On July 28, 2023, more than five years after the Commission’s original proposal, the EU e-evidence Regulation and Directive were published in the Official Journal of the European Union, signalling the end of the legislative process for this file.
In summary, the Regulation establishes a regime whereby law enforcement authorities (“LEAs”) in one EU Member State will be able to issue legally binding demands for certain data from certain categories of service providers (namely providers of electronic communications services, domain name and IP registration services, and information society services that enable users to communicate or store data) that are established or have a legal representative in a different EU Member State, or to require such service providers to preserve such data.
The Regulation also sets out the procedures that LEAs must comply with to issue these “European Production Orders” and “European Preservation Orders”, which differ depending on the category of data at issue. For example, an LEA wishing to issue a European Production Order to obtain the content of a user’s communications or associated metadata (that will not be used solely to identify the user) must, among other things, obtain prior authorization from an independent judicial authority, and may only issue such an Order in relation to a crime that is punishable by a maximum custodial sentence of three years or more. The requirements for European Production Orders for other data, and for European Preservation Orders for any data, are less onerous—for example, a competent public prosecutor can approve such Orders. Non-compliance with a valid Order can lead to financial penalties of up to 2% of the worldwide annual turnover of the service provider.
The Regulation also covers other matters relevant to these Orders, including the grounds on which a provider may refuse to comply, procedures for the Member State of establishment (the “enforcing authority”) to review and object to certain Orders, and a process for resolving situations where compliance with an Order would conflict with the requirements of third-country law. Of specific relevance to cloud service providers, the Regulation requires LEAs to address European Production Orders to companies that act as the controller of the personal data (as defined in the GDPR), unless the controller cannot be identified or issuing the order to the controller might be detrimental to the investigation. In some cases, therefore, LEAs will need to issue European Production Orders to cloud services’ customers (acting as controllers of the data in question), not to the providers themselves.
The Directive aims to ensure that all service providers covered by the Regulation—i.e., those that offer covered services to users in the EU—comply with it, even if they are not established in the EU. To do so, it requires covered providers to designate at least one addressee for the receipt of, compliance with, and enforcement of European Production Orders and European Preservation Orders.
The Regulation will apply in full from 18 August 2026, and Member States must transpose the Directive into national law by 18 February 2026.
* * *
The Covington team will continue to monitor developments related to the e-evidence package, and would be happy to answer any questions about the issues raised above.