EU to Require Tech Firms to Provide Overseas Emails, Texts and Stored Data

New “e-Evidence Regulation” Gives Direct Police Access to Data Across EU Borders and Abroad

The European Union will require tech companies to provide data to European investigators stored in another EU country or even outside the EU under a new e-Evidence Regulation proposed by the European Commission on April 17. The EU has planned for some time to streamline the legal mechanisms for sharing electronic evidence within the 28-nation bloc, but the Commission’s final proposal extends the new powers to also cover service providers based outside the EU. The EU’s proposal comes just as the US is adopting the CLOUD Act, which will allow US authorities to acquire data that is stored in other countries without obtaining a local court order. The e-Evidence Regulation is another example of the trend in extraterritorial application of government access laws.

Easier access for investigators to a wide range of electronic evidence

Criminal and terrorism investigations in Europe increasingly depend on rapid access to electronic data held in another country. The Commission’s proposal would create a new “European production order” allowing EU investigators to ask service providers in other European countries to provide phone numbers, emails, messages, location data, credit card numbers, and stored data without obtaining a court order in the country where the company or data is located. The European production order allows a judge or prosecutor in one EU Member State to request electronic evidence directly from a service provider offering services in the EU and established or represented in another Member State, regardless of the location of data. Investigators could also require that certain data not be deleted through use of a “European preservation order.”

Additional safeguards – such as a judicial warrant – would be required for access to content data, such as emails, messages, audio, video and pictures.

Short deadlines would be imposed: 10 days for responding to most requests, with only six hours in the case of an emergency. Acquiring data under current European mutual legal assistance arrangements can take months. Sanctions could be imposed for failure to respond to a production or preservation order.

Applicable to many types of online services regardless of the provider’s location

The e-Evidence Regulation also ensures that investigators have access to the latest types of electronic information by applying the requirements to entities beyond traditional telecom and Internet access providers. The new rules will apply to VoIP and messaging apps and other OTT services with chat or calling features in a manner similar to recent updates in EU communications law (the European Electronic Communications Code and the e-Privacy Regulation). However, the e-Evidence Regulation goes even further by requiring a range of apps and Internet-based services without communication features to respond to cross-border requests from investigators:

• Online services “for which the storage of data is a defining component,” which includes
  • social media platforms,
  • online marketplaces (e-commerce sites), and
  • hosting services (cloud storage services)
• Internet domain names and numbering services.

The Regulation will also apply on an extraterritorial basis. Services without a presence in the EU would still need to provide data to investigators if the service can be used in Europe and there is a connection to the EU that is more than incidental. Service providers will be subject to the Regulation where there are a “significant number of users in one or more Member States, or the targeting of activities toward one or more Member States.” Like under the GDPR, a service will be deemed to be targeted at EU users if a European currency or language is used, goods or services can be ordered, an app is available in a European app store, or local advertising is included.

Legal representatives required for non-EU companies

Service providers offering services in the EU from outside the EU would be required to appoint a legal representative located in the EU. The representative could be a person or a legal entity, provided that they are based in one of the EU countries that fully participate in the EU’s judicial cooperation mechanisms.

EU regulations are increasingly requiring non-EU companies to appoint local representatives if they do business in Europe. A representative is required under the GDPR, the NIS Directive and the proposed ePrivacy Regulation.

Under the e-evidence proposal, the representative would be responsible for responding to cross-border data requests and preservation orders and would be subject to full liability for the service provider’s failure to provide the requested data (which is of particular concern given the short deadlines for production). To allow providers to centralize handling cross-border orders, EU national governments would be blocked from requiring a non-EU service provider to have more than one representative within the EU.

Next steps

The Commission’s proposal now starts a long legislative process with reviews by the European Parliament and the EU Member State governments. Work will need to be completed quickly in order to adopt the new rules before the summer of 2019 when the European government’s term ends.

As with the GDPR, online providers that make their services available in the EU will need to monitor the progress of the new e-evidence rules and assess whether they may be subject to its extraterritorial reach. Given the broad scope of services captured by the new requirements, companies that might not otherwise be subject to EU law will need to carefully analyze their potential obligations.