A view from Brussels: e-Evidence implementation deadline looms

Back in 2023, the European Union adopted a package of measures with a directive and a regulation pertaining to cross-border access to electronic evidence. Said otherwise: the EU e-Evidence regulation will apply in three months — beginning 18 Aug.

According to the European Commission, more than half of all criminal investigations include a cross-border request to access electronic evidence such as texts, emails or messaging apps. Electronic evidence is needed in more than 80% of criminal investigations, according to the Commission. 

The number of requests introduced by law enforcement authorities to access e-evidence increased by 70% between 2013 and 2016.  The need for harmonization of rules across Europe was definitely there; so was facilitating international exchange among trusted partners — a conversation that ran in parallel, including with the U.S.

Yet despite the sense of importance and urgency, this process has been a decade in the making, dating back to 2015 when the Commission started to review issues related to cross-border access to e-evidence. 

The novelty of it is the European production order to enable a judicial authority in one member state to obtain e-evidence directly from a service provider — or its representative — in another member state. The time window to respond to new orders will be dramatically shortened, from 120 days on average today, to 10 days maximum for standard requests, possibly down to eight hours for emergency cases.

It also creates a European preservation order which allows authorities to request that e-evidence be preserved for 60 days, or longer if a subsequent request for production follows. 

The new framework will apply to electronic communications services, domain name and IP registration services, and digital services either enabling communication — like social media platforms, online marketplaces — or storing/processing data — such as, typically, cloud services providers. It has extraterritorial application, extending to providers based outside the EU but which serve European customers. 

The definition of e-evidence encapsulates among others: subscriber data, including debit or credit card information, personal unblocking key codes and basic information such as name, birthdate, etc.; IP address data; traffic data — call attempts, geographical coordinates of the base station servicing the call; and content data such as contact list, voicemail dump, device backup, etc.

During the negotiations, many thorny issues led to complex debate: how to balance the often-necessary secrecy of orders with the trust and transparency obligations that bind service providers to their customers and preserving fundamental rights; whether to direct the request to the service providers, that is cloud provider, or to the entity that is using their service; and how to empower an order's recipient to assess its legality and contest it as needed. 

The e-evidence package is one of many legislative, judicial and regulatory instruments that create a complex net of requirements for companies facing data requests from law enforcement authorities.