Electronic evidence: Council confirms agreement with the European Parliament on new rules to improve cross-border access to e-evidence

EU member states’ ambassadors today confirmed the agreement reached between the Council presidency and the European Parliament on the draft regulation and the draft directive on cross-border access to e-evidence. The agreed texts will make it possible for the relevant authorities to address judicial orders for electronic evidence directly to service providers in another member state.

With this agreement we respond to a key request by our judicial authorities. More and more crimes are planned or committed online and our authorities need the tools to prosecute them as they do for crimes offline. The new rules will allow judges and prosecutors to quickly access the evidence they need, regardless of where it’s stored, before it disappears.

Gunnar Strömmer, Swedish Minister of Justice

The regulation on European production and preservation orders for e-evidence in criminal proceedings seeks to introduce an alternative mechanism to the existing international cooperation and mutual legal assistance tools. It specifically addresses the problems stemming from the volatile nature of e-evidence and the ‘loss of location’ aspect by establishing new procedures for quick, efficient and effective cross-border access.

The regulation creates European production and preservation orders that can be issued by judicial authorities in order to obtain or preserve e-evidence regardless of the location of the data. These orders may cover any category of data, including subscriber, traffic and content data. A threshold has been established for traffic data (except for data requested for the sole purpose of identifying the user) and for content data. These can only be requested for crimes punishable in the issuing country by a maximum custodial sentence of at least three years, or for specific offences relating to cybercrime, child pornography, counterfeiting of non-cash means of payment or terrorism.

There is a mandatory deadline of 10 days to respond to a production order. In duly established emergency cases, the deadline may be reduced to eight hours. Service providers may face penalties if they do not comply with an order. Financial penalties may be imposed of up to 2% of their total worldwide annual turnover for the preceding financial year.

Except in cases where the issuing authority believes that the offence has been or will probably be committed in the issuing country and/or the person whose data is sought resides in its own territory, a notification system for traffic data (except for data requested for the sole purpose of identifying the user) and for content data will be created. This notification is intended to inform the enforcing state and give it an opportunity to assess and, where appropriate, raise one or more of the grounds for refusal set out in the legislation, for example, that the requested data is protected. The enforcing state will have 10 days or, in emergency situations, 96 hours, to raise the grounds for refusal. If this happens, the service provider will have to stop the execution of the order and not transfer the data and the issuing authority will withdraw the order. If, in emergency situations, the data has already been transferred, the issuing authority will delete or otherwise restrict the data or comply with given conditions when using the data.

The directive on the designation of designated establishments and appointment of legal representatives for gathering electronic evidence in criminal proceedings will be an essential instrument in applying the regulation. It establishes the rules applicable to the appointment of service providers’ legal representatives or designation of their designated establishments who are responsible for receiving and responding to such orders. This is necessary because of the lack of a general legal requirement for non-EU service providers to be physically present in the EU. In addition, the legal representatives or designated establishments appointed under this directive could also be involved in national procedures.

Background

More and more criminals are using technology to plan and commit offences. As a result, the authorities must increasingly rely on e-evidence to track them down and convict them.

However, gaining access to e-evidence can be a lengthy and complicated process, especially if the data is stored abroad. That is why, following calls from the European Council and the Council, the Commission proposed new rules in April 2018 to improve access to e-evidence.