Abstract
The recently enacted EU e-Evidence Regulation improves efficient access to electronic evidence by allowing authorities in one Member State to send orders for electronic evidence directly to service providers in another Member State. Because this direct access mechanism is based on mutual trust, the law has minimum fundamental rights safeguards. This article argues that these safeguards are properly balanced with efficiency so long as there is mutual trust in the rule of law in all Member States. However, if there is no mutual trust, the notification requirements fall short of protecting fundamental rights, especially combined with the limited grounds of refusal available to the service provider. Mutual trust is on rocky ground in the EU, as ongoing concerns over illiberalism in some Member States demonstrate. Therefore, further fundamental rights protections are needed.
Keywords
Introduction
The nature of electronic evidence 1 has fundamentally changed criminal investigations. Traditionally, criminal procedure laws focus on the location of the evidence as the relevant territorial nexus for the application of the law. 2 But in the cloud computing era, data are often stored and moved through network infrastructure that is outside the territory of the user by a service provider who also may be domiciled outside of the territory. Scholars have termed this ‘the unterritoriality of data’ 3 and data’s ‘loss of location’. 4 In this paradigm, data are also highly volatile – it is easily moved, deleted, intermingled and divisible. 5 The new EU e-Evidence Regulation is intended to address these challenges. 6
The e-Evidence Regulation covers ‘electronic evidence’, defined as data that are electronically stored by a ‘service provider’. The e-Evidence Regulation covers service providers that provide electronic communications, internet domain name and IP numbering services, and other ‘information society services’ – broadly defined as the provision of services at a distance by electronic means. 7 This broad scope covers nearly every service provider who offers some type of service over a network (such as the internet), except for financial services. 8 Thus, ‘electronic evidence’ is often evidence of communications over a network, but it may also be data in file storage, data processed as a component of user services, and internet domain names and IP addresses.
To address the unique challenges posed by electronic evidence, the e-Evidence Regulation allows law enforcement authorities in one Member State to send preservation and production orders for electronic evidence directly to service providers established in another Member State, without routinely involving the authorities in the second Member State. 9 This article refers to this procedure as a ‘direct access’ mechanism. To support direct access, the e-Evidence Regulation relies on the principles of mutual recognition and mutual trust, which includes ‘a presumption of compliance by Member States with Union law, the rule of law and, in particular, with fundamental rights, which are essential elements of the area of freedom, security and justice within the Union’. 10 This mutual trust is not absolute, however, and the state where the service provider is established or represented (the ‘enforcing state’) may refuse to enforce the order on limited grounds.
Direct access mechanisms for electronic evidence are gaining traction in other states as well. The first direct access agreement between states was entered into by the United Kingdom and the United States in October 2019 and came into force on 3 October 2022. 11 The UK–US Data Access Agreement, as it’s known, is likewise premised on the mutual trust between the United Kingdom and United States on matters of criminal justice and fundamental rights. 12 The agreement nonetheless involves important reservations on the part of both states, including: (1) limitations on direct access for data targeting persons within their territory (United Kingdom) or citizens and residents (United States), 13 and (2) requiring additional assurances regarding specific fundamental rights on which these states do not share mutual trust. 14 As will be argued in this article, these reservations serve as additional safeguards for fundamental rights protection and show that mutual trust is not absolute.
This article argues that the fundamental rights safeguards in the e-Evidence Regulation are appropriately balanced with efficiency so long as there is mutual trust between Member States. There are essential minimum safeguards in the e-Evidence Regulation, such as provisions related to immunities and privileges, ne bis in idem, double criminality, minimum seriousness of offences, and objections based on fundamental rights grounds. But the protection of fundamental rights largely depends on the national law of the issuing Member State. Thus, where there are concerns over ‘rule of law backsliding’ 15 in some Member States, the e-Evidence Regulation should include further fundamental rights protections for orders issued by those Member States, given the breakdown in mutual trust.
To make this argument, the article proceeds as follows. The article begins by briefly setting out the evolution of mechanisms for law enforcement to obtain cross-border data, considering mutual legal assistance treaties (MLATs), the European Investigation Order Directive (EIO Directive) and the new e-Evidence Regulation. Next, the article studies the safeguards in the e-Evidence Regulation, focusing on the problems posed by Member States with rule of law backsliding and the effects on this mutual trust-based framework. These issues call into question the suitability of the safeguards in the regulation, especially because in most cases, the enforcing authority will not be notified of the order or involved in its execution. The limited role of the enforcing Member State improves the efficiency with which law enforcement can obtain digital evidence but bypasses safeguards.
The article concludes that while minimal notice requirements improve efficiency, that efficiency must be properly balanced against safeguards when mutual trust is eroded, for example, by the rule of law backsliding in some Member States. In particular, the role of the service provider as a safeguard in the notice regime should not be diminished. The article concludes that because mutual trust in fundamental rights protection in some Member States is in question, stronger safeguards are essential to protect fundamental rights and should be prioritised over efficiency for these states.
Mechanisms for obtaining cross-border data
Mutual legal assistance and the European investigation order
Traditionally, methods for obtaining data across borders tend to be time-consuming. While ad hoc assistance through diplomatic channels or joint investigation teams may move quickly, those methods are relatively fast precisely because they are rarely used. 16 For routine and systematic access to cross-border data, law enforcement authorities have traditionally relied on MLATs, which can involve a lengthy and cumbersome process. 17
MLATs require law enforcement authorities in the investigating state to send a request for evidence through their central processing authority to the state where the evidence is located (the ‘receiving state’). 18 The receiving state then uses its domestic legal processes to obtain an order for the evidence. This may involve additional steps within the receiving state. This process can be lengthy. In the United States, for example, an MLAT request can take ten to twelve months to be fulfilled. 19
Within the EU, the European Convention on mutual assistance in criminal matters of 29 May 2000 has been largely replaced by the EIO Directive. 20 Based on the principle of mutual recognition as set out in TFEU Article 82, the EIO Directive requires the judicial decision of one Member State to be enforced in another Member State nearly automatically, subject to very limited grounds for refusal. 21 Mutual recognition thus decreases the legal discretion of national authorities but improves efficiency. 22
Among other safeguards, Article 11 allows the executing state to refuse an EIO where ‘there are substantial grounds to believe that the execution of the investigative measure indicated in the EIO would be incompatible with the executing State’s obligations in accordance with Article 6 TEU and the Charter’. Although there is a presumption that Member States comply with EU law and fundamental rights, it may be rebutted, 23 showing that ‘blind mutual trust’ is not the basis for the EIO. 24
While the EIO may be used to obtain digital evidence, it was not created expressly with digital evidence in mind. Given the unique qualities of digital evidence – namely its unterritoriality and volatility – the EU Commission undertook an assessment to determine if a separate directive or regulation was needed for digital evidence. The resulting e-Evidence legislative package was proposed before the EIO was fully in force, so the EIO was not necessarily inadequate in practice. However, the EU Commission claimed that legislation specifically to address electronic evidence was necessary, among other reasons, to provide the disclosure time frames necessary to address the volatility of data. 25 The e-Evidence regulation also harmonises the jurisdictional scope of preservation and production orders from divergent national laws, bringing more service providers within the scope of European orders for electronic evidence than was possible under some national laws. 26
The e-Evidence proposal
The European Commission’s 2018 legislative proposal on e-Evidence in criminal investigations consisted of a regulation and a directive to facilitate efficient law enforcement access to digital evidence within the EU. 27 After 5 years of negotiations, the final compromise text between the European Commission, Council and Parliament was released on 20 January 2023, 28 and the regulation and directive became law on 12 July 2023.
