E-Evidence Regulation: Facilitating Cross-Border Access to Electronic Evidence

Written By Nicoletta Kouvara

In today's dynamic digital landscape, where the majority of crime-related evidence is found online, quick and seamless access to electronic evidence is pivotal in criminal investigations. This is particularly crucial considering the surge in online payment transactions and the use of digital platforms. However, it appears that law enforcement and judicial authorities lack the necessary tools to investigate and prosecute cyber-enabled crime and other similar activities.

Recognising the need for seamless access to electronic evidence to combat financial crime and to establish a procedural framework aligned with the digital age, the European Union (EU) has introduced the e-evidence legislative package. This package comprises the EU Regulation on European Production and Preservation Orders (the "E-Evidence Regulation") and the EU Directive laying down harmonised rules on the designation of designated establishments and the appointment of legal representatives (the "Directive"). The E-Evidence Regulation enables judicial authorities to directly request relevant data from service providers offering their services in the EU, while the Directive mandates that service providers appoint a legal representative or designate a designated establishment for the execution of orders related to electronic evidence. The E-Evidence Regulation will be applicable from August 18, 2026, and the Directive shall be transposed by EU Member States into national law by February 18, 2026.

The primary objective of this regulatory framework is to enhance cross-border access to electronic evidence for judicial authorities involved in criminal proceedings. This article explores the implications of the E-Evidence Regulation for service providers, shedding light on key provisions and their significance in ensuring effective investigations.

Challenges Faced by Law Enforcement in this Digital Era

Currently, to obtain cross-border electronic evidence, law enforcement and judicial authorities resort to judicial cooperation channels such as the processes laid down by the Convention on Mutual Assistance in Criminal Matters and the Directive 2014/41/EU regarding the European Investigation Order in criminal matters. Such processes lack a harmonised legal framework, leading to uncertainty and proving to be ineffective when dealing with volatile electronic evidence that can be easily deleted, resulting in the loss of leads for law enforcement authorities. This uncertainty can also complicate compliance for service providers with their data protection obligations under the General Data Protection Regulation (EU) 2016/679 (“GDPR”) before disclosing any data to law enforcement authorities across the globe upon receipt of a request issued through the aforementioned channels. With the introduction of the E-Evidence Directive, the EU Commission intends to eliminate such challenges faced by both law enforcement and service providers within this fragmented legal framework.

Significance of E-Evidence Regulation in Criminal Investigations

In the realm of modern criminal investigations, electronic evidence serves as a crucial tool, providing valuable insights into various criminal activities such as online fraud, money laundering, terrorism, and the identification of perpetrators. The E-Evidence Regulation shall streamline the process of accessing electronic evidence for investigating financial crimes. With the new regulation, law enforcement authorities will be able to directly request data from service providers, and service providers will be able to share requested data with law enforcement authorities seamlessly by following appropriate and harmonised procedures. By expediting the investigation process, the E-Evidence Regulation aims to ensure the swift detection and prosecution of financial crimes, providing a streamlined mechanism that aligns with GDPR compliance requirements.

Scope of Application

The E-Evidence Regulation applies to service providers offering their services within the EU. This includes electronic communication services, such as internet access services, messaging services, and email services. It also covers internet domain name and IP numbering services, as well as other information society services that enable users to communicate or process data, such as social media platforms, online marketplaces, online gaming platforms, and online gambling platforms. It is noted that service providers providing financial services, such as banking, credit, insurance and re-insurance, occupational or personal pensions, securities, investment funds, payment, and investment, including the services listed in Annex I to Directive 2006/48/EC, are excluded from the scope of the regulation. The regulation applies not only to service providers established within the EU but also to those without a physical presence in the EU if they offer their services to users within the EU. This ensures that cross-border access to electronic evidence is not limited by the geographical location of the service provider.

Types of Data Covered

The E-Evidence Regulation covers various categories of data essential for criminal investigations. The term ‘electronic evidence’ under the E-Evidence Regulations covers subscriber data, traffic data, or content data stored by or on behalf of a service provider, in an electronic form, at the time of the receipt of a European Production Order Certificate (EPOC) or of a European Preservation Order Certificate (EPOC-PR).

The Regulation distinguishes between the following categories of data:

  • Subscriber data: Information held by a service provider relating to the subscription to its services pertaining to the identity of a subscriber (e.g., name, address, email, payment data) and the type of services and its duration (e.g., data about the interfaces used by the subscriber at the time of registration).

  • Traffic data: Data on usage behaviour (e.g., location of device, date, time).

  • Content data: Any data in a digital format such as text, speech, videos, images, and sound recordings.

  • Data requested for the sole purpose of identifying the user: This includes IP addresses and relevant source ports and timestamps required for identifying users in specific criminal investigations.

All data categories outlined above contain personal data which shall be protected accordingly under GDPR rules. However, the impact on fundamental rights, especially when it comes to the protection of personal data, varies among the different categories, necessitating more stringent safeguards for some categories. For example, while subscriber data and data requested for the sole purpose of identifying the user can be useful for first leads in an investigation about the identity of the suspect, traffic data and content data can constitute probative material. Therefore, additional requirements are imposed for law enforcement authorities when they request to obtain the latter category of data. It is also important to note that the new regulation will only apply to data that has already been stored by service providers and does not cover data that will be created in the future.

