EU breaks down digital borders: New e-Evidence rules facilitate cross-border investigations

In the summer of 2023, the European Union ("EU") adopted two legal acts that are intended to improve cross-border access to electronic evidence for judicial authorities in criminal proceedings. Electronic evidence is digital data that can be used to investigate and prosecute criminal offences, such as customer identity information, IP addresses and location data, but also e-mails, text messages or photos.

In June, the European Parliament and the Council of the European Union adopted the Regulation on European Production and Preservation Orders ("e-Evidence Regulation"). Under the provisions of the Regulation, relevant data can be demanded directly from providers of digital services ("service providers") within the EU. Under the simultaneously adopted Directive laying down harmonised rules on the designation of designated establishments and the appointment of legal representatives ("Directive on Representatives"), service providers offering their services in the EU must appoint a legal representative or designate an establishment to which the authorities of the issuing State ("issuing authorities") can address their orders relating to electronic evidence.

The aim of the legislative package is to make it easier for law enforcement authorities and judicial authorities to access electronic evidence abroad, which until now has been time-consuming and complicated, and thus to make the investigation process more efficient. The e-Evidence Regulation will become binding in all Member States in August 2026. The Directive on Representatives must be implemented by the Member States six months beforehand.

Significance in practice

Electronic evidence is becoming increasingly important in criminal investigations. According to the Council of the EU, more than 50% of all criminal investigations in the EU involve a cross-border request to obtain electronic evidence. 

It is time-consuming and complicated for law enforcement agencies to access data located abroad, which makes investigations more difficult when service providers store data on servers abroad, as is often the case. Until now, it has not been easy for national judicial authorities to collect data stored on a server abroad. Usually, a time-consuming request for legal assistance has to be made. Judicial authorities generally do not have direct access to data stored abroad. Apart from the simplified mutual assistance procedures under the Cybercrime Convention, only a few EU Member States currently provide for simplified procedures. In Germany, for example, it is possible to request inventory and usage data from telemedia providers based in the EU in accordance with the provisions of Sections 22 et seq. of the German Telecommunications-Telemedia Data Protection Act ("TTDSG").

Contents of the legislative package

As early as April 2018, the European Commission presented a draft regulation aimed at making access to electronic evidence faster and easier, regardless of the location of the data. The version that has now been adopted aims to harmonise the procedure for accessing cross-border electronic evidence within the Member States, and to make it more efficient. Unlike the original proposal, the agreed e-Evidence Regulation includes an obligation for the issuing authority to notify the enforcing State when issuing a Production Order to obtain content and traffic data.

As a result of the adopted Directive on Representatives, non-EU service providers will also be affected by the new rules if they offer their services in the EU.

Instruments

The Production Order allows judicial authorities in one Member State to request electronic evidence directly from a service provider that is established or represented in another EU Member State. The service provider then has a period of 10 days, or just eight hours in so-called emergency cases, to comply with the order and hand over the data. Such a Production Order can be issued not only by the judicial authorities, but can also be requested by a suspect or accused person in criminal proceedings under the existing rights of defence. According to the text of the e-Evidence Regulation, orders "may also be issued in proceedings relating to a criminal offence for which a legal person could be held liable or punished in the issuing State". It is quite possible that the judicial authorities will interpret the e-Evidence Regulation such that, where there is no corporate criminal law (as in Germany), it can also be applied in administrative fine proceedings against corporates in which criminal offences are at issue.

Service providers have national legal remedies against a Production Order. Users whose data is the subject of an order are generally informed immediately about the production of data, and are also given the opportunity to take legal remedies against the order before their national courts. If the affected person is a suspect or accused person, an effective legal remedy can also be filed during the criminal proceedings in which the data is being used. 

The Preservation Order can be issued to oblige a service provider to preserve electronic data that can later be requested in a subsequent request for production, and thus prevent the electronic evidence from being deleted or overwritten. National judicial authorities can use the Preservation Order to direct the retention of data for up to 90 days. 