By allowing the authorities in a Member State to send orders for data directly to service providers in another Member State, the e-Evidence Regulation is the most efficient mechanism yet for cross-border evidence gathering in the EU. The Regulation joins a small, but growing, number of instruments that facilitate direct access to digital evidence across borders, including the UK–US Data Access Agreement and the Second Additional Protocol to the Council of Europe Cybercrime Convention. 29 While the Second Additional Protocol’s direct access mechanism is limited to subscriber information and domain name information (showing that the type of data and its implications for privacy rights may limit mutual trust), the UK–US Data Access Agreement is very similar to the e-Evidence Regulation in that it allows direct access for all types of data and even goes so far as to include live interception of communications, which is excluded from the Regulation.
The e-Evidence Regulation creates a preservation order (EPOC-PR) and a production order (EPOC) that may be served directly by the issuing authority in the investigating Member State (the ‘issuing state’) on a service provider established in another Member State (the ‘enforcing state’). 30 Thus, the orders bypass the judicial authorities in the enforcing state, creating a more efficient process for obtaining data from service providers than provided for in the EIO Directive. In the event of non-compliance, the order will still be enforced by the Member State where the service provider is located, 31 and as will be discussed in the section on notice, in some types of cases, the issuing state will notify the enforcing state of the order when it is issued. 32
Under the e-Evidence Regulation, an EPOC may order ‘a service provider offering services in the Union, to produce or preserve electronic evidence, regardless of the location of data’. 33 Thus, the Regulation recognises the loss of location of the data and bases jurisdiction over the evidence on a territorial connection to the service provider that possesses or controls the data. This territorial connection is determined by whether the service provider is ‘offering services in the Union’, which means that service providers enable a service to be used by persons in at least one Member State and that service providers have ‘a substantial connection’ to the EU. The substantial connection may entail either an establishment in the EU, a significant user base in the EU, or targeting of activities towards a Member State. 34 In practice, this means that unless a service provider does not intend for its service to be used by persons in the EU and the number of users in the EU is minimal, then the service provider must comply with an EPOC.
This expansive jurisdictional scope may lead to a conflict of laws with a third country. 35 The e-Evidence regulation attempts to address this conflict through a comity analysis in Article 16. This comity provision will be discussed further in the section on notice as it could factor into the protection of fundamental rights.
The bases of the regulation are the principles of mutual recognition and mutual trust that also underpin the EIO. 36 However, the e-Evidence framework arguably relies on even greater mutual trust than the EIO, as it ‘effectively extends a Member State’s jurisdiction into the territory of another Member State and . . . involves a mutual cessation of sovereignty between the states involved’. 37 Nonetheless, the enforcing state may refuse to enforce an order on limited grounds, discussed further in the next section.
Safeguards in the e-Evidence Regulation
There are many basic safeguards in the e-Evidence Regulation. An EPOC must be necessary and proportionate for the purpose of a criminal proceeding, taking into account the rights of the target of the order, and be available in a similar domestic case. 38 There are other standard safeguards (similar to MLATs and the EIO Directive), including provisions related to immunities and privileges, ne bis in idem, double criminality, minimum seriousness of offences for some types of data, and a limited objection available to the enforcing state on fundamental rights grounds which will be discussed further below. 39 While the e-Evidence Regulation is built upon the mutual trust between Member States, these grounds for refusal show that it is still a qualified mutual trust.
The e-Evidence Regulation allows the enforcing authority to refuse to enforce an order on fundamental rights grounds, but this ground for refusal is more limited than the EIO. Furthermore, it should be noted that these safeguards can only be effective if an order requires enforcement, which is not the case if the service provider complies with the order. Given the potential sanctions for non-compliance may be as high as 2 percent of global annual turnover of a service, service providers are likely to comply with most orders.
40
The enforcing authority may refuse an order when:
in exceptional situations, there are substantial grounds to believe, on the basis of specific and objective evidence, that the execution of the Order would, in the particular circumstances of the case, entail a manifest breach of a relevant fundamental right.
41
This wording appears narrower than the ground for refusal in the EIO Directive, which was available for ‘incompatibility’ with fundamental rights. For the e-Evidence Regulation, refusal is limited to ‘a manifest breach’ of a fundamental right.
Possible evidence of a manifest breach includes situations where a Member State is under investigation for rule of law backsliding. 42 Recital 64 sets out that a manifest breach may include ‘a reasoned proposal by one third of Member States, by the European Parliament, or by the European Commission adopted pursuant to Article 7(1) TEU’ of a clear risk of systematic rule of law violations on account of concerns over the judicial independence in a Member State and its impact on fair trial rights. 43 The enforcing authority must then engage in a specific assessment as to ‘the concerned person’s personal situation, as well as to the nature of the offense for which the criminal proceedings are conducted’ to determine that ‘there are substantial grounds for believing that that person will run such a risk of breach’ of their fair trial rights. 44
Recital 64’s requirement of a case-by-case assessment is consistent with the jurisprudence of the Court of Justice of the European Union (CJEU) in the European Arrest Warrant 45 (EAW) context. 46 In several EAW cases, the CJEU has confirmed that after an assessment of systemic or generalised deficiencies in the extraditing state, the executing authority must conduct a specific assessment of whether there is ‘a real risk’ 47 or ‘substantial grounds to believe’ 48 that the individual concerned will suffer a violation of their rights if extradited. 49 In the LM case, the Irish High Court referred a question to the CJEU concerning whether it should comply with an EAW from Poland after the EU Commission had triggered the Article 7(1) investigation into the independence of Poland’s judiciary. 50 The CJEU reiterated its earlier judgements that mutual trust should be presumed except in ‘exceptional circumstances’, but held that the Irish court could refuse the EAW if there were ‘a real risk’ that the individual concerned would suffer a violation to his right to a fair trial. 51 In Openbaar Ministerie, the CJEU clarified that this specific assessment cannot be presumed solely on evidence of systemic or general deficiencies concerning the independence of the judiciary (again in Poland). 52 To find otherwise, the Court said, ‘would amount to extending the limitations that may be placed on the principles of mutual trust and mutual recognition beyond “exceptional circumstances”’. 53
Much of the CJEU deference to mutual trust in the EAW context may be owed to the fact that the EAW framework does not allow specifically for refusal to execute a warrant based on fundamental rights grounds. 54 Nonetheless, while the EAW may be distinguished from the e-Evidence Regulation in this respect, it is worth noting that the requirements of Recital 64 are nearly identical to the CJEU’s holding in LM. 55
It follows then that in the e-Evidence context, like the EAW and EIO, the starting point is a presumption (albeit rebuttable) of mutual trust. But the rule of law backsliding in Member States such as Poland and Hungary calls into question the basic organising principle of mutual trust in the EU. As Pech and Scheppele have observed, EU institutions, including the CJEU, ‘must recognise that the EU faces new challenges that call for adjustment of existing doctrine created in better times’. 56
The withdrawal or suspension of mutual trust at the EU level most likely relies on the Council imposing sanctions under Article 7 TEU. 57 Before sanctions may be imposed under Article 7(2) or 7(3) TEU, the Commission or Parliament must trigger an Article 7(1) TEU investigation, which requires the Council to determine if a Member State is guilty of a serious and persistent breach of the values laid out in Article 2 TEU, which includes, among other values, respect for human rights, democracy and the rule of law. 58 Article 7(1) TEU allows the Council to give a warning to the Member State investigated – known as the preventative mechanism. Article 7(2) TEU allows the Council to suspend the rights of the Member State, including its vote on the Council – known as the sanctioning mechanism.
