E-Evidence: Addressing law enforcement needs with strong protection for fundamental rights

EU policymakers have been discussing new rules on cross-border access to digital evidence – known as the e-Evidence Regulation – since 2018. Yet, with discussions between the European Commission, Parliament and Council now approaching the home straight, several issues remain to be resolved.

These are delicate deliberations, not only because there is an important balance to be struck between giving law enforcement the means to obtain the information they need to keep people safe and protecting citizens’ fundamental rights, but also because of the complex nature of our online world, which increasingly demands access to electronic evidence stored in another jurisdiction.

The main aim of the e-Evidence package is to harmonize EU rules on law enforcement access to data, particularly in the context of cross-border requests, which are required in more than half of all investigations today. As a cloud provider that has data centers in many, but not all, European countries, we call on EU legislators to focus on five points specifically:

  1. Strong notice rules: When it comes to data, trust is key. Informing users when their data is being accessed is central to the debate. When ongoing investigations require access to data, service providers should be able to promptly notify affected users, so long as this wouldn’t negatively impact ongoing proceedings. Secrecy orders should be the exception, not the rule.
  2. Directly target enterprise users: Companies that entrust their data to cloud service providers need to have confidence that their data is safe from access. Data should only be requested from service providers when seeking it directly from the enterprise would endanger ongoing investigations. Additional limits should apply in cases where the customer in question is a public authority situated in another jurisdiction.
  3. Require use of EPOs: European Production Orders (EPOs), or other, already existing Union measures, such as the European Investigation Order (EIO), should be used in all cross-border cases, meaning where the issuing authority is in a different Member State than the legal representative or primary establishment of a service provider. It’s important to avoid authorities bypassing the EU framework for cross-border scenarios, which would undercut important protections and create barriers to the free movement of services.
  4. Address conflicts of law: Service providers should not be forced to choose between violating either EU or third-country law. Conflicts should be addressed with the same focus on balancing users’ fundamental rights with the needs of law enforcement and respect for third-country legislation. Ensuring the mutual respect of privacy laws is of particular importance in the ongoing negotiations for an EU-U.S. agreement on cross-border access to electronic evidence.
  5. Right to contest orders: Service providers should have a clear means to raise concerns about an order to obtain evidence if it seems unlawful, overbroad, or otherwise inappropriate. This second line of defense is important for cases in which only the service provider is in a position to identify problems. Establishing a clear process will not only contribute to more effective orders but will also, in the long run, enable authorities to obtain evidence more quickly.

Finally, on whether and under what circumstances a Member State issuing an EPO should be obliged to notify another Member State, we see two possible alternatives:

First, the issuing state would have an obligation to notify the executing state but only when: (1) the EPO seeks content data; and (2) the issuing state knows or has reason to believe that the target resides in another Member State.

Second, the issuing state would have an obligation to notify the affected state but only when: (1) an EPO seeks either content or traffic data; and (2) the issuing state knows or has reason to believe that the target resides in the affected Member State.

Both options would limit the notification requirement to specific scenarios that are likely to pose the greatest risk of infringing fundamental rights and would help address concerns of overburdening executing Member States. Alternatively, elements of each option could be combined in various ways.

As we approach the finish line for reaching a pan-European agreement on access to digital evidence, it is vital that we don’t yield when it comes to establishing appropriate safeguards.

Learn more on this issue in our recent #TechTalk with Professor Theodore Christakis.

NOTE: This blog was edited on March 18 to refer to European Production Orders (EPOs) and other, already existing Union measures.



Cornelia Kutterer
Senior Director, Rule of Law and Responsible Tech, European Government Affairs, Microsoft

Cornelia is responsible for AI, privacy and regulatory policies in the EU with a focus on digital transformation and ethical implications. She leads a team working on corporate and regulatory affairs, including competition, telecom and content policies. She has long-standing experience in Information Society & Internet policies at European level and speaks regularly at regional and international conferences. Previously, Cornelia was Senior Legal Advisor at BEUC, the European Consumer Organisation, heading up the legal department and driving the policy agenda for consumers’ digital life with a focus on intellectual property, data protection and e-commerce. She has also gained experience in a top 10 law firm in the fields of competition law and regulatory affairs and in a German organisation focusing on the freedom of services and labour law. She started her professional career in the European Parliament as a political advisor to an MEP in 1997. Cornelia is a qualified German lawyer, and holds a master’s degree in information technology and telecommunication laws. She studied law at the Universities of Passau, Porto (Portugal), Hamburg and Strathclyde (UK).