Legally and politically important
Not cleared from scrutiny; further information requested; drawn to the attention of the Home Affairs Committee, the Justice Committee and the Committee on Exiting the European Union
(a) Proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters
(b) Proposal for a Directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings
(a) Article 82(1) TFEU, ordinary legislative procedure, QMV
(b) Articles 53 and 62 TFEU, ordinary legislative procedure, QMV
(a) (39631), 8110/18 + ADDs 1–3, COM(18) 225;
(b) (39630), 8115/18 + ADDs 1–2, COM(18) 226
3.1The proliferation of electronic means of communication in the digital age presents a challenge for law enforcement authorities. According to the European Commission, more than half of criminal investigations have a cross-border dimension because electronic evidence (information stored electronically) which can help to identify a criminal suspect or prove involvement in criminal activity is stored in remote servers hosted on the Internet (the “cloud”) or held on a server or by a service provider located in a different jurisdiction. The Commission considers that current procedures for obtaining this type of evidence are too slow, given that data can be altered, transferred or deleted at the click of a mouse. It is therefore proposing new rules to make it easier and quicker for law enforcement authorities to secure and obtain electronic evidence stored in another EU Member State or outside the EU.
3.2A new fast-track procedure would enable the judicial authorities in the Member State investigating criminal activity to serve a European Preservation Order and/or a European Production Order directly on a service provider (or legal representative) offering services within the EU but based in a different jurisdiction. Other instruments for obtaining evidence within the EU (principally the European Investigation Order—“EIO”) or from a third country (under mutual legal assistance mechanisms) require the involvement of judicial and law enforcement authorities in the investigating country and the country in which the service provider is based and so take longer to execute (up to 120 days for the EIO and even longer under other mutual legal assistance arrangements). Under the proposed Regulation—document (a)—a service provider would be required to preserve the electronic data specified in the European Preservation Order (regardless of where they are stored) and to produce them within 10 days of receiving a European Production Order (or six hours in emergency cases). These Orders would only be available in cases where there is a cross-border dimension, not for purely domestic situations where the service provider is based or represented in the Member State carrying out the criminal investigation.27
3.3The proposed Regulation builds on the principle of mutual recognition and depends on “a high level of mutual trust” between Member States.28 It incorporates important safeguards, requiring European Preservation and Production Orders to be validated by a judicial authority, and is underpinned by EU legislation establishing minimum standards on procedural rights in criminal proceedings, EU data protection laws and the EU Charter of Fundamental Rights. As the proposal is a criminal law measure, it is subject to the UK’s Title V (justice and home affairs) opt-in Protocol, meaning that it will only apply to the UK if the Government decides to opt in.
3.4The Commission has put forward a separate but related proposal which would require online service providers offering services within the EU to designate a legal representative in the EU responsible for ensuring compliance with European Preservation and Production Orders or other law enforcement requests for evidence needed for criminal proceedings. The proposed Directive—document (b)—is not a criminal law measure as its principal objective, according to the Commission, is to remove obstacles to the provision of services within the EU by establishing “a level playing field for all companies offering the same type of services in the EU, regardless of where they are established or act from”.29
3.5The Commission anticipates that both proposals will take effect six months after they have been adopted and entered into force. Even if negotiations are not concluded before 29 March 2019, the date when the UK is expected to leave the EU, the proposals are likely to be adopted and take effect within the transition/implementation period agreed as part of the UK’s exit negotiations. Under the draft Withdrawal Agreement setting out the terms on which the UK will leave the EU, most EU laws will continue to apply to the UK as if it were a Member State until the transition/implementation period ends on 31 December 2020.30 However, new EU laws in the justice and home affairs field which are not “binding upon and in the UK” on exit day will not apply during the transition/implementation period unless they “amend, build upon or replace” an existing measure in which the UK participates. This means that the proposed Directive (which is not a justice and home affairs measure) almost certainly will have to be implemented into UK law during the transition/implementation period, but the proposed Regulation may not apply if adopted after 29 March 2019.
3.6The Minister for Policing and the Fire Service (Mr Nick Hurd) says that the Government supports efforts to make cross-border access to data within the EU more efficient and less burdensome and time-consuming for law enforcement authorities. He adds, however, that the UK has “a mature domestic system in place for accessing cross-border e-evidence” and has cautioned against further EU legislation, “given that there are existing tools both within the EU and being developed internationally to tackle similar issues”. The Government will examine the benefits of participating in the proposed Regulation and evaluate whether it would “provide the UK with additional tools to support criminal investigations” or provide greater access to data than existing domestic capabilities.