The breakdown of the rule of law in certain Member States has been the subject of debate now for many years – since at least 2012. 59 After years of debate concerning whether Article 7 TEU should be used, Article 7(1) TEU investigations were triggered into Poland in 2017 60 and Hungary in 2018. 61 Until 2017, even triggering an Article 7(1) TEU investigation was considered by some to be ‘the nuclear option’. 62 Sanctions under Article 7(2) TEU would be even more exceptional, especially considering that Article 7(2) TEU sanctions require a unanimous vote of the Council. This is politically unlikely due to the agreement between Hungary and Poland to veto any Article 7(2) or 7(3) TEU sanctions against the other. 63 Given then that a suspension of mutual trust at the EU level is unlikely, the e-Evidence Regulation should have included stronger provisions to account for the breakdown of the rule of law in these states, and consequently, the breakdown of mutual trust.
For example, the Parliament draft would have introduced stronger safeguards for EPOCs issued by Member States that are under Article 7(1) TEU investigations, allowing for a blocking presumption against orders issued by such a Member State. 64 The order would only be executed with the consent of the enforcing state. 65 This provision would have addressed the ‘adjustment of existing doctrine’ needed given the breakdown of mutual trust in Member States under Article 7(1) TEU investigations, but it was not adopted in the compromise text. Instead, the compromise text requires specific assessments on a case-by-case basis, rather than a general blocking presumption.
Importantly, whether any of these safeguards will work in practice is dependent upon whether an enforcing authority has notice of the order. The EPOC is designed to bypass the enforcing authority to improve efficiency. A notice mechanism may slow this efficiency down. Nonetheless, some notice provisions are required, and in light of the rule of law backsliding problems in some Member States, further notice provisions should be required to balance fundamental rights with efficiency properly. Proposals for stronger notice provisions, along with an analysis of the current notice regime, will be discussed further in the next section.
Notice of orders
Types of notification procedures in the e-Evidence Regulation
There are three types of notification procedures that may occur under the e-Evidence Regulation: (1) notice from the issuing authority to the target of the investigation; (2) notice from the issuing authority to the enforcing authority; and (3) notice from the service provider to the issuing authority or enforcing authority regarding an issue with or objection to an order.
The first type of notification to the target of the investigation is important, especially for the protection of the target’s fundamental rights. The e-Evidence Regulation provides that the issuing authority must notify the target ‘without undue delay’, but it allows some delay, restriction or omission of notification in accordance with national law. 66 These provisions for notice to the target are consistent with standards set by the European Court of Human Rights (ECtHR), which has held that prior notice will not always be required if it may jeopardise the investigation. 67 Ultimately, the legality of the notice regime for targets will rely on national laws, which in the EU should comply with the Charter of Fundamental Rights and the European Convention on Human Rights (ECHR). Thus, the specifics of these regimes are outside the scope of this article, which is focused on the balance between safeguards and efficiency in the Regulation itself. But it can be noted that given the broad discretion granted to states regarding notice to the targets of investigations, other types of notice and safeguards may be vital to ensuring the protection of fundamental rights.
The second type of notification is from the issuing authority to the enforcing authority for certain types of data. No notice is required for subscriber data or traffic data that is used for identification purposes. 68 For other traffic data and content data, Article 8(1) requires the issuing authority to notify the enforcing authority of an EPOC. Article 8(2), however, makes an exception for cases in which the criminal offence has been or is likely to be committed in the issuing state and the target is in the issuing state. 69 Thus, Article 8 notification is only required in cases where the issuing authority is seeking traffic data (for non-identification purposes) or content data for an investigation where either the target of the investigation is located outside of the issuing state or part of the crime has been or is likely to be committed outside of the issuing state. Therefore, in most domestic cases, the enforcing state will not have notice of an order from the issuing state. 70
If the issuing state does not notify the enforcing authority, the enforcing authority may nonetheless be notified of the order if the service provider raises an issue. This is the third type of notification. The service provider may notify the enforcing authority directly if it believes the order ‘could interfere with immunities or privileges, or with rules on the determination or limitation of criminal liability that relate to the freedom of press or the freedom of expression in other media, under the law of the enforcing State’. 71 If the service provider objects to the order on a procedural ground – that is, the order is ‘incomplete, contains manifest errors or does not contain sufficient information to execute’ – the service provider notifies the issuing authority. But if the issuing authority disagrees with the service provider’s objection, the responsibility for enforcing the order moves to the enforcing State, providing notice at that point.
The service provider’s role in this regard could be significant, especially if the issuing state may not be trusted to follow notice requirements. However, the role is limited. Under the regulation, the service provider may not challenge an order if the EPOC appears to breach a target’s fundamental rights. The debate over the proper role of the service provider in this regard is explored further in the next section.
The role of the service provider and fundamental rights
Early drafts of the e-Evidence Regulation allowed service providers to challenge orders on fundamental rights grounds. 72 This provision led to criticism that the proposed e-Evidence Regulation in effect privatised the public responsibility of states to review orders, essentially deputising service providers to act as judicial authorities. 73 Mitsilegas noted that the Regulation, in setting up direct cooperation between a public authority and the private sector, ‘delegat[es] fundamental rights scrutiny to the private sector’. 74 Gless and Pfirter went further and asserted that the regulation amounted to ‘governments hand[ing] over responsibility and power to a private stakeholder that is in the business of profiting from cloud computing and, in all likelihood, lacks any experience in applying the law’. 75 Tosza argued that the regulation would create a new position for service providers who, ‘whether they like it or not, would become extended arms of law enforcement replacing their national authorities in the task of not only receiving and complying with but also assessing the orders’. 76
After the ground for challenging based on fundamental rights grounds was removed from the Regulation, scholars continued to critique the framework as a system of mutual recognition by private actors. 77 In a later article, Tosza argued that service providers would be placed in an onerous role in which they must ‘recognise’ the order in terms of the quality and correctness of the order, as well as the applicability of immunities and privileges. 78 In this way, the service provider becomes the ‘first filter’ of the orders (in place of the judicial authority of the enforcing state), a role ‘from which [service providers] will not be able to abstain’. 79
There are several issues with these critiques, however. First, the service provider does not replace national authorities in assessing orders, nor do they ‘recognise’ the order as would the judicial authority in the enforcing state. Second, service providers as third-party intermediaries routinely scrutinise and determine whether to comply with orders demanding data – this is not a new role. Finally, the Regulation should not require service providers to assess fundamental rights compliance (which would arguably place public duties on private service providers). However, the Regulation should allow service providers to challenge EPOCs that appear to violate fundamental rights. Without this ground for challenge, the Regulation leaves rights less protected. The rest of this section considers each of these three issues in turn.
First, the service provider does not ‘replace’ the national authorities in assessing orders, and this is true regardless of whether the service provider can object on fundamental rights grounds. The issuing state’s authority will continue to evaluate and issue the orders subject to procedures in national law. The critiques noted above confuse the role of the service provider as an intermediary with the previous ‘executing state’ role under the EIO or MLAT. The e-Evidence framework simply minimises the role of the executing/enforcing state’s authority, relying on the issuing state’s authority under national criminal procedure laws to ensure orders are properly issued (as if the evidence was located in the issuing state).
This is the defining feature of the e-Evidence regulation as a mutual trust framework – because the enforcing state trusts the issuing state, it does not need to review or execute the order. By removing what should be a redundant check (given the mutual trust between states), the Regulation improves timely access to evidence and creates an efficient mechanism for obtaining electronic evidence. However, as Tosza, Mitsilegas and others noted, this is a radical departure from previous mutual recognition frameworks in the EU. 80
In fact, many argued against the Regulation on the ground that the EU lacked the competence to create a direct access framework on the basis of mutual recognition. 81 For the most part, the arguments over whether mutual recognition is the correct legal basis for the Regulation are out of the scope of this article. 82 Nonetheless, it is worth noting the critique because one reason behind the notice provisions may be to ‘save’ mutual recognition as a legal basis by requiring the involvement of judicial authorities in the enforcing Member State (at least in certain situations). 83 Thus, the service provider remains in the same position that it always has been as a third-party intermediary, subject to sanctions for non-compliance with the order. The service provider does not take on the public role of the enforcing state’s judicial authority (which is saved by the notice). While being a communications intermediary has public interest consequences, compliance with legal orders for communications data is not an inherently public decision. 84 In situations when the enforcing authority is bypassed in favour of the direct access mechanism, then no second authority – public or private – is in the ‘recognition’ role.
