Access to data processed and stored by providers of online communication services such as e-mail services, social media chat channels and messaging apps is increasingly important in criminal investigations.
However, service providers are often located outside the country of investigation and data is processed and stored on servers located across several different jurisdictions. Such cross-border considerations become rather complex, in particular in view of the divergent approaches across EU Member States on establishing enforcement jurisdiction for obtaining access to provider data. The result is legal uncertainty both for the public authorities collecting evidence, and for service providers served with cross-border data access requests.
To make it easier and faster for law enforcement and judicial authorities to obtain electronic evidence and to solve the current legal uncertainty for providers, the Commission proposed new rules in 2018, consisting of:
- a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters (Draft e-Evidence Regulation); and
- and a Directive, laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings.
Almost four years later, the proposed new e-evidence framework is still being negotiated between the European Commission, the Council of the European Union and the European Parliament. Two Council Presidency notes published in September 2021 (here and here) and a Presidency progress report published in November 2021 shed some light on the current state of the trilogue negotiations, the issues that are still contentious and a possible compromise position between the European Parliament and the Council.
Challenges for service providers in dealing with cross-border data access requests
Currently, the standard formal procedure for obtaining evidence from service providers located in a different jurisdiction is laid down by international conventions providing for mutual legal assistance (MLA), including the Convention on Cybercrime (the Budapest Convention) which deals specifically with electronic evidence, and the European Investigation Order, a mutual recognition tool used for cross-border requests between EU Member States.
The MLA mechanism provides for a cross-border cooperation between public authorities, ie requiring, as a general rule, the involvement of the authorities located in the requested state in order to receive access to data processed and stored by a service provider located in a different jurisdiction. This makes the process of obtaining cross-border evidence quite cumbersome and, with an average response time of about ten months, very slow. In fact, service providers often do not store their data that long (due to applicable data protection and in particular data minimisation requirements). Thus, law enforcement authorities often find it impossible to get data for investigations. In practice, law enforcement authorities often contact a service provider directly and request access to relevant data, even if there is no enforceable obligation for service providers to disclose.
What will change with the proposed new e-evidence framework?
The current legal uncertainty around cross-border data access requests and the burden currently placed on service providers risking non-compliant data disclosures may soon be addressed by the proposed new e-evidence framework. The framework will introduce a means for direct data requests and provide an alternative to the cumbersome upfront cooperation mechanism currently in place.
Service providers may wish to note the below items in the Draft e-Evidence Regulation, which may have implications for internal cross-border data disclosure policies:
- Direct requests issued by foreign authorities will be binding
The proposed new rules will allow the competent authorities of one Member State to request directly from a service provider established or represented in another Member State access to, or preservation of, electronic data needed for the investigation and prosecution of crimes covered by the regulation. Production and preservation orders for electronic evidence issued under the proposed new e-evidence framework will be binding, hence, service providers will be obliged to produce and/or preserve the requested data (Articles 9, 10 Draft e-Evidence Regulation). - User information
Though the question of who should by default inform the user (ie the issuing authority or the service provider) seems to be still discussed between the negotiating parties (cf. the Council Presidency Note, 16 September 2021, Questions To Delegations, Question 2), the Draft e-Evidence Regulation provides that service providers shall preserve the confidentiality of the preservation order or the production order, in particular by refraining from informing the person whose data is being sought “where requested by the issuing authority” in order to safeguard the investigation of criminal offences. - Sanctions for non-compliance with the production and preservation orders for electronic evidence
In its general approach on the proposed e-Evidence Regulation, the Council proposed to set the level of pecuniary sanctions that can be imposed on service providers in case of non-compliance at up to 2 % of total worldwide annual turnover of the preceding financial year, thereby specifying the sanctions regime for non-compliance with the data disclosure obligations under the e-evidence framework.
Outlook on the legislative process
According to the Council Presidency note from 30 September 2021 a new consolidated draft approach was due to be shared on 6 October 2021. However, based on the Presidency progress report, it seems a compromise regarding the notification block of rules has yet to be found, though the Presidency has noted that it is essential that the Regulation is adopted and implemented “in the foreseeable future” (cf. Presidency progress report, p. 6). It is therefore unclear whether the e-Evidence Regulation will be passed this year.
Digital service providers based or acting in the EU should keep close watch on these new rules and prepare for the impact of the proposed new framework on internal cross-border data disclosure policies.