The new EU regulation on electronic evidence will enable law enforcement authorities from one EU member state to order service providers in other EU member states to surrender digital evidence. Providers who fail to comply within ten days or, in urgent cases, within eight hours, could face fines of up to two percent of their global group turnover.
We manage our calendars online, store photos in the cloud, many of us haven’t seen the inside of a bank building for a long time, AI systems answer all our questions and physical letters are reserved for exceptional situations. Our lives are increasingly taking place in the digital space, both privately and professionally. A natural consequence of this trend is the steady rise in the number of cases of cybercrime. Be it phishing, hate postings or cyber-stalking, electronic evidence plays a decisive role in the detection of such crimes. Especially IP addresses are often an important starting point for investigations.
Increasing relevance of electronic evidence
Electronic data often provides powerful evidence even for traditional crimes such as assault, theft or fraud. The relevance of such data is well known, think of chat messages by politicians or the Instagram stories of a terrorist. According to statistics from the Council of the European Union, digital data is already used in 85 % of all criminal investigations in Europe. This trend is likely to intensify in the future. Combined with the increasing internationalization of crime, this poses new challenges for law enforcement authorities.
Data stored in foreign countries pose difficulties
Criminal investigations in connection with electronic evidence that has no connection to a foreign country can regularly be carried out on the basis of the criminal procedure law of the respective country. However, if the data is located abroad, it can only be obtained on the basis of international treaties. This can sometimes take ten months or longer, if the required data is at all available by then.
In place since 2017, the European Investigation Order enables courts and public prosecutors in EU member states to request evidence from authorities in other member states. Yet it does not offer a satisfactory solution either. This is because up to 120 days may elapse between the issuing of the investigation order and its execution. The European Commission recognized this problem and drafted a proposal for an E-Evidence Regulation back in 2018. The final text of the regulation has now been adopted.
Directly addressing providers
The cornerstones of the E-Evidence Regulation are the European Production Order and the European Preservation Order, which are addressed directly to service providers (e.g., online platforms or telecommunications providers). Where the data is located plays no role. The orders cover all providers that offer their services in the EU and have a branch or registered office or a significant number of users in the EU, or direct their activities towards users in the EU.
One groundbreaking feature of the regulation is the obligation of providers to respond within ten days of receiving the order. In emergency cases, they must respond in as quickly as eight hours. This can significantly speed up investigation procedures.
Powers with limitations
Electronic evidence may include subscriber data, traffic data and content data. This may cover, for example, the identity of users, IP addresses, location data, but also messages or photos. The scope of application is therefore very broad, but the regulation is only intended to apply to criminal proceedings and the tracing of convicted criminals. Preventive investigations, for example in connection with suspected terrorist attacks, are not covered.
The production order is issued by a judicial authority to a foreign-based service provider and orders the surrender of electronic evidence. There is also the possibility of issuing a preservation order in order to prevent the data in question from being deleted.
Service providers may refuse to follow a production or preservation order for a number of reasons, for example if it conflicts with the freedom of the press or legal provisions of a non-EU country or if compliance is de facto impossible. However, refusing to comply generally poses a major risk for service providers. Refusal without an adequate justification can result in a penalty of up to two percent of the worldwide annual group turnover.
Service providers should therefore think twice before refusing to comply with an order, even if there is an obvious reason for refusal. This is a potential gateway for misuse of data. Orders that are overstepping the mark or are in breach of the regulation are more likely to be complied with given the threat of enforcement.
Significant potential of misuse
The question of the compatibility of the planned regulation with the EU Charter of Fundamental Rights is also giving rise to controversy, in particular the rights to respect for private and family life and to the protection of personal data. As a general rule, the surrender or preservation of evidence must be ordered by a judge or a public prosecutor. In emergency cases, however, the police may take action on their own initiative. In these cases, the legality of the order may only be reviewed retroactively. This harbors considerable potential for misuse.
It is also questionable how effective the legal protection mechanisms envisaged in the E-Evidence Regulation will prove to be in practice. The regulation provides for the establishment of effective legal remedies before a state court. However, the specific form of these legal remedies is left to the individual member states. It remains to be seen whether these rules will actually result in effective legal remedies, particularly in Member States where there is a deficit in the rule of law.
Uncertain legal landscape
For service providers, the E-Evidence Regulation entails substantial costs and new compliance risks. Service providers can only claim compensation for the costs of data transmission or data backup if the law of the issuing state provides for reimbursement of costs for comparable domestic orders. If this is not the case, service providers are left to bear the costs. Imposing the costs of criminal prosecution on service providers is, however, not in line with the fundamental right to property and the freedom to conduct a business. Against this backdrop, it is unclear why the EU legislator has not regulated the obligation to reimburse costs in a uniform manner.
The new regulation also addresses the risk of claims for damages by data subjects against service providers by way of an exclusion of liability. This applies in the event that the damage results from good faith compliance with a production or preservation order. However, it is again unclear from the text of the regulation where the limit of good faith lies. Combined with the financial risk in the event of non-compliance with an order, this poses a considerable challenge for service providers.
The regulation will enter into force on August 18, 2026. All in all, it raises a number of problems. There is obvious potential for misuse of data, fundamental rights are not effectively protected and service providers will have to face a high number of orders.
By Lukas Feiler, Partner IP Tech, Mark Nemeth, Associate IP Tech, and Ariane Mueller, Law Clerk IT Tech, Baker McKenzie