To be sure, as noted by Mitsilegas, the service provider’s position is not one of equal power but of a subordinate position. 85 This makes the need for actual mutual trust underlying direct access mechanisms even more necessary. As Tosza suggests, this framework ‘seems to require a quantum leap of mutual trust’. 86 This quantum leap of mutual trust may not be warranted given the concerns with rule of law backsliding in certain Member States, as discussed in the section on safeguards.
Turning to the second issue identified above, Gless and Pfirter asserted that the regulation creates a situation where ‘governments hand over responsibility and power to a private stakeholder that . . . in all likelihood, lacks any experience in applying the law’. 87 However, service providers regularly ‘apply the law’ to determine whether to comply with an order for data from a government authority. Service providers as intermediaries routinely review orders to ensure that authorities followed the correct legal procedures to avoid liability for divulging confidential information without proper legal process. 88 This is not a new position. In 2015, the ECtHR recognised that this intermediary position of the service provider is ‘one of the important safeguards’ against abusive state surveillance practices. 89
Finally, early critiques noted that the Regulation, in allowing service providers to challenge orders on fundamental rights grounds, ‘delegat[e] fundamental rights scrutiny to the private sector’. 90 This critique tends to imply that the earlier drafts of the e-Evidence regulation required service providers to assess orders specifically for possible rights’ violations when it gave them the option to raise challenges on this ground. 91 The option to challenge orders on fundamental rights grounds differs from a requirement that the service provider scrutinise and review orders for this purpose. The compromise text instead removes the ability for service providers to make a challenge in situations where an order raises fundamental rights concerns. Some service providers have expressed that they want to be able to raise issues concerning fundamental rights, if the issue is apparent on the face of the order. 92 It is important to note that these providers would not investigate or look behind the order, and it is arguable whether the order itself would even reveal potential fundamental rights abuse. 93 However, the Regulation should allow service providers to raise issues with orders that on their face appear to violate fundamental rights. This does not mean that states should abdicate their responsibilities to protect rights and transfer those obligations to private actors. The critiques discussed throughout this section are correct in noting that private service providers will be motivated by their own business interests rather than the common good. 94 Nonetheless, allowing service providers the option to challenge on fundamental rights grounds would strengthen the Regulation’s fundamental rights protection.
The service provider may still be able to raise a fundamental rights concern if the right in question is protected by an applicable law of a third country with which the service provider must comply. This is the final ground on which the service provider can refuse to comply with an order – a conflict with the applicable law of a third country. 95 If a service provider raises this challenge, then the e-Evidence Regulation’s comity provisions apply.
The comity provisions in Article 17 require judicial review when an order would conflict with a service provider’s legal obligation under the law of a third country. 96 If the competent court in the issuing state determines there is a conflict, then the court assesses whether the order should be upheld in light of several factors, including ‘the interest protected by the relevant law of the third country, including fundamental rights. . .’. 97 Therefore, if there is a conflict with a fundamental rights protection available in a third country, the service provider’s objection to the order may allow for the protection of fundamental rights through the comity analysis. In fact, Recital 74 acknowledges that one of the purposes of Article 17 is ‘to protect the individual concerned’. Oddly, this could mean that there is better protection for fundamental rights of persons outside the EU, than inside.
The service provider’s role as an intermediary can act as an important safeguard for the protection of fundamental rights. The service providers should be capable of raising a challenge to an order on this basis, not just in a conflict of laws situation. This option would not require or even necessarily authorise a private investigation that looks behind the order (nor would service providers likely want that responsibility) but would instead allow service providers to flag concerns to the relevant authorities when those concerns are clearly raised on the face of the order.
As noted above, the service provider would raise any issues concerning immunities or privileges and freedom of press or expression with the enforcing authority. 98 If the service providers were to be able to challenge on other fundamental rights grounds, it would make sense for this issue to also be taken directly to the enforcing authority. But regardless, if the service provider refuses to comply for any reason, the enforcement of the order falls on the enforcing State, which then provides notice to that authority. Therefore, allowing service providers the option to challenge on fundamental rights grounds generally may provide one potential avenue for greater scrutiny of orders from Member States whose judicial independence, fair trial rights, and rule of law protections have led to a breakdown in mutual trust.
Despite these benefits, the service provider should not be the most important safeguard, given their limited capabilities and business priorities. Service providers are hardly incentivised by the Regulation to resist orders – as mentioned earlier, the consequence of non-compliance to the service provider is a pecuniary sanction of up to 2 percent of annual global turnover of the service. As Tosza has explained, even if the enforcing state were to agree with a service provider’s objection on fundamental rights grounds, the issuing Member State may still be able to impose sanctions on the service provider. 99 For these reasons, the other notification procedures for notifying either the enforcing state or the state where the target of the order resides may be important, as will be discussed in the next section.
The function of the notice regime
Fundamental rights protection in respect of the grounds for refusal in the e-Evidence Regulation largely depends on notice to the enforcing state. However, the function of notice in the e-Evidence Regulation is not just intended to protect fundamental rights but also to protect territorial sovereignty. As noted in the previous section, notice also ‘saves’ the legal basis for mutual recognition by involving the judicial authorities of the enforcing state. 100 This section considers these functions of the notice regime in the Regulation to show how notice can be improved to protect fundamental rights and strike the right balance between efficiency and rights protection.
Mutual legal assistance treaties have historically had a dual purpose of protecting territorial sovereignty and fundamental rights. 101 The notice provisions of the e-Evidence Regulation, situated within this context, appear consistent with previous trends in mutual legal assistance and mutual recognition instruments. It is important to consider the purpose of notice as it highlights how much the e-Evidence Regulation relies on mutual trust, and therefore, how important it is that the Regulation include special safeguards for fundamental rights when that trust breaks down.
In previous mutual legal assistance frameworks, notice is given – or more accurately, the request or order is sent – to the state where the evidence is located. This procedure is necessary to respect the principle of territorial sovereignty. As the Lotus court said, ‘the first and foremost restriction imposed by international law upon a state is that – failing the exercise of a permissive rule to the contrary – it may not exercise its power in any form in the territory of another state’. 102 MLATs recognise this fundamental principle of international law. Criminal investigations cannot be carried out by one state’s agents on the territory of another state without the consent of that state. 103
MLATs also usually contain safeguards for fundamental rights, consistent with a state’s sovereign obligation to protect the fundamental rights of persons within their jurisdiction. For example, most MLATs will include provisions on double criminality, grounds for refusal and minimum seriousness of offenses. 104 But it is questionable whether states can refuse an MLAT request based on a general concern that fulfilling the request for evidence may lead to a breach of the fundamental rights of the target. 105 Currie has raised the possibility that requested states may be able to refuse based on an ordre public exception (if included) in the relevant MLAT but concluded, ‘[i]t is by no means clear, for the most part, that human rights norms must take precedence over international criminal co-operation treaties’. 106 In other words, MLAT’s function was primarily to protect territorial sovereignty (which is obviously inherently tied to fundamental rights protection as well). 107
While the EIO Directive improved the efficiency of mutual legal assistance in the EU, it also recognised territorial sovereignty limitations. The EIO Directive requires that the act of executing the investigative measures is taken by the agents of the executing state. The issuing state’s agents can request to be involved in the execution of the measures, but the executing state’s agent must be present. 108 While it appears the e-Evidence Regulation takes a big step forward in consent of foreign state action within the territory, it is limited to sending EPOCs to service providers and the providers sending the data to the issuing state. No boots of foreign agents are on the ground, so to speak, which is possible because the regulation is limited to electronic evidence.