The e-Evidence Regulation also requires the implementation of a decentralised IT system that will enable communication between authorities and service providers, as well as the supply of the data.

Scope of application 

The e-Evidence Regulation applies to service providers offering services in the Union.

In detail, these are: 

  • Electronic communications services – these primarily include Internet access services and interpersonal communications services, such as messaging services, e-mail services and Internet telephony services (Voice over IP); 
  • Internet domain name and IP numbering services, such as IP address allocation, domain name registry, domain name registrar, and domain name-related privacy and proxy services;
  • Other information society services (i.e. any service normally provided for remuneration, at a distance, electronically and at the individual request of a recipient of services), which enable their users to communicate with each other, or which enable users to store or otherwise process data (e.g. "social media" platforms). 

The service provider does not need to be located in the EU for the regulations to apply. If it offers its services within the EU, it must designate an establishment or appoint a legal representative in the EU. This allows access to service providers located in non-EU countries as well.

The e-Evidence Regulation covers data that has already been stored, but not data that will be created in the future or real-time monitoring. The e-Evidence Regulation differentiates between subscriber data (data on the identity of a subscriber), traffic data (data on usage behaviour) and content data (data in a digital format such as text, speech, videos, images and sound recordings). 

In order for content and traffic data to be handed over, it is necessary that the criminal offence that is the subject of the proceedings is punishable by a custodial sentence of at least three years in the issuing EU Member State, or it must relate to certain offences connected with terrorism, or sexual abuse of children, or fraud relating to non-cash payment instruments, or certain cybercrime offences when committed using an information system. When authorities request content and traffic data, they must notify the authority of another Member State ("enforcing authority") for reasons of transparency ("notification obligation").

Refusal by the service provider

The service provider may refuse to produce or preserve data only if the enforcing authority in the notified State asserts a ground for refusal, or the service provider refuses execution in another permissible manner.

The enforcing authority may refuse to provide data if the data requested are specifically protected by immunities, or if the act on which the proceedings are based is not punishable in the notified enforcing State (principle of mutual criminality). The service provider may raise arguments that the execution of the order would result in the manifest violation of a relevant fundamental right enshrined in Article 6 of the Treaty on European Union ("TEU") and the Charter of Fundamental Rights of the European Union ("the Charter"), so that the enforcing authority could consider presenting this as a ground for refusing enforcement of the Production Order. There is no explicit obligation on the part of the service provider to check whether the preconditions of the order to produce data have been met – this is different from, for example, the regulations in Germany on the production of user and usage data under the TTDSG.

If an enforceable order is not complied with even though there is no permissible ground for refusal, the service provider faces sanctions of up to 2% of the total worldwide annual turnover of the preceding financial year in the Member State in which it is established, or its representative is appointed.

Outlook and Conclusion

The legislative package is expected to increase the cross-border exchange of evidence within the EU and make direct access the rule. It is important to note that non-EU based corporates will also fall within the scope of the package if they choose to offer their services in the EU.

Concerns have been raised about the extensive authority to issue orders, which means that a court order or a decision by the public prosecutor's office is not required in an emergency case – the police can request immediate data transfer from service providers, and court examination of this data transfer will only take place retrospectively. 

In practical terms, costs for data transmission and / or data backup and the associated effort to ensure appropriate personnel capacities, as well as costs for legal advice, are to be expected on the part of the affected service providers. Reimbursement is only possible if the law of the issuing State provides for corresponding reimbursement of costs for similar domestic orders. 

Furthermore, the short deadlines for the transfer of data may pose a challenge for the service providers, given that significant amounts of data may be involved. Violations can also result in fines based on the annual worldwide turnover, which can thus be quite substantial. Given the current sanctioning practice of the EU Commission and the Member States in the event of breaches of EU law (e.g. in the area of data protection or antitrust law), significant fines can certainly be expected in the case of violations.

It is recommended that appropriate internal processes are put in place at an early stage. Considering the short deadlines, well-established technical processes, as well as a trained and technically skilled team, are required.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2023 White & Case LLP
