The methods of acquiring encrypted chats. The evolution of the legal framework starting from the Sky-ECC/EncroChat cases

Article by Prof. Avv. Roberto De Vita published in no. 2/2025 of the Rassegna dell’Arma dei Carabinieri (Carabinieri’s Review).

The Franco-Dutch investigative operation that led to the mass collection of data by European authorities has generated a varied and substantial body of case law. At the same time, it has sparked a debate on the acquisition of encrypted communications from secure devices and its implications for adversarial proceedings and judicial oversight. This debate has prompted numerous critical reflections on the balance between investigative effectiveness and the protection of defendants’ rights. Starting from the EncroChat and Sky-ECC cases, both supranational and national rulings have followed, from the judgment of the Court of Justice of the European Union on the EncroChat case, which established the legitimacy criteria for the issuance and use of the European Investigation Order (EIO), to the 2024 “twin” rulings of the Italian Supreme Court’s United Sections, which have shaped recent Italian case law and the practices of judicial authorities, law enforcement, lawyers, and technical consultants.

Summary: 1. The EncroChat case. – 2. The ruling of the European Union Court of Justice. – 3. National cases: from EncroChat to Sky-ECC. – 4. The twin rulings of the United Sections of the Court of Cassation.

1. The EncroChat case

The constant technological evolution of encryption systems protecting digital devices has significantly increased, in recent years, the importance of issues related to the methods used to acquire the data stored on them.

In the European context, particular relevance has been given to the judgment delivered on April 30, 2024, by the Court of Justice of the European Union in case C-670/22 – M.N. (EncroChat), following questions referred by a German court (Landgericht Berlin). The case primarily concerned the legitimacy of European Investigation Orders (EIOs) issued by the German Public Prosecutor’s Office to France, requesting data from the EncroChat messaging application collected by French authorities, to be used in criminal proceedings in Germany.

The case[1] stems from a lengthy investigative operation, following which—in 2020—the police forces and judicial authorities of France and the Netherlands (supported by Europol and Eurojust) announced they had dismantled the encrypted communication network in question, which was primarily used by organized criminal groups. During the investigation, millions of messages exchanged via the platform were intercepted and analyzed in real time.

The distinctive feature of these messaging systems lay in the ability to purchase subscriptions (costing thousands of euros) for the use of modified devices provided by vendors, equipped with features designed to reduce traceability. These included the disabling of microphones, GPS, and cameras, automatic deletion of sent messages after just a few seconds, and more. Additionally, users could enable a “dummy mode” that made the phone appear as a standard Android device, as well as a “panic button” to immediately erase the entire contents of the device[2].

Starting from an operation carried out on an EncroChat server located in Roubaix, France, investigators developed a trojan malware that was first injected into the server and then into users’ devices, disguised as an operating system update. Out of 64,134 registered users, 32,477 accounts from 122 different countries were monitored. Among these, 380 were located in France and as many as 4,600 in Germany. Thanks to the chats extracted from EncroChat and those obtained in a similar operation involving Sky-ECC servers in Belgium, over one hundred members of drug trafficking organizations have recently been convicted in Belgium[3].

Through this operation, between April and June 2020, French authorities were able to collect various types of data: device IMEI codes, users’ email addresses, date and time of communications, the location of the antennas used to access the network, as well as the textual and multimedia contents of ongoing conversations. They also managed to access the entire memory of the intercepted devices, including messages sent before the start of the investigation that had not yet been deleted. These actions led to numerous arrests[4], even in countries that had not been directly involved in the investigation but where the use of encrypted phones was particularly widespread among criminal organizations. The interception operation concluded on June 13, 2020, when EncroChat realized its systems had been compromised and sent an alert message to all its users.

The defendant in the case brought before the CJEU was also a user of the platform, which he used to manage drug trafficking operations. He faced fourteen charges related to drug dealing and four for possession of narcotics, including 188 kilograms of marijuana and 3.5 kilograms of cocaine, all within the period between April and May 2020. The proceedings were initiated after the BKA (Bundeskriminalamt)[5] acquired data related to German users, obtained through cooperation with the joint Franco-Dutch investigative team. Only at a later stage did the German authorities issue a European Investigation Order (EIO) to officially use the data provided by the Gendarmerie as part of their investigation.

Since this method of data acquisition was considered to conflict with the safeguards provided by German and European law, the Regional Court of Berlin deemed it appropriate to refer the matter to the Court of Justice of the European Union to assess its legality and admissibility.