To support the idea that notice is intended to have a dual function of protecting both sovereignty and fundamental rights, it is helpful to consider one type of notice that is not included in the e-Evidence regulation, which is notice to the Member State where the target of the investigation resides (if not the issuing or enforcing state). The LIBE Committee report suggested additional notice requirements when the target permanently resides outside both the issuing and enforcing states. 109 In such a case, the issuing state would notify the Member State where the target normally resides, which could notify the enforcing state of any concerns. If notice in the e-Evidence Regulation was primarily intended to protect fundamental rights, it would seem important to include this type of notice as the state of residence may have ‘a stronger interest and motivation’ in protecting the rights of its own citizens or residents. 110 But the e-Evidence Regulation is based on mutual trust, arguably making this type of notice superfluous (as compared to previous mutual legal assistance arrangements).
Nonetheless, some direct access mechanisms based on mutual trust still incorporate notice to the state where the data subject resides. As mentioned in the introduction, in the UK–US Data Access Agreement, the United Kingdom and United States do not permit direct access to data targeting their own persons – for the United States, this category comprises citizens and residents; for the United Kingdom, this is persons within the territory. 111 Further, the US CLOUD Act (the basis for the UK–US Agreement) requires any mutual trust agreement for direct access to data with the United States to exclude data of US persons. If data is needed for an investigation involving a person in these categories, then the authorities must revert to the MLAT process to obtain the data. This means that if UK authorities need data for a criminal investigation targeting a US resident, the UK request for data moves through the MLAT process discussed earlier, requiring US authorities at the Department of Justice and a US magistrate judge to approve of the request. Thus, notice is effectively provided to the state where the data target resides (for US persons) or is located (for UK persons), acting as an additional safeguard even after mutual trust has been established between the United Kingdom and United States.
But a major distinction between the contexts of the UK–US Agreement and the e-Evidence Regulation is the application of fundamental rights protections to data targets outside of the territory. The United States does not necessarily extend fundamental rights protections to data targets in the United Kingdom (or anywhere outside US territory), unless the targets have ‘substantial connections’ to the United States. 112 Similarly, the UK Investigatory Powers Tribunal has held that the right to privacy in Article 8 of the ECHR does not apply when UK authorities obtain data of foreign data targets. 113 In contrast, EU Member States are obligated to protect the rights of all data targets in the EU regardless of location or citizenship.
This distinction highlights the unique position of Member States in the EU in the history of mutual legal assistance. Pursuant to the EU Charter of Fundamental Rights, Member States are obliged to respect and protect the rights of the target regardless of nationality. 114 Thus, the protection of fundamental rights should be guaranteed throughout the Union, and at least in theory, the enforcing state should have just as much motivation to protect the rights of an individual in a different Member State as people within their own territory. Of course, there is a difference between theory and reality.
Scholars rightly raise concerns that issuing Member States will prioritise their own criminal investigations over the interests of other Member States, including fundamental rights protections for targets in a different Member State. 115 While the EU’s unique legal position and mutual trust should theoretically guarantee a stronger mutual trust than that between the United Kingdom and United States, for example, the reality may be different. The e-Evidence Regulation, based on a high degree of mutual trust, is being implemented at a time when mutual trust in the EU is ‘questioned with increased intensity’. 116
Critics draw particular attention to the differing standards of protection in the issuance of orders between Member States. 117 A target of an EPOC may expect that their rights are protected under the Member State’s law in which they reside (if not the issuing State) or under the enforcing Member State’s law where the service provider is located. As mentioned earlier, however, the standards in the issuing Member State are applied to the issuance of the order. Because notice is limited (to cases involving traffic and content data for the investigation of cross-border criminality or a target in a different State), the protections offered by the standards of the enforcing State are likewise limited. 118 Sachoulidou observes that prior to the Regulation ‘domestic legal approaches have been fragmented regarding issues related not only to the necessary link to each national legal order for adopting investigative measures with cross-border effects but also to the procedural guarantees available to individuals affected’. 119 The Regulation does not address this fragmentation, again showing the critical role played by mutual trust in fundamental rights protection.
The e-Evidence Regulation follows the notice model of previous mutual legal assistance frameworks in the EU that, for sovereignty reasons, required cooperation with the state where the evidence was located, rather than the state where the target of the order was located. Because of the ‘loss of location’ and ‘unterritoriality’ of data discussed at the beginning of this article, the relevant ‘location’ for the evidence in the e-Evidence Regulation is now the location of the establishment or representative of the service provider. Thus, the relevant location for the e-Evidence Regulation is something of a legal fiction – the place that a service provider deems it most advantageous to have an office or representative. But what about the Member State where the target habitually resides (if different)? Should that State have an interest in enforcing the order as suggested by the LIBE Committee?
If notice is only routinely required in cases involving a cross-border crime or target, then it may normatively make more sense to send notice to the Member State where the target normally resides (if known). First, the service provider is likely to have a territorial connection with that Member State that would bring it within the jurisdictional applicability of the e-Evidence Regulation anyway. 120 Second, this model would spread out the burden of responding to notice more evenly amongst Member States, rather than concentrating the review in states like Ireland and Luxembourg. Third, this notice may also allow the target to have access to more effective remedies by engaging with their own national authorities. 121 Finally, notice to the Member State where the target normally resides would recognise that the state of residence may also have a sovereignty interest in preventing disclosure of the data apart from the fundamental rights implications for the target. For example, Christakis has highlighted possible trade secret or national security concerns based on the identity of the target. 122 Further, for similar reasons, questions related to the application of immunities and privileges would seem better addressed to the Member State where the target resides (so long as that Member State was also permitted grounds for objection to the enforcing State based on similar safeguards in Article 12). But the e-Evidence Regulation instead adheres to the previous paradigm of MLATs and the EIO for the function of notice, focusing on notice to the state where the evidence is located, or in this case, the location where the service provider who possesses or controls the evidence is located.
Notice’s dual function highlights how some sovereignty functions seem to have been prioritised in the e-Evidence Regulation, but it is questionable whether the enforcing state has the strongest sovereign connection to the data for users located outside its own territory. Thus, perhaps it is more accurate to say that choosing to direct notice to the enforcing state rather than the state of residence is more about efficiency, than sovereignty. A streamlined notice procedure that directs all required notice to the state where the service provider is located may improve efficiency as this location should always be known, whereas the location of residence of the target of the order may not be known.
This prioritisation of efficiency comes at a cost to the protection of fundamental rights. As shown here, by directing notice to the enforcing state, rather than the potentially more interested state where the target is located, fundamental rights may be less protected in practice, despite the theoretical principles of mutual trust and non-discrimination applicable in the Union. This prioritisation of efficiency is especially concerning in cases involving Member States under Article 7 investigations, as discussed in the section on safeguards. While the Parliament draft’s proposal to require notice to the enforcing state for all orders from these Member States would have introduced inefficiencies to the evidence-gathering process, the friction is necessitated by the potential abuse of fundamental rights. The balance between efficiency and rights protection must shift when mutual trust is in doubt. Similarly, the LIBE Committee proposal to direct notice to the state where the target normally resides would also introduce potential inefficiencies but offer stronger safeguards for the target of the order.
