Explanatory Memorandum to COM(2018)225 - European Production and Preservation Orders for electronic evidence in criminal matters - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
dossier | COM(2018)225 - European Production and Preservation Orders for electronic evidence in criminal matters. |
---|---|
source | COM(2018)225 |
date | 17-04-2018 |
1. CONTEXTOFTHEPROPOSAL
• Reasons for and objectives of the proposal
Today, using social media, webmail, messaging services and applications (‘apps’) to communicate, work, socialise and obtain information has become commonplace in many parts of the world. These services connect hundreds of millions of users to one another. They generate significant benefits for the users’ economic and social wellbeing across the Union and beyond. However, they can also be misused as tools to commit or facilitate crimes, including serious crimes such as terrorist attacks. When that happens, these services and apps are often the only place where investigators can find leads to determine who committed a crime and obtain evidence that can be used in court.
Given the borderless nature of the internet, such services can be provided from anywhere in the world and do not necessarily require physical infrastructure, a corporate presence or staff in Member States where the services are offered or in the internal market as a whole. They also do not require a specific location for the storage of data, which is often chosen by the service provider on the basis of legitimate considerations such as data security, economies of scale and swiftness of access. As a result, in a growing number of criminal cases involving all types of crime1, Member State authorities require access to data that might serve as evidence and that is stored outside their country and/or by service providers in other Member States or third countries.
For situations where either the evidence or the service provider is located elsewhere, mechanisms for cooperation between countries were developed several decades ago2. Despite regular reforms, these cooperation mechanisms are under increasing pressure from the growing need for timely cross-border access to electronic evidence. In response, a number of Member States and third countries have resorted to expanding their national tools. The resulting fragmentation generates legal uncertainty and conflicting obligations and raises questions about the protection of fundamental rights and procedural safeguards for persons affected by such requests.
In 2016, the Council called for concrete action based on a common EU approach to make mutual legal assistance more efficient; to improve cooperation between Member State authorities and service providers based in non-EU countries; and to propose solutions to the problem of determining and enforcing jurisdiction3 in cyberspace4. The European Parliament similarly highlighted the challenges that the currently fragmented legal framework can create for service providers seeking to comply with law enforcement requests and called for a
European legal framework, including safeguards for the rights and freedoms of all concerned5.
See Sections 2.1.1 and 2.3 of the impact assessment.
Directive; with third countries, mutual legal assistance (MLA) mechanisms.
In this document, the term ‘enforcement jurisdiction’ makes reference to the competence of the relevant
authorities to undertake an investigative measure.
Conclusions of the Council of the European Union on improving criminal justice in cyberspace,
ST9579/16.
P8_TA(2017)0366.
3
4
5
The present proposal targets the specific problem created by the volatile nature of electronic evidence and its international dimension. It seeks to adapt cooperation mechanisms to the digital age, giving the judiciary and law enforcement tools to address the way criminals communicate today and to counter modern forms of criminality. Such tools are conditional on their being subject to strong protection mechanisms for fundamental rights. This proposal aims to improve legal certainty for authorities, service providers and persons affected and to maintain a high standard for law enforcement requests, thus ensuring protection of fundamental rights, transparency and accountability. It also speeds up the process to secure and obtain electronic evidence that is stored and/or held by service providers established in another jurisdiction. This instrument will co-exist with the current judicial cooperation instruments that are still relevant and can be used as appropriate by the competent authorities. In parallel, the Commission is working to strengthen the existing judicial cooperation mechanisms through measures such as the creation of a secure platform for the swift exchange of requests between judicial authorities within the EU and the investment of EUR 1 million to train practitioners from all EU Member States in mutual legal assistance and cooperation, with a focus on the United States as the third country receiving the largest number
For the serving and execution of orders under this instrument, authorities should rely on the legal representative designated by the service providers. The Commission presents today a proposal to ensure that such legal representatives are effectively designated. It provides a common, EU-wide solution for addressing legal orders to service providers by way of a legal representative.
• Consistency with existing EU legal framework in the policy area and the
Council of Europe Budapest Convention
The current EU legal framework consists of Union cooperation instruments in criminal matters, such as the Directive 2014/41/EU regarding the European Investigation Order in criminal matters7 (EIO Directive), the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union8, Council Decision 2002/187/JHA setting up Eurojust9, Regulation (EU) 2016/794 on Europol10, Council Framework Decision 2002/465/JHA on joint investigation teams11, as well as bilateral agreements between the
of requests from the EU6.
10
https://ec.europa.eu/home-affairs/sites/homeaffairs/files/docs/pages/20170522_non-paper_electronic_evidence_en.pdf
Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters, OJ L 130, 1.5.2014, p.1.
Council Act of 29 May 2000 establishing in accordance with Article 34 of the Treaty on European Union the Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union.
Council Decision 2002/187/JHA of 28 February 2002 setting up Eurojust with a view to reinforcing the fight against serious crime. In 2013, the Commission adopted a proposal for a Regulation to reform Eurojust (Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Criminal Justice Cooperation (Eurojust), COM/2013/0535 final).
Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA. Council Framework Decision 2002/465/JHA of 13 June 2002 on joint investigation teams.
6
8
9
11
Union and non-EU countries, such as the Agreement on Mutual Legal Assistance (‘MLA’) between the EU and the US12 and the Agreement on MLA between the EU and Japan13.
By introducing European Production Orders and European Preservation Orders, the proposal makes it easier to secure and gather electronic evidence for criminal proceedings stored or held by service providers in another jurisdiction. The EIO Directive, which has to a large extent replaced the Convention on Mutual Assistance in Criminal Matters, covers any investigative measure14. This includes access to electronic evidence but the EIO Directive does not contain any specific provisions on this type of evidence15. The new instrument will not replace the EIO for obtaining electronic evidence but provides an additional tool for authorities. There may be situations, for example when several investigative measures need to be carried out in the executing Member State, where the EIO may be the preferred choice for public authorities. Creating a new instrument for electronic evidence is a better alternative than amending the EIO Directive because of the specific challenges inherent in obtaining electronic evidence which do not affect the other investigative measures covered by the EIO Directive.
To facilitate cross-border gathering of electronic evidence, the new instrument will build on the principles of mutual recognition. An authority in the country where the addressee of the Order is located will not have to be involved in serving and executing the Order directly, except if there is non-compliance, in which case enforcement will be required and the competent authority in the country where the representative is located will intervene. The instrument therefore requires a set of robust safeguards and provisions, such as validation by a judicial authority in each case. For instance, European Production Orders to produce transactional or content data (as opposed to subscriber and access data) may only be issued for criminal offences punishable in the issuing State by a custodial sentence of a maximum of at least 3 years, or for specific cyber-dependent, cyber-enabled or terrorism-related crimes as referred to in the proposal.
Personal data covered by this proposal is protected and may only be processed in accordance with the General Data Protection Regulation (GDPR)16 and the Data Protection Directive for Police and Criminal Justice Authorities (Law Enforcement Data Protection Directive)17. The GDPR will enter into application on 25 May 2018, while the Law Enforcement Data Protection Directive has to be transposed by the Member States by 6 May 2018.
Union of the Agreement on extradition between the European Union and the United States of America
and the Agreement on mutual legal assistance between the European Union and the United States of
America.
European Union and Japan on mutual legal assistance in criminal matters.
