SkyECC, EncroChat & ANOM: The Global Legal Reckoning
- Joint Defense Team
A survey of landmark rulings on the admissibility of encrypted communications evidence — from national courts to the European Court of Justice

Across Europe and beyond, courts are confronting a common set of questions: can evidence derived from mass interception of encrypted communications — obtained without individualised suspicion, by foreign authorities, using covert malware — ground a criminal conviction? The answers are increasingly sceptical, and the legal architecture underpinning these prosecutions is under unprecedented scrutiny.
The operations targeting SkyECC, EncroChat, and ANOM were unprecedented in scale. The SkyECC harvest alone swept data from approximately 170,000 users over 21 months, coordinated through Europol and Eurojust without any concrete suspicion attaching to individual users. Defence lawyers have been challenging the legality of these operations in various national courts as well as before the ECHR and the Court of Justice of the EU, and are winning ground. What follows is an overview of the most important pending cases.
European Court of Human Rights
SILGIR V. GERMANY — APPLICATIONS NOS. 27618/21 & 22234/2 (EncroChat)
Communicated — status: pending
Murat Silgir was arrested in 2020 on the basis of EncroChat data and convicted in 2021 by the Landgericht Bremen on 26 counts of gang drug trafficking, receiving a sentence of 12.5 years. The data derived from a covert French operation in which the encrypted EncroChat network was remotely infiltrated between April and June 2020. They were transmitted to German authorities via a European Investigation Order and used as the principal evidence. Every German appeal, up to and including the Federal Constitutional Court, failed.
Before the ECtHR, the first application alleges a violation of Arts. 5 and 8 ECHR on the ground that pre-trial detention was premised exclusively on data alleged to be unlawfully obtained. The second application adds Art. 6 ECHR: the technical details of the interception were withheld from the defence, making it impossible to verify authenticity and reliability. Additionally, the entire correspondence between Silgir and his defence counsel during pre-trial detention was monitored, violating the right to confidential lawyer-client communication.
COMMUNICATED — no judgment yet
ISHA AND EMMEN v. NORWAY - APPLICATIONS NOS. 7905/25 AND 9417/25 (EncroChat & SkyECC)
Communicated — status: pending
The ECtHR has communicated a further significant set of cases concerning SkyECC and EncroChat material obtained from French authorities and subsequently used in domestic prosecutions. The Norwegian cases shift the focus from the legality of the underlying interception to the downstream fair trial implications: the Court asks specifically whether the encrypted evidence was decisive for conviction, whether sufficient safeguards existed to verify integrity and authenticity, whether the defence had a genuine opportunity to challenge the material, and whether domestic courts adequately assessed reliability. The inability to examine the chain of custody, access original interception infrastructure, or review filtering procedures raises what defence teams across Europe increasingly describe as the “black box” problem — evidence that arrives packaged from foreign authorities and cannot be independently verified by either the defence or the domestic court.
COMMUNICATED — no judgment yet
RAAL v. ESTONIA (ANOM)
Communicated — status: pending
The ANOM proceedings before the ECtHR raise structurally analogous Article 6 concerns. ANOM differs from EncroChat and SkyECC in that the platform was reportedly invented and operated in cooperation with law enforcement, generating additional questions concerning investigative provocation, operational control, and disclosure obligations. The underlying fair trial questions — effective challenge of evidence, independent verification of authenticity, equality of arms — overlap substantially with the SkyECC and EncroChat litigation.
COMMUNICATED — no judgment yet
European Court of Justice
EU GENERAL COURT — T-1180/23 (BW v EUROPOL & EUROJUST)
25 February 2026
For the first time, the SkyECC mass data collection — 170,000 users, 21 months, without individualised suspicion — is before the CJEU. The EU General Court declared the action against both Europol and Eurojust admissible. The substantive question — whether the operation violated EU law — remains open. On appeal, the Grand Chamber of the CJEU will decide conclusively.
ADMISSIBILITY CONFIRMED — substance pending
COUR DE CASSATION REFERRAL TO CJEU (SkyECC)
16 September 2025
The French Cour de cassation referred preliminary questions to the CJEU concerning whether French law provides an effective remedy for nationals of other EU member states to challenge evidence originating from France. The background is stark: a suspect was turned away in both Germany and France on the ground that he lacked standing to review the lawfulness of the evidence — neither in the receiving state nor in the source state. The CJEU is now asked to resolve this due-process gap.
REFERRAL PENDING — CJEU
The Netherlands — Hoge Raad
HOGE RAAD
14 April 2026 — ECLI:NL:HR:2026:650
In a significant doctrinal shift, the Dutch Supreme Court held that Art. 31 of the EIO Directive protects not only the sovereignty of Member States but also the procedural rights of individual suspects. This corrects the Hoge Raad's own 2023 case law and aligns it with the CJEU judgment of 30 April 2024 (C-670/22).
The practical consequences turn on the method of data collection. In the EncroChat case before it, the data were obtained by a French hack of all individual phones, and in so far as this affected phones on Dutch territory, there was an authorization by a Dutch judge. At a minimum, that authorization must now be open to review in any Dutch EncroChat case. SkyECC is different, both technically (the data were harvested through a wiretap in combination with a hack) and legally (there was no prior authorization by a Dutch judge). Suspects may accordingly invoke Art. 31 as a personal subjective right and demand that a court concretely review whether the notification obligation was observed, and therefore whether the entire evidentiary basis is lawful.
