This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
viewpoints
Welcome to Reed Smith's viewpoints — timely commentary from our lawyers on topics relevant to your business and wider industry. Browse to see the latest news and subscribe to receive updates on topics that matter to you, directly to your mailbox.
| 2 minute read

The e-Evidence Regulation: A New EU Legal Framework for cross-border access to Electronic Evidence

In a little under two years from now, the Regulation (EU) 2023/1543 (e-Evidence Regulation) will come into effect. Together with the Directive (EU) 2023/1544, this legislative package aims to establish a unified European legal framework for the preservation and cross-border disclosure of electronic evidence in criminal proceedings for the first time.

Despite imposing significant legal requirements on affected companies, the e-Evidence legislative acts have received little media attention compared to other EU digital legislation such as the Digital Services Act or the AI Act. Many companies have therefore not even considered whether the e-Evidence regulations could be relevant for them. This article provides a brief overview of the e-Evidence Regulation and its key features.

Key Features

The e-Evidence Regulation establishes two new legal instruments: the European Preservation Order for Electronic Communications (EPOC) and the European Production Order for Electronic Communications (EPOC-PR). These orders require service providers to immediately preserve certain data categories upon receipt of the order and to disclose them within ten days. In emergencies, this 10-day deadline can even be shortened to eight (!) hours.

The Directive complements the Regulation by requiring that service providers offering services in the EU appoint or designate a recipient for receiving, complying with, and enforcing orders. This ensures that service providers that are not established in the EU but offer services in the EU have a designated representative in the EU.

Scope of Application

Due to the lack of media attention, many companies are currently unaware that they fall within the scope of the Regulation. The Regulation applies to a wide range of service providers that offer services in the EU, regardless of their place of establishment (e.g. in the EU or in third countries such as the USA).

The term 'service provider' is broadly defined and includes:

  1. electronic communications services, for example internet access services, email, or internet telephony services;
     
  2. internet domain name and IP numbering services, such as IP address assignment, domain name registry, domain name registrar, and domain name-related privacy and proxy services; or
     
  3. other information society services as defined in Article 1(1), point (b), of Directive (EU) 2015/1535, namely those that:
    • allow their users to communicate with each other; or
    • enable the storage or other processing of data on behalf of the users of the service, as long as the storage of data is an essential part of the service offered to the user;

The third alternative in particular affects a large number of operators of online services. This means that, besides online marketplaces, other hosting services that have communication functions as a minor ancillary feature (for example chat or comment sections), as well as cloud computing services such as platforms for online games and gambling, are covered by the Regulation.

Take away:

Companies should assess whether they fall within the scope of the e-Evidence legislative package and, if so, establish suitable procedures for dealing with EPOC and EPOC-PR requests. Service providers that fail to comply with the Regulation may face fines of up to 2% of their global annual turnover in the previous financial year.

Over the coming months, we will be taking a closer look at various aspects of the e-Evidence legislation. Stay tuned!

E-evidence in any form is relevant in around 85% of total (criminal) investigations.

Tags

eevidence, criminal law, service provider, digitalization, epoc, epoc-pr, eu, cybercrime, emerging technologies