Except for joint investigation teams (See Art. 3 EIO Directive); not all Member State participate in the
EIO Directive (Ireland, Denmark).
Except for a reference to the identification of a person holding an IP address in Art. 10(2)(e), for which
double criminality cannot be invoked as a ground for refusal to recognise and execute the request.
protection of natural persons with regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC.
protection of natural persons with regard to the processing of personal data by competent authorities for
the purposes of the prevention, investigation, detection or prosecution of criminal offences or the
execution of criminal penalties, and on the free movement of such data, and repealing Council
Framework Decision 2008/977/JHA.
12
3
4
5
6
17
The Council of Europe’s Budapest Convention on Cybercrime (CETS No 185), ratified by most EU Member States, establishes international mechanisms for cooperation against cybercrime18. The Convention deals with crimes committed via the internet and other computer networks. It also requires Parties to establish powers and procedures to obtain electronic evidence and to provide each other mutual legal assistance, not limited to cybercrimes. In particular, the Convention requires Parties to put in place production orders to obtain computer data from service providers in their territory and subscriber data from service providers offering services in their territory. Moreover, the Convention provides for preservation orders where there are grounds to believe that the computer data is particularly vulnerable to loss or modification. The service and enforceability of national production orders against providers established outside the territory of a Party to the Convention raises further issues. In that regard, further measures to improve cross-border access to electronic evidence are currently under consideration19.
• Summary of the proposed Regulation
The proposed Regulation introduces binding European Production and Preservation Orders. Both Orders need to be issued or validated by a judicial authority of a Member State. An order can be issued to seek preservation or production of data that is stored by a service provider located in another jurisdiction and that are necessary as evidence in criminal investigations or criminal proceedings. Such Orders may only be issued if a similar measure is available for the same criminal offence in a comparable domestic situation in the issuing State. Both Orders can be served on providers of electronic communication services, social networks, online marketplaces, other hosting service providers and providers of internet infrastructure such as IP address and domain name registries, or on their legal representatives where they exist. The European Preservation Order, similarly to the European Production Order, is addressed to the legal representative outside of the issuing Member State’s jurisdiction to preserve the data in view of a subsequent request to produce this data, for example via MLA channels in case of third countries or via an EIO between participating Member States. Unlike surveillance measures or data retention obligations set out by law, which are not provided for by this Regulation, the European Preservation Order is an Order issued or validated by a judicial authority in a concrete criminal procedure after an individual evaluation of the proportionality and necessity in every single case. Like the European Production Order, it refers to the specific known or unknown perpetrators of a criminal offence that has already taken place. The European Preservation Order only allows preserving data that is already stored at the time of receipt of the Order, not the access to data at a future point in time after the receipt of the European Preservation Order.
Both Orders can be used only in criminal proceedings, from the initial pre-trial investigative phase until the closure of the proceedings by judgment or other decision. The Orders to produce subscriber and access data can be issued for any criminal offence whilst the Order for producing transactional or content data may only be issued for criminal offences punishable in
18
19
In the 2013 Cybersecurity Strategy of the European Union, the Budapest Convention was recognised as the main multilateral framework for the fight against cybercrime - Joint Communication of the Commission and the High Representative of the European Union for Foreign Affairs and Security Policy on a Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, JOIN(2013) 1 final.
At its 17th Plenary (June 2017), the Cybercrime Convention Committee (T-CY) adopted the Terms of Reference of the preparation of a second additional protocol to the Convention (‘Second Additional Protocol’) to be prepared and finalised by the T-CY by December 2019. The aim is to move away from data storage location as a decisive factor.
the issuing State by a custodial sentence of a maximum of at least 3 years, or for specific crimes which are referred to in the proposal and where there is a specific link to electronic tools and offences covered by the Terrorism Directive 2017/541/EU.
Given the different levels of intrusiveness of the measures imposed in relation to the data pursued, the proposal sets out a number of conditions and safeguards. These include the obligation to obtain ex-ante validation of orders by a judicial authority. The proposal applies only to stored data. Real-time interception of telecommunication is not covered by this proposal. The measure is limited to what is necessary and proportionate for the purposes of relevant criminal proceedings. It also allows service providers to seek clarifications from issuing authorities where necessary. If these issues cannot be solved and the issuing authority decides to pursue enforcement, service providers may use the same reasons to oppose enforcement by its own authorities. In addition, a specific procedure is set up for situations where the obligation to provide data conflicts with a competing obligation arising from a third country law.
EU legislation protects the rights of the suspects and the accused in criminal proceedings, and there are already rules to protect personal data. However, for the persons whose data is being sought, these additional safeguards in the proposal provide procedural rights for these persons in or outside of the criminal proceedings. This includes the possibility to challenge the legality, necessity or the proportionality of the Order without restricting the grounds for the challenge in accordance with national law. The rights under the law of the enforcing State are fully respected by ensuring that immunities and privileges which protect the data sought in the Member State of the service provider are taken into account in the issuing State. This is especially the case where they provide for a higher protection than the law of the issuing State.
The Orders under the proposed Regulation are enforceable in the same manner as comparable domestic orders in the jurisdiction where the service provider receives the order. The Regulation provides that Member States should have effective and proportionate sanctions in place.
2. LEGALBASIS, SUBSIDIARITYAND PROPORTIONALITY
• Legal basis
The legal basis to support action in the field is Article 82(1) of the Treaty on the Functioning of the European Union. Article 82(1) provides that measures may be adopted in accordance with the ordinary legislative procedure to lay down rules and procedures for ensuring recognition throughout the Union of all forms of judgments and judicial decisions. Measures may also be adopted to facilitate cooperation between judicial or equivalent authorities of the Member States in relation to proceedings in criminal matters and the enforcement of decisions.
This legal basis applies to the mechanisms covered by this Regulation. Article 82(1) ensures mutual recognition of judicial decisions by which a judicial authority in the issuing State addresses a legal person in another Member State and even imposes obligations on it, without prior intervention of a judicial authority in that other Member State. The European Production or Preservation Order can lead to the intervention of a judicial authority of the executing State when necessary to enforce the decision.
• Choice of the instrument
Article 82(1) TFEU gives the Union’s legislator the possibility to adopt regulations and
directives.
As the proposal concerns cross-border procedures, where uniform rules are required, there is no need to leave a margin to Member States to transpose such rules. A regulation is directly applicable, provides clarity and greater legal certainty and avoids divergent interpretation in the Member States and other transp osit ion p roblem s that the Framework Decisions on mutual recognition of judgments and judicial decisions have encountered. Furthermore, a regulation allows for the same obligation to be imposed in a uniform manner in the Union. For these reasons the most appropriate form to be used for this mutual recognition instrument is considered to be a regulation.
Subsidiarity
Given the cross-border dimension of the problems addressed, the measures included in the proposal need to be adopted at Union level in order to achieve the objectives. The crimes for which electronic evidence exists frequently involve situations where the infrastructure in which the electronic evidence is stored and the service provider running the infrastructure are under a different national legal framework, within the Union or beyond, than the national legal framework of the victim and perpetrator of the crime. As a result, it can be very time-consuming and challenging for the competent country to effectively access electronic evidence across borders without common minimum rules. In particular, Member States acting alone would have difficulty addressing the following issues:
• Fragmentation of legal frameworks in Member States, which was identified as a major challenge by service providers seeking to comply with requests based on different national aws;
• Better expediency of judicial cooperation on the basis of existing Union legislation, notably via the EIO.