3.7The Minister expects negotiations on both proposals to progress rapidly. He anticipates that the three-month deadline for opting into the proposed Regulation is likely to expire around 22 August. The Government is considering whether the legal base for the proposed Directive is appropriate but accepts that the UK will be bound unless it is amended to include a Title V (justice and home affairs) legal base. Both measures would require changes to UK law.
3.8It is difficult to gauge from the Minister’s Explanatory Memorandum how the Government intends to approach negotiations on the proposed Regulation and Directive. We ask him to clarify the Government’s position on the need for further EU legislation, the legal base for the proposed Directive, the factors informing the Government’s opt-in decision on the proposed Regulation, and the wider Brexit implications.
3.9Given the Government’s “cautious” approach to new legislation in this area, we are disappointed that the Minister’s Explanatory Memorandum does not include a subsidiarity assessment setting out the Government’s position on the need for further legislative action at EU level. We ask the Minister whether he considers that the proposed Regulation and Directive would “add value” and meet the threshold for the EU to act instead of Member States.
3.10We would welcome further information on the Government’s evaluation of existing tools and mechanisms—whether domestic, EU or international—for obtaining electronic evidence which is stored in a different jurisdiction. We ask the Minister whether he shares the Commission’s view that they are too slow and too fragmented to be effective or, conversely, whether he is confident that electronic evidence can be preserved and obtained under these mechanisms within the timescales envisaged in the proposed Regulation.
3.11We infer from the Minister’s Explanatory Memorandum that the Government is considering whether the proposed Directive—document (b)—should cite a Title V (justice and home affairs) legal base, giving the UK the option of deciding whether it wishes to participate. We ask the Minister for his views on the following matters:
3.12If the legal base remains unchanged, the UK will be bound by the proposed Directive but may decide not to participate in the proposed Regulation. We ask the Minister to explain the practical implications of being bound only by the Directive and how this might affect requests for electronic evidence made under other EU criminal law instruments in which the UK participates, such as the European Investigation Order. Would these requests also have to be addressed in the first instance to the service provider’s designated legal representative in the EU?
3.13The Minister sets out the factors which will inform the Government’s opt-in decision on the proposed Regulation—document (a). We would welcome further information on the progress made in negotiating a UK-US Data Access Agreement, its main provisions, and how UK participation in the proposed Regulation might affect the operation of the Agreement.
3.14The Minister indicates that one factor weighing on the Government’s opt-in decision will be the impact of the proposals “on wider law enforcement and national security Brexit negotiations”. We ask the Minister to explain what progress has been made on these wider negotiations and how significant opt-in decisions taken in the months remaining until exit day are likely to be in shaping the UK’s future relationship with the EU in this area.
3.15Under Article 122(1)(a) of the draft Withdrawal Agreement, only EU justice and home affairs laws that are “binding upon and in the UK” by the date on which the Withdrawal Agreement enters into force—expected to be 29 March 2019—will apply to the UK during a post-exit transition/implementation period. We ask the Minister whether “binding upon and in the UK” means that these laws will only apply during this period if:
3.16Pending further information, the proposed Regulation and Directive remain under scrutiny. We ask the Minister to confirm the three-month deadline for opting into the proposed Regulation at the earliest opportunity and to provide regular updates on the progress of negotiations. We draw this chapter to the attention of the Home Affairs Committee, the Justice Committee and the Committee on Exiting the European Union.
(a) Proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters: (39631), 8110/18 + ADDs 1–3, COM(18) 225. (b) Proposal for a Directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings: (39630), 8115/18 + ADDs 1–2, COM(18) 226.
3.17The European Investigation Order is the principal mechanism for obtaining evidence (including electronic evidence) needed for a criminal investigation from another EU Member State.31 Under the EIO, a request for evidence must be validated by a judicial authority before it is transmitted to the law enforcement authorities in the Member State where the evidence is located. These authorities are responsible for executing the request and should give the EIO the same priority as a similar request in a domestic case. An EIO should be executed “without delay” and not take longer than 120 days. There is no provision for third (non-EU) countries to participate in the EIO.
3.18Member States depend on Mutual Legal Assistance agreements to obtain evidence from countries outside the EU. The EU has only concluded two Mutual Legal Assistance agreements—with Japan and with the United States. The agreement with Japan stipulates that requests for mutual assistance should be executed “promptly” without specifying any deadlines. Under both agreements, requests have to be channelled through a central coordinating authority in the issuing (EU) country and executing country (Japan or US) before being transmitted to the judicial or law enforcement authority responsible for taking the action requested. The Commission estimates that a typical request to obtain electronic evidence from a service provider in the US takes on average ten months.32 Because of these delays, law enforcement authorities have sought to establish voluntary cooperation arrangements with service providers based in the US (the country hosting the main service providers). The Commission considers that the absence of a clear legal framework undermines transparency and accountability and creates uncertainty.