The notice provisions of the e-Evidence Regulation can be seen to have multiple purposes – sovereignty, efficiency and protection of fundamental rights. The notice provisions do not function solely to provide the most protection possible for fundamental rights. This should not necessarily be a problem given that the EPOC is based on the mutual trust of fundamental rights protection throughout the Union. However, as Pech and Scheppele have observed, EU institutions need to adjust existing doctrine – including mutual trust – to address the challenges posed by Member States with the rule of law backsliding. 123 Such an adjustment should be included in the notice provisions of the e-Evidence Regulation. The function of notice with respect to these countries must be primarily intended to protect fundamental rights. This is necessary to ensure that the mutual trust foundation of the e-Evidence Regulation is based on reality and not on theory.
Conclusion
The purpose of the e-Evidence Regulation was to improve access to electronic evidence, given its unique characteristics that challenge traditional evidence-gathering mechanisms. The Regulation is intended to improve the efficiency of access, which is necessitated by the volatility of the data, and to extend the jurisdictional applicability of investigatory powers to service providers that have a substantial connection to an EU Member State. Of course, the intention was not to sacrifice fundamental rights in this process, but clearly, efficiency was the primarily goal and even the raison d’être for the law. 124
The e-Evidence Regulation proceeds from the starting point that the protection of fundamental rights is already guaranteed by all Member States in compliance with Union law, especially in respect of the Charter of Fundamental Rights. The imposition of strict and onerous safeguards in the regulation is therefore unnecessary and redundant – at least in theory. The reality on the ground however is different, which was also well-known throughout the e-Evidence negotiations. The growing threat of illiberalism within the EU 125 warranted stronger safeguards for states that are under investigation for rule of law backsliding.
If e-Evidence were to work as intended – indeed if it were to be an improvement on the EIO – then minimal notice is necessary to make the shorter time frames for disclosure manageable. Notice in every case would create a burdensome workload for the enforcing state’s authority, given that the review and any further investigation needed into circumstances surrounding the orders must be completed within ten days. Given the foundation of mutual trust, notice for every order should be redundant. Thus, the regulation limits notice from the issuing to the enforcing state to exceptional cases that involve the more privacy intrusive types of digital evidence, with a cross-border element besides the data itself (either the target of the order or some element of the crime occurring outside the issuing state).
The protection of fundamental rights in such a limited notice regime relies heavily on mutual trust – not just trust in the protection of rights generally but also trust that the issuing state will actually send notice in the exceptional cases required in Article 8. The service provider will not be able to challenge an order on fundamental rights’ grounds, so unless there is another issue with the order or it conflicts with the law of a non-EU state, then notice will rely completely on the issuing state’s authority giving notice to the enforcing state’s authority of the EPOC.
The rule of law backsliding in some Member States calls into question this mutual trust. Given how important the role of an independent judiciary is to the protection of fundamental rights in criminal investigations, recognising that the presumption of mutual trust has been at least initially rebutted for these states would be appropriate. Unfortunately, the Regulation does not reflect this situation and includes only minimal safeguards that would hope to address such systematic problems in certain Member States.
The fundamental rights safeguards in the e-Evidence Regulation are properly balanced with efficiency so long as mutual trust on the protection of fundamental rights in the issuing state actually exists. Where it does not, more robust and effective safeguards are needed.
Footnotes
Acknowledgements
I am grateful to Richard Vogler, Richard Glover, Matt Garrod and Keri Grieman for valuable feedback on earlier drafts of this article. Of course, any errors remain my own.
Declaration of conflicting interests
The author declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author received no financial support for the research, authorship, and/or publication of this article.
1.
The terms ‘electronic evidence’, ‘digital evidence’ and ‘data’ will be used interchangeably throughout this article.
2.
Julia Hörnle, Internet Jurisdiction: Law and Practice (Oxford University Press 2020) 145, 146.
3.
Jennifer Daskal, ‘The Un-Territoriality of Data’ (2015) 125 Yale Law Journal 326.
4.
Ian Walden, ‘Accessing Data in the Cloud: The Long Arm of the Law Enforcement Agent’ in Christopher Millard (ed.), Cloud Computing Law (2nd edn, Oxford University Press 2021) 445.
5.
ibid 443–5.
6.
Commission Regulation (EU) No. 2023/1543 (OJ 2023 L 191, p. 118) (hereinafter ‘e-Evidence Regulation’). Other examples of new criminal procedure rules that reflect data’s unterritoriality and volatility include the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) 2018 and the UK Investigatory Powers Act 2016.
7.
e-Evidence Regulation, article 3(3)(c). ‘Information society services’ is defined in Commission Directive (EU) No. 2015/1535 (OJ 2015 L 241, p. 1).
8.
e-Evidence Regulation, article 3(3).
9.
ibid article 1.
10.
ibid Recital 12.
11.
Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime, 3 October 2019 <https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/836969/CS_USA_6.2019_Agreement_between_the_United_Kingdom_and_the_USA_on_Access_to_Electronic_Data_for_the_Purpose_of_Countering_Serious_Crime.pdf> accessed 14 February 2024 (hereinafter ‘UK-US Data Access Agreement’); Home Office, ‘Policy Paper: Data Access Agreement – Joint Statement by the United States and the United Kingdom’ (21 July 2022) <
> accessed 14 February 2024.
12.
UK-US Data Access Agreement, Preamble.
13.
See text accompanying note 104.
14.
UK authorities may not directly access data held by US service providers without making assurances that the data accessed will not be used to infringe freedom of speech in accordance with the First Amendment to the US Constitution. Similarly, US authorities may not directly access data held by UK service providers without making assurances that the data accessed will not be used in a death penalty prosecution. UK-US Data Access Agreement, article 8(4). In addition to the agreement itself, these reservations are required by laws in each state: UK Crime (Overseas Production Orders) Act 2019 c 5 (COPO Act) s 16, and US CLOUD Act.
15.
Laurent Pech and Kim Lane Scheppele, ‘Illiberalism Within: Rule of Law Backsliding in the EU’ (2017) 19 Cambridge Yearbook of European Legal Studies 3.
16.
Hörnle, Internet Jurisdiction (n 2) 151–79.
17.
ibid 230–1.
18.
19.
20.
Commission Directive (EU) No. 2014/41 (OJ 2014 L 130).
21.
Valsamis Mitsilegas, ‘The Symbiotic Relationship Between Mutual Trust and Fundamental Rights in Europe’s Area of Criminal Justice’ (2015) 6 New Journal of European Criminal Law 457, 465.
22.
Hörnle, Internet Jurisdiction (n 2) 163–4.
23.
ibid Recital 19.
24.
Carrera and others, Access to Electronic Data (n 18) 54.
25.
Impact Assessment (n 9) 23; e-Evidence Regulation, Recital 8.
26.
See Katalin Ligeti and Gavin Robinson, ‘Sword, Shield and Cloud: Toward a European System of Public-Private Orders for Electronic Evidence in Criminal Matters?’ in Valsamis Mitsilegas and Niovi Vavoula (eds), Surveillance and Privacy in the Digital Age: European, Transatlantic and Global Perspectives (Hart Publishing 2021). While a comprehensive analysis of the jurisdictional scope of the e-Evidence Regulation is outside the scope of this article, it is worth noting that this expansion of jurisdiction addresses the cross-border problem outside the EU even more so than any cross-border issues within the EU, which were arguably addressed already by the EIO.
27.
28.
29.
