ministry of Justice, 11 November 2024
For the time being, legal practitioners remain in limbo about the circumstances under which the seizure and analysis of mobile data and data carriers are lawful. Addressing this legal uncertainty and attempting to offer at least a temporary solution, particularly due to the decision of the ECJ, the Ministry of Justice recently published a Decree on how the PPO are to proceed. Accordingly,
- it must be clearly defined which data categories and data contents are to be analysed in relation to which period and for which investigation purposes. If certain data were not explicitly included when they were originally seized, a separate order for their analysis is required; if further data need to be analysed, the act must again be legitimised by a separate order;
- in cases in which access to potentially all data stored on a carrier provides more than a merely selective picture of the behaviour of the suspect or person concerned, a court order should be obtained;
- a transparent approach to the analysis of the data must be ensured and the accused must be given the opportunity to contribute to the search for exculpatory material, by providing relevant data categories and suitable search selectors; and
- personal data that has been collected and became part of the investigation file in contravention of the provisions of the ACCP must be deleted ex officio.
The subordinate authorities (in particular the PPO) are bound by the provisions of the Decree, provided these do not contradict the laws.
Conclusion
Seizures and analysis of mobile data and data carriers are a fundamental part of criminal investigations and beyond. Therefore, it is to be hoped that the lawmaker will soon amend the current legal framework by addressing the courts' concerns.
Whatever the outcome, it is to be expected that any legal framework that comes into force will be thoroughly challenged by those individuals and legal entities affected by such measures.
By Oliver M. Loksa, Counsel, Schoenherr