by: Ajith Francis, Director of Policy Programs & Bertrand de La Chapelle, Executive Director, I&JPN
On June 13, 2023, the EU Parliament voted to adopt its Regulation on “European Production and Preservation Orders for electronic evidence in criminal proceedings and for the execution of custodial sentences following criminal proceedings”, also called the E-Evidence Regulation.
The regulation puts in place rules that allow law enforcement and public authorities to obtain stored electronic evidence from service providers located in another state. The regulation is also complemented by a directive requiring all service providers that offer services within the EU but are based outside of the Union to designate a legal representative within an EU member state.
The regulation is the culmination of over five years of intense debate and dialogue and incorporates elements from the different proposals over time (Commission, Council, and LIBE Committee versions) to address some key fundamental issues such as due process, checks and balances, and enforceability. This represents a major milestone to overcome the limitations of the traditional Mutual Legal Assistance Treaty system that is ill-adapted to the scale and transnational nature of cross-border access to electronic evidence.
The I&JPN Secretariat has issued a detailed explanatory document describing in graphic form the main components of this important new regime.
As a first introduction, this blog covers some of the key highlights of the E-Evidence regulation based on the I&JPN Secretariat’s work on the topic of E-Evidence. While the adopted regulation covers both preservation and production orders for electronic evidence to service providers, the highlights below only cover production orders of electronic evidence. The highlights are structured around three pillars: 1) The Regulation Scope, 2) Its General Architecture, and 3) Three Salient Elements Regarding the Final Compromise.
1. Regulation Scope
1.1 Who are the key actors involved?
Issuing State: The state that is investigating a crime and whose law enforcement requires access to the stored electronic evidence.
Service Provider: The company providing services in the Issuing State, but incorporated elsewhere, that stores the data sought. Referred to as “the addressee” in the Regulation.
Enforcing State: The EU Member state where either the service provider is located or where the service provider has designated a legal representative.
Data Subject: The actor whose data is sought by the Issuing State.
1.2 What constitutes Electronic Evidence?
The regulation distinguishes four types of electronic evidence that Issuing State Authorities can obtain from service providers:
Subscriber Data: The identity of a subscriber or customer, including names and birthdates, but also technical information such as the technical measure and interface used by the user at the time of registration or activation, excluding passwords.
Data requested for the sole purpose of identifying the user: Data points such as IP addresses and, where necessary, the relevant source ports and time stamps (date/time), or technical equivalents of these identifiers and related information that can be used solely for identifying a user.
Traffic Data: Data that provides context or additional information such as the source and destination of communications, location data, and time-stamps on communications.
Content Data: Data pertaining to the actual content of communications.
1.3 For what crimes can production orders be issued?
An Issuing State can issue European Production Orders for the following crimes:
- For subscriber data and data requested for the sole purpose of identifying a user. Orders may be issued for all criminal offenses as well as for the execution of a custodial sentence or a detention order of at least 4 months.
For Traffic and Content data, Orders may only be issued for either criminal offenses punishable in the issuing State by a custodial sentence of a maximum of at least 3 years, or a specific set of offenses covered in Article 5.4.
1.4 Who can issue production orders in the Issuing State?
A judge, a court, or an investigating judge competent in the case can issue orders for all types of electronic evidence.
Other designated competent authorities defined by the Issuing State may also issue orders in their capacity as an investigating authority in criminal proceedings. However, orders by such authorities have to be validated by a judge, a court, or an investigating judge in the issuing State.
As an exception, for Subscriber Data and Data requested for the sole purpose of identifying the user, orders can also be issued by a competent public prosecutor. For such orders issued by another competent authority defined by the Issuing State, public prosecutors can also validate them (in addition to a judge, a court, or an investigating judge).
1.5 What is the deadline for disclosure of electronic evidence?
In regular cases, the service provider has 10 days to transmit the requested electronic evidence to the Issuing State.
In emergency cases, the service provider has 8 hours for transmitting the requested electronic data.
2. General Architecture
2.1 Issuing and transmission of Orders:
Specific authorities in the Issuing State can issue production orders to service providers offering services in the EU and located in another Member State pursuant to its own national criminal procedure as long as:
the offense has been committed, is being committed, or is likely to be committed in the issuing State; and
the person whose data are sought resides in the issuing State.
For orders concerning Traffic Data and Content Data, the Issuing State has to evaluate whether the data is protected under immunities and privileges under Enforcing State’s law or it is subject to rules on determination and limitation of criminal liability relating to freedom of press and freedom of expression in other media. It may seek clarification from the Enforcing State before issuing the order.
After such evaluation, all orders (including subscriber data and data for identification of user) are transmitted to the service provider.
An important provision is that for traffic (except for sole identification of the user) and content data unless both the crime and the data subject are located in the Issuing State, the Order has to be simultaneously transmitted to the Enforcing State.
2.2 Service Provider Responsibilities:
In all cases, upon receipt of a Production Order, the Service Provider may additionally seek clarifications or raise challenges against complying with the order.
A Service Provider may seek clarifications from the Issuing State when:
- The Order is incomplete, contains manifest errors, or does not contain sufficient information to enforce it.
