Regulation (EU) 2023/1543 of the European Parliament and of the Council of 12 July 2023 on European Production Orders and European Preservation Orders for electronic evidence in criminal proceedings and for the execution of custodial sentences following criminal proceedings

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 82(1) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee (1),

Acting in accordance with the ordinary legislative procedure (2),

Whereas:

(1) The Union has set itself the objective of maintaining and developing an area of freedom, security and justice. For the gradual establishment of such an area, the Union is to adopt measures relating to judicial cooperation in criminal matters based on the principle of mutual recognition of judgments and judicial decisions, which is commonly referred to as a cornerstone of judicial cooperation in criminal matters within the Union since the Tampere European Council of 15 and 16 October 1999.

(2) Measures to obtain and preserve electronic evidence are increasingly important for criminal investigations and prosecutions across the Union. Effective mechanisms to obtain electronic evidence are essential to combat crime, and such mechanisms should be subject to conditions and safeguards to ensure full compliance with fundamental rights and principles recognised in Article 6 of the Treaty on European Union (TEU) and the Charter of Fundamental Rights of the European Union (the ‘Charter’), in particular the principles of necessity and proportionality, due process, protection of privacy and personal data and confidentiality of communications.

(3) The Joint Statement of the Ministers of Justice and Home Affairs and representatives of the Union institutions of 24 March 2016 on the terrorist attacks in Brussels stressed the need, as a matter of priority, to secure and obtain more quickly and effectively digital evidence and to identify concrete measures to do so.

(4) The Council conclusions of 9 June 2016 stressed the increasing importance of electronic evidence in criminal proceedings, and the importance of protecting cyberspace from abuse and criminal activities for the benefit of economies and societies, and therefore the need for law enforcement authorities and judicial authorities to have effective tools to investigate and prosecute criminal acts related to cyberspace.

(5) In the joint communication of the Commission and of the High Representative of the Union for Foreign Affairs and Security Policy to the European Parliament and the Council of 13 September 2017 on Resilience, Deterrence and Defence: Building strong cybersecurity for the EU, the Commission emphasised that effective investigation and prosecution of cyber-enabled crime is a key deterrent to cyber-attacks, and that today’s procedural framework needs to be better adapted to the internet age. The speed of cyber-attacks can sometimes overwhelm current procedures, thereby creating particular needs for swift cooperation across borders.

(6) The resolution of the European Parliament of 3 October 2017 on the fight against cybercrime (3) underlined the need to find means to secure and obtain electronic evidence more rapidly, as well as the importance of close cooperation between law enforcement authorities, third countries and service providers active on European territory, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (4) and Directive (EU) 2016/680 of the European Parliament and of the Council (5), and existing mutual legal assistance agreements. That resolution of the European Parliament also highlighted that the currently fragmented legal framework can create challenges for service providers seeking to comply with law enforcement requests and called on the Commission to put forward a Union legal framework for electronic evidence with sufficient safeguards for the rights and freedoms of all concerned, while welcoming the ongoing work of the Commission towards a cooperation platform with a secure communication channel for digital exchanges of European Investigation Orders (EIOs) for electronic evidence and replies between Union judicial authorities.

(7) Network-based services can be provided from anywhere and do not require physical infrastructure, premises or staff in the country where the relevant service is offered. Therefore, relevant electronic evidence is often stored outside of the investigating State or by a service provider established outside of that State, creating challenges regarding the gathering of electronic evidence in criminal proceedings.

(8) Due to the way in which network-based services are provided, judicial cooperation requests are often addressed to States which are hosts to a large number of service providers. Furthermore, the number of requests has multiplied due to the fact that network-based services are being increasingly used. Directive 2014/41/EU of the European Parliament and of the Council (6) provides for the possibility of issuing an EIO for the purpose of gathering evidence in another Member State. In addition, the Convention established by the Council in accordance with Article 34 of the Treaty on European Union, on Mutual Assistance in Criminal Matters between the Member States of the European Union (7) (the ‘Convention on Mutual Assistance in Criminal Matters’) also provides for the possibility of requesting evidence from another Member State. However, the procedures and timelines provided for in Directive 2014/41/EU establishing the EIO and in the Convention on Mutual Assistance in Criminal Matters might not be appropriate for electronic evidence, which is more volatile and could more easily and quickly be deleted. Obtaining electronic evidence using judicial cooperation channels often takes a long time, resulting in situations where subsequent leads might no longer be available. Furthermore, there is no harmonised framework for cooperation with service providers, while certain third-country providers accept direct requests for data other than content data as permitted by their applicable national law. As a consequence, Member States increasingly rely on voluntary direct cooperation channels with service providers where available, and they apply different national tools, conditions and procedures. For content data, some Member States have taken unilateral action, while others continue to rely on judicial cooperation.