2. The ruling of the European Union Court of Justice

In its judgment, the CJEU based its reasoning on the provisions of Directive 2014/41/EU[6] concerning the European Investigation Order (EIO) in criminal matters.

First, the Court focused on the authority competent to issue an EIO aimed at obtaining the transmission of evidence already in the possession of the competent national authorities. It clarified that this authority does not necessarily have to be a judge, provided that this is in accordance with the legal provisions of the issuing Member State. In Germany, for instance, an order for the transmission of already collected data may be issued by a public prosecutor—unlike an order for data interception, which must be issued by a judge. In the case at hand, therefore, a public prosecutor could validly issue an EIO requesting the transmission of EncroChat data already gathered by the executing State (in this instance, the French authorities).

Secondly, the public prosecutor may issue an EIO for the transmission of evidence already held by the authorities of the executing State, even if such evidence was obtained through the interception of encrypted telecommunications by the authorities of the issuing State, as long as the investigative order complies with all conditions that may be required under the law of the issuing State for the transmission of such evidence in a purely domestic case.

Where such a measure is not permitted in a comparable domestic case, the notification allows the competent authority of the notified State to indicate that the interception cannot be carried out or must be terminated, or, where applicable, that the material already intercepted cannot be used or may only be used under certain conditions. This not only ensures respect for the sovereignty of the notified State, but also safeguards the rights of individuals involved in the interception.

Finally, the Court stated that the obligation to exclude information and evidence obtained in breach of EU law requirements arises only if a court concludes that the EIO was issued unlawfully. In any case, the rules concerning the admissibility of evidence and the assessment of information in criminal proceedings fall within national law. However, the rights of the defence and the right to a fair trial must be guaranteed: if a defendant is unable to examine or challenge important information or evidence obtained through the EIO, and such evidence is likely to have a decisive influence on the facts and on the judge’s decision, it must be excluded from criminal proceedings by national courts.

3. National cases: from EncroChat to Sky-ECC

In Italy, the Court of Cassation reviewed a decision by the Rome Tribunal, which had rejected a defendant’s request to disclose the methods used by the police to acquire and decrypt data from Sky-ECC[7], a platform based on encrypted phones similar to EncroChat[8].

The Tribunal had argued that, since the material had been obtained by Europol and foreign judicial authorities on the basis of a European Investigation Order (EIO), the information could be used without further verification, relying on the presumption that the interception had been carried out lawfully.

The Court of Cassation, however, ruled that encrypted messages obtained by Europol and foreign authorities could not be used unless prosecutors explained how such evidence had been acquired.

According to the Court, the principle of adversarial proceedings implies a dialectical process that concerns not only the content of the acquired material, but also the methods by which it was obtained. Therefore, the defendant should be able to challenge not only the substance of the evidence, but also the process of its acquisition, in order to ensure the full right to defense and to assess the relevance, reliability, and probative value of the evidence[9].

However, following that ruling, in 2023 the same Italian Court of Cassation issued other judgments concerning encrypted communication platforms such as Sky-ECC and EncroChat, departing from the aforementioned principles. Instead, it confirmed the validity and admissibility of data acquired in criminal proceedings through European Investigation Orders (EIOs), adopting a stance aimed at preserving investigative results rather than upholding guarantees related to adversarial scrutiny of evidence acquisition methods[10].

4. The twin rulings of the United Sections of the Court of Cassation

In particular, the twin rulings of 2024 (nos. 23755 and 23756) established a series of legal principles regarding European Investigation Orders (EIOs) and the cross-border transmission of evidence within the Union—principles that may serve as an important interpretive benchmark, at least within Italy[11].

Regarding the legal classification, the Court clarified that such operations cannot be considered as a “seizure of documents and computer data stored abroad” (Article 234-bis of the Italian Code of Criminal Procedure). This provision was deemed incompatible with the legal framework governing the EIO, as it does not entail any form of cooperation with judicial authorities of other States. Furthermore, Recital 35 of the Directive explicitly states that the EIO takes precedence over any other international instrument applicable in the same field.

As a result, when relying on the EIO, the guarantees provided for the collection of evidence through this instrument must be respected. Chief among these is the principle of equivalence, which requires that the investigative act requested through an EIO must be admissible under the same conditions as would apply in a comparable domestic case. Another key element is the principle of proportionality, which demands that any restrictions on fundamental rights be limited strictly to what is necessary, without undermining their essential content.

