The e-Evidence Package: A New Regime for Cross-Border Law Enforcement Requests
In 2020, we published a briefing considering the existing law enforcement requests regime. Since then, the final text of the anticipated e-Evidence Package, comprising Regulation (EU) 2023/1543 (“the e-Evidence Regulation”) and Directive (EU) 2023/1544 (“the e-Evidence Directive”), has been agreed. This briefing outlines key elements of the new regime, which is to apply in 2026.
Legal Framework
Parallel Application of Legislation
- The Law Enforcement Directive (the “LED”) applies specifically to the processing of personal data by “competent authorities” (public authorities competent for law enforcement purposes), relating to criminal offences and penalties. As such, it runs in parallel with the General Data Protection Regulation (the “GDPR”) at European level, which applies to data controllers processing personal data for any number of purposes.
- As a result, when an organisation receives a law enforcement request, it must comply with the GDPR, while the organisation that issued the request must comply with the LED.
International Requests
- Irish organisations may receive either domestic or international law enforcement requests, with the latter currently made pursuant to a mutual legal assistance treaty (“MLAT”) as provided by the Criminal Justice (Mutual Assistance) Act 2008 (as amended). Such instruments must contain appropriate safeguards as required under the LED, on which the European Data Protection Board has recently issued guidelines. The Minister for Justice and Equality, acting as the “Central Authority” for mutual legal assistance, confirms the validity of such requests.
- As the process has proven to be relatively time-consuming, organisations have seen the increasing prevalence of direct requests from authorities occurring outside the regime, which have greater associated risks for organisations. Due to these issues arising from the absence of an effective regime, the European Commission set out to establish a comprehensive new set of rules for cross-border requests for evidence, culminating in the e-Evidence Package.
E-Evidence Package
Legislative Reform
The e-Evidence Package aims to implement a more efficient alternative mechanism to the current regime for cross-border law enforcement requests in the European Union. In setting out significantly reduced periods for data production on valid requests, the e-Evidence Package proposes to considerably expedite the production of requested data when compared to current periods.
The e-Evidence Regulation
Application to Service Providers
The e-Evidence Regulation, which will apply from 18 August 2026, sets out the rules under which a judicial authority of a Member State can, in criminal proceedings, issue European Production and Preservation Orders to service providers in other Member States regarding electronic evidence they store or hold, regardless of the location of the data. It applies to service providers offering services in the EU, including electronic communication services, and other information society services such as e-messaging services and social media platforms.
Data in Scope
The Regulation differentiates between subscriber, traffic and content data. For traffic and content data to be the subject of a valid order request, the criminal offence that is the subject of proceedings must be punishable by a custodial sentence of at least three years in the issuing Member State or relate to terrorism, sexual abuse of children, non-cash payment instrument fraud or certain cybercrime offences. It applies only to data that has already been stored. The e-Evidence Regulation does not apply to data allowing live monitoring or future data.
Key Mechanisms
- European Production Order: Where a production order is made, the service provider is obliged to comply with the order within a period of ten days (or eight hours in emergency cases) and produce the data requested, namely emails, text, or messages in apps. This is in contrast to the average of 10 months for a current mutual legal assistance procedure.
- European Preservation Order: A judicial authority can make this order to request that a service provider in another Member State preserves specific data for 60 days (extendable by an additional 30-day period) in view of a subsequent request to produce this data via a European Production Order or mutual legal assistance.
Enforcement
A service provider itself can seek clarification from the issuing authority on a European Production Order and can raise two legal grounds not to comply: immunities and privileges, and where there is a conflict with an obligation under the applicable law of a third country. On notification by the service provider, the enforcing authority in the enforcing Member State can additionally raise the following grounds for refusal: immunities and privileges, manifest breach of fundamental rights, and ne bis in idem (double criminality). Conversely, the enforcing authority must also ensure enforcement of legitimate orders, and the service provider can face penalties for non-compliance with either order of up to 2% of the total worldwide annual turnover in the preceding financial year in its established Member State.
Implementation in Ireland
The suggested domestic procedures to obtain European Preservation and Production Orders under the e-Evidence Regulation are set out in the General Scheme of the Criminal Justice (Protection, Preservation of and Access to Data on Information Systems) Bill 2024, published earlier this year by the Department of Justice. The Bill assigns District Court judges as the authorising authority for both domestic and European production and preservation orders on application.
The Bill also gives effect to a number of provisions in the 2001 Council of Europe Convention on Cybercrime, known as the Budapest Convention. These provisions relate to orders for law enforcement purposes to preserve and produce data held on information systems, and corresponding mutual assistance provisions. It also amends the Online Safety and Media Regulation Act 2022 to give Coimisiún na Meán powers to issue penalties for infringements of the EU Terrorist Content Online Regulation 2021/784.
The e-Evidence Directive
The Directive, which is required to be transposed by Member States by 18 February 2026, complements the e-Evidence Regulation by prescribing rules for the appointment of ‘legal representatives’ by service providers, who will have substantial obligations and responsibilities for receiving and responding to European Production and Preservation Orders for the purposes of gathering evidence in criminal proceedings. This ensures that all service providers offering services in the EU are subject to the same obligations, even if their headquarters are in a third country.
Practical Outlook
In light of the current prevailing practice regarding penalties for data protection breaches of EU law, the establishment of fines based on annual worldwide turnover for non-compliance with the orders is a substantial consideration for service providers. As such, service providers should take steps now to implement effective internal processes to meet deadlines for data transfer that are significantly shorter than those under the current mutual legal assistance regime.
Present Considerations
In the absence of an efficient existing process, in the interim period before the application of the e-Evidence Package in 2026, organisations should ensure they have policies and procedures in place to address how they handle direct law enforcement requests. (These are discussed in detail in our previous briefing, Staying on the Right Side of the Law: Responding to Law Enforcement Requests in Compliance with the GDPR.)
Organisations should additionally begin preparations now for the future application of the e-Evidence Package, by reviewing existing internal processes and revising these where necessary to facilitate effective and expeditious provision of data under the new system.
The author would like to thank Cathal Kelleher for his contribution to the article.