Given the diversity of legal approaches, the number of policy areas concerned (security, fundamental rights including procedural rights and protection of personal data, economic
issues), and the large range of stakeholders, Union-level legislation is the most appropriate
means to address the identified problems.
Proportionality
The proposal lays down rules under which a competent authority in the Union may order a service provider offering services in the Union and not established in the same Member State, to produce or preserve electronic evidence. Key features of the proposal, such as the material scope of the European Production Order, conditions ensuring comity, the sanctioning mechanism and the system of safeguards and legal remedies, limit the proposal to what is necessary to achieve its main objectives. In particular, the proposal is limited to requests for stored data (data from real-time interception of telecommunications is not covered) and to orders issued in criminal proceedings for a specific criminal offence under investigation. It therefore does not cover crime prevention or other types of proceedings or infringements (such as admini strativ e proceedings for infringements of the rules of law) and does not require providers to systematically collect or store more data than they do for business reasons or for compliance with other legal requirements. Moreover, while the Orders to produce subscriber and access data can be issued for any criminal offence, the Order for producing transactional
or content data may only be issued for criminal offences punishable in the issuing State by a custodial sentence of a maximum of at least 3 years, or for specific cyber-dependent and cyber-enabled offences defined in the proposal and terrorism related crimes. Finally, the proposal clarifies the procedural rules and safeguards applicable to cross-border access to electronic evidence but does not go as far as harmonising domestic measures. It is limited to what is necessary and proportionate to address the needs of law enforcement and judicial authorities in the digital age.
3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER
Contents
- CONSULTATIONS
- In the Union, mutual recognition mechanisms, now based on the European Investigation Order
- Council Decision 2009/820/CFSP of 23 October 2009 on the conclusion on behalf of the European
- Council Decision 2010/616/EU of 7 October 2010 on the conclusion of the Agreement between the
- Except for joint investigation teams (See Art. 3 EIO Directive); not all Member State participate in the
- Except for a reference to the identification of a person holding an IP address in Art. 10(2)(e), for which
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
- Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the
- Given the diversity of legal approaches, the number of policy areas concerned (security, fundamental rights including procedural rights and protection of personal data, economic
- In view of
- This Article
- Persons whose data was sought without them being suspects or accused persons in criminal proceedings shall also have a right to a legal remedy in the issuing State. All these rights are
ANDIMPACTASSESSMENTS
• Stakeholder consultations
Over a year and a half the Commission consulted all relevant stakeholders to identify problems and ways forward. This was done through surveys, ranging from an open public consultation to targeted surveys with the relevant public authorities. Group expert meetings and bilateral meetings were also organised to discuss the potential effects of EU legislation. Conferences discussing cross-border access to electronic evidence were also used to gather feedback on the initiative.
By and large, survey respondents perceived the increased use of information services to be a challenge for law enforcement, as the relevant authorities are often ill equipped to deal with evidence online. The lengthy process to obtain evidence is also recognised as one of the main obstacles. Other key issues public authorities highlighted include the lack of reliable cooperation with service providers, lack of transparency, and legal uncertainty surrounding jurisdiction for investigative measures. Direct cross-border cooperation between law enforcement and digital service providers was considered to add value in a criminal investigation. Service providers and some civil society organisations indicated the need to ensure legal certainty when cooperating with public authorities and to avoid conflicts of law. On concerns about how new EU legislation could affect rights, stakeholders felt specific safeguards should be guaranteed as a necessary condition for any cross-border instrument.
Feedback gathered from the inception impact assessment showed that stakeholders believed addressing the shortcomings of the current MLA system would make it more effective and improve legal certainty. Some civil society organisations were against EU-level legislation on direct cooperation. They preferred to limit EU action to improving mutual legal assistance procedures. This idea will be taken forward as part of the practical measures endorsed by the Council in June 2016.
Through a targeted survey to public authorities in the Member States, it was also revealed that there was no common approach on obtaining cross-border access to electronic evidence, as each Member State has its own domestic practice. Service providers also react differently to requests from foreign law enforcement authorities, and response times vary depending on the requesting Member State. This creates legal uncertainty for all stakeholders involved.
In general, the stakeholder consultation indicated that the current legal framework is fragmented and complex. This can lead to delays during the execution phase and a lack of effective investigation and prosecution of crimes involving cross-border access to electronic evidence.
• Impact assessment
The Regulatory Scrutiny Board issued a positive opinion on the impact assessment supporting this proposal20 and made various suggestions for improvement21. Following this opinion, the impact assessment was amended to further discuss fundamental rights issues associated with the cross-border sharing of data, in particular the links between the various measures that are part of the preferred option. The assessment was also modified to better reflect the views of stakeholders and Member States and how they were taken into account. Moreover, the policy context was reviewed to include additional references to various aspects, such as discussions in expert groups that helped to shape the initiative. The complementarity between different measures (in particular the EIO Directive, negotiations of an additional protocol to the Budapest Convention and the joint review of the EU-US MLA Agreement) was clarified in terms of scope, timing and depth, and the baseline scenario was revised to better reflect developments that are likely to occur independently from the adoption of the proposed measures. Finally, flowcharts were added to better describe the workflows for data sharing.
Four main policy options were considered besides the baseline scenario (Option O): a number of practical measures to improve both judicial cooperation procedures and direct cooperation between public authorities and service providers (Option A: non-legislative); an option combining the practial measures of Option A with international solutions at bilateral or multilateral level (Option B: legislative); an option combining the previous measures contained in Option B with a European Production Order and a measure to improve access to databases that provide subscriber information on a query basis, such as the Domain Name Whois (Option C: legislative); and an option combining all previous measures contained in Option C with legislation on direct access to remotely stored data (Option D: legislative)22.
If no measure is taken (Option O), an increasing number of requests will worsen the situation. All other options help to achieve the objectives of the initiative but to varying degrees. Option A would improve the efficiency of current processes, for example by improving the quality of requests, but the room for improvement would be limited by the structural shortcomings of the current system.
Option B would lead to more improvements by providing for internationally accepted solutions, but the outcome of these international solutions would to a large extent depend on third States. The solutions are therefore uncertain and unlikely to be as effective and offer as many safeguards as a Union solution.
Option C would clearly add value compared to the previous options by also providing for an intra-EU instrument on direct cooperation with service providers that would address most of the issues identified when there is a service provider that holds the data concerned.
22
Commission Staff Working Document – Impact Assessment accompanying the Proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters and the Proposal for a Directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings, SWD(2018) 118. European Commission Regulatory Scrutiny Board – Opinion on the Impact Assessment – Proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters and the Proposal for a Directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings, SEC(2018) 199. For details, cf. the Commission Staff Working Document – Impact Assessment accompanying the Proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters and the Proposal for a Directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings, SWD(2018) 118.
20
21
Option D is the most comprehensive package of solutions. In addition to the previous measures, it involves a legislative measure on direct access for situations where the involvement of a service provider is not needed.
