On July 28, 2023, more than five years after the Commission’s original proposal, the EU e-evidence Regulation and Directive were published in the Official Journal of the European Union, signalling the end of the legislative process for this file.

In summary, the Regulation establishes a regime whereby law enforcement authorities (“LEAs”) in one EU Member State will be able to issue legally-binding demands for certain data from certain categories of service providers (namely providers of electronic communications services, domain name and IP registration services, and information society services that enable users to communicate or store data) that are established or have a legal representative in a different EU Member State, or to demand that such service providers preserve such data.

The Regulation also sets out the procedures that LEAs must comply with to issue these “European Production Orders” and “European Preservation Orders”, which differ depending on the category of data at issue.  For example, an LEA wishing to issue a European Production Order to obtain the content of a user’s communications or associated metadata (that will not be used solely to identify the user) must, among other things, obtain prior authorization from an independent judicial authority, and may only issue such an Order in relation to a crime that is punishable by a maximum custodial sentence of three years or more.  The requirements for European Production Orders for other data, and for European Preservation Orders for any data, are less onerous—for example, a competent public prosecutor can approve such Orders.  Non-compliance with a valid Order can lead to financial penalties of up to 2% of the worldwide annual turnover of the service provider.

The Regulation also covers other matters relevant to these Orders, including the grounds on which a provider may refuse to comply, procedures for the Member State of establishment (the “enforcing authority”) to review and object to certain Orders, and a process for resolving situations where compliance with an Order would conflict with the requirements of third-country law.  Of specific relevance to cloud service providers, the Regulation requires LEAs to address European Production Orders to companies that act as the controller of the personal data (as defined in the GDPR), unless the controller cannot be identified or issuing the order to the controller might be detrimental to the investigation.  In some cases, therefore, LEAs will need to issue European Production Orders to cloud services’ customers (acting as controllers of the data in question), not to the providers themselves.

The Directive aims to ensure that all service providers covered by the Regulation—i.e., those that offer covered services to users in the EU—comply with it, even if they are not established in the EU.  To do so, it requires covered providers to designate at least one addressee for the receipt of, compliance with, and enforcement of European Production Orders and European Preservation Orders.

The Regulation will apply in full from 18 August 2026, and Member States must transpose the Directive into national law by 18 February 2026.

*           *           *

The Covington team will continue to monitor developments related to the e-evidence package, and would be happy to answer any questions about the issues raised above.

Lisa Peets

Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm’s Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she has worked closely with leading multinationals in a number of sectors, including many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU law issues, including data protection and related regimes, copyright, e-commerce and consumer protection, and the rapidly expanding universe of EU rules applicable to existing and emerging technologies. Lisa also routinely advises clients in and outside of the technology sector on trade related matters, including EU trade controls rules.

According to the latest edition of Chambers UK (2022), “Lisa is able to make an incredibly quick legal assessment whereby she perfectly distils the essential matters from the less relevant elements.” “Lisa has subject matter expertise but is also able to think like a generalist and prioritise. She brings a strategic lens to matters.”

Marty Hansen

Martin Hansen has represented some of the world’s leading information technology, telecommunications, and pharmaceutical companies on a broad range of cutting edge international trade, intellectual property, and competition issues. Martin has extensive experience in advising clients on matters arising under the World Trade Organization agreements, treaties administered by the World Intellectual Property Organization, bilateral and regional free trade agreements, and other trade agreements.

Drawing on ten years of experience in Covington’s London and DC offices, his practice focuses on helping innovative companies solve challenges on intellectual property and trade matters before U.S. courts, the U.S. government, and foreign governments and tribunals. Martin also represents software companies and a leading IT trade association on electronic commerce, Internet security, and online liability issues.

Paul Maynard

Paul Maynard is an associate in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such as the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.