3.19The proposed Regulation is a criminal law measure based on Article 82(1) of the Treaty on the Functioning of the European Union (TFEU) concerning judicial cooperation in criminal matters. It would operate alongside the European Investigation Order but is narrower in scope.33 Whilst the EIO establishes a procedure for requesting a wide range of investigative measures, the proposed Regulation would apply only to requests for electronic evidence (evidence stored in electronic form). The Commission identifies four types of data covered by the proposal:
3.20The Commission describes the first three categories as “non-content data”, an important distinction as the current legal framework in the US and in many EU Member States allows service providers to share non-content data with foreign law enforcement authorities on a voluntary basis.34
3.21The proposed Regulation would apply to the providers of electronic communications or information society services as well as the providers of internet infrastructure (such as IP addresses and domain name registries) who offer services within the EU and have “a substantial connection” to one or more Member States, regardless of the place where the data are stored.35 Factors demonstrating a substantial connection include establishment within the EU, a significant number of users, or the targeting of services towards one or more Member States.36 The Commission emphasises that the storage of data must be “a defining component” or “main characteristic” of the services provided.37 The proposed Regulation would not create a general obligation to retain data or authorise the interception of data.38
3.22A European Preservation Order may be issued for any criminal offence. Its purpose is to preserve electronic evidence by preventing a service provider from removing, deleting or altering data pending a further request to produce the evidence.39 If issued by an investigating authority, it must be validated by a judge or prosecutor.
3.23The European Preservation Order should be sent directly to the service provider (via a designated legal representative in the EU) and the electronic evidence specified in it preserved for 60 days (or longer if a request to produce the evidence has been initiated before the 60 days expire).
3.24The purpose of a European Production Order is to compel a service provider outside the jurisdiction of the investigating state to produce electronic evidence. It may be issued for any criminal offence if the evidence sought concerns subscriber or access data and must be validated by a judge or prosecutor. A higher threshold applies for transactional or content data—the Order must be validated by a judge and concern more serious crimes (those punishable by a maximum custodial sentence of at least three years), or certain other cyber-related or cyber-enabled crimes or terrorism.40 Unlike the European Preservation Order, a European Production Order may only be issued if a similar measure would be available for the same criminal offence in a comparable domestic case (where there is no cross-border dimension).41
3.25The European Production Order should be sent directly to the service provider (via a designated legal representative) and the evidence disclosed within 10 days—or six hours in emergency cases where there is “an imminent threat to the life or physical integrity” of an individual or to critical infrastructure.
3.26The proposed Regulation seeks to reduce the time taken to obtain electronic evidence by providing for the direct transmission of European Preservation and Production Orders to service providers (via their designated legal representatives in the EU). Should they fail to comply with an Order, the issuing authority may transfer responsibility for enforcing the Order to the Member State in which the service provider’s designated legal representative is based. The usual rules on mutual recognition would apply, meaning that the Order would be recognised and enforced “without further formalities” unless one of a limited number of grounds for opposing enforcement applies. They include:
3.27As the proposed Regulation would apply to service providers offering services in the EU, even though they may be established or the data stored outside the EU, compliance with a European Production Order could give rise to conflicts of law. The proposal therefore includes a review procedure (involving the courts of the Member State that has issued the Order) to establish whether the law of a third country applies in the specific circumstances of the case and whether that law would prohibit the disclosure of the data requested. There are three possible outcomes:
3.28The proposed Regulation requires Member States to ensure that effective remedies are available to individuals whose data have been obtained under a European Production Order. The right to an effective remedy must be exercised in the court of the Member State issuing the Order.
3.29The Commission notes that there is no general requirement for online service providers offering services in the EU to establish a physical presence within the EU. Nor are there harmonised rules determining how service providers should handle requests for information made by law enforcement or judicial authorities responsible for investigating and prosecuting crime. This has led to divergent national approaches and fragmentation which, the Commission believes, “creates legal uncertainty for those involved and can put service providers under different and sometimes conflicting obligations and sanctioning regimes […], depending on whether they provide their services nationally, cross-border within the Union or from outside the Union”.44 It says that harmonised rules are needed to reduce obstacles to the freedom to provide services and “ensure a better functioning of the internal market in a way which is coherent with the development of an area of freedom, security and justice”.45
3.30The proposed Directive would require Member States to ensure that online service providers offering services in the EU designate at least one legal representative within the EU to receive and act on decisions or orders issued by national law enforcement or judicial authorities for the purpose of gathering evidence for criminal proceedings. The designated legal representative must be based either in the Member State in which the online service provider is established or in a Member State in which the services are offered. Often, the decisions or orders issued by national law enforcement or judicial authorities will be based on EU criminal law judicial cooperation instruments in which not all Member States participate (Denmark has a general opt-out and the UK and Ireland are only bound by the instruments they have opted into). The proposed Directive therefore requires that, for these instruments, the service provider’s designated legal representative must be based in a participating Member State.