The present legislative initiative that the Commission is proposing is based on the findings of the impact assessment. This legislation will be complemented by the practical measures as described in the impact assessment and by continued work towards an additional protocol to the Budapest Convention. Based on its legislative proposal, the Commission will also discuss with the US and other third countries the possibility of future bilateral or multilateral agreements on cross-border access to electronic evidence with accompanying safeguards. For measures on direct access and the access to databases, which form part of Option D, the Commission is at the moment not proposing any legislation, but will reflect further on the best way forward on these two issues.
The initiative is expected to enable more effective and efficient investigations and prosecutions while improving transparency and accountability and ensuring respect of fundamental rights. It is also expected to foster trust in the digital single market by improving security and reducing the perception of impunity for crimes committed on or through networked devices.
For public authorities, the initiative is expected to generate initial implementation costs, which in the long term would be offset by savings in recurrent costs. National authorities would have to adapt to new procedures and undergo training. However, after that authorities would benefit from the streamlining and centralisation and the clear legal framework governing requests for access to data, as these should generate efficiency gains. Similarly, as the preferred option would take pressure off judicial cooperation channels, countries receiving requests should see a reduction in the number of requests they are required to process.
Service providers would need to adapt to a new legislative framework by putting (new) procedures in place and training their staff. On the other hand, a harmonised framework could reduce the burden on those providers currently responding to requests for non-content data which have to assess them under the different laws of all Member States. Legal certainty and standardisation of procedures should also have a positive impact on small and medium-sized businesses, since they would alleviate administrative burden and favour competitiveness. Overall, the initiative is also expected to generate savings for them.
Fundamental rights
The proposal could potentially affect a number of fundamental rights:
• rights of the individual whose data is accessed: right to protection of personal data; right to respect of private and family life; right to freedom of expression; right of defence; right to an effective remedy and to a fair trial;
• rights of the service provider: right to freedom to conduct a business; right to an effective remedy;
• rights of all citizens: right to liberty and security.
Taking into account the relevant data protection acquis, sufficient and important safeguards are included in the proposed Regulation to ensure that the rights of these persons are protected.
Since the Orders can only be issued in criminal proceedings and if there are comparable national situations, both during the pre-trial and trial phase, all criminal law procedural safeguards are applicable. This includes in particular the right to a fair trial enshrined in Article 6 ECHR and Articles 47 and 48 of the Charter of Fundamental Rights. It also includes the relevant legislation at EU level on procedural rights in criminal proceedings: Directive 2010/64/EU on the right to interpretation and translation in criminal proceedings, Directive 2012/13/EU on the right to information about rights and charges and access to the case file, Directive 2013/48/EU on the right of access to a lawyer and communication with relatives when arrested and detained, Directive 2016/343 on the strengthening of certain aspects of the presumption of innocence and the right to be present at one’s trial, Directive 2016/800 on the procedural safeguards for children and Directive 2016/1919 on legal aid for suspects and accused persons in criminal proceedings and for requested persons in European arrest warrant proceedings.
More specifically, the prior intervention of a judicial authority when the Order is issued ensures that the legality of the measure and its necessity and proportionality to the case in question has been checked. This also ensures that the Order does not unduly impinge on fundamental rights, including the effects of legal principles such as the lawyer-client privilege. The issuing authority is required to ensure in the individual case that the measure is necessary and proportionate, including in view of the gravity of the offence under investigation. The proposal also includes thresholds for transactional and content data, ensuring that the European Production Order will only be used for more serious forms of crimes in relation to such data.
The right to an effective remedy for persons whose data is being requested is also explicitly addressed. Immunities and privileges of certain professions such as lawyers granted as well as fundamental interests of national security or defence in the State of the addressee must also be taken into account during trial in the issuing State. The review by a judicial authority serves as a further safeguard here.
As the Order is a binding measure, it also affects the rights of service providers, in particular the freedom to conduct a business. The proposal includes a right for the service provider to raise certain claims in the issuing Member State, for example if the Order has not been issued or validated by a judicial authority. If the Order is transmitted for enforcement to the enforcing state, the enforcing authority may decide not to recognise or enforce the Order if upon receipt any of the limited grounds for opposition are apparent, and after consulting with the issuing authority. In addition, should the procedure for enforcement be initiated, the addressee itself will be able to oppose the Order before the enforcing authority on the basis of any of such limited grounds. This includes, for example, cases where it is apparent that the Order was not issued or validated by a competent authority or where compliance would manifestly violate the Charter or be manifestly abusive. This does not preclude the right of the addressee to an effective judicial remedy against a decision imposing a sanction.
A potential issue related to EU measures in this area is the possibility that it could lead to third countries introducing reciprocal obligations for EU service providers which are not consistent with EU fundamental rights conditions, including the high level of data protection ensured by the EU acquis. The proposal addresses this situation in two ways: first, by providing a measure that contains strong safeguards and explicit references to the conditions and safeguards already inherent in the EU acquis, thus serving as a model for foreign legislation; and secondly, by including a specific ‘conflicts of obligations’ clause that allows service providers to identify and raise conflicting obligations they face, triggering a judicial
review. This clause is designed to ensure respect both for general blocking statutes, such as for example the U.S. Electronic Communications Privacy Act (ECPA), which prohibits disclosure in relation to content data within its geographic scope except in limited circumstances, as well as for laws that do not generally prohibit the disclosure but may do so in individual cases. For cases relating to ECPA, access to content data might be prevented in certain situations at present, and MLA should therefore remain the main tool to access such data. However, with the changes brought about by the adoption of the U.S. CLOUD Act23, the blocking statute could be lifted if the EU were to conclude an agreement with the US. Additional international agreements with other key partners may further reduce conflicts-of-law situations.
the above, the measures in this proposal are compatible with fundamental rights.
4. BUDGETARYIMPLICATIONS
The legislative proposal for a Regulation does not have an impact on the Union’s budget.
5.
OTHERELEMENTS
• Implementation plans and monitoring, evaluation and reporting arrangements
The Regulation is directly applicable in the Union. It will be directly applied by practitioners, without the need to modify internal legal systems.
The Regulation will be evaluated and the Commission will submit a report to the European Parliament and the Council at the latest 5 years after its entry into force. Based on the findings of the report, in particular on whether the Regulation leaves any gaps which are relevant in practice, and taking into account technological developments, the Commission will assess the need to enlarge the scope of the Regulation. If necessary, the Commission will submit proposals to adapt this Regulation. Member States will provide the Commission with the information necessary for the preparation of the report. Member States will gather the data necessary for the yearly monitoring of the Regulation.
The Commission will, if necessary, issue guidance for service providers to comply with obligations under the Regulation.
Detailed
explanation of the specific provisions of the proposal
REGULATION | ||
Article | Recital | |
I. Subject matter, definitions and scope | 1. Subject matter | 1-15 |
2. Definitions | 16-23 | |
3. Scope | 24-27 |
23
On 23 March 2018, the Clarifying Lawful Overseas Use of Data (CLOUD) Act was adopted in the United States. The CLOUD Act is available here.
