New European rules e-evidence: major impact on service providers?


On 7 December 2018 the Council of Ministers of the European Union approved a proposal for a regulation on electronic evidence in criminal proceedings. Together with a directive, the regulation forms the ‘e-evidence package’. If the proposed rules are also adopted by the European Parliament, they will enable police and judicial authorities to obtain electronic evidence from abroad more quickly and effectively. Irrelevant to service providers? On the contrary. Under the proposed rules, police and judicial authorities in Europe can issue a European Production Order or a European Preservation Order directly to a service provider. The proposed rules will therefore affect every service provider that offers its services in the European Union. What should a service provider do when it receives a European Production Order or a European Preservation Order? Is it obliged to comply, or may it refuse? And how much impact will the new rules have on service providers?

European Production Order and European Preservation Order

The e-evidence package introduces two new orders: a European Production Order and a European Preservation Order. The service provider will receive such an order directly from the judicial authority of the Member State concerned. When the service provider receives a Production Order, it must transfer the requested data. In the case of a European Preservation Order, the data must be retained. The service provider must transmit the requested data within 10 days and, in an emergency, even within 6 hours. This is much faster than under the current procedures, which can take up to 120 days or 10 months depending on the procedure.

To which service providers will the new rules apply?

Any service provider providing services for communication purposes within the European Union is subject to the new regulation and directive. These are providers of electronic communications services, social networks (such as Facebook and Twitter), online marketplaces (such as eBay), providers of cloud and hosting services (such as TransIP and Hostnet), and providers of internet infrastructure such as IP addresses and registries of domain names. It makes no difference whether the company’s headquarters are located within or outside of the European Union, or where the data is stored. An order may also be addressed to a service provider in the United States or China for example, as long as it provides services in the European Union. This means that these new rules will affect a huge number of companies worldwide.

To what data will the new rules apply?

The orders may only relate to stored data about a person in concrete criminal proceedings. Think of identifying data, IP addresses, metadata, text messages, e-mails, photos or app messages. ‘Real-time’ interception of telecommunications (such as telephone taps or Skype call taps) and future data (such as e-mail messages sent later) are excluded.
Both orders can relate to four categories of data: 1) subscriber data, 2) access data, 3) transactional data and 4) content data. The order to produce subscriber and access data can be issued for any criminal offence – including simple traffic offences – and may be sent without prior intervention of a judicial authority. The order for producing transactional or content data may only be issued for criminal offences punishable in the issuing state by a custodial sentence of a maximum of at least 3 years, or for specific offences related to cybercrime or terrorism. It is unclear to what extent service providers are responsible for checking whether an order adheres to these criteria.

Are service providers obliged to comply with a European Production Order or a European Preservation Order?

Yes, service providers are obliged to comply with such an order. If service providers fail to comply with their obligations, they risk being fined 2% of their annual worldwide turnover.

What if the service provider cannot/will not comply with the order?

In that case it can lodge an objection, but only on a limited number of grounds. This is possible, for example, if the service provider does not have the requested data or if the order has not been issued by the correct authority. Objection is also possible if an order would violate the Charter of Fundamental Rights of the European Union or if an order would be abusive. The proposed rules are not clear on whether lodging an objection in these cases is mandatory.

What objections could service providers have against the new rules?

From a service provider’s point of view, there are several objections to the e-evidence package. For starters, it is unreasonable to expect every service provider to be able to check foreign legal orders; this requires extensive knowledge of the law. It is also not advisable for service providers to rely blindly on the correctness of such an order, because the legal consequences of (accidental) incorrect decisions by service providers are unclear. For example, will service providers be liable to the person whose data they have wrongly provided? Or will they be liable to the issuing authority for damages resulting from a late or wrong decision? If so, they run a liability risk as well as the risk of a substantial fine. There is also a risk to the service provider’s reputation if it transfers data and the order turns out to be abusive. In addition, the orders will place a great burden on the service provider’s administration, especially considering the short response time. At the very least, financial compensation would be appropriate. The current proposals, however, do not mention this.

To sum up, the e-evidence package – in its current form – will have a considerable impact on service providers worldwide. It is to be hoped that the European Parliament will also recognise this and not simply agree to the proposals without any reservations.

We will keep you posted on the developments regarding this topic. If you have any questions in the meantime, please feel free to contact us.
