In order to improve the access of investigating authorities to electronic evidence, the Commission presented EU rules on cross-border issuing and securing of electronic evidence in 2018. After a year and a half of intense negotiations, on Tuesday the EU Parliament and Council have found a political agreement on the core elements of the framework for collecting and securing the so-called e-evidence.
In the coming weeks, EU negotiators will agree on the final technical points of the legislative package before the final texts for the regulation and the associated directive can be adopted by the Parliament and the Council later in the year.
Birgit Sippel, S&D home affairs spokesperson and Parliament’s negotiator:
“As everyday life moves online, criminal activity also takes place more online. E-evidence plays an increasingly important role in investigations and criminal proceedings. With evidence often stored in service providers like social networks that are based in other Member States, access to evidence can be a lengthy and cumbersome process and data is too often deleted in the process.
The provisional agreement reached today represents a major paradigm shift in police and judicial cooperation with service providers in the EU: for the first time, national investigating authorities may make a direct request to service providers in other Member States to hand over or secure electronic evidence, through surrender orders with clear deadlines and uniform rules across the EU. Despite improving the efficiency of cross-border criminal investigations, direct cooperation between the authorities of one EU country and the service provider of another also poses a number of risks related to fundamental rights, in particular privacy and data protection, but also to procedural rights due to the differences in criminal law across the EU.
As a long-standing advocate for the notification of orders, above all when personal data is at risk, I fought hard to secure safeguards so that investigating authorities have to inform the authorities of the other Member State and give them an opportunity to refuse an order in specific circumstances, in particular where fundamental rights are at stake. Parliament’s insistent position throughout the negotiations will mean that more efficient criminal investigations and the protection of fundamental rights will go hand in hand and that personal data is safely only transmitted for specific purposes in criminal investigations.”
Note to editors
As part of the negotiations on e-evidence rule, Parliament achieved the following important safeguards:
- As part of the new rules, in surrender orders for content data and traffic data, where such data is not requested solely for the identification of a person, the Member State in which the service provider is located will be informed at the same time as the service provider is addressed (through so-called “notification”) unless the accused person of the crime has its permanent residence in the issuing State and the crime was or is likely to have been committed exclusively in the issuing State. The notified authority may then refuse the order within 10 days, or 8 hours in case of emergency, based on a list of reasons. The service provider must secure the data during this period, but would not be able to release it until the deadlines have expired and there is no refusal.
- If the crime under investigation is not a crime in the service provider’s country, this would be included in the list of possible grounds for refusal. Similarly, if handing over the data would constitute a violation of the fundamental rights enshrined in the Charter and the EU Treaties, this would also be grounds for refusal. As violations of fundamental rights are more likely by authorities under an ongoing rule of law procedure, such as Poland and Hungary and the so-called Article 7 procedure, special provisions underline that in these cases a surrender order can be refused on the basis of an assumed violation of fundamental rights.
- Under the provisional rules, service providers can also bring surrender orders not only to the attention of the issuing authority, but also to the authorities of the country in which they are located, for example if they restrict media freedom.
- With Parliament’s pressure, the package has been brought into line with existing EU data protection law. For example, orders have to be sent to data controllers, in principle, and can only be addressed to data processors under certain conditions. Especially when it comes to sensitive data like health records, this is crucial.
Finally, the co-legislators generally agreed on the framework for an EU-wide platform through which the orders to the service providers, but also the data sent to the authorities, will be transmitted. Such an EU platform is the only way service providers can be sure that an order is genuine and not falsified, and to guarantee confidential data is safely and securely shared with investigating authorities.