II. European Production Order, European Preservation Order and Certificates, legal representative | 4. Issuing authority | 30 |
5. Conditions for issuing a European Production Order | 28-29, 31-35 | |
6. Conditions for issuing a European Preservation Order | 36 | |
7. Addressee of a European Production Order and a European Preservation Order | 37 | |
8. European Production Order Certificate and European Preservation Oder Certificate | 38-39 | |
9. Execution of an EPOC | 40-41 | |
10. Execution of an EPOC-PR | 42 | |
11. Confidentiality and user information | 43 | |
12. Reimbursement of costs | None | |
III. Sanctions and enforcement | 13. Sanctions | None |
14. Procedure for enforcement | 44-45, 55 | |
IV. Remedies | 15. and 16. Review procedure in case of conflicting obligations from the law of a third country | 47-53 |
17. Effective remedies | 54 | |
18. Ensuring privileges and immunities under the law of the enforcing State | 35 | |
V. Final provisions | 19. Monitoring and reporting | 58 |
20. Amendments to the Certificates and the Forms | 59-60 | |
21. Exercise of delegation | 60 | |
22. Notifications | None | |
23. Relationship to European Investigation Orders | 61 | |
24. Evaluation | 62 | |
25. Entry into force | None |
Chapter 1: Subject matter, definitions and scope
Article 1: Subject matter
This Article sets out the general scope and purpose of the proposal, which is to lay down the rules under which a competent judicial authority in the European Union may order a service provider offering services in the Union to produce or preserve electronic evidence through a European Production or Preservation Order. These instruments can only be used in crossborder situations, that is, in situations where the service provider is established or represented in another Member State.
This Regulation shall give additional tools to investigating authorities to obtain electronic evidence without limiting the powers already set out by national law to compel service providers established or represented on their territory. If the service provider is established or represented in the same Member State, authorities of that Member State shall therefore use national measures to compel the service provider.
The data ordered through a European Production Order should be provided directly to the authorities without the involvement of authorities in the Member State where the service provider is established or represented. The Regulation also moves away from data location as a determining connecting factor, as data storage normally does not result in any control by the state on whose territory data is stored. Such storage is determined in most cases by the provider alone, on the basis of business considerations24.
Moreover, the Regulation is also applicable if the service providers are not established or represented in the Union, but offer services in the Union. This is mirrored in Article 3(1).
When the proposal refers to a service provider established or represented in a Member State via a designated legal representative, the sole designation of a legal representative does not create an establishment of the service provider for the purpose of this Regulation.
Article 1(2) recalls that this Regulation shall not have the effect of modifying the obligation to respect the fundamental rights and legal principles as enshrined in Article 6 of the TEU.
Article 2: Definitions
sets out definitions which apply throughout the instrument.
The following types of service providers fall under the scope of the Regulation: providers of electronic communications services, providers of information society services for which the storage of data is a defining component of the service provided to the user, including social networks to the extent they do not qualify as electronic communications services, online marketplaces facilitating transactions between their users (such as consumers or businesses) and other hosting service providers, and providers of internet domain name and numbering services.
The scope of the Regulation covers providers of electronic communications services as defined [in the Directive establishing the European Electronic Communications Code]. Traditional telecommunication services, consumers and businesses increasingly rely on new
24 The impact assessment contains further explanations.
internet-based services enabling inter-personal communications such as Voice over IP, instant messaging and e-mail services, instead of traditional communications services. These services, along with social networks, such as Twitter and Facebook, which allow users to share content, should thus be covered by this proposal.
In many cases, data is no longer stored on a user’s device but made available on a cloud-based infrastructure allowing in principle access from anywhere. Service providers do not need to be established or to have servers in every jurisdiction but rather use a centralised administration and decentralised systems to store data and provide their services. They do so to optimise load balancing and shorten delays in responding to users' requests for data. Content delivery networks (CDNs) are usually deployed to speed up content delivery by copying content in several servers distributed throughout the globe. This enables companies to serve content from the server which is closest to the user or which can route communication through a less congested network. To take into account this development, the definition covers cloud and other hosting services that provide a variety of computing resources such as networks, servers or other infrastructure, storage, apps and services that make it possible to store data for different purposes. The instrument also applies to digital marketplaces that allow consumers and/or businesses to conclude transactions via online sales or service contracts. Such transactions are made either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace. It is therefore this marketplace that is in possession of electronic evidence that may be needed in the course of criminal proceedings.
Services for which the storage of data is not a defining component are not covered by the proposal. Although most services delivered by providers involve some kind of storage of data, especially where they are delivered online at a distance, services for which the storage of data is not a main characteristic and is thus only of an ancillary nature may be discerned, including legal, architectural, engineering and accounting services provided online at a distance.
Data held by providers of internet infrastructure services, such as domain name registrars and registries and privacy and proxy service providers, or regional internet registries for internet protocol addresses, may be of relevance for criminal proceedings as they can provide traces allowing for identification of an individual or entity involved in criminal activity.
The categories of data that can be obtained with a European Production Order by the competent authorities include subscriber data, access data, transactional data (the three categories commonly referred to jointly as ‘non-content data’) and stored content data. This distinction, apart from the access data, exists in the legal orders of many Member States and also in non-EU legal frameworks.
All categories contain personal data and are thus covered by the safeguards under the EU data protection acquis. The intensity of the impact on fundamental rights varies between them, in particular between subscriber data on the one hand and transactional and content data on the other hand. It is essential that all these categories are covered by the instrument: subscriber and access data are often the starting point to obtain leads in an investigation about the identity of a suspect. While transactional and content data can be the most relevant as probative material. Because of the different levels of interference with fundamental rights, it is justified to attach different conditions to subscriber data on the one hand and transactional and content data on the other, as is done in several provisions in the Regulation.
It is appropriate to single out access data as a specific data category used in this Regulation. Access data as defined here is pursued for the same objective as subscriber data, i.e. to identify the user, and the level of interference with fundamental rights is similar. It should therefore be subject to the same conditions as subscriber data. Hence this proposal introduces a new category of data, which is to be treated like subscriber data if the same aim is pursued.
Article 2 defines the Member States and authorities that could be involved in the procedure. A definition of the issuing authority is included in Article 4.
Emergency cases are exceptional situations that regularly require a timely reaction by service providers and for which special conditions will be applicable. They are therefore defined separately in this Article.
Article 3: Scope
This Article sets out the scope of the proposal. The Regulation applies to all service providers that offer services in the Union, including service providers that are not established in the Union. The active offering of services in the Union, with all the benefits deriving from it, justifies that these service providers are also made subject to the Regulation and creates a level playing field between participants on the same markets. Moreover, not covering these service providers would create a gap and make it easy for criminals to circumvent the scope of the Regulation.
In order to ascertain whether services are being offered, authorities need to assess whether the service provider enables legal or natural persons in one or more Member States to use its services. However, the mere accessibility of the service (which could also derive from the accessibility of the service provider’s or an intermediary’s website or of an email address and of other contact details) should not be a sufficient condition for the application of this Regulation. Therefore, a substantial connection to those Member States is required to ascertain a sufficient conjunction between the provider and the territory where it is offering its services. Such a substantial connection exists where a service provider has an establishment in one or more Member States. In the absence of an establishment in the Union, the criterion of a substantial connection to the Union should be assessed on the basis of the existence of a significant number of users in one or more Member States, or the targeting of activities towards one or more Member States. The targeting of activities towards one or more Member States can be determined on the basis of all relevant circumstances, including factors such as the use of a language or a currency generally used in a Member State. The targeting of activities towards a Member State could also be derived from the availability of an app in the relevant national app store from providing local advertising or advertising in the language used in a Member State, from making use of any information originating from persons in Member States in the course of its activities, or from the handling of customer relations such as by providing customer service in the language generally used in a Member State. A substantial connection is also to be assumed where a service provider directs its activities towards one or more Member States as set out in Article 17(1)(c) of Regulation 1215/2012 on jurisdiction and the recognition and enforcement of judgements in civil and commercial matters.
