EU: E-evidence package - streamlining production and preservation of electronic evidence in a cross-border context
In this Insight article, Tim Van Canneyt and Eliot Sanam, from Fieldfisher, analyze the groundbreaking electronic evidence (e-evidence) package, delving into its implications for streamlining cross-border e-evidence collection. They examine the changes this legislative framework brings to the realm of online law enforcement.
The online world is often compared to the Wild West as a realm where anything is possible, from opportunities to grow businesses to developing life-changing tools.
Just like in the Wild West, many bad actors roam the digital streets. They know very well how to commit their crimes while remaining incognito or hiding abroad. Unlike law enforcement, cybercriminals need not concern themselves about physical borders. They can easily steal money from a Luxembourgish grandma while enjoying a coffee in Stockholm.
According to the European Commission, over half of all criminal investigations today require access to electronic evidence like texts, emails, or messaging apps that may be located abroad. However, unlike cybercriminals, law enforcement is inherently bound by the borders that delineate their jurisdiction. Furthermore, service providers, with valid grounds or not, may refuse to help gather evidence, fearing being responsible for data breaches or commercial reputation damages (especially with regard to their customers).
In fact, the digital landscape introduces complexities that render evidence gathering more difficult than commonly perceived. Law enforcement authorities encounter various obstacles in this regard:
- Complexity: digital evidence is often complex and can be difficult to understand and analyze, especially for those without technical expertise. Such evidence can take many forms, encompassing social media posts, chat messages, metadata, lines of code, etc.
- Authenticity: it can be challenging to establish the authenticity of digital evidence. The ease with which digital data can be manipulated means that it is important to verify that the evidence has not been tampered with or altered in any way. Editing tools are now easily accessible to anyone and produce professional-like edited images and other visual content. Due to this, the evidence gathered and brought can easily be doubted.
- Privacy: there are also privacy concerns associated with digital evidence. In some cases, digital evidence may contain personal information that is protected by privacy laws. It is important to handle this information appropriately to avoid violating privacy rights. The GDPR or rules around the secrecy of communications can be a hurdle when trying to collect evidence through the service providers.
- Encryption: encrypted data can be difficult or impossible to access without the correct decryption key, which can make it difficult to analyze or use as evidence. Indeed, some service providers may have implemented some encryption measures and may not be inclined to decrypt the data.
Moreover, complications can arise when service providers are located in a different country from the enforcement authorities. If the service providers are located outside of the European Economic Area (EEA) or in a country lacking a Mutual Legal Assistance Treaty (MLAT), it can be almost impossible to obtain a positive response in due course.
These challenges are exactly what the European Commission wanted to address when it proposed the e-evidence package in 2018. This package consisted of a proposal for a regulation on European Production and Preservation Orders for electronic evidence in criminal proceedings and the execution of custodial sentences following criminal proceedings (the e-evidence Regulation). Additionally, the package entailed a proposal for laying down harmonized rules on the designation of designated establishments and the appointment of legal representatives, all aimed at facilitating the collection of electronic evidence in criminal proceedings (the e-evidence Directive).
Following a long legislative process, on June 13, 2023, the European Parliament officially ratified the e-evidence package.
The e-evidence package represents just one component of EU legislation addressing online law enforcement actions. For example, the Digital Services Act (DSA) requires intermediary service providers to comply with orders to act against or to provide information about illegal content online. Similarly, the Online Terrorist Content Regulation (OTCR) applies to providers of hosting services that allow users to upload and disseminate content to the public. These hosting service providers are bound by a duty of care to address the misuse of their platform to disseminate terrorist content and an obligation of expeditious removal or disabling of access.
However, a key distinction exists between EU regulations such as the DSA or the OTCR and the e-evidence package. While the DSA and OTCR essentially require intermediary service providers to remove illegal online content, the e-evidence package requires service providers, under specific circumstances, to either retain online evidence or furnish it to law enforcement authorities. Furthermore, the e-evidence package is meant to facilitate cooperation between EU countries and to provide investigation tools to member state authorities in charge of criminal proceedings (specifically for pre-trial and trial phases). It is important to note that the new provisions exclusively apply to criminal proceedings, in contrast to the broader scope of application observed in the European Investigation Orders mechanism.
