EUROPEAN COMMISSION

Brussels,17.4.2018

SWD(2018) 118 final

COMMISSION STAFF WORKING DOCUMENT

IMPACT ASSESSMENT

Accompanying the document

Proposal for a Regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters
and
Proposal for a Directive of the European Parliament and of the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings

{COM(2018) 225 final}

{COM(2018) 226 final}
{SWD(2018) 119 final}

Table of Contents

1.Introduction: Political and legal context

1.1.Introduction

1.2.Political and legal context

2.Problem definition

2.1.What is the problem?

2.1.1.    Definition and magnitude    

2.1.2.    Cross-border dimension    

2.1.3.    Why is it a problem    

2.1.4.    Who is affected and how    

2.2.What are the problem drivers?

2.2.1.    It takes too long to access e-evidence across borders under the current judicial cooperation procedures, rendering investigations and prosecutions less effective    

2.2.2.    Inefficiencies in public-private cooperation between service providers and public authorities hamper effective investigations and prosecutions    

2.2.3.    Shortcomings in defining jurisdiction can hinder effective cross-border investigation and prosecution    

2.3.How will the problem evolve?

3.Why should the EU act?

3.1.Legal basis

3.2.Subsidiarity: necessity of EU action

3.3.Subsidiarity: added value of EU action

4.Objectives: What is to be achieved?

4.1.General objective

4.2.Specific objectives

5.What are the available policy options?

5.1.Scope of policy measures

5.2.Description of policy measures

5.2.1.    Non-legislative action    

5.2.2.    Legislative action    

5.3.Measures discarded at an early stage

5.4.Description of the policy options

5.4.1.    Option O: baseline    

5.4.2.    Option A: non-legislative action    

5.4.3.    Option B: option A + international agreements    

5.4.4.    Option C: option B + direct cooperation legislation    79

5.4.5.    Option D: option C + direct access legislation    

6.What are the impacts of the policy options?

6.1.Qualitative assessment

6.1.1.    Social impact    

6.1.2.    Economic impact    

6.1.3.    Fundamental rights impact    

6.2.Quantitative assessment

7.How do the options compare?

7.1.Qualitative comparison

7.2.Quantitative comparison

8.Preferred option

9.How will actual impacts be monitored and evaluated?

Annex 1: Procedural information

1.Lead DG, Decide Planning/CWP references

2.Organisation and timing

3.Consultation of the RSB

4.Evidence, sources and quality

Annex 2: Stakeholder consultation

Annex 2.1: surveys

Annex 2.2: meetings

Annex 2.3: conferences

Annex 3: Who is affected and how?

1.Practical implications of the initiative

2.Summary of costs and benefits

Annex 4: Analytical methods

1.Qualitative assessment of policy measures

2.Qualitative comparison of policy options

3.Quantitative assessment of policy measures

Annex 5: List of relevant legislation and policies

Annex 6: Additional information on the problem drivers

Annex 7: Additional information on the policy measures

Measure 1: practical measures to enhance judicial cooperation

Measure 2: practical measures to enhance direct cooperation

Measure 3: multilateral international agreements

Annex 8: Additional information on early discarded measures

Annex 9: Additional information on the baseline

Annex 10: US DOJ proposal on cross-border access to e-evidence

Annex 11: Additional data on the size of the problem

Annex 12: WHOIS database

Annex 13: SME Test280

Glossary

1.Introduction: Political and legal context

1.1.Introduction

Cross-border data flows are rising together with the growing use of social media, webmail, messaging services and apps to communicate, work, socialise and obtain information, including by criminals. An increasing number of criminal investigations therefore rely on electronic evidence that is not publicly available, e.g. information on the holder of an email account, messages exchanged via Facebook messenger or information on the timing of WhatsApp calls.

Law enforcement and judicial authorities often experience difficulties in accessing electronic evidence relevant to an investigation. Electronic evidence is increasingly available only on private infrastructures, which may be located outside the investigating country, owned by service providers established outside the investigating country, or both. For such cross-border situations, traditional mechanisms for cooperation between authorities are slow compared to the fast pace at which data can be moved, changed or deleted. In addition, they are under increasing strain with the growing number of cross-border cases. Furthermore, authorities have begun to question whether a mechanism designed to protect the sovereignty of another country is apt for today’s situations where the connection of the crime to the requested country is often limited.

In addition, information that is publicly available and easily accessible to law enforcement might move into systems requiring special credentials to access. This development notably concerns the general world-wide lookup tool for owners of web site domain names, known as "WHOIS" 1 .

Direct cooperation with US service providers has developed as an alternative channel to judicial cooperation, but is limited to non-content data and is voluntary from the perspective of US law. In the face of these developments, a number of countries have begun to explore under what conditions authorities may request access to data using their own domestic tools. The Yahoo! 2 and Skype 3 decisions in Belgium are examples of recent court cases which focus on the legitimacy of the use of domestic production orders for companies whose main seat is outside the requesting country but which provide a service in the territory of that country. The resulting fragmentation may generate legal uncertainty, as well as concerns on the protection of fundamental rights and procedural safeguards for the persons related to such requests.

In addition, there have been a number of court cases in the US on whether US authorities have the right to request the production of data stored abroad by a service provider whose main seat is in the US, including notably the “Microsoft Ireland” case 4 . 

Improving cross-border access to e-evidence is a pressing issue concerning almost any type of crime. In particular, the recent terrorist attacks have underlined the need, as a matter of priority, to find ways to secure and obtain e-evidence more quickly and effectively.

1.2.Political and legal context

The Commission committed in the April 2015 European Agenda of Security 5 to review obstacles to criminal investigations into cyber-enabled crimes, notably on cross-border access to electronic evidence. In April 2016 6  the Commission undertook to propose solutions by summer 2017, including legislation if required.

