A Berlin court has raised serious doubts about the legality of using data from 120 million messages obtained by police when they hacked into an encrypted phone service. The Landgericht Berlin, the largest criminal court in Germany, ruled that text messages intercepted by French police from the EncroChat network can’t be used to prosecute a person for drug trafficking in Germany.
This decision challenges the assumption that evidence gathered by one European country can automatically be used in others under the mutual recognition principle. As a result, the ruling could impact how future hacking efforts by law enforcement in Europe are treated, according to defence lawyer Christian Lödden.
EncroChat is one of several encrypted communication platforms infiltrated by law enforcement agencies in Europe since 2020. This operation led to numerous arrests and significant seizures, all linked to organized crime, drug trafficking, and money laundering.
French and Dutch police managed to harvest messages from 4,600 EncroChat users in Germany and thousands more across Europe by breaking into servers in France in a coordinated operation. A major investigation over three years resulted in 6,500 arrests worldwide and the confiscation of nearly €900 million in cash and assets.
However, the Berlin court’s recent ruling questioned the legality of how this data was obtained. During the trial, the court learned that French authorities didn’t gather data from a central server but directly from the phones of EncroChat users located on German territory. As per German law, this meant prosecutors should’ve obtained approval from local courts to use the French-supplied data.
The judges found that prosecutors hadn’t requested judicial approval, and it wouldn’t have been granted under German law. The court’s decision also highlighted the need for formal notifications and due process when one country’s law enforcement acts on behalf of another.
The Berlin court posed questions to the European Court of Justice (CJEU) regarding whether sharing these hacked messages was lawful. The CJEU stated that France should have formally informed Germany about the interceptions and given them a chance to object within a specified timeframe.
The European court emphasized that protections under the European Investigation Order (EIO) Directive aim to defend the rights of individual users, not just the interests of countries involved. This contradicted earlier German court rulings that viewed the directive as solely about state sovereignty.
The ruling means that the principle of mutual trust among EU member states doesn’t erase Germany’s obligation to determine if the French hacking operation complied with its laws. The presiding judge noted that a German court would have likely rejected the hacking operation since the criteria for suspecting serious crimes weren’t met.
Moreover, the judge pointed out that prosecutors hadn’t proven that less intrusive methods could not have been used to gather the required evidence. The cooperation principle within Europe must prioritize the privacy rights of citizens in different member states, the judge asserted.
While the CJEU allowed German prosecutors to request EncroChat data from France, it did not grant blanket approval to use this data without a court’s permission.
The court also recognized that the hacking was not just a French police operation; it involved collaboration with other EU states. Although France notified its partners in advance, it failed to comply with the necessary procedures for informing Germany about the operation.
German defence lawyer Lödden emphasized that this ruling could set a precedent for similar cases in Germany and affect the use of evidence across Europe. Defence lawyers in the Netherlands, Montenegro, and Italy have expressed hopes that the decision may influence their legal proceedings as well.
A written version of the ruling is still pending, and German prosecutors are likely to appeal to the Supreme Court.