Digital Evidence in Spain 2026: Supreme Court Case Law

Digital evidence has become the backbone of most current criminal proceedings. WhatsApp messages, geolocations, encrypted communications intercepted by foreign agencies, forensic device extractions and cloud-stored data make up the bulk of the evidential material. As criminal lawyers, this guide summarises the most recent doctrine of the Supreme Court and the Court of Justice of the EU, focusing on the grounds of nullity the defence must articulate.

WhatsApp and Instant Messaging as Evidence

The consolidated Supreme Court doctrine requires three requirements for a WhatsApp screenshot to have full evidential value: authenticity (unequivocal identification of sender and recipient), integrity (proof the message was not edited, deleted or fabricated — a cryptographic hash of the message database is the standard), and a chain of custody. The Supreme Court has expressly warned of the risk of manipulating screenshots, requiring "evidential surplus" when the screenshot is questioned. If the device the screenshot comes from is not provided for expert analysis, the evidence loses force.

EncroChat, Sky ECC and ANOM: Cross-Border Encrypted Evidence

The major operations against organised crime in Europe have rested on the mass interception of encrypted messaging services. The doctrine has evolved:

• CJEU, judgment of 30 April 2024 (case C-670/22): the CJEU validates the admissibility of the EncroChat data transmitted by France to other Member States through a European Investigation Order, but requires the national court to examine whether the rights of the defence have been respected. If the information is not sufficient for the accused to comment effectively, it must be excluded.
• Spanish Supreme Court: case law has admitted EncroChat evidence provided there is an authorising judicial decision and EIO cover; but the mere table of conversations provided by Europol is not enough — the original judicial decision and the traceability of the material must be obtainable.

The defensive strategy involves requesting the original judicial decision, challenging the presumption of technical reliability if the method is not identified, and invoking the fruit of the poisonous tree doctrine (Art. 11.1 of the Judiciary Act).

Digital Chain of Custody and Forensic Extractions

The Supreme Court requires a seizure record identifying the device, a complete forensic image (bit-by-bit cloning) using validated tools, a cryptographic hash (at least SHA-256) calculated at origin and verified at each step, analysis on copies and not on the original, and full traceability. A break in the chain does not automatically imply nullity, but it shifts to the prosecution the burden of proving the evidence has not been altered.

Geolocation: Traffic Data and Fundamental Rights

Obtaining location data affects the right to the secrecy of communications and data protection. The current doctrine requires prior judicial authorisation, even for past data, in line with the CJEU criterion. The Supreme Court has confirmed that the mere transfer of data by the operator to the police without a prior judicial decision — save for defined urgent cases (Art. 588 ter j LECrim) — determines the nullity of the measure.

Cross-Border Cloud Services and E-Evidence

Relevant data increasingly resides on cloud servers located outside Spain. Cross-border access is governed by the Budapest Convention on Cybercrime and its Second Additional Protocol, and by Regulation (EU) 2023/1543 on European Production and Preservation Orders for electronic evidence (E-Evidence), fully applicable from August 2026, which allows Spanish judicial authorities to address providers in any Member State directly, with response deadlines of 10 days (8 hours in urgent cases). Obtaining data through informal channels or without the E-Evidence guarantees may determine nullity.

Grounds of Evidential Nullity: the Defence's Catalogue

1. Lack of judicial authorisation for the interception of communications, geolocation or device access.
2. Insufficient or stereotyped reasoning of the authorising order; lack of proportionality.
3. Break in the chain of custody: an unverified hash, copies without traceability.
4. Lack of transparency of the method: foreign interceptions without access to the technical protocol.
5. Breach of the right of defence: the impossibility of expert contradiction because the original material is not provided.
6. Obtaining outside the E-Evidence or MLAT framework for cross-border cloud data.
7. Indications of manipulation (screenshots, deepfakes, edited messages).
8. Connection of unlawfulness (Art. 11.1 of the Judiciary Act): reflex nullity over derived evidence.