There have been repeated calls for action both from the EU Member States and the European Parliament. The Council supported the Commission´s commitment in its June 2016 Conclusions on improving criminal justice in cyberspace 7 and endorsed a set of practical measures to be taken forward. Specifically, the Council called on the Commission to take concrete actions based on a common EU approach to make mutual legal assistance more efficient, to improve cooperation between Member States’ authorities and service providers based in non-EU countries, and to propose solutions to the problems of determining and enforcing jurisdiction 8 in cyberspace. The Review Report of the 2016 EU-US MLA Agreement, which was finalised at the same time as the Council Conclusions, contained several recommendations to improve access to electronic evidence 9 . In its final report on the seventh round of mutual evaluations on prevention and combating cybercrime 10 , the Council also recommended that the EU and its Member States consider the development of an EU framework on law enforcement access to data held by service providers.

President Juncker committed to put forward a legislative proposal in 2018 in his September 2017 Letter of Intent 11 . The European Parliament adopted a resolution on the fight against cybercrime in October 2017 12 , which acknowledges the difficulties of public authorities in accessing electronic evidence across borders and underlines the need for a common European approach to criminal justice in cyberspace, as a matter of priority. It calls on the Commission to put forward a European legal framework for electronic evidence, including harmonised rules to determine the status of a provider (domestic or foreign), and to impose an obligation on service providers to respond to requests from Member States that are based on due legal process.

The legal and policy environment surrounding this initiative is complex because:

1) The initiative touches upon several areas:

·while cross-border access to evidence by public authorities in the framework of criminal investigations is governed by the acquis in the area of judicial cooperation in criminal matters, the initiative also involves exchange of personal data, so the data protection and ePrivacy frameworks are also relevant;

·there are many co-existing levels of regulation: EU law, rules at Member State level governing criminal investigations, international conventions and bilateral agreements. US law also plays an important role, as major service providers holding relevant evidence operate under US jurisdiction.

2) Some aspects of the legal environment are currently subject to changes:

·several EU instruments are currently under revision, such as the ePrivacy Directive, and new proposals are being prepared;

·work has recently started on an additional protocol to the Council of Europe Budapest Convention on Cybercrime, the main international framework governing access to electronic evidence by public authorities;

·like the EU and its Member States, the US is trying to address the issues created by cross-border access to e-evidence through legislative initiatives.

A detailed list of relevant legislation and policy can be found in Annex 5.

2.Problem definition

Table 1 shows the intervention logic (problem, drivers, objectives and options) that will be described in detail in the following sections 2 to 5:

Table 1: problem, drivers, objectives and options (intervention logic)

2.1.What is the problem?

2.1.1.Definition and magnitude

The problem is that some crimes cannot be effectively investigated and prosecuted in the EU because of challenges in cross-border access to electronic evidence.

Electronic evidence – which can be relevant for any crime – is often stored outside the country whose authorities need access. Determining the location of the data may be difficult, and even where it is possible, data can be moved quickly and effortlessly 13 . Once a cross-border element is or might be present, authorities have to rely on one of the three channels existing today to access e-evidence across borders:

1.judicial cooperation between public authorities,

2.direct cooperation between a public authority and a service provider and

3.direct access to electronic evidence by a public authority.

These channels suffer from a number of shortcomings that can be summarised as follows:

·judicial cooperation is often too slow for timely access to data and can entail a disproportionate expense of resources;

·direct cooperation can be unreliable, is only possible with a limited number of service providers which all apply different policies, is not transparent and lacks accountability;

·legal fragmentation abounds, increasing costs on all sides; and

·the size of the problem is steadily increasing, creating further delays 14 .

Figure 1 describes the main parties and channels to access e-evidence across borders today. The main parties are the public authorities requesting access to evidence, the public authorities receiving the request and the service provider that has access to the evidence.

Figure 1: the main parties and the three channels for cross-border access to e-evidence

1)Judicial cooperation

·Judicial authorities of country A contact the competent judicial authorities of the country where the service provider is established, formally requesting through judicial cooperation channels (i.e. MLA request or European Investigation Order, EIO) the evidence to which the service provider has access.

·Within the EU, the legal framework on judicial cooperation for obtaining cross-border access to electronic evidence is the EIO Directive. The EIO, based on mutual recognition of judicial decisions, provides for direct communication between judicial authorities rather than going through central authorities, supported by deadlines, standardised forms and limited possibilities to refuse recognition and execution of requests.

·Judicial cooperation with countries outside the EU is mainly based on international agreements, notably the Budapest Convention. Besides that, there are bilateral agreements concluded by the EU (notably, the Agreement with the United States on mutual legal assistance 15 ) and by the Member States, most frequently with the US, followed by Canada and Australia.

2)Direct cooperation

·In direct request situations, the public authorities of country A directly contact the service provider established in country B with production orders/requests pursuant to national rules of criminal procedure, and request evidence to which the service provider has access, typically data on a user of the services it provides.

·This concerns some service providers established in the US and, to a more limited extent, in Ireland, which reply directly to requests from Member States' law enforcement authorities on a voluntary basis, as far as the requests concern non-content data.

·For WHOIS data, service providers make data directly available to authorities through a centralised search system which does not rely on individually reviewed requests. 16

3)Direct access

·"Direct access" refers to cases where authorities access data without the help of an intermediary, for instance following the seizure of a device ("extended search") or following the lawful acquisition of login information ("remote search"). The national law in at least 20 Member States empowers authorities, subject to judicial authorisation, to seize and search a device and remotely stored data accessible from it, or to use credentials for an account to access and search data stored under that account. This tool becomes more relevant as data is now regularly stored not on the local device but on servers in a different location, possibly outside of the Member State concerned or even outside of the EU.