The European Production Order and the European Preservation Order are investigative measures that can be issued only in criminal investigations or criminal proceedings for concrete criminal offences. The link to a concrete investigation distinguishes it from preventive measures or data retention obligations set out by law and ensures the application of
the procedural rights applicable to criminal proceedings. The competence to open investigations for a specific offence is therefore a prerequisite to use the Regulation.
As an additional requirement, the data sought must be related to services offered by the service provider in the Union.
Chapter 2: European Production Order, European Preservation Order and Certificates
Article 4: Issuing authority
When issuing a European Production or Preservation Order, a judicial authority always needs to be involved as either an issuing or a validating authority. For Orders to produce transactional and content data, a judge or court is required. For subscriber or access data, this can be done also by a prosecutor.
Article 5: Conditions for issuing a European Production Order
Article 5 sets out the conditions for issuing a European Production Order. They have to be assessed by the issuing judicial authority.
The European Production Order may only be issued if this is necessary and proportionate in the individual case. Moreover, it should only be issued if a similar measure would be available in a comparable domestic situation in the issuing State.
Orders to produce subscriber data and access data can be issued for any criminal offence. Transactional and content data should be subject to stricter requirements to reflect the more sensitive nature of such data and the correspondingly higher degree of invasiveness of Orders for such data, as compared to subscriber and access data. Orders can therefore only be issued for offences which carry a maximum custodial sentence of at least 3 years or more. Setting a threshold based on the maximum custodial sentence allows for a more proportionate approach, together with a number of other ex ante and ex post conditions and safeguards to ensure respect for proportionality and the rights of the persons affected.
At the same time, a threshold should not undermine the effectiveness of the instrument and its use by practitioners. Member States apply various maxima for sentences that relate to their national system. National criminal codes vary and are not harmonised. This is the case for the criminal offences and for the sanctions applicable to them. National procedural codes also differ regarding the thresholds for obtaining transactional or content data: some Member States do not set out any specific threshold; others provide for a list of offences. A three-year threshold limits the scope of the instrument to more serious crimes, without excessively limiting the possibilities of its use by practitioners. This threshold excludes from the scope a wide range of crimes depending on the criminal code of the Member State (for example in some Member States participation in the activity of an organised criminal group and abduction, but also offences such as petty theft, fraud and assault for which the use of a crossborder production order for more sensitive data may be considered disproportionate). On the other hand, a three-year threshold includes crimes that require a more effective approach, such as membership in a criminal organisation, financing of terrorist groups, supporting or advertising a criminal organisation, training for the commission of terrorist offences, certain offences made with terrorist intent and preparation of an offence to be committed with terrorist intent, or preparation of hostage taking, which would otherwise be excluded if a higher threshold was applied, depending on the Member State. This threshold has been chosen to ensure a balance for all Member States between efficiency of criminal investigations and
protection of rights and proportionality. A threshold also has the advantage of being easily applicable in practice.
In addition, Orders for producing transactional or content data may also be issued for specific harmonised offences listed in the provision for which evidence will typically be available mostly only in electronic form. This justifies the application of the Regulation also in cases where the maximum custodial sentence is less than the above threshold; otherwise those offences could not be investigated properly, which might lead to impunity. The offences are specific provisions of: (i) Council Framework Decision 2001/413/JHA combating fraud and counterfeiting of non-cash means of payment, (ii) Directive 2011/93/EU on combating the sexual abuse and sexual exploitation of children and child pornography and replacing Council Framework Decision 2004/68/JHA and (iii) Directive 2013/40/EU on attacks against information systems and replacing Council Framework Decision 2005/222/JHA. Orders may also be issued for offences listed in Directive 2017/541/EU on combatting terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA. Some of these offences have minimum maximum thresholds of at least 1 year, others of 2 years, but none goes below a maximum threshold of 1 year.
The Article also sets out mandatory information that must be part of the European Production Order to enable the service provider to identify and produce the requested data. The reasoning with the grounds for the necessity and proportionality of this measure are also part of the European Production Order.
The European Production Order is implemented by issuing a European Production Order Certificate (EPOC) (see Article 8), which is translated and sent to the service provider. The EPOC contains the same mandatory information as the Order, except for the grounds for the necessity and proportionality of the measure or further details about the case.
In situations where the data sought is stored or processed as part of an infrastructure provided by a service provider to a company, typically in case of hosting or software services, the company itself should be the primary addressee of a request by the investigating authorities. This may require an EIO or MLA procedure where the company would not be a service provider covered by the scope of this Regulation. The service provider can only be addressed by a European Production Order if it would not be appropriate to address the request to the company, in particular where this would create a risk of jeopardising the investigation, for example where the company itself is under investigation.
Before issuing a European Production Order, the issuing authority also has to take into account potential immunities and privileges under the law of the Member State of the service provider or any impact on fundamental interests of that Member State such as national security and defence. The aim of this provision is to ensure that immunities and privileges which protect the data sought in the Member State of the service provider are taken into account in the issuing State, in particular where they provide for a higher protection than the law of the issuing State.
Article 6: Conditions for issuing a European Preservation Order
A European Preservation Order is subject to similar conditions as the European Production Order. It can be issued for any offence in line with the other conditions set out in Article 6. Its aim is to prevent the removal, deletion or alteration of relevant data in situations where it may take more time to obtain the production of this data, for example because judicial cooperation
channels will be used. Given, for example, that the EIO in general can be issued for any offence without limiting it to any thresholds, the European Preservation Order shall not be limited either. Otherwise, this instrument would not be effective. To enable investigating authorities to act fast and given that the relevant request to produce the data will be the subsequent request where all the conditions will again be scrutinised, European Preservation Orders may also be issued or validated by a prosecutor.
Article 7: Addressee of a European Production Order or a European Preservation Order
European Production Orders and European Preservation Orders should be addressed to a legal representative designated by the service provider for the purpose of gathering evidence in criminal proceedings in accordance with the Directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings. The transmission will be in form of a European Production Order Certificate (‘EPOC’) or a European Preservation Order Certificate (‘EPOC-PR’) as referred to in Article 8. This legal representative will be responsible for their reception and timely and complete execution. This leaves service providers the choice of how to organise themselves to produce the data ordered by Member State authorities.
Where no legal representative has been appointed, Orders may be addressed to any establishment of the service provider in the Union. This fall-back option serves to ensure effectiveness of the system in case the service provider has not (yet) nominated a dedicated representative, for example where there is no obligation to nominate a legal representative in accordance with the Directive, because service providers are established and active only in one Member State or in cases where an obligation to nominate a legal representative is not yet in force, before the transposition deadline of the Directive.
In case of non-compliance by the legal representative, there are two situations where the issuing authority may address any establishment of the service provider in the Union: in emergency cases as defined in Article 9(2), and in cases where the legal representative does not comply with its obligations under Article 9 and 10, and where the issuing authority believes that there are clear risks of loss of data.
