IT as a Challenge and Opportunity for Gathering Evidence in Punitive Proceedings

On 7 May 2024, we hosted our “International Conference on IT as a Challenge and Opportunity for Gathering Evidence in Punitive Proceedings”. This conference, organised within the framework of the ELEVADMIN project, welcomed over 60 participants from diverse academic, professional and personal backgrounds.

The Dean of the Faculty of Law, Economics and Finance (FDEF), Professor Katalin Ligeti, warmly welcomed the attendees. Professor Ligeti emphasized the University’s dedication to advancing knowledge in crucial legal domains and its role as a reliable partner for EU institutions. She saluted the broad overview of current technological challenges in collecting evidence presented during the conference.

Stanislaw Tosza, Associate Professor at the University of Luxembourg and lead organiser of the conference, provided the introduction. He presented how Information Technologies create new opportunities to gather evidence in punitive proceedings. The increasing digitalization of human activities produces large amounts of data which can be collected to serve as evidence in punitive – administrative or criminal – proceedings.

Stanisław Tosza ©Sophie Margue

High-profile speakers from the fields of academia, EU institutions, the private sector, and practitioners’ were present to discuss gathering electronic evidence in criminal and administrative proceedings, gathering evidence in virtual worlds and by means of artificial intelligence, as well as on challenges in acquiring and using financial data.

The main takeaways from each panel are:

1^st panel – Gathering electronic evidence for criminal and administrative investigations: new solutions and remaining challenges

The inaugural panel of the event delved into the nuanced landscape of regulatory solutions for gathering electronic evidence and the persistent challenges within.

• Prof. Vanessa Franssen (University of Liège and KU Leuven) commenced by unveiling the implications of the new E-evidence Regulation, facilitating direct cooperation between national law enforcement authorities and (online) service providers across EU Member States. Despite this harmonized framework, the text remains limited: national law will continue to apply to address its gaps. For instance, the text applies only to cross-border situations, to two types of orders (production and preservation), and to a limited personal scope. However, it may catalyse a shift in approach, fostering dialogue between service providers and enforcing authorities. Prof. Franssen also highlighted the Regulation’s tethering to national data retention regimes for effective implementation.

• Marta Laszuk (European Anti-Fraud Office – OLAF) presented the challenges faced by OLAF to gather evidence for administrative investigations. Despite the necessity to include IT opportunities to gather evidence, the legal basis for OLAF’s investigations has not much evolved since its creation. Particularly, no specific provision mandates online service providers to provide data. Nevertheless, the powers of OLAF still enable access to all types of data. Still, practical challenges remain, such as the differentiation between public and private devices used for business purposes, privileges and immunities, or digital forensics operations.

• Salomé Lannier and Martina Siclari (University of Luxembourg) presented the preliminary results from the ELEVADMIN project. The EU report investigated, on one side, the powers of EU-level administrative authorities responsible for enforcing relevant rules at the EU level; and on the other side, EU rules governing investigative powers for national competent administrative authorities at the national level, such as under the GDPR. Under these frameworks, administrations can receive extensive investigative powers, including some provisions dedicated to gather recordings of telephone conversations, electronic communications, or traffic data. The national reports highlighted that administrative bodies can impose significant fines, which may qualify as criminal sanctions under the European Court of Human Rights (ECtHR) case law, thus requiring significant safeguards. Some countries provide for a general framework on administrative proceedings with dedicated guarantees, while others diversely refer to each sectorial framework. To gather electronic evidence, some administrative authorities benefit from dedicated provisions, particularly based on EU law, while most investigatory powers enable to generally request any kind of documents or information.