At the time of writing, the Council of Europe Cybercrime Convention has 69 state parties, with 44 signatories to the Second Protocol, including the United Kingdom, United States, France, Germany, Spain and many other Member States. See Council of Europe, ‘Chart of Signatures and Ratifications of Treaty 224’ <https://www.coe.int/en/web/conventions/full-list?module=signatures-by-treaty&treatynum=224> accessed 1 August 2024. Similar direct access agreements to the UK-US Data Access Agreement are now in force between the United States and Australia and being negotiated between the United States and Canada. See US Department of Justice, ‘CLOUD Act Resources’ <> accessed 19 February 2024.
30.
e-Evidence Regulation, article 1.
31.
This explains the change in terminology from the EIO’s ‘issuing state’ and ‘executing state’, as compared to the e-Evidence Regulation’s ‘issuing state’ and ‘enforcing state’.
32.
For more details on the orders and direct access mechanism, see Athina Sachoulidou, ‘Cross-Border Access to Electronic Evidence in Criminal Matters: The New EU Legislation and the Consolidation of a Paradigm Shift in the Area of “Judicial” Cooperation’ (2024) 15 New Journal of European Criminal Law 256.
33.
e-Evidence Regulation, article 1(1).
34.
ibid article 3(4). For targeting criterion, see Recital 30.
35.
Jessica Shurson, ‘Data Protection and Law Enforcement Access to Digital Evidence: Resolving the Reciprocal Conflicts Between EU and US Law’ (2020) 28 International Journal of Law and Information Technology 167.
36.
e-Evidence Regulation, Recitals 1, 12.
37.
Hörnle, Internet Jurisdiction (n 2) 216.
38.
e-Evidence Regulation, articles 5(2), 6(2).
39.
ibid article 12.
40.
ibid article 15.
41.
ibid article 12(1)(b).
42.
Pech and Scheppele, ‘Illiberalism Within’ (n 15).
43.
e-Evidence Regulation, Recital 64.
44.
ibid.
45.
Council Framework Decision 2002/584/JHA (OJ 2002 L 190, p. 1).
46.
Cristina Saenz Perez, ‘What About Fundamental Rights? Security and Fundamental Rights in the Midst of a Rule of Law Breakdown’ (2022) 13 New Journal of European Criminal Law 526.
47.
Case C-216/18, LM, EU:C:2018:586 [60].
48.
Joined Cases C-404/15 and C-659/15, Aranyosi and Căldăraru, EU:C:2016:198 [89], [92–94].
49.
Joined Cases C-354/20 and C-412/20, Openbaar Ministerie, EU:C:2020:1033 [53–56], [69]; LM (n 47); Aranyosi and Căldăraru (n 48).
50.
LM (n 47).
51.
ibid para 60.
52.
Openbaar Ministerie (n 49) [69].
53.
ibid para 43.
54.
And it is highly criticised in this regard: Mitsilegas, ‘The Symbiotic Relationship’ (n 21).
55.
LM (n 47) [79].
56.
Pech and Scheppele, ‘Illiberalism Within’ (n 15) 7.
57.
Consolidated version of the Treaty on European Union, OJ C 202, 7.6.2016, article 7 (hereinafter TEU); see also LM (n 47).
58.
TEU, articles 2, 7; for more on this process, see Dimitry Kochenov and Laurent Pech, ‘Monitoring and Enforcement of the Rule of Law in the EU: Rhetoric and Reality’ (2015) 11 European Constitutional Law Review 512.
59.
ibid.
60.
61.
European Parliament Resolution, 12 September 2018, ‘European Parliament resolution of 12 September 2018 on a proposal calling on the Council to determine, pursuant to Article 7(1) of the Treaty on European Union, the existence of a clear risk of a serious breach by Hungary of the values on which the Union is founded’ (2017/2131(INL)), OJ C 433.
62.
63.
ibid.
64.
65.
ibid article 9(2)(a).
66.
e-Evidence Regulation, articles 13(1) and (2).
67.
Roman Zakharov v Russia App No 47143/06, Judgment, 4 December 2015, paras 233–4.
68.
Subscriber data are data relating to the subscription of services, including name, date of birth, address, billing information, phone number, email address, the type of service used, and dates relating to the use of the service. e-Evidence Regulation, article 3(9). Traffic data are non-content data relating to the provision of service as generated by the service provider, such as the source and destination of a message, the location of devices using the service, and the dates, times, duration, and formats of services used. ibid article 3(11).
69.
e-Evidence Regulation, article 8.
70.
According to Christakis, one major service provider has reported that in 93 percent of cases, the target of the data request is in the same country as the investigating authority. Théodore Christakis, ‘Lost in Notification? Protective Logic as Compared to Efficiency in the European Parliament’s e-Evidence Draft Report’ (Cross-Border Data Forum, 7 January 2020) <> accessed 22 May 2023.
71.
ibid article 10(5).
72.
European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters’, COM(2018) 225 final, 2018/0108 (COD), Strasbourg, 17 April 2018, articles 9(5b) and 14(4f) <> accessed 25 July 2023 (hereinafter ‘Commission Proposal’).
73.
Sabine Gless and Pauline Pfirter, ‘Cross-Border Access and Exchange of Digital Evidence: Cloud Computing Challenges to Human Rights and the Rule of Law’ in Valsamis Mitsilegas and Niovi Vavoula (eds), Surveillance and Privacy in the Digital Age: European, Transatlantic and Global Perspectives (Hart Publishing 2021) 18; Ligeti and Robinson, ‘Sword, Shield and Cloud’ (n 26); Stanislaw Tosza, ‘All Evidence Is Equal, But Electronic Evidence Is More Equal Than Any Other: The Relationship Between the European Investigation Order and the European Production Order’ (2020) 11 New Journal of European Criminal Law 161, 182; Mitsilegas, ‘The Symbiotic Relationship’ (n 21) 264.
74.
Valsamis Mitsilegas, ‘The Privatisation of Mutual Trust in Europe’s Area of Criminal Justice: The Case of e-Evidence’ (2018) 25 Maastricht Journal of European and Comparative Law 263, 264.
75.
Gless and Pfirter, ‘Cross-Border Access and Exchange of Digital Evidence’ (n 73) 18.
76.
Tosza, ‘All Evidence Is Equal, But Electronic Evidence Is More Equal than Any Other’ (n 73) 182.
77.
Stanisław Tosza, ‘Mutual Recognition by Private Actors in Criminal Justice? E-Evidence Regulation and Service Providers as the New Guardians of Fundamental Rights’ (2024) 61 Common Market Law Review 139, 155–6.
78.
ibid 162.
79.
ibid; see also Stanisław Tosza, ‘Internet Service Providers as Law Enforcers and Adjudicators. A Public Role of Private Actors’ (2021) 43 Computer Law & Security Review 105614.
80.
Tosza, ‘Mutual Recognition by Private Actors in Criminal Justice?’ (n 77); Mitsilegas, ‘The Privatisation of Mutual Trust in Europe’s Area of Criminal Justice’ (n 74); Martin Böse, An Assessment of the Commission’s Proposals on Electronic Evidence (Policy Department for Citizens’ Rights and Constitutional Affairs, Directorate General for Internal Policies of the Union, September 2018) 36 <> accessed 14 July 2025.
81.
See Tosza, ‘Mutual Recognition by Private Actors in Criminal Justice?’ (n 77); Böse, Assessment (n 80).
82.
For a full explanation of these arguments and analysis showing mutual recognition likely is the correct legal basis, see Tosza, ‘Mutual Recognition by Private Actors in Criminal Justice?’ (n 77).
83.
ibid.
84.
Contra Tosza, ‘Internet Service Providers as Law Enforcers and Adjudicators’ (n 79).
85.
Mitsilegas, ‘The Privatisation of Mutual Trust in Europe’s Area of Criminal Justice’ (n 74) 264–5.
86.