Article 8: European Production and Preservation Order Certificate
The EPOC and EPOC-PR serve to transmit the Orders to the addressee defined in Article 7. Templates for both Certificates are provided in Annex I and II of the Regulation; they need to be translated into one of the official languages of the Member State where the addressee is located. The service provider may declare that Orders will be accepted also in other official languages of the Union. The aim of the Certificates is to provide all the necessary information to be transmitted to the addressee in a standardised format, minimising sources of error, allowing an easy identification of the data and avoiding as much as possible free text and therefore reducing translation costs. The full reasoning with the grounds for necessity and proportionality or further details about the case shall not be included in the Certificate to avoid jeopardising the investigations. It is therefore only needed as part of the Order itself to later allow the suspect to challenge it during the criminal proceedings.
Some service providers have already established platforms for the submission of requests by law enforcement. The use of these platforms shall not be prevented by the Regulation, as it offers many advantages, including the possibility of an easy authentication and a secure transmission of the data. However, these platforms have to allow for the submission of the
EPOC and the EPOC-PR in the format as provided for in Annexes I and II, without requesting additional data pertaining to the Order.
Platforms established by Member States or Union bodies may also provide secure means of transmission and facilitate authentication of the Orders and the gathering of statistics. Consideration should be given to a possible expansion of the eCodex and SIRIUS platforms to include a secure connection to service providers for the purposes of the transmission of the EPOC and EPOC-PR and, where appropriate, responses from the service providers.
Article 9: Execution of an EPOC
Article 9 obliges addressees to reply to EPOCs, and introduces mandatory deadlines. The normal deadline is 10 days, while authorities may set a shorter deadline where justified. Moreover, in emergency cases, defined as a situation where there is an imminent threat to life or physical integrity of a person or to a critical infrastructure, the deadline is 6 hours.
The provision also ensures the possibility of a dialogue between addressee and issuing authority. If the EPOC is incomplete, manifestly incorrect or does not contain sufficient information for the service provider to execute the EPOC, the addressee shall contact the issuing authority and seek clarification, using the form in Annex III. It shall also inform the issuing authority in cases where it cannot provide the data due to force majeure, or a de facto impossibility. This is the case if, for example, the person whose data is sought was neither a customer of this service or — for example under other privacy obligations — the data has lawfully been deleted by the service provider before it or its legal representative received the Order. The issuing authority would need to be aware of these circumstances to react fast, to perhaps gather the electronic evidence from another service provider and to prevent the issuing authority from initiating an enforcement procedure where this would not make any sense.
If the addressee does not provide the information at all, or not in an exhaustive or timely manner, for reasons other than those mentioned above, it has to inform the issuing authority of the reasons in the form included in Annex III. Addressees can therefore raise any issue related to the execution of the EPOC with the issuing authority. This allows the issuing authority to correct or reconsider the EPOC at an early stage, before the enforcement phase.
Where the data is not produced immediately, in particular where a dialogue is launched between the addressee and the issuing authority, meaning that the deadlines of Article 9(1) will no longer be kept, the service provider has an obligation to preserve the data to avoid losing it, upon receipt of the EPOC, provided that the data can be identified. The preservation may be for the clarified EPOC or a subsequent MLA or EIO request that will be sent instead of the original EPOC.
Article 10: Execution of an EPOC-PR
Execution of an EPOC-PR requires preserving the data available at the time of receipt of the Order. Service providers should preserve the data as long as necessary to produce the data upon request, provided that the issuing authority confirms within 60 days after having issued the Order that it has launched the subsequent request for production. This requires that at least some formal steps have been taken, such as sending a mutual legal assistance request for translation.
On the other hand, preservation requests should only be made or maintained as long as necessary to enable a subsequent request to be made to produce this data. To avoid unnecessary or overly long preservation, the authority that issued the European Preservation Order shall inform the addressee as soon as a decision is taken to refrain from issuing, or to withdraw a production order or a judicial cooperation request.
This provision also ensures the possibility of a dialogue between addressee and issuing authority, similar to the provisions of Article 9. If the EPOC-PR is incomplete, manifestly incorrect or does not contain sufficient information for the service provider to execute the EPOC-PR, the addressee shall contact the issuing authority and seek clarification, using the Form in Annex III. It shall also inform the issuing authority in cases where it cannot provide the data for circumstances that are considered as force majeure, or de facto impossibility, or for other reasons.
Article 11: Confidentiality and user
information
The confidentiality of the ongoing investigation, including the fact that there has been an Order to obtain relevant data, has to be protected. This Article is inspired by Article 19 of the EIO Directive. It provides for the obligation of the addressee and if different, the service provider, to preserve the confidentiality of the EPOC or EPOC-PR, in particular by refraining from informing the person whose data is being sought where requested by the issuing authority in order to safeguard the investigation of criminal offences, in compliance with Article 23 GDPR.
On the other hand, it is important, including for exercising legal remedies, that the person whose data was sought is informed. Where this is not done by the service provider upon request of the issuing authority, the issuing authority shall inform the person in accordance with Article 13 of the Law Enforcement Data Protection Directive once there is no longer a risk of jeopardising the investigation and include information about available legal remedies. Because of the lesser interference with rights involved, such information is not provided for in case of a European Preservation Order, but only for European Production Orders.
Article 12: Reimbursement of costs
If this is provided by the national law of the issuing State for domestic orders in similar domestic cases, service providers may also claim reimbursement of their costs from the issuing State in accordance with the national law of the issuing State. This ensures equal treatment of service providers addressed by a domestic order and those addressed by an EPOC by the same Member State, if that Member State has made the choice to reimburse certain service providers. On the other hand, the proposed Regulation does not harmonise the reimbursement of costs, as Member States have made diverging choices in that respect.
The costs can be claimed either directly by the service provider, or via its legal representative. They can only be reimbursed once.
Chapter 3: Sanctions and enforcement
Article 13: Sanctions
Member States shall ensure that there are effective, proportionate and deterrent pecuniary fines available when service providers do not comply with their obligations under Article 9,
10 or 11. This shall be without prejudice to national laws providing for the imposition of criminal sanctions for such situations.
Article 14: Procedure for enforcement
Article 14 provides for a procedure to enforce the Orders in case of non-compliance with the help of the Member State where the addressee of the transmitted Certificate is located. Depending on the initial addressee, this is either the Member State of the service provider or of the legal representative. The issuing authority transfers the full Order including the reasoning on necessity and proportionality, accompanied by the Certificate, to the competent authority in the enforcing State, which shall enforce it in accordance with its national law using, if necessary, the sanctions mentioned in Article 13. If the Order is transmitted for enforcement to the enforcing State, the enforcing authority may decide not to recognise and enforce the Order if upon receipt it considers that one of the limited grounds for opposition apply, and after consulting with the issuing authority. In addition, should the procedure for enforcement be initiated, the addressee itself will be able to oppose the Order before the enforcing authority. The addressee may do this on the basis of any of such grounds, excluding immunities and privileges but including cases where it is apparent that the Order was not issued or validated by a competent authority or that compliance would manifestly violate the Charter of Fundamental Rights of the European Union or be manifestly abusive. For example, an Order requesting the production of content data pertaining to an undefined class of people in a geographical area or with no link to concrete criminal proceedings would ignore in a manifest way the conditions for issuing a European Production Order set out in this Regulation and would be apparent already from the content of the Certificate itself. Other grounds can only be invoked by the person whose data is being sought, in the framework of their own legal remedies in the issuing State (see Article 17 below). In addition, service providers shall have a legal remedy against the decision of the enforcing authority imposing a penalty on them.