EncroChat: admissible (JIT) | SkyECC: Art. 31 review required
Austria — Constitutional Court
VERFASSUNGSGERICHTSHOF
Oral hearing — 11 March 2026
The Austrian Constitutional Court conducted the first constitutional-level review of EncroChat, SkyECC, and ANOM evidence in Europe. The central question is whether decrypted crypto-chat data obtained abroad may be used in national criminal proceedings without the defence being able to effectively verify provenance, integrity, and completeness.
The VfGH structured its review along three axes: the statutory basis for evidentiary use (the principle of legal certainty, Bestimmtheitsgebot); the technical verifiability of data integrity including the Trojan/MITM methodology; and effective defence rights in relation to officially processed raw data. The court also examined whether foreign investigative methods may be used where they would not meet domestic procedural standards, what compensatory obligations arise when the source state offers inadequate legal protection, and whether unprocessed raw data must be made available to the defence under Art. 6 ECHR. A judgment with signal effect for Germany and other EU legal orders is anticipated.
DECISION PENDING — historic first
Switzerland
Swiss courts have been among the boldest in Europe in excluding SkyECC evidence. The operative theory is straightforward: the MITM (man-in-the-middle) interception method applied by French and Belgian authorities constituted an unlawful extraterritorial act on Swiss sovereign territory. Because no Swiss judicial authorisation existed, the evidence falls under the absolute exclusionary rule of Art. 141 para. 1 CPC — no balancing exercise, no exception.
BEZIRKSGERICHT DIETIKON
19 June 2025
The District Court of Dietikon was the first Swiss court to address the issue head-on. It found that the MITM methodology used to intercept SkyECC communications violated the territorial sovereignty principle. The absence of any Swiss judicial authorisation rendered the evidence absolutely inadmissible under Art. 141 para. 1 CPC.
INADMISSIBLE — Art. 141 para. 1 CPC
OBERGERICHT ZÜRICH
15 August 2025
The Zürich Court of Appeal confirmed and expanded on the Dietikon ruling. It identified three independent grounds for exclusion. First, the MITM interception violated territorial sovereignty, triggering absolute inadmissibility under Art. 141 para. 1 CPC. Second, the surveillance measures lacked the requisite reasonable suspicion under Art. 269 para. 1 lit. a CPC, resulting in inadmissibility by analogy to the absence of judicial authorisation (Art. 281 para. 4 in conjunction with Art. 277 para. 1 and Art. 141 para. 1 CPC). Third, the court noted the absence of raw data, but left open the legal consequence of that finding.
INADMISSIBLE — three independent grounds
The ruling is currently on appeal before the Swiss Federal Supreme Court (Bundesgericht).
APPELLATIONSGERICHT BASEL-STADT
3 October 2025
The Basel-Stadt Court of Appeal went furthest. In addition to confirming the territorial sovereignty violation and the reasonable suspicion deficit, it expressly characterised the underlying surveillance as an impermissible fishing expedition. Given its scale, the court also found a violation of Swiss ordre public. On the raw data question — unlike Zürich — it did not leave the consequence open: it found absolute inadmissibility under Art. 141 para. 1 CPC independently on this ground as well.
INADMISSIBLE — incl. ordre public violation
The ruling is currently on appeal before the Swiss Federal Supreme Court (Bundesgericht).
Also notable in the Swiss context: in November 2025, the Federal Administrative Court ruled that mass surveillance of cross-border communications by the Swiss intelligence service is itself unlawful — a structurally cognate finding that reinforces the judicial scepticism toward indiscriminate data collection.
Germany
NATIONAL COURTS — CURRENT POSITION
German courts have so far been the most resistant to exclusion arguments. As illustrated by Silgir, the Federal Constitutional Court declined to exclude EncroChat evidence. The Hoge Raad’s reversal on Art. 31 EIO, the pending ECHR proceedings in Silgir, and the expected Austrian VfGH decision will all bear directly on the German landscape. The French Cour de cassation referral to the CJEU arose precisely from the double-door lock-out experienced by a suspect in German and French proceedings.
CURRENTLY ADMISSIBLE — subject to pending EU/ECHR review
Italy
IMPERIA, CATANZARO, ROME — 2024–2025
Three Italian courts have each taken a different approach to challenging the evidence, cumulatively mapping out the key lines of attack. In Imperia, a court-appointed expert concluded that the data were not original: incomplete, not attributable to a specific user, and pre-filtered by France. The evidence was provisionally excluded. In Catanzaro, the defence was granted the right to bring an effective EIO challenge, and a fresh EIO was issued to France seeking disclosure of the surveillance measures. In Rome, where France refused to allow its officers to testify, the court responded by opening a written-questions channel via mutual legal assistance.
The legal foundation across all three proceedings is CJEU C-670/22 and Art. 14(7) of Directive 2014/41/EU.
MIXED — exclusion, disclosure orders, MLAT procedures
United States — Eastern District of New York
UNITED STATES v. GOGIC, 22-CR-493 (JMA)
31 October 2025
Gogic is charged with international narcotics trafficking (MDLEA). The prosecution relies on SkyECC data transmitted from France via MLAT, collected through a JIT.
Suppression was denied: the Fourth Amendment does not apply extraterritorially absent a prior connection to the United States, even given the scale of the surveillance operation.
On authentication, however, the court found the Sky Evidence fundamentally different from ordinary business records. The French Certificate of Authenticity was too vague and conclusory, no witness with personal knowledge of the seizure or decryption process was available, and anomalies in the spreadsheets — duplicates, AI-processing indicators, post-seizure modifications — went unexplained. The bulk of the proposed exhibits was excluded. Only messages that a testifying cooperating witness can confirm from their own device are admissible.
SUPPRESSION DENIED — bulk of SkyECC evidence excluded for lack of authentication
