(6.1) Relevant law

(6.1.1) Article 6 ECHR – Right to a fair trial

1. In the determination of his civil rights and obligations or of any criminal charge against him, everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal established by law. Judgment shall be pronounced publicly but the press and public may be excluded from all or part of the trial in the interests of morals, public order or national security in a democratic society, where the interests of juveniles or the protection of the private life of the parties so require, or to the extent strictly necessary in the opinion of the court in special circumstances where publicity would prejudice the interests of justice.

1. Everyone charged with a criminal offence shall be presumed innocent until proved guilty according to law.

3. Everyone charged with a criminal offence has the following minimum rights:

a) to be informed promptly, in a language which he understands and in detail, of the nature and cause of the accusation against him;

b) to have adequate time and facilities for the preparation of his defence;

[…]

(6.1.2) States responding to novel challenges: enhanced co-operation and disclosure of electronic evidence

Second Additional Protocol to the Cybercrime Convention on enhanced co-operation and disclosure of electronic evidence (CETS No. 224) 

Considering the proliferation of cybercrime and the increasing complexity of obtaining electronic evidence that may be stored in foreign, multiple, shifting or unknown jurisdictions, the powers of law enforcement are limited by territorial boundaries. As a result, only a very small share of cybercrime that is reported to criminal justice authorities is leading to court decisions.

The Second Additional Protocol to the Convention on Cybercrime (ETS No. 185) responds to these challenges and provides a series of tools for enhanced co-operation and disclosure of electronic evidence, such as:

• direct requests to registrars in other jurisdictions to obtain domain name registration information
• direct co-operation with service providers in other jurisdictions to obtain subscriber information
• more effective means to obtain subscriber information and traffic data through government-to-government co-operation
• expeditious co-operation in emergency situations
• joint investigation teams and joint investigations
• video conferencing
• a strong system of human rights and rule of law safeguards, including for the protection of personal data

(6.2) The nature of encrypted electronic data and its handling in criminal proceedings

(6.2.1) General principles regarding the nature of encrypted electronic data and its handling

ECtHR, Yüksel Yalçınkaya v. Türkiye, App no 15669/20, 26 September 2023 (Grand Chamber)

This is the first case in which the ECtHR addressed the challenges of the nature of encrypted electronic data stored at the server of an Internet-based communication application (ByLock application).

The ECtHR set out certain general principles regarding the nature of such evidence, the special technologies required for its collection, securing, processing and analysis as well as the distinct reliability issues raised (e.g., destruction, damage, alteration or manipulation).

311. […] the Court wishes to clarify whether the specific nature of the evidence at issue, that is encrypted electronic data stored at the server of an Internet-based communication application, requires it to adapt the application of the relevant guarantees under Article 6 § 1 in any way.

312. The Court […] notes that electronic evidence differs in many respects from traditional forms of evidence, including as regards its nature and the special technologies required for its collection, securing, processing and analysis. Most significantly, it raises distinct reliability issues as it is inherently more prone to destruction, damage, alteration or manipulation. The Court also reiterates that the use of untested electronic evidence in criminal proceedings may involve particular difficulties for the judiciary as the nature of the procedure and technology applied to the collection of such evidence is complex and may therefore diminish the ability of national judges to establish its authenticity, accuracy and integrity. Moreover, the handling of electronic evidence, particularly where it concerns data that are encrypted and/or vast in volume or scope, may present the law enforcement and judicial authorities with serious practical and procedural challenges at both the investigation and trial stages.

[…]

(6.2.2) Evidence and quality of encrypted electronic data

ECtHR, Yüksel Yalçınkaya v. Türkiye, App no 15669/20, 26 September 2023 (Grand Chamber)

The ECtHR examined the applicant’s claim that the data regarding his use of the ByLock application, which had been the decisive evidence to secure his conviction, had been obtained unlawfully and should, therefore, have been inadmissible.

309. The essence of the applicant’s complaint under the present head is that despite their inadmissibility as evidence on account of their unlawful procurement by the [Turkish Intelligence service], the data regarding his alleged use of ByLock were relied on as the decisive element to secure his conviction by the domestic courts, without duly addressing his concerns regarding their integrity and evidential value and in disregard of the principles of equality of arms and adversarial proceedings.

