The European Union intends to make it easier for EU law enforcement and judicial authorities to access privately stored cross-border electronic evidence in criminal matters. Currently, cross-border requests for such evidence often take months, involve multiple authorities, and pass through several rounds of disclosure requests and responses. The intention of the new regulation is to shorten this process to 10 days, and to as little as six hours in emergency cases.
The draft Regulation on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, the working title it has been given, will have important consequences for service providers offering services in the EU. Organizations that are in scope under the new regulation can be compelled to preserve and/or produce electronic evidence, irrespective of where data are stored (including if data are stored outside the EU) and irrespective of whether personal information is involved. The involvement of personal information can put service providers in a tight spot under GDPR, as we will explore further in this alert.
Which organizations will be subject to the new rules?
The new rules are intended to apply to all service providers offering services in the EU. Under the current draft, an organization is considered to offer services in the EU if (i) the provider enables users in one or more Member States to use its services, or (ii) it has a substantial connection to the EU (e.g., establishment in the EU). By including a new ground for applicability in addition to an organization being established in the EU, the proposed regulation will (at least in theory) capture service providers located outside the EU. This is a significant expansion over the current framework.
Service providers are understood to include (a) electronic communications providers (such as telecommunications providers), (b) providers of information society services (which includes online marketplaces and cloud services), and (c) internet domain name and IP numbering services.
What types of information are covered?
The new rules apply to electronic evidence, meaning data stored in electronic form and which are relevant in criminal proceedings, irrespective of the nature of the data or the place of data storage (whether within or outside the EU). This too is a significant departure from the current framework and introduces extra-territorial application. It is uncertain to what extent this aspect of the law will be enforced in practice.
The new rules are intended to cover four categories of electronic evidence, namely (i) subscriber data (e.g., name, birth date, address, email, phone number), (ii) access data (e.g., log-in and log-off timestamps, IP address), (iii) transactional data (e.g., source and destination of a message, device location), and (iv) content data (e.g., text, voice, video, images, sounds). Each category is subject to different requirements for a valid request, but each of them can include personal information.
What types of requests can authorities make?
The proposed regulation provides for two types of requests, namely a “production order” and a “preservation order.” Upon receipt of a production order, service providers will be required to make available a copy of the requested electronic evidence. Preservation orders, in turn, will require organizations to preserve and maintain information for a period of 60 days, in anticipation of a production order. Both types of requests are subject to specific requirements on the part of the requesting authority, and legally binding on the service provider upon which they are served. As an example of specific requirements, an order to produce transactional or content data is limited to certain cybercrimes and terrorism-related offences or crimes that otherwise meet a minimum threshold.
What are the time periods for responding to a request for production?
Under the new rules, organizations will have to respond to requests for production within 10 days and, in case of an emergency, within six hours. This is a significant deviation from the existing framework. Currently, cross-border requests typically involve the participation of multiple authorities and responses to disclosure requests and can take up to 120 days for requests within the EU and up to 10 months for requests served on non-EU service providers under Mutual Legal Assistance Treaties (MLATs).
What are the risks under GDPR?
The new rules explicitly cover personal information and apply without regard to a service provider's qualification as a data controller or processor under GDPR. In its opinion on the new regulation, the European Data Protection Board criticized this approach and suggested that the new rules should either apply only to controllers or include an obligation for processors to inform the respective controller accordingly. So far, the EU legislature has not taken up this suggestion, and its final decision remains uncertain. Where service providers qualify as processors under GDPR, they may be subject to contractual limitations with their customers on providing personal information to law enforcement authorities. Responding to requests under the proposed regulation may therefore present challenges under their customer contracts.
What’s more, before complying with a request, service providers will also want to verify the validity of a request. The recitals to the draft regulation provide that service providers remain liable for their GDPR compliance, even if they comply with a request in good faith. This means that, in practice, a service provider will want to verify the validity of any request under the proposed regulation, such as whether the request has been issued and/or validated by a competent authority, or whether the criminal offence cited justifies a production request under the new rules. Moreover, when responding to valid requests, organizations will still need to ensure GDPR compliance throughout the entire disclosure and preservation process, including ensuring adequate security and confidentiality for the information.
What are the next steps?
The new rules are still being negotiated within the EU lawmaking framework, and the definitive version will depend on a final agreement among the three legislative bodies (i.e., the Commission, the EU Council and the EU Parliament). Currently, the EU Parliament is formulating its position. Once its decision has been made, formal negotiations can commence. And while further changes to the draft new rules are therefore still possible, it is clear that the EU is moving ahead with streamlining cross-border access to electronic evidence.