(9) The fragmented legal framework creates challenges for law enforcement authorities and judicial authorities as well as for service providers seeking to comply with legal requests for electronic evidence, as they are increasingly faced with legal uncertainty and, potentially, conflicts of law. Therefore, there is a need to provide for specific rules as regards cross-border judicial cooperation for preserving and producing electronic evidence, which address the specific nature of electronic evidence. Such rules should include an obligation on service providers covered by the scope of this Regulation to respond directly to requests stemming from authorities in another Member State. This Regulation will therefore complement the existing Union law and clarify the rules applicable to law enforcement authorities and judicial authorities as well as to service providers in the field of electronic evidence, while ensuring full compliance with fundamental rights.

(10) This Regulation respects fundamental rights and observes the principles recognised by Article 6 TEU and the Charter, by international law and by international agreements to which the Union or all the Member States are party, including the European Convention for the Protection of Human Rights and Fundamental Freedoms, and in Member States’ constitutions, in their respective fields of application. Such rights and principles include, in particular, the right to liberty and security, the respect for private and family life, the protection of personal data, the freedom to conduct a business, the right to property, the right to an effective remedy and to a fair trial, the presumption of innocence and right of defence, the principles of legality and proportionality, as well as the right not to be tried or punished twice in criminal proceedings for the same criminal offence.

(11) Nothing in this Regulation should be interpreted as prohibiting the refusal of a European Production Order by an enforcing authority where there are reasons to believe, on the basis of objective elements, that the European Production Order has been issued for the purpose of prosecuting or punishing a person on account of the person’s gender, racial or ethnic origin, religion, sexual orientation or gender identity, nationality, language or political opinions, or that the person’s position could be prejudiced for any of those reasons.

(12) The mechanism of the European Production Order and of the European Preservation Order for electronic evidence in criminal proceedings relies on the principle of mutual trust between the Member States and on a presumption of compliance by Member States with Union law, the rule of law and, in particular, with fundamental rights, which are essential elements of the Union’s area of freedom, security and justice. Such a mechanism enables national competent authorities to send such orders directly to service providers.

(13) The respect for private and family life and the protection of natural persons regarding the processing of personal data are fundamental rights. In accordance with Article 7 and Article 8(1) of the Charter, everyone has the right to respect for their private and family life, home and communications and to the protection of personal data concerning them.

(14) When implementing this Regulation, Member States should ensure that personal data are protected and processed in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680, as well as Directive 2002/58/EC of the European Parliament and of the Council (8) including in the event of further use, transmissions and onward transfers of data obtained.

(15) Personal data obtained under this Regulation should only be processed when necessary and in a manner that is proportionate to the purposes of prevention, investigation, detection and prosecution of crime or enforcement of criminal penalties and the exercise of the rights of defence. In particular, Member States should ensure that appropriate data protection policies and measures apply to the transmission of personal data from relevant authorities to service providers for the purposes of this Regulation, including measures to ensure the security of the data. Service providers should ensure that the same safeguards apply for the transmission of personal data to relevant authorities. Only authorised persons should have access to information containing personal data which can be obtained through authentication processes.

(16) The procedural rights in criminal proceedings set out in Directives 2010/64/EU (9), 2012/13/EU (10), 2013/48/EU (11), (EU) 2016/343 (12), (EU) 2016/800 (13) and (EU) 2016/1919 (14) of the European Parliament and of the Council should apply, within the scope of those Directives, to criminal proceedings covered by this Regulation as regards the Member States bound by those Directives. The procedural safeguards under the Charter should also apply.

(17) In order to guarantee full respect of fundamental rights, the probative value of evidence gathered in application of this Regulation should be assessed in trial by the competent judicial authority, in accordance with national law and in compliance with, in particular, the right to a fair trial and the right of defence.

(18) This Regulation lays down the rules under which a competent judicial authority in the Union may, in criminal proceedings, including criminal investigations, or for the execution of a custodial sentence or a detention order following criminal proceedings in accordance with this Regulation, order a service provider offering services in the Union to produce or to preserve electronic evidence through a European Production Order or a European Preservation Order. This Regulation should be applicable in all cross-border cases where the service provider has its designated establishment or legal representative in another Member State. This Regulation is without prejudice to the powers of national authorities to address service providers established or represented on their territory in order for them to comply with similar national measures.