310. The Court considers at the outset that, having regard to its limited role in determining the admissibility of a piece of evidence or reviewing its assessment by national courts, it is not necessary, for the purposes of its present examination under Article 6, to determine whether the contested evidence was actually obtained lawfully in terms of domestic law and was admissible, or whether the domestic courts made any substantive errors in their assessment of the relevant evidence. Its task under Article 6 § 1 is rather to assess the fairness of the proceedings as a whole […]. The Court notes in this regard that there is a distinction between the admissibility of evidence – that is to say the question of which elements of proof may be submitted to the relevant court for its consideration – and the rights of the defence in respect of evidence which in fact has been submitted to the court […]

311. Turning to the facts of the present case, […] the applicant’s conviction for membership of an armed terrorist organisation rested decisively on the finding that he had used the ByLock application, which finding was primarily based on the data obtained by the [Turkish Intelligence service], the remaining evidence serving only as a source of corroboration. In these circumstances, the quality of the evidence in question […] [was] all the more important. […]

[…]

314. According to the applicant, the detailed requirements set out in Articles 134 and 135 of the [Code of Criminal Procedure] […] regarding the collection of electronic data pursued the aim of protecting against abuse and ensuring the authenticity and integrity of such data. He claimed, on that basis, that the fact that the State intelligence service had obtained and processed the relevant ByLock data in total secrecy and without any judicial oversight or other procedural guarantees envisaged under the Code of Criminal Procedure had put into question the reliability of the data.

315. The Court notes that electronic or other data collected by intelligence services, whose activities in that regard may or may not be subject to the standard rules of procedure applicable to the collection of evidence, may be increasingly resorted to in criminal proceedings as direct or indirect evidence. […]

316. It is not for the Court to pronounce on whether and in what circumstances and format intelligence information may be admitted in criminal proceedings as evidence. […] [This] is a matter that primarily remains within the discretion of national courts and other competent authorities […]. It acknowledges, however, that in cases where the collection or processing of such information is not subject to prior independent authorisation or supervision, or a post factum judicial review, or where it is not accompanied by other procedural safeguards or corroborated by other evidence, its reliability may be more likely to be called into question.

317. […] [I]t transpires from the information in the case file that sections 4 (1) and 6 (1) of the Law on Intelligence Services, invoked by the domestic courts and the Government as the legal basis for the [Turkish Intelligence service’s] conduct, do not envisage procedural safeguards akin to those set out under Article 134 of the Code of Criminal Procedure with respect to the collection of electronic evidence, including independent authorisation or oversight. Moreover, nothing in the case file suggests that the Ankara Fourth Magistrate’s Court’s subsequent order for the examination of the ByLock data pursuant to Article 134 of the Code of Criminal Procedure entailed a post factum judicial review of the [Turkish Intelligence service’s] data collection activity. […]

318. The Court […] considers that it is not in a position to assess whether those measures presented sufficient guarantees of integrity and reliability, given in particular that the domestic courts did not engage in such an assessment.

[…]

323. […] [A]lthough [the Court] recognises that the circumstances in which the ByLock data was retrieved by the Turkish Intelligence service did prima facie raise doubts as to their “quality” in the absence of specific procedural safeguards geared to ensuring their integrity until the handover to the judicial authorities, the Court does not have sufficient elements to impugn the accuracy of those data – at least to the extent that they established the applicant’s use of the ByLock application.

(6.2.3) Principles of equality of arms and adversarial proceedings: the ability to verify the reliability and integrity of encrypted electronic evidence and challenge it in criminal proceedings

ECtHR, Yüksel Yalçınkaya v. Türkiye, App no 15669/20, 26 September 2023 (Grand Chamber)

The Court discusses the following questions:

• Does an individual have a right to have access to raw, encrypted electronic data so as to verify their reliability and integrity and, thus, be able to contest the veracity of the arguments made against them?
• Is the disclosure of evidence an absolute right under the right to a fair trial?
• If it is not an absolute right, what are the obligations of national authorities/courts in order to comply with the guarantees of a fair trial?

[…]

306. [..] a fundamental aspect of the right to a fair trial is that criminal proceedings, including the elements of such proceedings which relate to procedure, should be adversarial and that there should be equality of arms between the prosecution and defence. The right to an adversarial trial means, in a criminal case, that both prosecution and defence must be given the opportunity to have knowledge of and comment on the observations filed and the evidence adduced by the other party. [….]