·Often, the location of this data is not known to law enforcement (so-called "loss of knowledge of location"), and it may be practically impossible to determine, such as in cases where the data is hosted on Darknet services that use multiple layers of IP relays to disguise their location. As a result, it can be difficult to determine whether such searches have a cross-border component

·Member States have different approaches to direct access and the data storage location (see section 2.2.3).

The requesting public authorities, the receiving public authorities and the service provider, and the e-evidence can all be located in different countries. The general problem that figure 1 describes encompasses multiple specific cases depending on whether each of these countries is located in the EU or not:

Table 2: mapping of possible situations in cross-border access to electronic evidence

With regard to the location of the evidence (i.e. country C):

·it is not always known;

·data is volatile and can be moved quickly across borders, so country C can change rapidly, inside and outside the EU;

·data can be split between countries (e.g. data shards, inside and outside the EU);

·there can be copies in multiple countries (inside and outside the EU).

Scope of the problem

The problem affects all types of data, from basic information about the subscriber to a given service, to logs showing when a specific user or IP address accessed a service, to metadata and content data. They reflect different levels of relevance of the gathered e-evidence: subscriber data is useful to obtain leads in the investigation about the identity of a suspect; access logs can help connect a user to an action; metadata and content data can be most relevant as probatory material. Challenges affect both access to data at rest (stored data) and to data in transit.

The problem affects all types of crime that can leave a digital trace: it is relevant for many types of serious crimes, but also for a number of lower-impact, high-volume crimes such as spreading of malicious software (e.g. ransomware), but also when the only digital element is some form of electronic communication. It is relevant for the gathering of evidence for specific and individual criminal investigations and for specific and limited data access, rather than for other purposes that might require bulk data access.

Most of the relevant information is held by a number of service providers including electronic communications service providers and information society service providers, providers of internet infrastructure services and digital marketplaces. Both relevant data and relevant service providers could potentially be anywhere in the world, as the relevant services are provided at a distance and are independent of national borders.

In this context, it is important to note that the problems this initiative seeks to tackle have not been created by previous EU instruments. Rather, new technological developments require new answers (and may require them also in the future). The internet is largely privately owned and borderless for everyone except authorities pursuing criminal investigations. States de facto have no control over data as it crosses borders into or from their territory. Accordingly, their purported sovereign interest in maintaining control over any authority's access to that data has been growing more and more limited over time. 

This fundamental challenge of data moving swiftly across jurisdictions is unrelated to any existing policy but rather a consequence of the business models of service providers that have evolved organically. The data minimisation principle inherent in data protection laws and the lack of data retention obligations also result in less data being available for shorter periods of time. Data protection rules also create requirements that must be satisfied, e.g. as regards user notification (which arise under the GDPR and the Police Directive).

Size of the problem

It is not possible to determine exactly the number of crimes that cannot be effectively investigated and prosecuted in the EU because of challenges in cross-border access to electronic evidence. Data at this level of detail is not collected by public authorities. There is no precise data available on the number of requests for judicial cooperation, direct cooperation, direct access or WHOIS lookups.

For judicial cooperation requests, based on available data on the European Arrest Warrant and from the European Judicial Network, it can be estimated that there are around 13,000 MLA/EIO requests per year on e-evidence between Member States (including all types of data). Also, based the figures collected during the 2016 EU-US MLA Review exercise, it can be estimated that the outgoing requests for e-evidence by EU public authorities to the US authorities amount to approximately 1300 per year (mainly requests for content data).

For direct cooperation, the main source of data is the transparency reports that some service providers publish concerning the requests they receive from public authorities. The transparency reports do not distinguish whether the request came directly from the Member State in which it originated (direct cooperation request) or it came from the public authorities of a Member State that was asked to cooperate with the one in which the request originated (judicial cooperation request). They concern mostly requests for non-content data.

Given these limitations, the Commission estimated the magnitude of the problem, using two main sources of information:

·a survey addressed to public authorities in Member States 17 ; and

·the transparency reports from the main service providers (Facebook, Google, Microsoft, Twitter and Apple 18 ), which contain information on the number of requests received from public authorities and the percentage of requests fulfilled 19 .

The results were broken down in three stages:

1)Percentage of investigations including a request to cross-border access to e-evidence.

·E-evidence in any form is relevant in around 85% of total (criminal) investigations.

·In almost two thirds (65%) of the investigations where e-evidence is relevant, a request to service providers across borders (based in another jurisdiction) is needed.

·Combining the two percentages above results in 55% of total investigations that include a request to cross-border access to e-evidence.

·Requests for non-content data outnumber those for content within the EU and beyond. Non-content data from electronic communications is most commonly requested.

The transparency reports provide an idea of the number of requests that the above percentages refer to. The figure below shows that the number of requests to the above service providers has increased by 70% in the last 4 years:

Figure 2: evolution of number of Member States' requests 20 to the main service providers 21  

Other insights from the transparency reports of these providers include (see Annex 11):

·Three Member States, Germany (35,271 requests), the UK (28,598) and France (27,268), accounted for more than 75% of the total number of requests from the EU to the five main service providers in the last year.

·Google and Facebook accumulated more than 70% of the total number of requests from Member States to the five main service providers in the last year.

2)Percentage of requests to service providers that are fulfilled.

·The table below summarises the responses to the survey of public authorities in Member States on the percentage of investigations where the request to service providers was fulfilled, using judicial and direct cooperation channels.

·The table shows that the requests for content are comparatively the most difficult to fulfil and the requests for subscriber data the least difficult to fulfil, regardless of whether the requests is within the EU or with non-EU countries. Nonetheless, even the requests for subscriber data remain unfulfilled in a significant percentage of cases, more than half for requests to non-EU countries, which are particularly relevant, as shown in point 1) above.

·The table shows that the requests for access to e-evidence within the EU are comparatively fulfilled more easily than with non-EU countries, regardless of the type of data.

Table 3: percentage of requests to service providers that are fulfilled (survey data)

·The median of the above responses is 45%.