The central issue concerns the application of these principles to evidence already independently collected by foreign authorities, which was gathered in accordance with the laws of the country of origin, rather than following the procedural rules of the domestic legal system.

Since neither the Directive nor Legislative Decree No. 108 of 21 June 2017[12] (which implemented the EIO by transposing the Directive) provides specific guidance on this matter, the relevant legal reference becomes Article 78 of the implementing provisions of the Italian Code of Criminal Procedure. This article governs the acquisition of documentation relating to acts carried out by a foreign judicial authority within a criminal proceeding, according to Article 238 of the Code of Criminal Procedure (which regulates the transfer of evidence from one proceeding to another within the same legal system). Although originally conceived at a time when the only international cooperation tool for evidence gathering was the letter rogatory, this provision is considered applicable to the EIO as well.

From this rule, the Italian Supreme Court’s United Sections derived a general principle that underpins their entire reasoning: in cases involving evidence already collected abroad prior to the issuance of the EIO, equivalence with domestic proceedings must not be assessed based on how the evidence was formed, but rather in terms of how it circulates between different proceedings.

It follows that, according to the Court of Cassation, the only evidentiary rules relevant to the acquisition in Italy of evidence gathered abroad are those provided under Article 238 of the Italian Code of Criminal Procedure (c.p.p.), as referenced by Article 78 of its implementing provisions. Additionally, if the evidence was obtained through wiretapping or interceptions, Article 270 c.p.p., which governs the use of intercepted communications in other proceedings, also applies[13].

The United Sections of the Court further ruled out the need for prior judicial authorization from the issuing State when an EIO is used to acquire encrypted communications that have already been autonomously collected abroad.

If, at the national level, the transfer of evidence between proceedings does not require prior judicial authorization, then the same principle applies to the EIO. In fact, neither Article 238 nor Article 270 c.p.p. imposes such a requirement.

By virtue of the principle of equivalence, the Court of Cassation thus held that an EIO of this kind may be issued directly by the public prosecutor, even when the evidence has been collected abroad through interceptions or the acquisition of call data records.

This conclusion is also supported by the judgment of the Court of Justice in the EncroChat case[14], which confirmed that the public prosecutor is among the authorities authorized to issue an EIO, provided they are competent, in a comparable domestic case, to order an investigative measure aimed at obtaining evidence already held by national authorities.

According to the Court, even though prior judicial authorization is not required for issuing an EIO to acquire encrypted communications already collected abroad, this does not mean that all forms of judicial oversight in the issuing State can be excluded. In fact, the EIO system necessarily entails judicial control to ensure compliance with fundamental rights and the principle of proportionality. It is also essential to guarantee that the investigative acts requested can be challenged through mechanisms equivalent to those available in domestic cases[15].

As a result, the issuing State must still provide for judicial oversight, even if it occurs at a later stage. The Court of Cassation considers that such review falls to the national judge who is called upon to use the evidence gathered abroad via an EIO—such as the trial judge or the judge deciding on a precautionary measure—who has the authority to assess whether the conditions for admitting and using that evidence are met. Moreover, this ex post review would be sufficient to safeguard the right to challenge provided under Article 14 of the Directive.

The position taken by the United Sections in these recent rulings has not been without criticism. As noted in academic commentary, the real issue is not the existence of judicial oversight per se, but rather its limitations—since the rules governing the admissibility of evidence obtained via EIOs in domestic proceedings remain unclear.

Indeed, despite the existence of a common legal framework for EIOs, Member States have thus far been unable to agree on harmonized rules regarding the admissibility of evidence, which continues to pose a significant barrier to effective European judicial cooperation[16].

Moreover, this implies that, if the principle of equivalence in terms of evidentiary forms and guarantees were to be applied strictly, most of the evidence would end up being inadmissible in domestic proceedings—particularly in cases like these, where the evidence was gathered well before, and independently of, the issuance of an EIO[17].

However, several commentators have pointed out that the actions carried out by the French judicial police would never have been admissible in an Italian trial if conducted under the rules of Italian domestic law. In effect, the operation amounted to mass surveillance without specific targets, resulting in a dragnet impact on all users involved[18]. Moreover, the model of deferred judicial oversight is unconvincing to some, appearing more like a mere opportunity to “have a say,” lacking any real effectiveness, and bearing little resemblance to the adversarial and immediate formation of evidence typically expected in a fair trial[19].

