Obtaining evidence via the installation of decryption tools on encrypted mobile phones without the knowledge of the person concerned has no legal basis in Austria. But does this also apply if such evidence was initially obtained by a foreign authority? The Supreme Court recently had the chance to address this question.
The question of whether authorities should be permitted to authorise the interception of encrypted mobile phones' messages through covertly installed software (a "Trojan horse" ["Bundestrojaner"]) has been hotly debated for years (similar to the seizure and examination of mobile data and data carriers [cf newsletter dated 21 November 2024]). Such measures had already been in force, but in December 2019, their implementation was deemed to be unconstitutional by the Constitutional Court because the serious interference with Article 8 ECHR was not adequately counterbalanced with its protection. In addition, the Court criticised the lack of safeguards ensuring that the surveillance measures would be used solely for investigating and prosecuting serious criminal offences.
Since then, the need to have these measures (re)installed in a constitutional way for combatting crime has been a constant topic of discussion.
It seems clear that it would also be unlawful for Austrian authorities to use evidence obtained through such software by foreign authorities and subsequently provided to them for use in criminal proceedings. Recent decisions by the Austrian Supreme Court shed some light – up to a point:
In two separate decisions by separate senates (14 Os 107/24b and 11 Os 129/24s), the Supreme Court suggested that it might be unlawful for Austrian authorities to use evidence obtained by foreign authorities (in the case at hand from an EU Member State), which installed decryption software on encrypted mobile phones ("crypto-phones") without the user's knowledge.
This follows from the ECJ's interpretation in C-670/22, M.N. (EncroChat), to which the Supreme Court referred. In it, the ECJ stated that a measure entailing the infiltration of terminal devices for the purpose of gathering traffic, location and communication data of an internet-based communication service constituted an "interception of telecommunications". Accordingly, under Article 31 (1) of Directive 2014/41/EU, such a measure must be notified to the respective authority of the Member State on whose territory the subject of the interception was located.
In such a case, the Austrian Public Prosecutor's Office, which had not participated in the measures in question, would have been obliged to notify the foreign authorities within 96 hours that the interception in Austria must not be carried out or was to be terminated, and that the results of the interception already collected must not be used ("no enforcement"). This mechanism is outlined in Para 55d (7) of the Judicial Cooperation in Criminal Matters with the Member States of the European Union (EU-JZG).
Under Austrian law, the prohibition on the use of evidence (Beweisverwendungsverbot) results in the nullity of the judgment should the evidence be used in the trial. It is worth adding that this prohibition has no "remote effect" (Fernwirkung): evidence obtained on the basis of inadmissible evidence is not itself rendered inadmissible (no "fruit of the poisonous tree" doctrine).
Ultimately, the Supreme Court did not make a final decision on the matter at hand because it was unclear whether the foreign authorities (i) had obtained the data in a manner that would constitute an obstacle to enforcement, and (ii) informed the Austrian authorities about this. This will have to be assessed in the next round of the proceedings.
Shortly prior to decision 11 Os 129/24s, another decision (14 Os 14/24a) was rendered by the same senate competent for decision 14 Os 107/24n. While the facts of the case may appear comparable at first, the outcome is strikingly different.
In the case at hand, foreign authorities smuggled mobile phones equipped with encryption software into suspected criminal organisations, presenting them as (supposedly) tap-proof, but were able to decrypt them ("ANOM-phones"). In a different operation, they then seized the server of a communications provider that had provided its customers with mobile phones containing encryption software ("SKY ECC-phones"), which made the communications conducted via it accessible. Once again, the Austrian authorities were not involved in the measures in question, but were subsequently provided with the data, which they used in criminal proceedings in Austria, leading to the conviction of a perpetrator.
Contrary to the decisions discussed in the previous chapter, this time the Supreme Court determined that the evidence could have been used in the proceedings and could have led to the perpetrator's sentencing. This seems surprising at first. But there are crucial differences.
As regards the smuggling of mobile phones with encryption software, the foreign authorities were from outside of the EU (USA and Australia). Thus, the elaborations undertaken by the Supreme Court based on the Directive, EU-JZG and the ECJ do not apply, nor do (other) Austrian law or the respective Treaty between Austria and the USA or Australia provide for such consequences as Para 55d (7) EU-JZG. The Supreme Court elaborated at length that evidence obtained abroad without the involvement of Austrian authorities in a manner contrary to Austrian law was not necessarily inadmissible – at least as long as no fundamental procedural principle was violated (such as evidence obtained by torture) and the suspect was granted the right to be heard.
As regards the seizure of the server, this occurred in France and the server was provided to the Austrian authorities by the French authority. Crucially, the Supreme Court appears to distinguish between surveillance through the infiltration of mobile phones and the seizure of a server. In the latter case, the mechanism provided for particularly in Para 55d (7) EU-JZG again does not apply.
The current legal framework addressing the (in)admissibility of evidence obtained through the infiltration of encrypted mobile phones is not easy to untangle. Whereas infiltration leading to interception in Austria and the EU would lead to evidence being inadmissible, this does not seem to be the case if a non-EU authority is at work, even though the lawful usage of such evidence is not generally provided for under Austrian law.
It remains to be seen whether discussions on this topic will continue and whether a clear legal framework will soon be established to resolve the current uncertainties.
author: Oliver Michael Loksa, Counsel (Austria, Vienna)