The E-Evidence Proposals: Cross-Border Criminal Investigation Data

Just as the effective date for the GDPR’s data privacy mandates looms nearer, there’s another potential cross-border discovery law to monitor.

On the heels of the U.S.’s adoption of the CLOUD Act, the European Commission has released its E-Evidence Proposals, a Regulation and Directive that would provide criminal investigators in the EU with prompt access to electronic evidence such as emails and text messages. The European Commission states that these proposed rules are intended to level the field with criminals and terrorists who “exploit modern and electronic communication technologies to hide their criminal actions and evade justice.”

The E-Evidence Proposals

The proposed rules would require all “service providers that offer services” in the EU to turn over data in response to a member nation’s law enforcement request. Any service provider that extends its services to residents of the EU could be subject to these requirements, regardless of where it is headquartered or where it actually stores data.   Each service provider must appoint a representative who can accept and comply with requests for preservation or production of electronic evidence. Representatives must respond within 10 days for standard requests or within a mere six hours for emergency requests — or face sanctions.

There are four types of data encompassed under the proposed rules:

  • subscriber data, such as the name and date of birth of a customer;
  • access data, including when a customer accessed a service or what IP address that customer used;
  • transactional data, such as a message’s source and destination; and
  • content data, or the full text of any messages, images, videos, or other electronic content.

Much of that sounds like personal data subject to the GDPR, right? While the European Commission claims that “personal data covered by this proposal is protected” under the GDPR, the interplay between these two requirements is not yet clear.

Preservation orders can issue from any member nation’s law enforcement authority without judicial oversight, as can production orders for subscriber or access data. Production orders for transactional records or content data are somewhat more restricted, as they are limited to crimes such as terrorism or child sexual exploitation and must be issued by a court, not merely a law enforcement agency. Otherwise, these orders can issue regardless of whether the crimes being investigated are serious.

The upshot of all this is that, under the proposed rules, a court in any EU member state could obtain emails, text messages, and other electronic evidence — and the sender’s identifying information — “directly from a service provider or its legal representative.” Requested “data must be preserved and produced, irrespective of the place of data storage.”

While the proposals provide a means for service providers to challenge orders, their practical ability to do so is questionable.

If the E-Evidence Proposals are passed, expect a tremendous volume of criminal investigation data requests. The European Commission states that investigators need electronic evidence in “around 85% of criminal investigations,” and that over half of those law enforcement investigations “involve a cross-border request to access electronic evidence.”

What’s Next?

At this point, these rules are only proposals, pending their review by the EU member countries and the European Parliament. But with widespread ramifications, the E-Evidence Proposals bear close observation.