The transparency reports include data on the requests from the Member States that are answered, so it is possible to compare this data with the one from the survey:

Figure 3: evolution of the % of requests from Member States answered by service providers

·The graph above shows that the response rate has remained under 50% in the 2013-2015 period and was more than 50% only in 2016.

·The transparency reports contain information on the number of requests answered, which might not be necessarily the same as fulfilled. The percentage of requests fulfilled is likely to be lower than the percentage of requests answered.

·The number of outgoing MLA requests to the US is still much smaller than the number of unsuccessful direct cooperation requests. This means that in case a direct cooperation request is unsuccessful, it is only rarely followed-up by a MLA request. In these situations, the evidence will not be available for the investigation.

·The period 2013-2016 is likely to have shaped the most the perception of public authorities and their responses to the survey. The median of the percentage of requests answered by service providers in the 2013-2016 period is 45%, which is indeed the same estimate obtained in the survey.

The transparency reports and the targeted survey to Member States indicate that a request could remain unfulfilled for a variety of reasons, including that the request is sent to a provider who does not hold the data, it is excessively broad or unclear, it fails to specify an (existing) account or sought information, it does not have a valid legal basis or the data sought no longer exists.

3)Percentage of crimes involving cross-border access to e-evidence that cannot be effectively investigated or prosecuted.

·The table below summarises the responses to the survey on the percentage of investigations involving requests to access e-evidence across borders that are negatively affected or cannot be pursued:

Table 4: percentage of investigations involving requests to access e-evidence across borders that are negatively affected or cannot be pursued

·The table shows that the lack of timely access is more significant when using judicial cooperation channels, in particular with non-EU countries.

·Direct cooperation seems to be a more efficient channel than judicial cooperation, in particular with service providers based in non-EU countries. Since this channel is based on voluntary cooperation, public authorities indicated that they tend to limit their direct cooperation requests to the service providers that they know are willing to cooperate, which might also explain the relatively low percentage of investigations negatively affected. In the rest of the cases, judicial cooperation is the only channel left to request access to data across borders, which might also explain the higher percentage of investigations negatively affected.

·In addition, direct cooperation is typically limited to non-content requests, whereas judicial cooperation includes also content requests, which are more problematic (see the problem drivers in section 2.2.).

·The median of the above responses is 65%: almost two thirds of crimes 25 involving cross-border access to e-evidence cannot be effectively investigated or prosecuted.

2.1.2.Cross-border dimension

This initiative covers a variety of crimes with an increasing cross-border dimension. To illustrate this, consider Hans, a German prosecutor who has to deal with cases such as 26 :

·Terrorism: after a terrorist attack in Germany, the German police find connections of the suspect terrorist to a cell that has been involved in other terrorist attacks in France, Belgium and Spain. The suspect has spent time in Syria, Turkey and Morocco. The German police have indications that the terrorists communicated through email drafts: one terrorist drafted an email and instead of sending it, saved it to the draft folder, accessible online from anywhere in the world. The other terrorist opened the same account and read the message. As the email was never sent, it was not possible to track. The Microsoft server hosting the account is in Ireland. Hans prepares an MLAT request to the Irish authorities in order to gather more information about the suspect terrorist’s email account contents.

·Child sexual abuse: after having infiltrated a website for exchanging child sexual abuse material in the Darknet for more than a year, the Australian police have gathered information on more than one million users globally, which they have started to distribute to law enforcement around the world. Some of the child victims appear to be in Germany. The investigation has revealed the offender's Facebook profile; Hans prepares a production request (direct cooperation) to Facebook (based in the US) in order to gather more information about the possible offender's exact location using his Facebook account.

·Human trafficking: a Syrian national is arrested in Germany, near the Austrian border, accused of human trafficking. The suspect was taking advantage of the refugee crisis to facilitate illegal border crossing from Turkey to Germany through the Balkan route (Turkey, Greece, Former Yugoslav Republic of Macedonia, Serbia, Croatia, Slovenia, Austria and Germany). The smart phone of the human trafficker was seized by the German police. It contains not only the contact information of other members of the criminal organisation he belongs to, but also indications that the human trafficker used WhatsApp. Although the WhatsApp conversations were deleted from the phone, a backup exists in the cloud, accessible via the seized mobile device. The German police, under Hans' supervision, directly access these conversations to dismantle the organised crime network.

·Cybercrime: a network of millions of infected computers worldwide is controlled by a central server (a so-called "command and control" server) and used to distribute spam and malicious software, such as ransomware and spyware, on victims' computers. The command and control server moves from one domain to the next every five minutes, without regard to national boundaries. In a first investigative step, Hans and his colleagues search the domain name WHOIS system to obtain information on the owners of the domain names used by the command and control server.

Even crimes that may appear as having no cross-border dimension can actually have one because of e-evidence. Consider for example an assault case in which a German national assaults a German victim in Germany. Hans investigates the case and arrests a suspect. A witness has doubts when asked to identify the person arrested, but reports that she saw the perpetrator made selfies of himself and the assaulted victim lying on the ground with his mobile. Hans confiscates the suspect's phone but finds no relevant pictures on the mobile. The suspect had installed Dropbox and had secured it with a password. Hans needs access to those pictures which, he knows, are stored in the US. He prepares an MLA request to the US, as the German legislation does not allow him to access directly that data in the US.

In general, crime has an increasing cyber component, and with it an increasingly prominent cross-border dimension. Whereas the data storage location is still considered as a relevant factor to assert jurisdiction, it is determined for the vast majority of cases by the provider alone, on the basis of business considerations. This choice makes cross-border cooperation necessary in cases which may have no other connection across borders.

2.1.3.Why is it a problem

The fact that some crimes cannot be effectively investigated and prosecuted in the EU is a problem because it results in criminals enjoying impunity, victims being less protected and EU citizens may feel increasingly threatened by criminal activity 27 . In general, it hinders the accomplishment of an area of freedom, security and justice in the EU.