307. The right to an adversarial trial also requires, in a criminal case, that the prosecution authorities disclose to the defence all material evidence in their possession for or against the accused. […]

308. However, the entitlement to disclosure of relevant evidence is not an absolute right. In any criminal proceedings there may be competing interests, such as national security or the need to keep secret police methods of investigation of crime, which must be weighed against the rights of the accused. […] In some cases, it may be necessary to withhold certain evidence from the defence so as to preserve the fundamental rights of another individual or to safeguard an important public interest. That said, in principle, only such measures restricting the rights of the defence which are strictly necessary are permissible under Article 6 § 1. Moreover, in order to ensure that the accused receives a fair trial, any difficulties caused to the defence by a limitation on its rights must be sufficiently counterbalanced by the procedures followed by the judicial authorities […]

[…]

324. The Court reiterates that a review of the overall fairness of the proceedings must also incorporate an assessment as to whether the applicant was given the opportunity of challenging the evidence and of opposing its use in circumstances where the principles of adversarial proceedings and equality of arms between the prosecution and the defence were respected […]. It is stressed that the question whether the applicant’s challenges to the evidence were properly examined by the domestic courts, that is whether the applicant was truly “heard”, and whether the courts supported their decisions with relevant and adequate reasoning, are also factors to be taken into account in conducting this assessment. […]

325. The applicant [..] claimed that it was essential for him to have access to [the data collected by the Turkish Intelligence service from the ByLock server] so as to verify their reliability and integrity, as well as to access potentially exculpatory information, and to contest the veracity of the arguments […] that were relied on by the domestic courts in support of his conviction […]

326. The Court notes, as also pointed out by the Government, that the applicant had available to him all the ByLock reports relied on by the domestic courts in the criminal proceedings, and that the accuracy of the ByLock data pertaining to him had been verified on the basis of data obtained from other sources. The Court further notes that a technical report produced in 2020 explained that it was not possible to sort the raw data on a user ID basis without first processing them […]

327. The Court reiterates in this connection that the requirement of disclosure to the defence of “all material evidence” for or against the accused, which is an aspect of the right to adversarial proceedings […], cannot be construed narrowly […]

328. […] the ByLock data in question were critical in the applicant’s case […] It may, moreover, not be excluded that the ByLock material potentially contained elements which could have enabled the applicant to exonerate himself, or to challenge the admissibility, reliability, completeness or the evidential value of that material […]

329. The Court must nevertheless emphasise that the entitlement to disclosure of evidence is not an absolute right. […] [T]here may be a variety of reasons which may require the withholding of evidence from the defence, including concerns over national security […]

330. That said, even in such circumstances, the Court must examine whether any prejudice sustained by the applicant on account of the non-disclosure of the relevant ByLock data was counterbalanced by adequate procedural safeguards and whether he was given a proper opportunity to prepare his defence, as required by Article 6 […]

331. The Court notes firstly that according to the information in the case file, the reasons advanced by the Government before the Court […] to justify the non-disclosure of the relevant data to the applicant were never actually adverted to in the domestic courts’ judgments […]; the applicant’s request that the data be admitted to the case file simply went unanswered. The complementary analysis report submitted by the Government to the Court, which provided further insight into how the ByLock user lists had been drawn up and why the raw data pertaining to individual ByLock users could not be isolated and shared with the relevant users, was similarly not available to the applicant during the course of the criminal proceedings against him. […] Accordingly […] the Court […] cannot but note that the applicant was given no explanation by the domestic courts as to why, and upon whose decision, the raw data – particularly to the extent that they concerned him specifically – were kept from him. He was therefore deprived of the opportunity to present any counter-arguments, such as to contest the validity of those reasons or to dispute that all efforts had been made to strike a fair balance between the competing interests at play and to ensure the rights of the defence. […]

332. Secondly, the applicant’s request that the raw data be submitted to an independent examination for the verification of their content and integrity was also not entertained by the domestic courts. […]

333. That said, given in particular the absence of any concrete information in the case file to suggest that the data in question had at any point been subjected to examination for verification of their integrity […] the Court considers that the applicant had a legitimate interest in seeking their examination by independent experts and that the courts had the duty of properly responding to him. […]