3.31The Minister supports the EU’s efforts to improve cross-border access to data, “particularly where this can improve security cooperation, prevent crime and terrorism, and close legal gaps”, as well as the safeguards included in the proposed Regulation which reflect “the different levels of intrusiveness of the measures imposed in relation to the data pursued.”46 He notes that the UK participates in the European Investigation Order and in other EU mutual legal assistance measures, but adds:
“However, as the EIO, a measure which seeks to tackle a similar issue, has only been operating for nine months in the UK and is yet to be implemented by all relevant Member States, its effectiveness cannot be fully evaluated yet.
“In addition, the UK already has a mature domestic system in place for accessing cross-border e-evidence. Our approach to this work stream previously has been to caution against EU legislation, given there are existing tools both within the EU and being developed internationally to tackle similar issues.
“We will examine any benefits to the UK in participating in this measure, and in particular whether it would provide the UK with additional tools to support criminal investigations, whether it could provide for greater access to data beyond what our domestic capabilities offer, including through evaluating this measure against existing tools such as the EIO and MLA. In addition, we will assess the likely level of usage of the new system by UK law enforcement agencies.”47
3.32The Minister is unable at this stage to confirm when the three-month deadline for deciding whether to opt into the proposed Regulation will expire but anticipates that it is likely to be around 22 August.48 He reiterates the Government’s position that all opt-in decisions are taken “on a case-by-case basis, putting the national interest at the heart of the decision-making process” and says that relevant factors include:
3.33The Minister confirms that the proposed Directive will be legally binding on the UK as it “does not trigger the opt-in”. It would require changes to UK law:
“[…] to impose an obligation on services providers established in the UK or offering services here to create the necessary legal presence in the Union (whether in the UK or elsewhere). For cases where, under the Directive, a service provider has decided to appoint a legal representative in the UK, changes to UK law would be necessary to create a mechanism for ensuring the legal representative complies with orders when required to do so.”49
3.34The Government will “analyse what impact the Directive is likely to have on UK service providers operating in the EU and what enforcement mechanism the UK will need to put in place to ensure compliance with the Directive”.50
None on this document.
27 See the Commissions infographic—Security Union: facilitating access to electronic evidence.
28 See recital (11) of the proposed Regulation.
29 See p.3 of the Commission’s explanatory memorandum accompanying the proposed Directive.
30 See Article 122 of the draft Withdrawal Agreement.
31 See Directive 2014/41/EU regarding the European Investigation Order in criminal matters. Member States had to implement the Directive by 22 May 2017.
32 See the Commission’s fact sheet, New rules to obtain electronic evidence.
33 See recital (61) and Article 23 of the proposed Regulation.
34 See recital (20) of the proposed Regulation.
35 See Articles 1, 2(3) and (4) and 3.
36 See recital (28) of the proposed Regulation.
37 See p.14 of the Commission’s explanatory memorandum accompanying the proposed Regulation.
38 See recital (19) of the proposed Regulation.
39 A follow-up request to produce the evidence may take the form of mutual legal assistance, a European Investigation Order or a European Production Order.
40 Certain offences relating to fraud and counterfeiting of non-cash means of payment, child pornography and the sexual abuse of children, attacks against information systems and terrorism may fall below the threshold (a maximum custodial sentence of at least three years) but would still be covered by the proposed Regulation.
41 See Article 5(2) of the proposed Regulation.
42 See Article 14 of the proposed Regulation.
43 See Article 16 of the proposed Regulation. Relevant factors include the degree of connection to each jurisdiction, the third country’s interest in preventing disclosure, the degree of connection between the service provider and third country, the interest of the investigating country in obtaining the evidence (including the gravity of the offence) and any sanctions that may be imposed on the service provider for complying with a European Production Order.
44 See p.3 of the Commission’s explanatory memorandum accompanying the proposed Directive.
45 See p.4 of the Commission’s explanatory memorandum accompanying the proposed Directive.
46 See para 21 of the Minister’s Explanatory Memorandum.
47 See paras 23–5 of the Minister’s Explanatory Memorandum.
48 This is based on the last language version of the proposed Regulation being published on 23 May.
49 See paras 11 and 18 of the Minister’s Explanatory Memorandum.
50 See para 27 of the Minister’s Explanatory Memorandum.
Published: 22 May 2018