The Latest EncroChat ruling from the French 'Supreme Court'

In June 2020 the EncroChat hack became public knowledge. Courts across Europe have considered the implications and admissibility of data obtained. This article explores the significance of the latest ruling in France.

Case Analysis Summary: The Court of Cassation considered whether EncroChat evidence could be used where the prosecuting authorities had withheld technical information about authorised hacking on grounds of ‘national defence secrecy’. They found that there was no objection in principle to using such evidence. For that purpose they also held there was no distinction in French law between data captured as ‘stored’ on a device or ‘transmitted’. But the appeal was allowed because the Court of Appeal had failed to consider the absence of a required “certificate of veracity” from the Technical Official of the hacking authority to verify the reliability of the data. The case was remitted to the Metz Court of Appeal for further consideration.

EncroChat: the background

The EncroChat hacking operation was conducted by French and Dutch authorities under a Joint Investigatory Team (JIT). The JIT subsequently supplied data obtained to the UK authorities. The servers were in France, the French Gendarmerie sent the implant to each EncroChat device to which harvested the data (a) stored on each handset at the time and (b) sent or received by each handset thereafter.

The question for the courts ever since has been: can the data obtained from that ‘hacking’ be lawfully used in evidence?

As prosecutions have continued courts have considered information about how the networks were infiltrated, the technical parameters of the ‘hack’ and the reliability of data obtained. The French authorities have withheld details on grounds of ‘national defence secrecy.’ In other words, to disguise their methods of intelligence gathering on grounds of national security. Defence practitioners have argued that they have been unable to test the reliability of the data. Very broadly speaking, rulings thus far have found the information supplied to be sufficient to use the data.

On 11 October 2022, the Criminal Division of the French Court of Cassation (loosely speaking a ‘French Supreme Court’) has generated some excited press coverage after allowing Appeal No. 21-85.148. This commentary focusses on what the French court did, and didn’t, decide.

Under 100 words on French Law

The particular details of the French Code of Criminal Procedure (‘the Code’) may not be top of the reading list but for the briefest possible context:

  • The Code permits state use of technical devices (i.e. ‘hacking’) to capture ‘computer data’ (Article 706-102-1)
  • Encrypted data should be accompanied by (i) technical information enabling it to be understood and (ii) a “certificate of veracity” from a relevant technical official to certify the ‘genuineness’ of data obtained. But they are “subject to the State claims of “national defence secrecy” so as not to disclose their methods (Article 230-3)
  • In April 2022, the Conseil-Constitutionel (French Constitutional Court) held the “defence secrecy” exception was not unconstitutional, per se; the Code allowed some means for courts to balance rights and interests.[i]

The French ‘Supreme Court’ ruling[ii]

The appeal considered the substance of three grounds, two and a half were rejected. The second ground was not directly related to EncroChat but to appeal procedures, in any case, rejected. However, the first and third ground drew on the above law.

Ground 1 – rejected – Illegality of capturing "transmitted" data

It was argued that (under French law and Article 8 of the European Convention on Human Rights (‘ECHR’)) under the code an order to capture “computer data” was for “stored” data and not data being “transmitted.” It was also argued that the orders to permit (a) “blocking” certain normal activities on the handset, and (b) “redirecting” certain data processes were also not “stored data” and therefore unlawful.

The court rejected the appeal holding that:

  1. The code made no distinction between types of computer data, whether “stored” or “in transit.” There was no basis for the distinction in French law.
  1. Operations such as “blocking” and “redirecting flow” were technical and necessary prerequisites to capturing data. The code assumes their inclusion otherwise those running an encrypted server could detect and neutralise the investigator’s hack.

Ground 3 – granted in part – the application of “defence secrecy” was a breach of A.6

The third ground regarding “defence secrecy” was split into two branches, that:

  1. The “defence secrecy” exception was contrary to French constitutional law and A.6 ECHR. It was in effect, a prosecutorial discretion whether to authorise data capture and there were inadequate controls about its use.

The Court rejected this branch outright since the Constitutional Court had determined that “national defence secrecy” was, in principle, constitutional (above.) On the second branch it was argued:

  1. The “defence secrecy” exception had been unlawfully applied given:
  1. There was an absence of technical information, and
  2. There was no “certificate of veracity”

which the code (Article 230-3) required and the lower court did not properly address.

The appeal succeeded on the second branch of ground 3. The Code stated that both (2)(a) and (b) together were “subject to national defence secrecy." However, the Court of Cassation did not rule separately on whether the lack of technical information (2(a)) nor certificate ((2)(b)) was justified by “defence secrecy.”  Rather, any judgement must include sufficient reasons (Article 593) and the ruling did not adequately address the absence of a certificate. The decision was therefore remitted to Metz Court of Appeal for redetermination.

The Implications of the Decision

The significance of the appeal allowed on grounds 2 can be both overstated and understated:

  1. On one view, this is a limited judgement in favour of the appeal due to a procedural failure in a lower court about a certificate requirement specific to French law.
  1. On the other hand, the French authorities are at the heart of EncroChat from where data has been shared internationally. Questions arise about whether the data can be certified as reliable at all. Any such finding has the potential to effect the admissibility of EncroChat data throughout Europe.

Perhaps, like Schrodinger’s cat, it is both - until we are able to open the box and take a look in the Metz Court of Appeal.

But, although rejected, ground 1 should not be forgotten. It may have more intriguing parallels to proceedings in the UK. Whereas the French need not distinguish between data ‘stored’ on the device or being ‘transmitted,” the courts in England & Wales do and have done so.

In the UK, the section 56 of the Investigatory Powers Act (‘IPA’) 2016 effectively excludes evidence from “interception,” but not evidence from “equipment interference.” As such, the Court of Appeal was at pains to distinguish warrants for TI (Targeted Interception) from TEI (‘Targeted Equipment Interference’). The warrants obtained in the UK were for the latter. On the information available to it the Court of Appeal held that was correct; because data was being “stored” at the time it was taken and not ‘transmitted’ (see R v A and others [2021] EWCA Crim 128).

These are the legal interpretations of national courts on the meaning of terms according to national legislation. Direct legal analogies may not be possible. But they are, factually, based on the same thing: EncroChat data and the technical information underlying it. The French court’s implicit acceptance that captured data was “transmitted” is an interesting backdrop to the UK proceedings at the Investigatory Powers Tribunal (‘IPT’).

At the IPT the basis on which TEI’s were granted continues to be challenged. If evidence at that hearing reveals information different to that on which R v A & Ors [2021] relied we may see another visit to the Court of Appeal.

Something similar seems to be happening in Germany where, on 19 October 2022, a Berlin Regional Court referred questions to the Court of Justice of the European Union (‘CJEU’). Questions included issues of legality on which the Federal and other ‘higher’ courts had already ruled. But they were said to have made assumptions which documents subsequently served may undermine.[iii]

The French case is yet another step in the long litigation of EncroChat which continues across Europe. Another significant, but not yet decisive step with the factual background not as certain as lawyers might prefer. Ultimately, it may be that once domestic avenues are exhausted, the European Court of Human Rights has its say. So sit tight, and keep an eye on Metz.

[i] For decision of the Constitutional Court Décision n° 2022-987 QPC, 8 April 22, please click here.

[ii] For the ruling of the Court of Cassation, Criminal Chamber, 11 October 2022, Appeal No. 21-85.148, please click here or here.

[iii] For Decision of the Berlin Regional Court, 19 October 2022, (525 KLs) 279 Js 30/22 (8/22), please click here. See for example para. 31