The European Production Order and the European Preservation Order
The e-evidence package tackles the problem of accessing electronic evidence, which takes the form of digital data, across different countries via two measures. First, the e-evidence package introduces two new legal instruments: the European Production Order and the European Preservation Order, aimed at facilitating the acquisition of electronic evidence. These tools are represented by certificates, respectively the EPOC and the EPOC-PR. Secondly, the e-evidence package imposes an obligation on service providers to appoint a designated establishment or a legal representative to ensure the "receipt of, compliance with, and enforcement of decisions and orders."
The e-evidence Regulation has a broad scope ratione personae, due to the broad definition of 'service providers.' As a result, it will apply to information society service providers, providers of data processing services, and communications services, among others, that render services within the EU. These services are offered in the EU when users in the EU are enabled to use the service or when the service provider has a substantial connection with the EU (e.g., having an establishment in the EU, or the existence of significant outreach of the service among the EU population). Where a service provider falls under the territorial scope of the e-evidence Regulation, it is important to note that this applies only to data concerning services offered in the EU, and not data concerning services outside of the EU.
Based on the e-evidence Regulation, authorities in one Member State (e.g., a court, an investigating judge, or any other competent authority acting as an investigating authority in criminal proceedings) will be able to collect electronic evidence located in other Member States, either because the electronic evidence is hosted in another Member State or because the service provider is established there. These authorities are referred to as 'issuing authorities' and may address EPOC and EPOC-PR directly to the service providers, unless circumstances necessitate notifying the 'enforcing authorities' in the Member State where the service provider is situated, as per Article 8 of the e-evidence Regulation.
For the e-evidence Regulation, 'electronic evidence' means subscriber data, traffic data, or content data stored by a service provider or on their behalf, in electronic form. Furthermore, the e-evidence Regulation introduces a distinct category of data: data requested for the sole purpose of identifying the user (e.g., IP addresses, source ports, and timestamps). The e-evidence Regulation acknowledges that this type of data, which often qualifies as personal data and/or traffic data, is often granted special protection under EU or national laws. However, due to its essential role in criminal investigations, access to it is considered necessary. By default, this data is subject to the same regime as subscriber data under the e-evidence Regulation. However, if this data is requested not solely for identification purposes but rather for its probative value, it will be subject to the same rules as traffic data.
Subscriber data and data requested for the sole purpose of identifying the user can be requested for all types of criminal offenses, as well as for the execution of a custodial sentence or detention order of at least four months. This request must be based on a decision issued by a criminal court, with the condition that the decision "was not rendered in absentia, in cases where the person convicted absconded from justice."
EPOC for traffic data or content data is limited to specific offenses punishable within the issuing state by a custodial sentence of a maximum duration of no less than three years. These offenses are either directly linked to a limited list of offenses committed wholly or partly through information systems (e.g., fraud, counterfeiting of non-cash means of payment, terrorism, and attacks against information systems), or they are requested for the purpose of executing a custodial sentence or detention order of at least four months imposed for specific criminal offenses.
If there is a risk that the electronic evidence may be removed, deleted, or altered, the issuing authority may issue an EPOC-PR to facilitate subsequent requests for the production of this data via mutual legal assistance (MLA), a European Investigation Order, or an EPOC. The EPOC-PR is a measure that requires the service provider to safeguard electronic evidence in view of potential future requests to provide the evidence. In that case, the service provider shall, without undue delay, preserve the electronic evidence for 60 days. This preservation period can be extended by an additional 30 days.
Furthermore, an EPOC-PR can also be initiated for all categories of criminal offenses, and it can serve to carry out a custodial sentence or detention order of no less than four months when the individual convicted of the offense has evaded legal proceedings.
In no circumstances should the EPOC-PR be interpreted as a general obligation on service providers to retain data in anticipation of potential investigations.
An EPOC or EPOC-PR can be issued directly to a designated establishment or to the legal representative designated by the service provider, pursuant to the proposed Directive (refer to the subsequent section). In case of emergency, where the addressee fails to respond within the stipulated deadline, the order can be addressed to any other establishment or legal representative within the Union.