Tosza, ‘Mutual Recognition by Private Actors in Criminal Justice?’ (n 77) 156.
87.
Gless and Pfirter, ‘Cross-Border Access and Exchange of Digital Evidence’ (n 73) 18.
88.
Global Network Initiative, ‘The GNI Principles at Work: Public Report on the Third Cycle of Independent Assessments of GNI Company Members 2018/2019’, p. 56 <https://globalnetworkinitiative.org/wp-content/uploads/2020/04/2018-2019-PAR.pdf> accessed 20 August 2022 (eg, Google ‘assesses the legal validity of the request, both in terms of the authority of the issuing entity, and the application of the relevant local law’). See also the privacy policies of several large service providers, which confirm that the service providers scrutinise orders from law enforcement authorities to ensure they are legally valid: Apple Privacy Policy (October 2021) <https://www.apple.com/uk/legal/privacy/en-ww/> accessed 23 August 2022; Google Privacy Policy (February 2022) <https://policies.google.com/privacy?hl=en-US> accessed 23 August 2022; Meta Privacy Policy (July 2022) <https://www.facebook.com/privacy/policy/?section_id=0-WhatIsThePrivacy> accessed 22 August 2022; and Microsoft Privacy Statement (June 2022) <> accessed 23 August 2022.
89.
Zakharov v Russia (n 67) para 269.
90.
Mitsilegas, ‘The Privatisation of Mutual Trust in Europe’s Area of Criminal Justice’ (n 74) 264.
91.
The EU Commission’s draft Article 9(5) read, ‘In case the addressee considers that the [EPOC] cannot be executed because based on the sole information contained in the [EPOC] it is apparent that it manifestly violates the Charter of Fundamental Rights of the European Union or that it is manifestly abusive, the addressee shall also [notify] . . . the competent enforcement authority in the Member State of the addressee’. Commission Proposal (n 83). The EU Council’s draft deleted this language. See Council of the European Union, ‘Regulation of the European Parliament and Council on European production and preservation orders for electronic evidence in criminal matters – general approach’, 11 June 2019, 10206/19 <> accessed 6 June 2023.
92.
93.
Marcin Rojszczak, ‘e-Evidence Cooperation in Criminal Matters from an EU Perspective’ (2022) 85 The Modern Law Review 997.
94.
Tosza, ‘Mutual Recognition by Private Actors in Criminal Justice?’ (n 77) 163.
95.
e-Evidence Regulation, article 17(1).
96.
ibid Recital 74.
97.
ibid article 17(6).
98.
ibid article 10(5).
99.
Tosza, ‘Mutual Recognition by Private Actors in Criminal Justice?’ (n 77) 164.
100.
See further explanation in Tosza, ‘Mutual Recognition by Private Actors in Criminal Justice?’ (n 77).
101.
Hörnle, Internet Jurisdiction (n 2) 159.
102.
SS Lotus (1927) PCIJ Series A No. 10, 18–19.
103.
James Crawford, Brownlie’s Principles of Public International Law (9th edn, Oxford University Press 2019) 462.
104.
Hörnle, Internet Jurisdiction (n 2) 155.
105.
Robert J Currie, ‘Human Rights and International Mutual Legal Assistance: Resolving the Tension’ (2000) 11 Criminal Law Forum 143.
106.
ibid 160, 164.
107.
Böse, Assessment (n 80) 37; see also Case C-670/22, MN, EU:C:2024:372 [124].
108.
EIO Directive, articles 9(1), (4), (5). When an EIO authorises live interception, the issuing state must provide notice to ‘Member States where the subject of interception is located’, even if no assistance is required from that Member State to complete the intercept. ibid article 31. This could affect the protection of a target’s fundamental rights and it also impacts sovereignty because some element of the communication being intercepted is happening on the territory of the state where the target is located. See MN (n 107) [124].
109.
European Parliament Committee on Civil Liberties, Justice and Home Affairs, ‘Draft Report on the proposal for a regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters’ (COM(2018)0225 – C8-0155/2018 – 2018/0108(COD)), Rapporteur: Birgit Sippel, 24 October 2019, Amendment 43 <> accessed 25 July 2023. This language was not included in the final Parliament draft.
110.
Christakis, ‘Lost in Notification?’ (n 70).
111.
UK-US Data Access Agreement (n 14) articles 1(6), (12), 4(3). The discrepancies are due to European non-discrimination provisions applicable in the United Kingdom, which prohibit discrimination on the basis of citizenship. EU Charter of Fundamental Rights (2000) OJ C 364/1, article 21(1) and TFEU article 18 (in force in the United Kingdom at the time the UK-US Agreement was drafted); and European Convention on Human Rights, article 14.
112.
United States v Verdugo-Urquidez, 494 US 259 (1990); see also Agency for International Development v Alliance for Open Society International Incorporated, 140 SCt 2082 (2020).
113.
Human Rights Watch and Others v Secretary of State for the Foreign & Commonwealth Office [2016] UKIPTrib 15_165-CH, 2016 WL 02641960 at [60]. Although a recent European Court of Human Rights judgment calls this holding into question. In Wieder and Guarnieri v UK, the Fourth Section of the Court held that the right to privacy applies at the place where the data was ‘intercepted, searched, examined, and used’, regardless of the territorial location of the data subject. Case of Weider and Guarnieri v UK App Nos 64371/16 and 64407/16, Merits and Just Satisfaction, 12 September 2023. It is however unclear whether this applies if the interception itself takes place outside of the United Kingdom, as it might be considered to do in a direct access mechanism.
114.
EU Charter of Fundamental Rights, article 21.
115.
Theodore Christakis, ‘From Mutual Trust to the Gordian Knot of Notifications: The EU E-Evidence Regulation and Directive’ in Vanessa Franssen and Stanisław Tosza (eds), The Cambridge Handbook of Digital Evidence in Criminal Matters (Cambridge University Press 2025).
116.
ibid; Tosza, ‘All Evidence Is Equal, But Electronic Evidence Is More Equal Than Any Other’ (n 73).
117.
See Böse, Assessment (n 80) 39–42; see generally, Sachoulidou, ‘Cross-Border Access to Electronic Evidence in Criminal Matters ‘(n 32) (noting that the Regulation ‘does not ensure a prior, comprehensive approximation of national legislations on procedural issues’).
118.
This may be especially concerning in the context of application of immunities and privileges – such as cases involving diplomatic protection or professional privileges between doctor-patient, lawyer-client, or journalist-source. See e-Evidence Regulation, Recital 47. The enforcing State may refuse to enforce an order that violates its law on immunities and privileges, which may not be adequately considered by the issuing State. Again, at least theoretically, the fundamental rights underlying these immunities and privileges should be protected consistently throughout the EU.
119.
Sachoulidou, ‘Cross-Border Access to Electronic Evidence in Criminal Matters’ (n 32) 266.
120.
Given the broad jurisdictional scope of the e-Evidence Regulation and the presence of one of its users in the state likely indicates that there are more users within that state. See text accompanying notes 33–4.
121.
See suggestion in Tosza, ‘All Evidence Is Equal, But Electronic Evidence Is More Equal Than Any Other’ (n 73) 178. Though this would depend on the target having notice of the order, as well as mechanisms in place for the target to challenge the disclosure in their own state, rather than challenging the use of the evidence in the prosecution proceedings.
122.
Christakis (n 115).
123.
Pech and Scheppele (n 15) 7.
124.
See e-Evidence Regulation, Recitals 3, 6, 8.
125.
See Gábor Halmai, ‘Illiberalism in East-Central Europe’ in András Sajó, Renáta Uitz and Stephen Holmes (eds), Routledge Handbook of Illiberalism (Routledge 2021).