• Natacha Trunkwald (POST Luxembourg) presented some insights on the collection of electronic evidence from an operator perspective. She first presented the corporate environment of the POST group, which acts as a multi-operator. Particularly, the group has a clear distinction between the network infrastructure services and the digital services, such as for telecommunication or cloud services. The Legal Department of POST Luxembourg acts as a single point of contact for law enforcement authorities to process the order of production, while it regularly impacts more than 100 employees of the group. Then, Madam Trunkwald delineated the meticulous paralegal process undertaken to validate and respond to production orders and gave examples of types of data that can be produced. She finally mentioned some upcoming challenges, such as a proposal of law on data retention, and the future implementation of the E-evidence regulation.

2^nd panel – Gathering evidence in virtual worlds

The second panel of the conference convened four experts to discuss evidence collection in virtual worlds.

• Prof. Stanisław Tosza (University of Luxembourg) provided an overview of challenges and opportunities in virtual worlds, drawing from the forthcoming report of the Innovation Friendly Regulations Advisory Group. He illustrated how virtual worlds impact many public sectors, including healthcare, education, and public safety. While some challenges are similar to those in current social media platforms (such as discrimination, negative impact on health, and content moderation), unique issues arise due to the immersive nature of virtual environments, such as data interoperability and digital identity. He also raised concerns about the regulation of evidence gathering in virtual worlds, touching on issues of territoriality, safeguards, and the involvement of private entities.

• Senior Lecturer Nóra Ní Loideáin (University of London) focused on data protection challenges in virtual worlds. On that regard, she differentiates online experience of virtual worlds (for instance, through a headset) and physical space linked to a digital immersive experience (such as a concert room). Current challenges might continue to apply, such as in the implementation of the GDPR, which led, for instance, to elevate standards on data integrity and confidentiality. However, new challenges might develop, linked to new power dynamics based on increased immersive experience, and the difficulty to protect privacy in virtual worlds. She presented a new legislative framework which will be of particular interest to regulate virtual worlds: the EU AI act. Yet, the text does not solve all issues. For instance, it remains to be seen how “significant harm” will be interpreted to prohibited certain AI systems. Access to data is still challenged as they rest in hand of private compagnies or as they can be encrypted.

• Prof. Eldar Haber (University of Haifa) presented his forthcoming paper on “The Criminal Metaverse”. This paper proposes a taxonomy of criminal behaviors in virtual worlds. Based on the element of harm, he categorized behaviors based on their resemblance to real-life criminal offenses, noting that while some actions, like fraud or child pornography, are unequivocally criminal, others, such as drug use, may not be. He highlighted the grey area of behaviors like avatar killing or virtual sexual crimes, acknowledging their impact on individuals while noting distinctions from real-world equivalents.

• Assistant Prof. Annelieke Mooij (Tilburg University) addressed the prevention of money laundering in the Metaverse. After defining money laundering, she discussed how virtual environments introduce new avenues for the placement and integration of laundered money. One question on enforcement, already mentioned throughout the panel, regards jurisdiction. More specifically, the prevention of money laundering might involve differently custodian and non-custodian wallet providers. The former type is regulated as a financial service provider, and thus must supervise and flag suspicious transactions. The latter type creates more risks as it allows anonymous transactions. Prof. Mooij then proposes to attach an algorithm as supervisor of every wallet, which would answer based on the German partial legal personality theory.

• 

  Natacha Trunkwald ©Sophie Margue

• 

  ©Sophie Margue

• 

  John A.E. Vervaele ©Sophie Margue

3^rd panel – Evidence for criminal investigations and AI

The third panel of the event delved into the role of artificial intelligence (AI) in evidence gathering.

• Dominik Brodowski (University of Saarland) discussed the use of AI evidence in post-inquisitorial criminal trials. He outlined three primary roles of AI in this context: filtering data (e.g., forensic analysis), producing measurements or evaluations (e.g., speed monitoring), and generating data (e.g., generative AI). He highlighted concerns regarding the use of filtered data, particularly regarding the selection process and the potential for bias. He also noted challenges with the reliability of AI evaluations and the tendency of judges to place undue trust in AI outputs, which can affect the fairness of proceedings. He emphasized the need for greater guarantees for the defense to challenge AI evidence effectively.

