In my last post, I provided a brief overview of the e-Evidence Regulation and Directive (collectively referred to as the “e-Evidence package”) and its key features. Although the regulations will just apply in several months, (online) businesses should start to consider the scope of the e-Evidence package and its possible impact early on. This post aims to provide assistance in this regard and to elucidate both the material and territorial scope of the e-Evidence package.

Scope of Application

The scope of the E-Evidence package is outlined in Article 2 (1) of the Regulation and Article 1 (5) of the Directive. The scope of the Directive and the Regulation is identical. According to Article 2 (1) of the Regulation:

"This Regulation applies to service providers which offer services in the Union."

The definition shows that in order to determine whether a company falls within the scope of the e-Evidence package, both a substantive component ("service provider") and a geographical component ("offering services in the Union") must be considered.

What is a "Service Provider"?

The term "service provider" is not uniformly defined in EU Legislation. The e-Evidence Regulation does not rely on an existing legal term but defines it new in Article 3 no. 3 of the Regulation and Article 2 no. 1 of the Directive as (i) any natural or legal person that (ii) provides one or more of the following categories of services:

1. Electronic Communications Services

This term encompasses services normally provided for remuneration via electronic communications networks, excluding services that provide or exercise editorial control over content transmitted using electronic communications networks and services. The types of services include:

• Internet access services;
• Interpersonal communications services; or
• Services consisting wholly or mainly in the conveyance of signals, such as transmission services used for the provision of machine-to-machine services and for broadcasting.

2. Internet Domain Name and IP Numbering Services

These services include IP address assignment, domain name registry, domain name registrar, and domain name-related privacy and proxy services.

3. Other Information Society Services

Other Information Society Services include any service normally provided for remuneration, at a distance, by electronic means, and at the individual request of a recipient.

Additionally, one or both of the following conditions must be met:

a. Communication Capability

The service must enable its users to communicate with each other. It is not sufficient for users to only communicate with the service provider. The nature of the communication function, whether primary or ancillary, does not matter. For example, a service that provides a comment or messaging function as a secondary feature is sufficient. The recitals of the Regulation explicitly mention online marketplaces that allow consumers and businesses to communicate, other hosting services, including cloud computing services, and platforms for online games and gambling.

b. Data Processing

The service must allow for the storage or processing of data on behalf of the users, provided that data storage is a defining component of the service. Unlike the communication capability, it is not sufficient if data processing is merely an ancillary function.

Offering Services in the European Union

A company must not only fall within the material scope of the e-Evidence package but also within the geographical scope. This requires that the company offers its services in the European Union. Offering services entails two main criteria of which both must be met:

1. Use of Service

The service must enable natural or legal persons in a member state to use it. In the age of ubiquitous internet access, this might seem broad. However, the recitals clarify that mere accessibility is not enough. The service must be tailored for use in the member state and the user must actually be able to use the services. Even a service provider based in the USA can fall within the scope if the service itself can be used by users in the European Union.

2. Substantial Connection

In addition to the use of the service, there must be a substantial connection to the member state, based on specific factual criteria. This connection is considered to exist if the service provider has an establishment in a member state or, in the absence of such an establishment, if there is a significant number of users in one or more member states, or if the service targets activities towards one or more member states.

Each case must be individually assessed to determine if such a connection exists. Factors include the languages offered, the currency used, and the ability to actually order the service. For apps, it is relevant whether the app is available in the national app store. Additionally, local advertising or customer service availability in the member state should be considered.

No Exception for Small Businesses

The e-Evidence package does not set quantitative thresholds regarding turnover for its scope. Therefore, even "small" businesses can fall within its scope. However, Recital 70 clarifies that authorities should consider the specific circumstances of microenterprises when imposing sanctions for non-compliance with de e-Evidence package. For instance, a small company might not be expected to handle an emergency EPOC within 8 hours. These considerations are taken into account at the sanction level, not within the scope of application.

Conclusion

In conclusion, a wide range of online businesses will be affected by the e-Evidence package. Determining whether a company falls within its scope requires a case-by-case assessment. Companies should familiarize themselves with the e-Evidence package as early as possible. National efforts to implement the e-Evidence Directive are progressing. In my next post, I will discuss the first draft of the e-Evidence Directive implementation and the resulting registration obligations.

Follow me on LinkedIn to stay updated on all developments.