Electronic evidence: the Commission takes steps to improve cross-border access

Digital evidence of criminal activity is increasingly relied on by prosecutors and courts in the fight against crime. However, existing mechanisms for collecting electronic evidence have proven to be inadequately slow and authorities have historically faced complex processes in their attempts to receive data stored in other countries.

In April 2018, the Commission attempted to address this by publishing new rules on obtaining electronic evidence.

The proposed Regulation intends to:

• create a European Production Order, allowing a judicial authority in one Member State to obtain electronic evidence (e.g. emails, text or messages in apps) directly from a service provider, such as Facebook or Twitter, in another Member State. The service provider will be obliged to respond within 10 days (or 6 hours in cases of emergency). This is incredibly rapid in contrast with the existing European Investigation Order, which requires responses within 120 days, and the Mutual Legal Assistance procedure which provides for an average of 10 months for responses.
• create a European Preservation Order, allowing a judicial authority in one Member State to request that specific data be preserved.
• include strong safeguards on fundamental rights, including the right to protection of personal data.
• provide legal certainty for businesses and service providers.

Additionally, the proposed Directive requires that service providers designate a legal representative in the Union to receive, comply with and enforce decisions and orders.

The above proposal is the result of a two-year preparation, during which consultations were held with law enforcement, judiciary, civil society, academics and others. In making the proposal the Commission sought to prevent the misuse associated with the “exponential increase in use of online services and apps”. The proposed system will circumvent Mutual Legal Assistance treaties, which have been criticised for being too slow.  

The Commission will also work on implementing practical measures, such as supporting cooperation with service providers and US authorities, as well as establishing a secure platform to rapidly exchange requests within the EU.

The proposed system will clearly have a big impact on tech companies, as law enforcement authorities will be able to demand data from them and they will be obliged to comply within a short timeframe. This has led to controversy, with privacy advocates criticising the level of power authorities will have over user data retained by companies. Under the rules, companies will have the option to appeal legal orders but will face sanctions if they refuse to respond to demands. 

The Regulation can be found in full here, and the Directive can be found here.