334. […] The Court notes […] that other than confirming the lawfulness of the data collection procedure […] the domestic courts did not address the separate matter of how the integrity of the data obtained from the server had been ensured in all respects – that is, beyond the issue of the applicant’s individual use […]. Nor did they refer to any other judgments or procedures where this matter was addressed. […]

335. [W]hile it may not have been possible to share the raw data with the applicant, the requirement of “fair balance” between the parties would have at least required the proceedings to be conducted in a manner that would enable the applicant to comment on the full extent of the decrypted material concerning him, including, in particular, the nature and content of his activity over that application. […]

341. The Court considers, in the light of the foregoing, that there were not enough safeguards in place to ensure that the applicant had a genuine opportunity to challenge the evidence against him and conduct his defence in an effective manner and on an equal footing with the prosecution […]. Moreover, the domestic courts’ failure to respond to the applicant’s specific and pertinent requests and objections raised a legitimate doubt that they were impervious to the defence arguments and that the applicant was not truly “heard”. In view of the importance of duly reasoned decisions for the proper administration of justice, the domestic courts’ silence on vital matters that went to the heart of the case also raised well-founded concerns on the applicant’s part regarding their findings and the conduct of the criminal proceedings “as a matter of form” only […].

[…]

346. In the Court’s view, the foregoing considerations are sufficient to lead to the conclusion that the criminal proceedings against the applicant fell short of the requirements of a fair trial in breach of Article 6 § 1 of the Convention.

(6.2.4) Right to have adequate time and facilities for the preparation of one’s defence (Art 6(3)(b) ECHR)

ECtHR, Rook v. Germany, App no 1586/15, 25 July 2019

One of the relevant questions in this case was whether the State should bear the cost for the expensive special forensic-data-analysis programme which was used by authorities to encrypt the applicant’s data.

3. The applicant alleged that, during the criminal proceedings against him, he and his counsel had not been provided with sufficient and adequate access to audio files, text messages and electronic files (specifically emails and other text documents) which the investigating authorities had seized throughout the investigation. He relied on Article 6 § 1 and 3 (b) of the Convention.

8. During searches of the applicant’s home and of other premises between 13 July 2011 and 1 February 2012, some 14 million electronic files (for example emails and other text documents), stored on a range of data devices, for example hard discs, were seized. The files of each device were copied as a single “image file”, the devices were returned to the rightful holders, including the applicant, afterwards. Each image file was a full digital clone of each data device, readable with a program available free of charge online. However, the image files were subsequently entered into a special forensic-data-analysis program, after which their content could be retrieved only using that special program, available for 4,031.72 euros (EUR). After the data had been entered into that program, in order to be able to read the data with a program available free of charge online, the data had to be exported from the special forensic-data-analysis program and converted back into an image format. The above-described processing of the data, in particular feeding them into the special forensic-data-analysis program, was finished by the end of February 2012; they were stored at the Bavarian Office of Criminal Investigation in Munich.

9. The data were analysed by the police; around 1,100 of these electronic files were considered as relevant to the case and were printed and subsequently included in the paper files.

[…]

Disclosure of the electronic files

70. The Court observes that the applicant’s lawyer could have accessed – but never did – the entirety of the electronic files on the premises of the criminal police as of the end of February 2012, when he must also have been aware of the fact that electronic files – apart from his own – had been retrieved […]. The Court furthermore observes that, after the applicant had only on 3 April 2012 […] requested disclosure of the entirety of the electronic files, the authorities did not object in principle, but were ready to allow for examination. In this connection, the Court notes that on 22 May 2012 the authorities provided the applicant’s lawyer with a copy of the entirety of the electronic files. This copy was, however, readable only with an expensive software which lawyers and private individuals appear to not usually have at their disposal […]. Therefore, the events following the request of 3 April 2012, in particular the dispute concerning the question whether the state should bear the cost for the expensive special forensic-data-analysis program […], disclose practical difficulties in view of the encryptment of an enormous amount of data. The Court moreover notes that only in July 2012, the defence asked to be provided with a copy in a format readable with freely available software, a request to which the authorities agreed on short notice […]. The applicant’s lawyer provided two hard discs at the end of July 2012, and the data was provided on 4 September 2012 […]. Moreover, even if the Court does not consider it necessary for the applicant to explain his defence strategy, the Court observes that the applicant has, neither in the domestic proceedings nor before the Court, specified in what particular manner the invoked restrictions had interfered with his opportunity to defend himself.

