While much recent European data legislation has passed through the legislative process in record time, the electronic evidence framework (the Framework) proposal has been stuck in the pipeline for over five years. After discussions surrounding the Framework heated up during the winter of 2021 and early 2022 (see our blog), it is now on the verge of being adopted.
Now, the Council has formally agreed to the European Parliament’s position on the Framework based on a provisional agreement of the trilogues from January 2023. This will simplify cross-border data access requests from foreign law enforcement authorities, who will no longer have to go through the mutual legal assistance procedure. In this blog, we provide an overview of the provisions of the final version of the Regulation and the Directive adopted by the European lawmakers and the impact of the Framework on current practices of dealing with cross-border data access requests.
Services in scope of the Framework
The Framework applies to service providers offering their services in the European Union, regardless of the actual location of the service provider’s establishment or of the data processing or storage facility.
‘Services’ in the sense of the Framework do not include financial services (eg banking, credit, insurance, payment and investment advice), but instead they comprise the following:
- Electronic communications services such as internet access services, interpersonal communications services (eg instant messaging and e-mail) or machine-to-machine services;
- internet domain name and IP numbering services such as IP address assignment, domain name registry or proxy services; or
- other information society services which provide the ability to communicate with other users (eg online marketplaces and gaming platforms) or where storage of data on behalf of the user is a defining component of the service (eg cloud computing).
Data categories
Under the Framework, there are four data categories that can be subject to the orders:
- Subscriber data, meaning data held by a service provider relating to the subscription to its services (eg name, date of birth, postal address, billing data, email address).
- Data requested for the sole purpose of identifying the user, meaning IP addresses and, where necessary, the relevant source ports and time stamp or technical equivalents of those identifiers and related information.
- Traffic data, meaning data related to the provision of a service offered by a service provider (eg the location of the device, date, time, duration, size, route or the protocol used).
- Content data, meaning data in a digital format other than subscriber data or traffic data (eg text, voice, videos, images and sound).
The Framework generally applies stricter rules when traffic data and content data are subject to an order, as they are in principle more sensitive than subscriber data and data requested for the sole purpose of identifying the user.
Types of requests: European Production Order and European Preservation Order
With the European Production Order and the European Preservation Order, the Regulation provides two legal instruments for law enforcement authorities of member states to have service providers within scope produce or preserve data. The conditions for European Production Orders are generally higher than for European Preservation Orders, since the production of data represents a deeper interference with the rights of the suspected or accused persons. The more sensitive the data category, the higher the requirements for the order.
European Preservation Orders must be necessary for a subsequent request for production of targeted data as they prevent the removal, deletion or alteration of that data. The subsequent request for production can be based on a European Production Order, but also mutual legal assistance or a European Investigation Order.
Issuing authority of the orders
Depending on the type of order and the sensitivity of the data category, the intensity of the interference by law enforcement authorities varies, as do the procedural requirements for issuing the respective order. For example, on the one hand, a European Production Order to obtain subscriber data may be issued by judicial authorities and public prosecutors. European Production Orders regarding content data, on the other hand, are subject to stricter rules, as they can only be issued or validated by judicial authorities.
Other investigating authorities in criminal proceedings may issue orders as well. However, to ensure that fundamental rights are fully protected, these orders shall be validated by judicial authorities (and, where applicable, by public prosecutors). These validations must generally take place prior to the issuance of the order by the investigating authority. However, in validly established emergency cases (e.g. imminent threat to a person’s life or a critical infrastructure) ex post validation can suffice.
Addressees of the orders
It is interesting to note that whereas, as a general rule, the European Production Order shall be addressed directly to the service provider in question, acting as a controller under the GDPR in relation to the relevant data, the Framework allows in certain cases the European Production Order to be addressed directly to the entity processing the data on behalf of the controller (i.e. where the controller cannot be identified despite reasonable efforts, or where addressing the controller might be detrimental to the investigation).
Furthermore, where the service provider or the legal representative of a service provider does not react to the European Production Order or the European Preservation Order within the deadlines or has not yet been designated, the Framework allows the relevant order to be addressed to any other establishment or legal representative of the service provider in the Union.
What does this mean for the relevant service providers?
Service providers that fall under the Framework will have to review and, where necessary, update their existing data disclosure processes, in particular taking into account the following points:
- Deadlines for compliance with the preservation and production requests: In case of a European Preservation Order, the service provider will have to preserve the relevant data “without undue delay”, suspending their regular deletion or anonymisation processes to comply with the request. In case of European Production Orders, the service provider will have to preserve the relevant data “expeditiously” and will have 10 days for transmitting the requested data to the issuing authority. In emergency cases, the service provider will have to comply with the request without undue delay, at the latest within 8 hours upon receipt of the request. This will require an efficient process, to avoid potential sanctions for delayed production of the requested data under the Framework.
- Grounds for refusal of production or preservation requests: Where the service provider cannot comply with its obligation because the request is incomplete, contains manifest errors or does not contain sufficient information to execute the request, it shall inform the issuing authority without undue delay and seek clarification. However, the Framework does not seem to allow service providers to assess the legality of the relevant production or preservation request (e.g. the proportionality of the request or whether the requested data are necessary in the individual case). This was one of the contentious points during the legislative process of the Framework. The only grounds for objection explicitly mentioned under the Framework relate to potential interferences with immunities or privileges, or to rules on the determination or limitation of criminal liability that relate to the freedom of the press or the freedom of expression in other media in the enforcing State. Other than that, the service provider will still have the possibility to refer to the “de facto impossibility due to circumstances not attributable to the addressee”.
- User information and confidentiality: Another controversial point during the legislative process concerned the question of who should be responsible for informing the person whose data are being sought. As per the final text of the Framework, the responsibility for informing the affected person lies with the issuing authority, whereas the service providers shall take the necessary state-of-the-art operational and technical measures to ensure the confidentiality, secrecy and integrity of the relevant request(s) and of the data produced or preserved.
- Sanctions: Non-compliance with the Framework can result in pecuniary sanctions of up to 2% of the total worldwide annual turnover of the service provider’s preceding financial year.
What’s next?
The European Parliament adopted its position regarding the legislative package at first reading on 13 June 2023 and the Council approved the European Parliament’s position on 27 June 2023. Now, the adopted Regulation and Directive must be signed by the Presidents of the European Parliament and Council respectively before they can be published in the Official Journal of the European Union. After these procedural steps, the Regulation will be applicable 36 months after its entry into force, whereas the Directive will need to be transposed by each member state within 30 months of its entry into force.