Following the twin rulings of the United Sections, the Court of Cassation confirmed the aforementioned approach and went even further, also allowing the use of IMSI Catcher technology in criminal investigations. This tool enables monitoring of mobile devices within a specific area by identifying the unique IMSI (International Mobile Subscriber Identity) code of SIM cards. It does not intercept the content of communications, but rather identifies the devices operating within the area—making it a useful and preparatory step for subsequent interceptions.

Although this activity closely resembles the acquisition of phone records in terms of the information obtained, the Court held that it should instead be classified as a proactive act of the judicial police and not as an evidentiary tool. It ruled that it does not constitute a means of obtaining evidence, but merely the “operational basis for the interception of conversations”[20].

The European Court of Human Rights (ECtHR), however, takes a different view. It found a violation of Article 8 of the ECHR in cases where information capable of identifying an individual user (in the specific case, data linked to an IP address) was obtained without proper safeguards. In particular, the Court emphasized the lack of protection against arbitrary interference, abuse, or the absence of independent oversight of police operations[21].

The impact of the recent rulings by the Court of Cassation is beginning to emerge in the operational practices of judicial authorities. Notably, newly published guidelines from the Public Prosecutor’s Office of Rome address the seizure of mobile phones and other digital devices[22]. These guidelines, taking into account the substantial case law on the matter, include the position that “the seizure of IT devices and their subsequent analysis may be ordered by the public prosecutor without prior judicial authorization.”

The stance taken by the Rome Prosecutor’s Office enters a highly debated area, especially in light of the controversial legislative process[23] currently underway to establish a more systematic legal framework for the seizure of digital devices (Bill No. C. 1822[24]). Contrary to much of the case law (including international precedents) and the approach adopted in the abovementioned guidelines, the intention of the legislature appears to be to require a judicial order issued by the preliminary investigations judge upon request of the public prosecutor.

In this context, a comprehensive legislative intervention is highly desirable—one that brings clarity to a regulatory field which, both in Italy and abroad, has seen significant divergence in legal doctrine and case law. So far, this has not produced a fully coherent approach that adequately respects the principles of adversarial proceedings and the right of the accused to a proper defense.

References

[1] Cf. Roberto De Vita, Marco Della Bruna, EncroChat: il rinvio pregiudiziale alla Corte di Giustizia dell’Unione Europea, in DEVITALAW, 8 April 2023, https://www.devita.law/encrochat-rinvio/.

[2] Gareth Corfield, Euro police forces infiltrated encrypted phone biz – and now ‘criminal’ EncroChat users are being rounded up, in The Register, 2 July 2020, https://www.theregister.com/2020/07/02/encrochat_op_venetic_encrypted_phone_arrests.

[3] Tribunal de première instance francophone de Bruxelles, 46e chambre correctionnelle, no. 2024/6283, 29 October 2024.

[4] In the Netherlands alone, hundreds of investigators used the data extracted from the chats to arrest more than 100 people, dismantle 19 synthetic drug laboratories, and seize large quantities of cocaine, crystal meth, weapons, vehicles and millions of euros in cash.

[5] BKA, https://www.bka.de/DE/Home/home_node.html.

[6] In particular, recitals 2, 5 to 8, 19 and 30 and Articles 1, 2, 4, 6, 14, 30, 31 and 33.

[7] On the matter as a whole, cf. Marcello Daniele, OEI e messaggi digitali già acquisiti all’estero, Riflessioni a partire dal caso Sky ECC, text of the paper, expanded and supplemented with notes, delivered as part of the course La cooperazione giudiziaria in materia penale nel quadro dei processi europei di digitalizzazione della giustizia (Naples, 9-11 December 2024), organised by the Scuola Superiore della Magistratura, in Sistema Penale, 27 March 2025, https://sistemapenale.it/it/articolo/daniele-oei-e-messaggi-digitali-gia-acquisiti-allestero.

[8] For further discussion, see Antonio Laudisa, Marco Della Bruna, Sky-ECC: il diritto di difesa e il contraddittorio sulle modalità di acquisizione di chat criptate. Nota a Cassazione penale n. 32915 del 07.09.2022, in DEVITALAW, 8 October 2022, https://www.devita.law/sky-ecc/.

[9] Cass. Pen., Sez. IV, 15 July – 7 September 2022, no. 32915.