In particular, when some crimes cannot be effectively investigated and prosecuted because of challenges in cross-border access to e-evidence, there are negative consequences at all stages:

1.Before the crime is committed: when electronic evidence is difficult to obtain across borders the perception of impunity is reinforced.

2.While the crime is being committed: when a crime is ongoing and public authorities are investigating it, effective and timely access to electronic evidence can save lives or prevent serious damage. For example, in terrorism cases with hostages or in ongoing child sexual abuse situations, the time that law enforcement requires to get to the victims can determine whether they survive or not.

3.After the crime has been committed: electronic evidence is volatile and can be transmitted, altered or deleted easily. Public authorities therefore need effective and timely access to it to be able to prosecute criminals and prevent future crimes. There are no mandatory data retention rules in the US (where some of the most important service providers are based) or at EU level, since the Data Retention Directive 28 was declared invalid by the European Court of Justice in 2014 29 . At the same time, data minimisation requirements force service providers to delete data more quickly. This contributes to the volatility of e-evidence and reinforces public authorities' need for timely access in criminal investigations. Timely access is also important as investigations often have to proceed step by step, identifying first leads and then following further indications provided by those leads, which often necessitate repeated, iterative requests for access to electronic evidence across different service providers and jurisdictions. If the first requests are fulfilled slowly, the chances to find any data in response to further requests decrease significantly.

2.1.4.Who is affected and how

The following parties are affected by the challenges in cross-border access to e-evidence in criminal matters:

·Society in general: the fact that some crimes cannot be effectively investigated and prosecuted in the EU damages the secure environment and the effective application of the rule of law required for a society to thrive.

·Victims of crime (natural and legal) suffer the negative consequences (e.g. economic, physical, psychological) of a delayed (or even an impossible) investigation and prosecution of the crime they have become victims of.

·Suspects in criminal investigations: the procedures that regulate cross-border access to electronic evidence must provide legal certainty, transparency, accountability and respect of fundamental rights and procedural guarantees of the suspects in criminal investigations.

·Users of the services offered by service providers: the procedures that regulate cross-border access to electronic evidence must provide legal certainty, transparency, accountability and respect of fundamental rights of the users of the services offered by service providers, to the extent that they may become part, inadvertently, of a criminal investigation.

·Service providers: as the parties with access to electronic evidence, they receive requests to access e-evidence from public authorities, either directly or through MLAT procedures. They invest resources in responding to those requests, which can be significant as the number of requests keeps increasing and the framework to regulate cooperation with public authorities has room for improvement.

·Public authorities (judiciary, law enforcement) from the country issuing the request: they require access to e-evidence to investigate or prosecute crimes. Often, electronic evidence is the only significant lead for investigators, so without access to that evidence the investigation may have to be abandoned, with the negative consequences that this brings for the victims, future victims and society at large, due to the perception of impunity and the weakening of the rule of law.

Public authorities from the country receiving the MLAT request are also important parties in this process. As MLAT requests are likely to keep on increasing, the improvement of the current procedures is important so that they can fulfil the requests for cooperation in a timely and effective manner.

2.2.What are the problem drivers?

The three problem drivers identified are:

1.It takes too long to access e-evidence across borders under existing judicial cooperation procedures, rendering investigations and prosecutions less effective.

2.Inefficiencies in public-private cooperation between service providers and public authorities hamper effective investigations and prosecutions.

3.Shortcomings in defining jurisdiction can hinder effective cross-border investigations and prosecutions.

The following sections summarise the analysis of the problem drivers. A deeper and more detailed analysis is available in Annex 6.

2.2.1.It takes too long to access e-evidence across borders under the current judicial cooperation procedures, rendering investigations and prosecutions less effective 

Judicial cooperation procedures were designed to ensure respect for the sovereignty of foreign countries on whose territory an investigative or enforcement action needed to be performed. Usually there was a substantial connection to that territory. This substantial connection has become increasingly virtual in the context of e-evidence. Sometimes, the data storage location in a server park or the establishment of a service provider is the only factor connecting an investigation to a given foreign country.

In many cases, data is no longer stored on a user's device but made available on cloud-based infrastructure for access from anywhere. Service providers do not need to be established or to have servers in every jurisdiction but rather use centralised systems to provide their services. Cross-border requests have multiplied accordingly, resulting in increased delays in responses. At the same time, data minimisation requirements lead to shorter data storage periods for some types of data; delayed requests risk not finding any data left.

In parallel, a number of countries are questioning the appropriateness and usefulness of mutual legal assistance procedures in these circumstances, especially when it comes to less sensitive data categories. Some have not invested sufficient resources to keep up with the growth in foreign demand, given that there is no own interest in the relevant investigations and the service is provided out of courtesy to the foreign country. This has further contributed to the delays in responses.

Within the EU

The EIO Directive, in application since May 2017, covers the gathering and transfer of evidence between Member States, based on mutual recognition of judicial decisions. The EIO Directive provides for deadlines of 120 days (30 days for the executing authority to make a decision on the recognition or execution of the EIO and 90 days to carry out the investigative measure 30 ), which is faster than the MLA procedure. This improvement is still considered insufficient by Member States’ experts for accessing e-evidence in criminal investigations, for which the EIO process would still be too long and therefore ineffective.

The time for accessing electronic evidence is a crucial factor in any investigation:

1.In the absence of retention obligations, providers have no incentive to store data – in particular metadata – for longer than necessary. Data storage is a cost factor.

2.The data minimisation principle inherent in data protection rules obliges providers to store data only for as long as it is necessary.

3.Investigations proceed in an iterative manner. In a typical case, an authority might first contact a service provider to obtain an IP address used to access a service, then turn to the internet access provider to determine who used that IP address at the relevant point in time. If the first step takes more than a few days, then the information on who used the IP address will most likely have been deleted already.