(19) This Regulation should regulate the gathering of data stored by a service provider at the time of receipt of a European Production Order or a European Preservation Order only. It should not lay down a general data retention obligation for service providers and it should not have the effect of resulting in any general and indiscriminate retention of data. This Regulation also should not authorise the interception of data or the obtention of data that are stored after the receipt of a European Production Order or a European Preservation Order.

(20) The application of this Regulation should not affect the use of encryption by service providers or their users. Data requested by means of a European Production Order or a European Preservation Order should be provided or preserved regardless of whether they are encrypted or not. However, this Regulation should not lay down any obligation for service providers to decrypt data.

(21) In many cases, data are no longer stored or otherwise processed on a user’s device but made available on a cloud-based infrastructure enabling access from anywhere. To run those services, service providers do not need to be established or to have servers in a specific jurisdiction. Thus, the application of this Regulation should not depend on the actual location of the service provider’s establishment or of the data processing or storage facility.

(22) This Regulation is without prejudice to the investigative powers of authorities in civil or administrative proceedings, including where such proceedings can lead to penalties.

(23) As proceedings for mutual legal assistance might be considered as criminal proceedings in accordance with applicable national law in the Member States, it should be clarified that a European Production Order or a European Preservation Order should not be issued to provide mutual legal assistance to another Member State or a third country. In such cases, the mutual legal assistance request should be addressed to the Member State or third country which can provide mutual legal assistance under its national law.

(24) In the framework of criminal proceedings, the European Production Order and the European Preservation Order should only be issued for specific criminal proceedings concerning a specific criminal offence that has already taken place, after an individual evaluation of the necessity and proportionality of those orders in every single case, taking into account the rights of the suspect or the accused person.

(25) This Regulation should also apply to proceedings initiated by an issuing authority to locate a convicted person that has absconded from justice, in order to execute a custodial sentence or a detention order following criminal proceedings. However, where the custodial sentence or detention order was imposed by a decision rendered in absentia it should not be possible to issue a European Production Order or a European Preservation Order, as the national law of the Member States on judicial decisions rendered in absentia varies considerably throughout the Union.

(26) This Regulation should apply to service providers offering services in the Union, and it should only be possible to issue the orders provided for in this Regulation for data pertaining to services offered in the Union. Services offered exclusively outside the Union should not be included in the scope of this Regulation, even if the service provider is established in the Union. Therefore, this Regulation should not allow any access to data other than data related to the services offered to the user in the Union by those service providers.

(27) The service providers most relevant for gathering evidence in criminal proceedings are providers of electronic communications services and specific providers of information society services that facilitate interaction between users. Thus, both groups should be covered by this Regulation. Electronic communication services are defined in Directive (EU) 2018/1972 of the European Parliament and of the Council (15) and include inter-personal communications services such as voice-over-IP, instant messaging and email services. This Regulation should also be applicable to information society service providers within the meaning of Directive (EU) 2015/1535 of the European Parliament and of the Council (16) that do not qualify as electronic communications service providers but offer their users the ability to communicate with each other or offer their users services that can be used to store or otherwise process data on their behalf. This would be in line with the terms used in the Council of Europe Convention on Cybercrime (ETS No 185), done at Budapest on 23 November 2001 (‘Budapest Convention’). Processing of data should be understood in a technical sense, meaning the creation or manipulation of data, that is to say technical operations to produce or alter data by means of computer processing power. The categories of service providers covered by this Regulation should include, for example, online marketplaces providing consumers and businesses with the ability to communicate with each other, and other hosting services, including where the service is provided via cloud computing, as well as online gaming platforms and online gambling platforms. Where an information society service provider does not provide its users with the ability to communicate with each other but only with the service provider, or does not provide the ability to store or otherwise process data, or where the storage of data is not a defining component, that is, an essential part, of the service provided to users, such as legal, architectural engineering and accounting services provided online at a distance, it should not fall within the scope of the definition of ‘service provider’ laid down in this Regulation, even if the services provided by that service provider are information society services within the meaning of Directive (EU) 2015/1535.

(28) Providers of internet infrastructure services related to the assignment of names and numbers, such as domain name registries and registrars and privacy and proxy service providers, or regional internet registries for internet protocol (‘IP’) addresses, are of particular relevance when it comes to the identification of actors behind malicious or compromised websites. They hold data that could make the identification of an individual or entity behind a website used in a criminal activity, or the victim of a criminal activity, possible.