e-Evidence regulation: Why it matters for medical confidentiality
Electronic data has become a defining component of criminal investigations. Emails, data stored “in the cloud”, private messages – investigators increasingly seek such data, often held by private companies, as evidence for their criminal cases. This can also encompass health data. Under current legal rules, when such data is stored abroad, national law enforcement authorities need to rely on so-called “mutual legal assistance treaties” or other types of international instruments for data exchange. These processes involve a dialogue between two competent judicial authorities, which are entrusted to ensure the legality of the data transfer and the protection of fundamental rights.
However, the European Union (EU) Member States and the European Commission consider the current processes too burdensome, slow and inefficient. To remedy this problem, the Commission in 2018 proposed a new law enforcement data-gathering instrument, called the Regulation on European Production and Preservation Orders for electronic evidence in criminal matters (also known as the “e-Evidence Regulation”). This new legislative framework would allow investigative authorities to directly request data from private companies established in other Member States. Law enforcement authorities would simply need to send a request to the company, without any involvement of another competent authority, as is usually the case in cross-border cooperation frameworks. High financial sanctions are foreseen to incentivise companies to automatically comply with orders received without asking further questions.
Digital rights advocates, lawyers, journalists and media organisations have repeatedly pointed out the loopholes and dangers of this proposal for people’s rights, including its impacts on the right to a fair trial, freedom of expression and press freedoms, as well as the right to privacy. Police accessing journalists’ emails, lawyers’ correspondence with their clients or getting hold of someone’s data without concrete suspicion of serious criminality is not without consequences for the quality of our democratic societies.
These new cross-border police powers are accompanied by barely adequate safeguards. There is a crucial lack of systematic independent judicial oversight and the secrecy granted to pretrial orders prevents the individuals affect- ed from exercising their defence rights. It is important to stress that this intrusive instrument, ripe for abuse, will also land in the hands of certain EU governments, which, over the past decade, have weakened the independence of their judicial systems, shown their defiance of European values and illegally spied on political dissidents.
Medical confidentiality is key to the protection of patients’ rights. Health data is considered private and sensitive information and, as such, needs to be adequately protected by medical professionals. However, with the digitisation of health records and the increasing use of telemedicine, doctors and healthcare providers rely more and more on private entities for the storage and processing of electronic health data. If such data is accessed for any purpose other than providing healthcare and without the patient’s consent, there must be thorough checks and strong safeguards. Something the e-Evidence Regulation is currently failing to provide.
In October 2021, Standing Committee of European Doctors (CPME) partnered with European Digital Rights (EDRi) and twelve other organisations to showcase in a series of scenarios how the e-Evidence Regulation would undermine fundamental rights, including medical confidentiality and patient rights. As the legislative proposal is currently being negotiated by the Council of the EU and the European Parliament, the scenarios and related recommendations give EU legislators concrete ideas of safeguards in order to mitigate these harms. Doctors and patients need assurances that sensitive health data will not be illegally accessed. As the e-Evidence Regulation passes through the next legislative steps, we will continue to ensure that privacy and fundamental rights are put first.