In certain cases the EIO Directive allows for shorter time-limits. The issuing authority can indicate in the EIO that a shorter deadline is necessary "due to procedural deadlines, the seriousness of the offence or other particularly urgent circumstances" (cf. Art. 12(2)). Article 32(2) provides for a 24-hour deadline to decide on provisional measures. Nevertheless, these shorter deadlines cannot address the specific needs of e-evidence with its high relevance for criminal investigations: the first is an exception rather than the general rule, requiring reasons for urgency in every case, and the second is specifically aimed at preservation of the data only. Preservation of data alone would not solve the issue: timely access is important as outlined above.

Requests for mutual legal assistance (currently up to 5000 per year 31 ) and for recognition and execution of the EIO, follow-up correspondence and enquiries for information are often still sent by traditional means, i.e. by post or fax, contributing to the time the current process takes.

All Member States participate in the EIO Directive except Ireland and Denmark, which continue to rely on MLA channels 32 . For Ireland, where a number of service providers have their European headquarters, stakeholders have reported an increase in the time needed to access e-evidence, presumably due to the high number of requests to Irish authorities. Since the EIO deadlines do not apply, this increase might continue to grow. 

The problem to access electronic evidence has become so pressing that despite the imminent entry into force of the EIO Directive, the Council has repeatedly called upon the Commission in 2016 to take action.

With non-EU countries

The main legal instruments that Member States use to request access to e-evidence stored in non-EU countries are MLA requests. These formal procedures ensure that the right authorities are involved and that appropriate safeguards are taken into account in both countries when there is a sovereign interest of more than one country. The procedures were designed at a time before the internet, when volumes of requests were a fraction of today’s, and are ill equipped to handle today’s numbers 33 . In addition, the legal framework for mutual legal assistance is fragmented and complex: practitioners are faced with a high number of bi-lateral and multi-lateral conventions and have to ensure compliance with the specific requirements of recipient countries’ legal systems that they are often less familiar with (e.g. probable cause in the US, as will be explained below).

Box 1: judicial cooperation on e-evidence

The main recipient of MLAT requests from Member States (and from around the world) for access to e-evidence is the US, where the largest service providers are headquartered. This is why the impact assessment focuses on the US situation, but many of the structural problems of MLA cooperation are similar when it comes to other non-EU countries. In many cases, the requests received have little or no connection to the US besides the seat of the service provider. This forces US authorities to provide thousands of full checks for cases, giving them essentially the same attention as domestic cases, in the absence of any specific US interest in the solving of that concrete crime.

The MLAT process with the US takes an average of 10 months 34 , which is considered as too much time by all stakeholders. There have been repeated calls for reform within the stakeholder consultation for this initiative and before 35 .

There were extensive consultations in the EU and the US to determine the reasons that explain the long duration of the MLAT process. The stakeholders identified the high volume of requests to access e-evidence as the main factor that has put the MLAT system under enormous strain, and has shown its weakness to deal effectively with the current needs. The number of requests has increased 10 fold over the last decade, reaching around 1600 MLA requests from around the world last year, most of which come from the EU.

Other reasons that the stakeholder identified are:

1.Quality of the request, which can make the response time vary significantly. The higher the quality, the fewer the iterations required between the two countries, and the faster the process can be. The most common issue is unclear probable cause (e.g. the connection between the criminal activity and the account) for requests for content and other missing information such as the timeframe relevant to the e-evidence sought.

2.Type of request: the requests for content take much longer than the requests for non-content, as the former require higher standards such as proving probable cause and undergo more complex procedures such as search warrant and filtering or data minimisation (review of all the content to determine what is relevant to the offence and can be forwarded to the requesting country).

Emergency requests usually can be answered effectively, within 24h. The problem is that authorities in the EU are unfamiliar with the mechanism 36 .

3.Service providers’ internal procedures. The time that a service provider takes to process a request varies depending on its internal procedures. Member State authorities pointed out the lack of transparency of these procedures.

2.2.2.Inefficiencies in public-private cooperation between service providers and public authorities hamper effective investigations and prosecutions

Given the limitations of the judicial cooperation channel described above, Member States regularly obtain non-content data through direct cooperation with service providers on a voluntary 37  basis. This option is supported by the US Department of Justice (DOJ) as the preferred one, as evidenced by letters from the DOJ to Member States. Direct cooperation has become the main channel for authorities to obtain non-content data, as both authorities and service providers acknowledged during the consultations, and as reflected by the significant number of this type of requests (more than 120 000 in 2016) 38 .

This section analyses the inefficiencies in this type of public-private cooperation, which prevent direct cooperation from being a fully satisfactory solution.

Within the EU

In close to all EU Member States, the telecommunications framework prohibits national telecommunications providers from responding directly to requests from foreign authorities. In addition, there is no legal framework allowing direct cooperation in other communication sectors. Therefore, it is rare to non-existent and mainly used in emergency situations. Only service providers based in Ireland provide non-content data on a voluntary basis. When public authorities address requests for direct cooperation to US service providers operating in the EU, unless the service providers are based in Ireland, they typically get redirected to the US, where the service provider holds the data or where the management of these requests within the company takes place.

With non-EU countries

Given the inefficiencies of the current MLA procedures, the 2016 Review Report of the EU-US MLA Agreement encouraged Member States to cooperate directly with US service providers in order to secure and obtain e-evidence more quickly and effectively. This approach is actively supported by US authorities, as mentioned above.

The US law that allows US based service providers to cooperate directly with European public authorities 39 with regard to non-content data 40 is section 2701(2) of the Electronic Communications and Privacy Act 1986 (ECPA) 41 . This cooperation is voluntary 42 . Thus, providers have created their own policies or decide on a case-by-case basis on whether and how to cooperate. The analysis below reflects the main concerns raised by stakeholders from their various perspectives. It necessarily abstracts from companies' individual policies and procedures and may therefore not apply to all situations in an identical manner 43 .