[…]

(6.3) The rights to remain silent and not to incriminate oneself: forcing suspects to unlock their electronic devices

(6.3.1) Criteria for the lawful use of compulsory powers to obtain material from a suspect

ECtHR, Saunders v the United Kingdom, App no 19187/91, 17 December 1996 (Grand Chamber)

• According to the ECtHR, the right not to incriminate oneself is primarily concerned with respecting the will of an accused person to remain silent.
• However, this right does not extend to the use in criminal proceedings of material which may be obtained from the accused through the use of compulsory powers that has an existence independent of the will of the suspect (e.g., documents, breath, blood and urine samples and bodily tissue acquired pursuant to a warrant, breath, blood and urine samples and bodily tissue)
• The crucial question is to decide when an action is independent of the will of the suspect.

68. […] although not specifically mentioned in Article 6 of the Convention, the right to silence and the right not to incriminate oneself are generally recognised international standards which lie at the heart of the notion of a fair procedure under Article 6. Their rationale lies, inter alia, in the protection of the accused against improper compulsion by the authorities thereby contributing to the avoidance of miscarriages of justice and to the fulfilment of the aims of Article 6 […]. The right not to incriminate oneself, in particular, presupposes that the prosecution in a criminal case seek to prove their case against the accused without resort to evidence obtained through methods of coercion or oppression in defiance of the will of the accused. In this sense the right is closely linked to the presumption of innocence contained in Article 6 para. 2 of the Convention.

69. The right not to incriminate oneself is primarily concerned, however, with respecting the will of an accused person to remain silent. As commonly understood in the legal systems of the Contracting Parties to the Convention and elsewhere, it does not extend to the use in criminal proceedings of material which may be obtained from the accused through the use of compulsory powers but which has an existence independent of the will of the suspect such as, inter alia, documents acquired pursuant to a warrant, breath, blood and urine samples and bodily tissue for the purpose of DNA testing.

(6.3.2) Forcing the biometric unlocking of a smartphone?

Dutch Supreme Court, 9 February 2021, ECLI: SR:HR:2021:202 (in Dutch) (unofficial translation)

• The case concerned the forced biometric unlocking (by engaging suspect and placing his thumb on fingerprint scanner of the confiscated smartphone of the suspect) so as to gain access to content for investigative purposes.
• The Court found, in this case, that the material obtained existed independently of the will of the suspect and could be obtained under duress.
• The Court also distinguished this scenario (forcing biometric unlocking) from forcing a suspect to give the access code of his phone, which requires a statement and likely violates the right not to be self-incriminated.

In this context, the question arises whether placing the thumb of the suspect on the iPhone without his consent/co-operation is contrary to the nemo tenetur principle. This principle concerns the right of a suspect not to be forced (actively) to cooperate in his own conviction. It follows from the case-law of the European Court of Human Rights (the ECHR) that this mainly concerns the making of declarations under duress. The right of suspect not to [incriminate] himself is “primarily concerned with respecting the will of an accused person to [be] silent” […]. A suspect is obliged to (passively) undergo and tolerate investigation measures. Material that exists independently of the will of the suspect may be obtained under duress, such as blood and urine samples ([…] ECHR 17 December 1996, NJ 1997/699 (Saunders/United Kingdom)).

Unlike the situation in which the defendant is forced to give the access code of his phone, which requires a statement from a suspect, placing the thumb of the suspect on his iPhone in the opinion of the court does not infringe the nemo tenetur principle. This concerns the tolerance of an investigative measure that does not require the active cooperation of the suspect. In addition, the fingerprint is obtained with a very small degree of coercion. The fact that with the placing of the suspect’s thumb on the iPhone access to possible will-dependent and incriminating data does not make this any other in the opinion of the court.

Read: A Pivaty, Suspects’ privilege against self-incrimination not violated when made to unlock smartphone with fingerprint, Dutch Supreme Court rules, Fair Trials, 19 February 2021