In April of this year, the European Commission published the e-Evidence Initiative, intended to create a new framework for EU Member States to access content data and metadata, collectively known as e-evidence, across national borders.
This initiative will provide new tools for law enforcement to obtain data stored across national borders for criminal investigations, and will enable law enforcement institutions to get data directly from providers (even those outside of the EU), potentially regardless of which entity in the provider’s corporate structure has possession or custody over the data. This bears a similarity to the USA’s Clarifying Lawful Overseas Use of Data (the “CLOUD”) Act. The proposal comes in the form of a directive and a regulation.
The Directive requires providers of certain online services to keep a legal representative in the EU. The representative must be able to process orders from authorities in any Member State to preserve or produce electronic data for criminal proceedings, including orders from authorities in Member States where they do not conduct business. If the representative is unable to do so, both the legal representative and the provider may be subject to sanctions.
The Regulation would create two new legal instruments: a European Production Order (“EPO”) and a European Preservation Order (“EPrO”). Member State authorities could use these orders to compel the preservation or production of data. A variety of technology companies would be covered by this, including electronic communications service providers, cloud providers, social networks, online marketplaces, hosting service providers, and providers of internet infrastructure such as IP address and domain name registries. These instruments could not, however, be used to intercept real-time communications.
The Regulation would empower authorities in one Member State to use an EPO to directly compel a provider in a second Member State to disclose data. The provider must respond to an EPO within 10 days, or within 6 hours where there is “imminent threat to life or physical integrity of a person or to a critical infrastructure,” subject to certain exceptions.
Authorities may issue an EPO for access data for all criminal offenses, but only serious offences (such as those with a minimum of a three-year sentence in the issuing Member State, or certain cyber and terrorism-related crimes) can justify a request for content or transactional data.
Member State authorities could use an EPrO to directly compel a provider in a second Member State to preserve data (e.g., to prevent its deletion), regardless of where the data is stored. Authorities could issue an EPrO for all criminal offenses.
Challenging Production and Preservation Orders
Providers may object to EPOs and EPrOs on several grounds. A provider may oppose an order if it was not issued by a proper issuing authority, if the request cannot be complied with because it is impossible, if the provider is not storing the data in question, if the request is not for services covered by the Regulation, or if it is apparent that the order “manifestly violates” the EU Charter of Fundamental Rights or is “manifestly abusive”. In addition, the proposed Regulation establishes two mechanisms through which a provider could challenge an EPO.
First, the provider may refuse to comply with an EPO because disclosure would force it to violate a third-country law that either protects “the fundamental rights of the individuals concerned” or “the fundamental interests of the third country related to national security or defence.” Where a provider raises such a challenge, issuing authorities can request review of the order by a Member State court. If the court establishes that a conflict exists, it must notify authorities in the third country; if that third country objects to execution of the order, the court must set it aside.
Second, a provider may refuse to comply with an order because it would force the provider to violate a third-country law that protects interests other than fundamental rights or national security and defence. In such cases, the parties follow the same procedures as above, except that the court, rather than notifying the foreign authorities, conducts a multi-factor analysis to decide whether to enforce the order.
The e-Evidence Initiative would have several important policy consequences, not only for EU-based cloud customers, technology companies, and law enforcement authorities, but also for technology companies and cloud customers based outside of the EU.
By requiring providers within its scope to appoint a legal representative that can comply with Member State production and preservation orders, the Directive would give law enforcement authorities across the EU the ability to compel providers based outside the EU to produce data, potentially even regardless of which entity in the provider’s corporate group has possession or custody over the data. This reading could result in a significant expansion of Member State jurisdiction over digital data held by service providers located outside the EU.