Stakeholders expressed general and practical concerns:

·General:

1)transparency of the process;

2)reliability of stakeholders;

3)accountability of stakeholders;

4)admissibility of evidence;

5)unequal treatment of Member States;

6)reimbursement of service providers’ costs;

·Practical:

7)for authorities, how to identify and contact the relevant service provider;

8)for service providers, how to assess authenticity and legitimacy of requests.

Annex 6 contains a detailed analysis of each of these concerns.

2.2.3.Shortcomings in defining jurisdiction can hinder effective cross-border investigation and prosecution

The previous two drivers have shown, respectively, the challenges that the judicial cooperation and direct (voluntary) cooperation with service providers present for Member States when trying to access e-evidence across borders. These challenges prevent these channels from working properly and being sufficient to address the current needs.

In the face of these challenges, Member States have developed two mechanisms to define their jurisdiction over the e-evidence and try to access it across borders:

1)Domestic production orders, in which the Member State asserts jurisdiction through various connecting factors over the data held by a service provider and mandates it to release the data.

2)Direct access to data, in which the Member State asserts jurisdiction over data for which it is not possible to determine its location, and accesses it directly from an information system within its territory, without the assistance of an intermediary (e.g. a service provider or other public authorities).

These measures are partially grounded in the conviction, apparent throughout the expert consultations, that a case presenting no links to the country/countries where the service provider has its main seat or where it has chosen to store the relevant data does not necessitate (full) involvement of that country's authorities.

1)Domestic production orders: connecting factors 44

A fundamental challenge highlighted by stakeholders across all three channels to access electronic evidence lies in the fact that stakeholders and legal frameworks disagree as to what constitutes a "cross-border" situation, which makes it difficult to determine when a country can exercise jurisdiction.

Based on the results of a questionnaire to Member States, the most common connecting factors used include:

·the storage or processing location of the data 45 (i.e. where the infrastructure used for the storage or processing of the data is located)  46 . While most Member States’ laws attach importance to the storage location of the data, this has proven very difficult in practice as a connecting factor (e.g. while Facebook operates a large data centre in northern Sweden, Sweden has always been asked to send its request to Facebook’s headquarters in the United States). As a result, there has been a trend to move away from data storage location in several Member States and internationally 47 . This is also the preliminary result of a global multi-stakeholder exercise to determine principles for cross-border access to data 48 ;

·the location of the seat of a service provider;

·the place where a service provider has any another establishment;

·the place where a service provider is offering services 49 ;

Other connecting factors that have been considered include the nationality of the suspect and the nationality of the victim 50 .

The use of different connecting factors not only creates legal uncertainty for authorities, but also for service providers receiving the requests. In particular, service providers active in multiple countries highlighted during the consultations conflicting regulations of those different countries. It is not always obvious to the service providers which legal regime applies and at times the service providers might be unable to produce data due to conflicting laws between countries 51 . As a result, service providers called for a more streamlined process, facilitating lawful access to data in ways that ensure protection of fundamental rights, and reducing situations where they are faced with conflicting rules 52 . As it is unclear to what extent a service provider is obliged to respond to a request based on different connecting factors, the legal uncertainty may also interfere with rights of the persons to which the requested evidence relates, including their right to privacy. A number of legislative instruments even employ different connecting factors depending on the type of e-evidence, usually granting larger domestic competences for non-content data than for content data. At the same time, there is no common understanding of how to categorise the specific types of e-evidence 53 . For example, while some service providers consider the IP address used at the time of creation of an account as basic subscriber information, others view it as transactional data. Other types of electronic evidence for which no legal definitions are available may also be of relevance for criminal investigations, including data unrelated to communications. All of these categories may contain personal data 54 .

The absence of certainty as to which data category applies can lead to an uneven application of procedural safeguards, as legal procedures and safeguards vary across different categories of e-evidence. It may also result in conflicts of law as regards the scope of measures. At a more practical level, it may lead to misunderstandings between requesting authority and executing authority or service provider addressed.

In general, the use of different connecting factors in different countries can be an obstacle to cross-border investigations and prosecutions and create tensions between countries.

The use of different connecting factors and the resulting challenges led the Parties to the Council of Europe Budapest Convention on Cybercrime to initiate discussions on an additional protocol to the Convention (see policy measure 3 in section 5).

Although the use of the approaches outlined above to address cross-border situations may provide for a domestic legal mandate for direct cooperation of a service provider, it does not necessarily provide for effective means to oblige a service provider to execute it. Despite a few court decisions 55 about the obligations of service providers, execution in case of non-compliance remains a challenge unless the service provider is established in the relevant country. National authorities rely on conventional enforcement mechanisms, including issuing fines and criminal penalties at national level where non-compliant service providers are located in another country. They also may rely on the country where the relevant service provider is established to ensure the execution of the domestic production order, using MLAT, which contradicts the original intention behind the use of a domestic production order (i.e. to be an alternative to MLAT procedures).

For the specific case of WHOIS data that is made available by service providers through a credentialed-access system, domestic legislation might not provide for this possibility. Stakeholders highlighted the importance of swift access for investigative purposes. One head of a Member State national cybercrime unit estimated that his team alone makes around 50,000 WHOIS look-ups per week.

Box 2: The Domain Name WHOIS System

2)Direct access to data: asserting jurisdiction

For direct access to e-evidence, public authorities require no technical help from a service provider or other public authorities. Data is now regularly stored not on the local device but on servers in a different location, possibly outside of the Member State concerned or even outside of the EU, possibly using dynamic storage systems and rotating locations. Often, it is neither feasible nor possible for an authority to determine the location of the data (i.e. "loss of knowledge of location" or “loss of location”).