The Service Provider cannot comply due to circumstances not attributable to the Service Provider.
The Service Provider is unable to comply fully or within the deadline.
The Enforcing State is also informed of requests for clarification if it was already notified of the issuance of the Order because the crime or the data subject were outside of the Issuing State.
A Service Provider may challenge the execution of an order, if:
Based solely on the Order, the service provider considers that the execution would interfere with the immunities and privileges or is subject to rules on determination and limitation of criminal liability relating freedom of press and freedom of expression in other media.
The Service Provider considers that compliance with the order would conflict with applicable laws of a third country.
For such challenges, the Service provider would notify both the Issuing State and the Enforcing State, even when the offense and the data subject are located within the Issuing State.
2.3 Enforcing State:
The Enforcing State has two responsibilities:
1. Evaluation of orders for which it is notified
When notified, the Enforcing State has ten days to evaluate the Order and raise grounds for refusal of the Order. If it decides to refuse the execution of the order, it may seek clarifications from the Issuing State prior to objection. It also notifies both the Service Provider and the Issuing State within the deadline if it decides to object.
If the Enforcing State does not raise objections and does not notify the Service Provider of non-objection, the Service Provider can comply with the order at the latest at the end of the deadline.
The grounds for refusal include:
The data requested is protected by immunities and privileges granted under the law of the enforcing State, or the data requested is covered by rules on the determination or limitation of criminal liability that relate to the freedom of press or the freedom of expression in other media.
The execution of the Order would, in the particular circumstances of the case, entail a manifest breach of a relevant fundamental right as set out in Article 6 TEU and the Charter.
The execution of the Order would be contrary to the principle of ne bis in idem;
The conduct for which the EPOC has been issued does not constitute an offense under the law of the Enforcing State, unless it concerns an offense listed within the categories of offenses set out in Annex IIIa, as indicated by the issuing authority in the EPOC if it is punishable in the issuing State by a custodial sentence or a detention order for a maximum period of at least three years.
2. Conducting enforcement procedures on service provider
In situations where the Service Provider has not complied with the Order within the deadline and has not raised any challenges, the Issuing Authority can request the Enforcing State to enforce the order on the Service Provider located in its jurisdiction.
In these cases, the Enforcing State can choose to recognize the order or raise grounds for refusal after receiving clarifications from the Issuing State.
The grounds for such refusal include:
The European Production Order has not been issued or validated by an issuing authority;
The European Production Order has not been issued for an offense provided for by the regulation;
The addressee could not comply with the Order because of de facto impossibility due to circumstances not attributable to the addressee, or because the EPOC contains manifest errors;
The European Production Order does not concern data stored by or on behalf of the service provider at the time of receipt of the Order;
The service is not covered by this Regulation;
The data requested is protected by immunities and privileges granted under the law of the enforcing State, or the data requested is covered by rules on the determination or limitation of criminal liability that relate to the freedom of press or the freedom of expression in other media, which prevent execution or enforcement of the Order;
If the Enforcing State does recognize the order, the Service Provider is required to comply with the order but may raise grounds for challenging the order.
3. Three Salient Elements of the Final Compromise
3.1 No Service Provider objection regarding manifestly abusive orders
The Regulation limits the due-diligence done by Service Providers to the aforementioned set of clarifications and challenges based on immunities and privileges, and conflicts with third-country laws. It does not provide for the Service Provider to evaluate the order based on any other elements such as the legality and due-process of the actual order. This was a point of contention during the negotiations. Previous proposals gave Service Providers the ability to challenge the order based on its evaluation of whether the Order was manifestly abusive or exceeding its purpose. This has been excluded in the final compromise.
3.2 Notification to Data Subject
Per the adopted regulation, the data subject is informed without undue delay by the Issuing State of the data production, ie. in any case after the data has been obtained. The Issuing State can also choose to delay the notification in accordance with national law, for a limited period. Previous iteration of the regulation proposals envisaged user information by the Service providers unless the Issuing State explicitly requested confidentiality. This was not retained in the final compromise.
3.3 Conflict with Third Country Laws
The adopted regulation also provides for procedures to deal with third-country laws. The onus of identification of potential conflicts lies with the Service Provider who notifies the Issuing State of such conflicts. If the Issuing State wants to pursue the data disclosure still, it must initiate a review by its own judiciary to evaluate such conflicts. Based on this review and potential communication with the third country, the judiciary in the Issuing State decides to uphold the order or strike it down.
Conclusion
This ambitious regulation is an elaborate architecture, with many interlocking parts. It reflects the complexity of the issue and the difficult balancing between increasing efficiency in criminal investigations and ensuring high due process guaranties. Significant capacity building will be needed before it fully comes into force, in order to inform the respective actors of its implications. Based on its more than 10 years of work on this issue, the I&JPN Secretariat will provide useful material and resources to support this effort.
Finally, the issue of cross-border access to electronic evidence will remain a challenge for many countries around the world and still needs to be addressed to avoid the proliferation of data localization measures. Important lessons can be drawn from the architecture developed in the EU that can inform further discussions in that regard in other regions. Some of the previous work stemming from the dedicated I&JPN Data & Jurisdiction Contact Group can further help in that regard.