The service providers receiving an EPOC are obligated to promptly take action to preserve the specified data. Upon receipt of the EPOC, service providers must produce the data requested within different timeframes: 10 days, when notification to the enforcing authority is required under Article 8; eight hours, in case of emergency; or 'rapidly,' with the ultimate deadline being 10 days when no notification to an enforcing authority is required, or if notification is given but the service provider considers that there are no grounds for refusal.
Service providers have the right to contest the EPOC and EPOC-PR under specific circumstances: if the order would infringe immunities or privileges; if it would contravene rules on the determination or limitation of criminal liability tied to freedom of the press or freedom of expression in other media; or, exclusively for EPOC, if there is a conflict with the applicable laws of a third country. Additionally, service providers can request clarification if the order is incomplete, contains errors, or lacks necessary information.
If compliance is impossible due to circumstances beyond the recipient's control, the recipient must inform both the issuing and enforcing authorities, and the order no longer needs to be executed if the issuing and enforcing authorities reach the same conclusion. If the recipient fails to provide the requested information within the deadline, it must inform the issuing and enforcing authorities and provide reasons. The issuing authority will review the order and may set a new deadline if necessary.
The EPOC presents certain challenges from a data protection point of view: when a service provider provides electronic evidence to a competent law enforcement authority, information about the individual to whom the electronic evidence relates will necessarily also be disclosed. Interestingly, the initial proposal of the e-evidence Regulation was more focused on safeguarding individual privacy, stipulating that service providers must avoid prejudicing the privacy of data subjects. Even so, Article 13 of the adopted e-evidence Regulation still seeks to balance the need for law enforcement to access electronic evidence with the protection of privacy. Indeed, service providers are allowed to delay or restrict notification in certain circumstances. Moreover, the e-evidence Regulation emphasizes the importance of informing individuals and providing information about available remedies. Additionally, the obligation to ensure the confidentiality and integrity of the data and of the order itself is a positive measure for privacy protection.
The e-evidence Regulation requires that Member States establish regulations to penalize the non-execution of the EPOC and EPOC-PR. These sanctions include administrative fines, which can amount to a maximum of 2% of the total worldwide annual turnover of the service providers.
Designated establishment and legal representative
Finally, the Directive complements the Regulation and aims to ensure that orders issued by the competent authorities of a Member State to obtain electronic evidence are received by the service providers providing services in the EU, complied with, and subject to enforceable measures in cases of non-compliance.
The Directive applies to orders and decisions to obtain electronic evidence, whether under MLA, EU law, or national law. In terms of geographical scope, it aligns with the e-evidence Regulation, applying to service providers that offer their services within the EU. However, an exception is made for service providers established in a single Member State and exclusively providing services within the territory of that same Member State.
The Directive requires Member States to enact regulations that impose an obligation upon service providers to notify a central authority (according to Article 6 of the e-evidence Directive) in the Member State where they have an establishment or where they have a legal representative. This notification should encompass details regarding the designated establishment or legal representative, as well as the official language to communicate with it. The designated establishment or legal representative will be the point of contact and ensure compliance with orders and/or decisions. Furthermore, Member States shall publish and update the information on the "dedicated web page of the European Judicial Network in criminal matters." This facilitates accessibility for issuing authorities operating within the scope of the e-evidence Regulation.
The Regulation combined with the Directive will bring a tremendous change in the way EU cross-border criminal investigations are conducted. It will give great powers to the issuing country to ensure that its investigations can move forward rapidly despite obstacles prevalent in other jurisdictions. The incorporation of sanctions in national law to hold service providers accountable should provide a sufficient deterrent to obtain a quick response to an issued order.
However, this improvement comes with associated risks. Firstly, the issuance of EPOC and EPOC-PR could potentially clash with fundamental rights within the EU, such as freedom of expression or freedom of the press. Additionally, service providers may frequently find themselves grappling with national sensitivities that vary across jurisdictions. Lastly, the deterrent effect of the sanctions might push providers to act hastily and potentially infringe on their users' rights.
These recent legal initiatives have shown the EU's determination to shift the paradigm and to create a better-regulated online world, where information society service providers will no longer be bystanders but leading actors. The new paradigm will force service providers to allocate resources for handling requests and ensuring compliance.