Designated Establishment and Legal Representative

The E-Evidence Regulation mandates that service providers offering their services in the EU appoint at least one legal representative or designate a designated establishment, also called the “addressee”, by 18 August 2026, in accordance with the requirements of the Directive.

Service providers that start offering services in the EU after that date shall designate a designated establishment or appoint at least one legal representative within 6 months from the date they start offering services in the EU. The legal representative or designated establishment will serve as the point of contact for receiving, complying with, and enforcing European Production and Preservation Orders. Although service providers are free to choose in which Member State they designate their designated establishments or appoint their legal representatives, the designated establishments and legal representatives shall be established or reside (as applicable) in a Member State where the service provider provides services or is established.

Failure to comply with an order addressed to a designated establishment or a legal representative can result in legal consequences for both the designated establishment or legal representative and the service provider itself.

A decentralised IT system operated by each Member State will be introduced to provide for efficient and secure communication and data exchange for the purposes of the E-Evidence Regulation between competent authorities and designated establishments or legal representatives of service providers.

European Production and Preservation Orders

Under the E-Evidence Regulation, issuing authorities (i.e. a competent authority in the Member State in which an order is issued) can directly request relevant data from service providers within the EU through European Production Orders which can be transmitted through a European Production Order Certificate (EPOC) (as per Annex I of the E-Evidence Regulation) addressed to the designated establishment or legal representative of the service provider in question. When issuing authorities request content data and traffic data from service providers, they must also notify the enforcing authority in question (i.e. an authority in the Member State in which the designated establishment is established or legal representative resides to which an order is transmitted) at the same time as they transmit the EPOC. Further, the issuing authority shall, without undue delay, inform the person whose data are being requested, an essential element of data protection rights.

To prevent the deletion or alteration of electronic evidence, issuing authorities can issue European Preservation Orders which can be transmitted through a European Preservation Order Certificate (EPOC-PR) (as per Annex II of the E-Evidence Regulation) addressed to the designated establishment or legal representative of the service provider in question. These orders oblige service providers to preserve the data for a specified period and shall be necessary for and proportionate to the purpose of preventing the removal, deletion or alteration of data with a view to issuing a subsequent request for production of those data through mutual legal assistance, a European Investigation Order (EIO) or a European Production Order.

Timelines for the Transmission and Preservation of Data

The E-Evidence Regulation sets specific timelines for the transmission of data and the preservation of evidence. In regular cases, service providers must transmit the requested electronic evidence to the issuing authority within 10 days of receiving the EPOC. In emergency cases, the time frame is reduced to eight hours. For European Preservation Orders, service providers are required to preserve the data for 60 days, with the possibility of an additional 30-day extension by the issuing authority where necessary. This ensures that the evidence remains intact and available for future requests.

Issuance and Refusal of Orders

European Production Orders may be issued by competent judges, courts and investigating judges to obtain data of any category whereas competent public prosecutors only have authority to issue such orders to obtain subscriber data and data requested for the sole purpose of identifying a user. Preservation Orders may be issued by competent judges, courts, investigating judges and public prosecutors for the preservation of data of any category. Both types of orders can also be issued by any other competent authority if these are validated by a judge, a court, an investigating judge or a public prosecutor in the issuing Member State.

These orders are issued based on the necessity and proportionality to the criminal case at hand. The issuing authority must consider the rights of the suspect or accused person and ensure that the order could have been issued under similar conditions in a domestic case.

In the event that the service providers consider that an EPOC should not be executed because, for instance, doing so would interfere with immunities or privileges, the EPOC is incomplete, contains insufficient information or manifest errors or there is a de facto impossibility in doing so, it shall inform the issuing authority (and the enforcing authority if notification took place) without undue delay. The issuing authority will review the order and may set a new deadline for the production of the data.

Additionally, where an issuing authority has notified an enforcing authority, because the order relates to the production of content data and traffic data, the enforcing authority may, as soon as possible and within 10 days following receipt of the notification (in emergency cases at least within 96 hours), raise certain grounds for refusal. These grounds include that the data is protected by immunities or privileges,  the conduct on which the proceedings are based is not punishable in the enforcing state, execution of the order would entail a manifest breach of fundamental rights and execution of the order would be contrary to the ne bis in idem principle.

Compliance and Penalties

Compliance with the E-Evidence Regulation is crucial for service providers as well as designated establishments or legal representatives and service providers themselves as both can be held liable if they fail to comply with European Production and Preservation Orders. Member states are required to implement penalties for non-compliance and shall ensure that penalties of up to 2% of the total worldwide annual turnover of the service provider’s preceding financial year can be imposed. Service providers will however be able to claim reimbursement from the issuing state, if this is reflected in the national law in question, to cover their costs for responding to such orders.

The potential penalties underscore the importance of establishing internal processes and technical capabilities to ensure smooth compliance with the regulation. Service providers should allocate resources to handle requests for electronic evidence and develop robust systems to preserve and transmit data securely.

More information

In an aim to contribute to the overarching goal of creating a safer digital environment and protecting customers from fraudulent activities but also in view of being prepared for when any orders may come their way in the future, service providers should prepare for the E-evidence Regulation and the Directive by establishing appropriate internal processes. If you would like to learn more about your obligations as a service provider, please contact Aptus Legal by clicking here or send an email to info@aptuslegal.com

Nicoletta Kouvara
Previous

PSD3 & PSR: advancing the payments market in Europe
Next

Online Marketplaces: Navigating the Regulatory Landscape for Seamless Transactions