[10] Cf., for example, Cass. Pen., Sez. VI, 26 October – 21 November 2023, no. 46833, on the usability of documentation of acts carried out independently by foreign judicial authorities in different criminal proceedings.

[11] Cass. Pen., SS.UU., 29 February – 14 June 2024, no. 23755 and Cass. Pen., SS.UU., 29 February – 14 June 2024, no. 23756. To the same effect, cf. Cass. Pen., Sez. III, 26 September – 3 December 2024, no. 44046; Cass. Pen., Sez. IV, 21 May – 22 August 2024, no. 32961; Cass. Pen., Sez. IV, 10 April – 3 July 2024, no. 25912; Cass. Pen., Sez. III, 22 January – 3 March 2025, no. 8865 which, on the basis of the principles expressed by the United Sections, reaffirmed, among others, the “principle of the presumption of legitimacy of the measures by which the executing State gathered the evidence and of conformity with fundamental rights of the activity carried out by the foreign judicial authority in the context of cooperative relations for the purpose of acquiring evidence, and of the burden on the defence to allege and prove the fact on which the alleged violation depends”.

[12] Legislative Decree No. 108 of 21 June 2017, Rules implementing Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters.

[13] Cass. Pen., SS.UU., 28 November 2019 – 2 January 2020, no. 51; Cass. Pen., Sez. VI, 20 January – 11 June 2021, no. 23148; Cass. Pen., Sez. IV, 25 June – 8 July 2020, no. 20127.

[14] CJEU, C-670/22, cit.

[15] In its Gavanozov II judgment (case C-852/19, 11 November 2021), the Court of Justice held that a means of challenge must exist even where none is provided for a similar case under domestic law, in application of the right to an effective remedy enshrined in Article 47 of the Nice Charter.

[16] Marcello Daniele, Le sentenze “gemelle” delle Sezioni Unite sui criptofonini, in Sistema Penale, 17 July 2024, https://www.sistemapenale.it/it/scheda/daniele-le-sentenze-gemelle-delle-sezioni-unite-sui-criptofonini#_ftn9.

[17] Marcello Daniele, OEI e messaggi digitali già acquisiti all’estero, Riflessioni a partire dal caso Sky ECC, cit.

[18] Gian Domenico Caiazza, Il Grande Fratello, l’incubo delle intercettazioni di massa è già realtà: siamo già tutti dentro Minority Report, in Il Riformista, 7 December 2025, https://www.ilriformista.it/il-grande-fratello-lincubo-delle-intercettazioni-di-massa-e-gia-realta-siamo-gia-tutti-dentro-minority-report-448364/.

[19] Luca Marafioti, Sezioni Unite e tirannie tecnologiche: diritto di difesa, contraddittorio e “criptofonini”, in Diritto di Difesa, 18 September 2024, https://dirittodidifesa.eu/sezioni-unite-e-tirannie-tecnologiche-diritto-di-difesa-contraddittorio-e-criptofonini-di-luca-marafioti/.

[20] Cass. Pen. 44047/2024 cit.

[21] ECtHR, Benedik v. Slovenia, application no. 62357/14, 24 April 2018.

[22] Procura della Repubblica presso il Tribunale Ordinario di Roma, no. 1637/2025 Prot. Gab. CIRC. N. 10, 9 June 2025, https://www.sistemapenale.it/pdf_contenuti/1749504886_circ-n-10-del-9-giugno-2025-linee-guida-in-materia-di-sequestri-di-telefoni-e-altri-strumenti-informatici.pdf.

[23] A proposito del d.d.l. in materia di sequestro di dispositivi, sistemi informatici o telematici o memorie digitali: le osservazioni del Procuratore nazionale antimafia e del Presidente dell’ANM, Sistema Penale, 25 May 2025, https://www.sistemapenale.it/it/documenti/a-proposito-del-ddl-in-materia-di-sequestro-di-dispositivi-sistemi-informatici-o-telematici-o-memorie-digitali-le-osservazioni-del-procuratore-nazionale-antimafia-e-del-presidente-dellanm

[24] Approved by the Senate on 10 April 2024 and transmitted to the Chamber of Deputies, assigned to the II Justice Committee, currently under examination in Committee, https://www.senato.it/leg/19/BGT/Schede/Ddliter/58159.htm. For further discussion, see Roberto De Vita, Valentina Guerrisi, Antonio Laudisa, Marco Della Bruna, La prova digitale nel processo penale, DEVITALAW, Rome, 2 May 2025.