• Alice Giannini (Maastricht University) examined the challenges of proving negligence-based offenses involving AI. She outlined four key characteristics of AI—complexity, unpredictability, unexplainability, and autonomy—that are pertinent to criminal contexts. These attributes allow AI to engage in offensive actions or facilitate the demonstration of human negligence. Prof. Giannini illustrated her points with examples of AI-driven safety measures that partially replace human decision-making, advocating for meaningful human oversight to address cognitive biases that might lead to undue trust in AI outputs.

• Clare Garvie (National Association of Criminal Defense Lawyers) examined the use of AI in US criminal investigations and its implications for defendants’ rights. She noted that AI evidence is predominantly used in pre-trial stages and often involves outsourcing investigations to private entities. She raised concerns about transparency regarding AI systems used in investigations, citing trade secret protections that hinder defense efforts to question the reliability of evidence. She highlighted the pressure on defense attorneys to navigate these challenges, often leading to plea bargains without thorough consideration of AI-related issues.

4^th panel – Financial data as evidence – Technological challenges

The fourth panel of the conference focused on the role of financial data as evidence in investigations.

• Stéphanie Lhomme (Arendt Regulatory & Consulting) mentioned a broad diversity of challenges faced by corporations. Corporations are heavily investing in AI, yet face challenges posed by legislation, such as the paradox of complying with data protection while responding to regulatory inquiries spanning multiple jurisdictions. Encryption further complicates matters, as evidenced by cases where employees encrypt work computers. The investigative journey heavily relies on technologies like data fusion and analytics to derive actionable insights and identify patterns. However, AI’s limitations in addressing nuanced issues, such as analyzing accounting data, underscore the ongoing complexity. The unclear interplay between technology, data protection, and privacy necessitates further exploration, perhaps through innovations like explainable AI.

• Olivier Voordeckers (University of Luxembourg) presented the new regulatory framework to access financial data in the Open Banking era. Banks are mandated by legal obligations to share transaction data for customer-driven services, to enhance competition in the financial sector. While this data-sharing framework primarily serves customer-centric goals, there is potential to leverage it for compliance purposes. For instance, the new Anti-Money Laundering regulation provides a legal basis for partnerships in information sharing, enabling financial institutions to monitor transactions across borders and jointly ensure compliance. However, challenges exist in repurposing the regulatory framework for mutualized compliance platforms, suggesting the need for further exploration.

• Max Braun (Luxembourg Financial Investigation Unit) presented the role of technology in the practice of FIUs. Effective analysis of financial intelligence begins with collaboration between FIUs and the private sector. Given the impossibility of manually reviewing vast quantities of reports, FIUs rely on IT systems for efficient processing. The integrity of this chain is crucial, as it determines whether law enforcement agencies receive pertinent data for their investigations. However, challenges persist, such as ensuring data quality, navigating GDPR compliance, and addressing concerns about the transparency of AI algorithms. Balancing reliance on expensive tools held by private entities with the development of public authority tools remains a key consideration in optimizing financial intelligence analysis.

• Prof. Maxime Lassalle (University of Burgundy) compared the European and US legal frameworks to access financial data. Concerns over potential interference with individuals’ right to privacy arise in this context. Authorities typically request this information through subpoenas or production orders, with differing approaches between the EU and the US regarding coercion and privacy expectations. While US law historically prioritizes access to such data, recent cases like United States v. Carpenter highlight evolving perspectives on privacy, particularly concerning telecommunication data. As technology advances, considerations regarding the intrusiveness of accessing financial and electronic data, including pending cases such as those involving crypto records, remain pertinent in both legal and societal discussions.

We extend our sincere gratitude to all presenters and participants for sharing their research, insights, and contributing to this successful event!

• 

  ©Sophie Margue

• 

  ©Sophie Margue

• 

  ©Sophie Margue