The enforcement procedure contains several deadlines for the enforcing and issuing authority to avoid further delays during this procedure.
Chapter 4: Remedies
Articles 15 and 16: Review procedure in case of conflicting obligations deriving from the law of a third country
Articles 15 and 16 provide for a review procedure in case service providers headquartered in third countries are faced with conflicting obligations. These provisions are also of great importance to ensure the protection of individual rights and international comity. By setting a high standard, they aim to encourage third countries to provide for a similar level of protection. In the opposite situation, where authorities of a third country seek to obtain data of an EU citizen from an EU service provider, Union or Member States laws protecting fundamental rights, such as the data protection acquis, may similarly prevent disclosure. The European Union expects third countries to respect such prohibitions as this proposal does.
The procedure in Article 15 can be triggered by the addressee if compliance with a European Production Order would cause infringement of the law(s) of a third country that prohibits disclosure of the data on the grounds that this is necessary to either protect the fundamental rights of the individuals concerned or the fundamental interests of the third country related to national security or defence. The addressee is required to inform the issuing authority by reasoned objection of the grounds for its conclusion that there are conflicting obligations.
Such reasoned objection cannot be based on the mere fact that similar provisions do not exist in the law of the third country nor on the only circumstance that the data is stored in a third country. The reasoned objection shall be raised pursuant to the procedure set out in Article 9(5) for notifying intent not to comply, using the form provided in Annex III.
On the basis of this reasoned objection, the issuing authority shall review its own Order. If the issuing authority chooses to withdraw the Order, the procedure ends. If the issuing authority would like to uphold the Order, the case is transferred to the competent court of its Member State. The court then assesses, on the basis of the reasoned objection and taking into account all relevant facts of the case, whether the third country law applies to the specific case at hand and — if it does apply — whether a conflict exists in the specific case at hand. In carrying out this assessment, the court should take into account whether the third country law, rather than being intended to protect fundamental rights or fundamental interests of the third country related to national security or defence, manifestly seeks to protect other interests or is being aimed to shield illegal activities from law enforcement requests in the context of criminal investigations.
If the court determines that there is in fact a conflict with obligations arising from laws protecting fundamental rights of individuals or fundamental interests of the third country related to national security or defence, the court must request an opinion of the relevant third country via the national central authorities of the third country. If the third country consulted confirms the existence of the conflict and objects to the execution of the Order, the court must withdraw the Order.
If the conflict arises on the basis of other third country legislation that does not serve to protect either the fundamental rights of individuals or fundamental interests of the third country related to national security or defence, then the court shall take its decision based on a balancing of the interests in favour of and against upholding the Order.
The conditions set out in Article 9, especially the preservation obligations described in Article 9(6), are also applicable in situations where conflicting obligations deriving from the law of a third country occur. Where the court comes to the determination that the Order is to be upheld, the issuing authority and the service provider are informed with a view to proceeding to its execution. Where the Order is lifted, a separate European Preservation Order may be issued to ensure availability of the data where it might be obtained through a mutual legal assistance request.
Given that the European Preservation Order itself does not result in data disclosure and therefore does not give rise to similar concerns, the review procedure is limited to the European Production Order.
Article 17: Effective remedies
This provision ensures that persons affected by the European Production Order have effective remedies. These remedies are exercised in the issuing State in accordance with national law. For suspects and accused persons, remedies are normally exercised during the criminal proceedings. No specific remedies are made available for the European Preservation Order, which in and of itself does not allow for data disclosure, other than in those cases where it is followed by a European Production Order or another instrument leading to disclosure, which then give rise to specific remedies.
Persons whose data was sought without them being suspects or accused persons in criminal proceedings shall also have a right to a legal remedy in the issuing State. All these rights are
without prejudice to any remedies available under the Law Enforcement Data Protection Directive and the GDPR.
Unlike what is provided for service providers, the Regulation does not limit the possible grounds for all these persons to challenge the legality of the Order. These grounds include the necessity and proportionality of the Order.
The exercise of remedies in the issuing State does not burden affected persons in a disproportionate manner. As is the case with Orders that are enforced through other forms of judicial cooperation, the courts in the issuing State are best-placed to review the legality of European Production Orders issued by their own authorities and to assess the compatibility with their own national law. In addition, during the enforcement stage, addressees can separately oppose the enforcement of the EPOC or of the EPOC-PR in their host Member State on the basis of a list of grounds enumerated in the Regulation (see Article 14 above).
Article 18: Ensuring privileges and immunities under law of receiving State
This provision pursues the same objective as Article 5(7) to ensure that immunities and privileges which protect the data sought in the Member State of the service provider are taken into account in the issuing State, in particular where there are differences between those Member States, as well as fundamental interests of that Member State such as national security and defence. Article 18 provides that the court in the issuing State has to take them into account as if they were provided for under their national law. Because of the differences between Member States when assessing the relevance and admissibility of evidence, the provision leaves some flexibility to the courts as to how to take them into account.
Chapter 5: Final provisions
Article 19: Monitoring and reporting
This article requires the Member States to report specific information related to the application of the Regulation with a view to assist the Commission in the exercise of its duties under Article 24. The Commission shall establish a detailed programme for monitoring the outputs, results and impacts of this Regulation.
Article 20: Amendments to the Certificates and the Forms
The Certificates and the forms contained in Annexes I, II, and III of this proposal will make it easier to execute an EPOC and an EPOC-PR. For this reason, it is necessary in the future to be able to address a possible need to improve the content of the Certificate and the form as quickly as possible. Amending the three annexes through the ordinary legislative procedure does not correspond to this requirement, and they constitute non-essential elements of the legislative acts, the main elements being defined in Article 8. Therefore, a faster and more flexible procedure for amendments through delegated acts is laid down in Article 20.
Article 21: Exercise of
delegation
This article lays down the conditions under which the Commission has the power to adopt delegated acts to provide for necessary amendments to the Certificate and the forms annexed to the proposal. It lays down a standard procedure for adopting such delegated acts.
Article 22: Notifications
Member States are required to notify to the Commission who the competent issuing and enforcing authorities are, and which courts are competent to deal with reasoned objections of service providers in case of a conflict of law.
Article 23: Relationship to European Investigation Orders
This provision clarifies that the Regulation does not prevent Member State authorities from issuing European Investigation Orders in accordance with Directive 2014/41/EU to obtain electronic evidence.
Article 24: Evaluation
This provision sets out that the Commission shall carry out an evaluation of this Regulation in line with the Commission's Better Regulation Guidelines and pursuant to paragraph 22 of the Interinstitutional Agreement of 13 April 201625. The Commission will report to the European Parliament and the Council on the findings of the evaluation, including an assessment of the need to enlarge its scope to services not yet covered but which may become more relevant for investigations, 5 years after the entry into force of the proposed Regulation.
Article 25: Entry into force
The proposed Regulation will enter into force the twentieth day after its publication in the Official Journal. The Regulation will then apply 6 months after its date of entry into force.
25 Interinstitutional Agreement between the European Parliament, the Council of the European Union and
the European Commission on Better Law-Making of 13 April 2016; OJ L 123, 12.5.2016, p. 1–14.