Box 3: What is loss of location and why does it matter?

In these situations, when law enforcement has access to the data without knowing its precise location, there can be a risk of losing it as it may be moved or deleted. Also, when the data subject is made aware of the investigation, as is typically the case for an open search measure, he or she can delete the data from another device within seconds. In addition, the circumstances of a particular investigation may not allow timely determination of the location of infrastructure for the storage or processing of e-evidence, for instance in emergency situations.

Based on the responses to a questionnaire (targeted survey 1), Member States have developed or considered two types of direct access to e-evidence:

1)Extended access, i.e. use of a device of a suspect or witness seized as part of an investigation (e.g. with a search and seizure warrant) to access the data accessible from the device (which can include the cloud). Most Member States allow their public authorities to carry out this type of direct access.

2)Remote access to data with lawfully obtained credentials, i.e. a search from an authority's computer, usually not disclosed to the target until later. Only a few Member States allow their authorities to perform remote searches, although the number is increasing. Remote searches are often relevant in the context of investigations on the dark web, where there are no legitimate service providers whose cooperation could be obtained.

Although the use of extended or remote access as an investigative measure can be strictly domestic in nature, a cross-border situation is likely, e.g. where the infrastructure used for the data processing or the provider are in another country. The expert consultation process found that Member States have adopted different approaches to balancing the need for effective investigations of crime and possible extraterritoriality:

·when the storage location is unknown, (i.e. when there is loss of location and it is not possible to determine whether access to data would have a cross-border component), several Member States assume that the direct access takes place in a purely domestic context and permit securing the data, e.g. by copying it 58 ; other Member States take the opposite approach and assume that the data is elsewhere and that access may have an effect in another country (although the data might in fact be domestically available) 59 . They will use an MLA request if able to identify the correct country.

·when the storage location abroad is known, a few Member States allow their authorities to access the data stored remotely regardless of the place of storage 60 ; several Member States access the data and contact or notify the authorities of the other country before deciding on how to proceed with the data  61 ; and other Member States do not access the data directly and use formal or direct cooperation channels 62 .

·Member States also have different approaches to conditions and safeguards. While all require judicial authorisation, conditions vary and can include a limit to cases of specific, e.g. serious forms of crime, reasonable grounds to assume that traces of a criminal act may be found on the device. These conditions also extend to the actions permitted: while all Member States permitting direct access allow for copying of the evidence, in some countries data may not be removed or only in exceptional cases.

While this diversity may reflect different legal cultures, it becomes an issue when a Member State allows its authorities to access data in a way that is perceived by another State as affecting its sovereignty/territoriality. Moreover, the level of rights of the persons whose data is accessed also varies considerably. In general, these different approaches to direct access in different countries may hamper investigations and prosecutions.

2.3.How will the problem evolve?

The main factors that will determine the evolution of the problem are the exponential growth of electronic data, the increasing need to access e-evidence across borders and changing systems for accessing data that would require updates to legislation.

1) The exponential growth of electronic data.

The digital age has brought exponential growth of electronic data:

   Figure 4: estimated worldwide data storage in zettabytes (trillions of gigabytes)

Source: OECD

This exponential nature not only brings exponential possibilities for economic and social development but also for crime, in two ways:

·Directly: all things being equal, cybercrime will continue to generate important economic benefits for criminals, justifying the amount of research and development hours required to produce malware, the main tool to carry out cybercrime (every day, more than 300,000 new malware samples are detected) 63 . The data related to cybercrime becomes electronic evidence that public authorities would need to access.

·Indirectly: by 2020 it is expected that up to 50 billion new devices (cars, homes, medical devices, buildings, mobile phones, dishwashers, toys…) could be connected to the Internet 64 . This “Internet of Things” will generate massive amounts of information, which will translate into electronic evidence in the crimes that involve these devices and their users.

2) The increasing need to access e-evidence across borders.

As more and more countries join the technology revolution and more people around the world get connected to the Internet, the need to access e-evidence across borders will increase. Globalisation also implies globalisation of criminal evidence. Furthermore, the Internet does not only provide training materials to commit cybercrime or other crimes but also the necessary tools to commit crimes through the crime-as-a-service model 65 . More people connected unfortunately also means more potential criminals that could take advantage of those training materials and tools, likely at a low risk, as the challenges to cross-border access to e-evidence would remain untackled.

3) Changing systems for access that require updates to legislation (see Annex 12).

WHOIS data that was formerly publicly available is increasingly moving into systems that prevent unauthorised access by granting logins to legitimate users only, for individual look-ups in the context of criminal investigations. While authorities are considered as legitimate users and therefore would be granted access to the systems, this is only part of the picture. From an authority's perspective, any action needs to have a basis in law, and many national laws, including those of EU Member States, do not provide for one. In the absence of a specific legal basis, the database lookup might have to be replaced by a request or production order for each lookup.

In the absence of EU intervention, the problem drivers are likely to evolve as follows:

1. Too much time would still be required to access e-evidence across borders under the judicial cooperation procedures, reducing the effectiveness of investigations and prosecutions.

   The exponential growth in electronic data will likely cause the number of request to continue increasing. If no action is taken to preserve the ability of authorities to perform WHOIS look-ups, these lookups may have to take the form of individualised requests that need to be reviewed individually. Given that such a lookup is often the first step in an investigation, a conservative estimate would put the number in the tens of thousands per week across the EU. In the absence of a legal basis permitting direct lookups, this procedure would significantly slow down investigative measures: the number of resources to deal with the requests throughout the process is not likely to increase accordingly (e.g. in MLAT requests to the US, public officials from requesting authorities, US Department of Justice officials, US judges and court officials, FBI agents, service providers’ staff). This would likely result in even longer response times to MLAT (and EIO) requests. At the same time, data minimisation requirements force service providers to delete data more quickly, increasing the number of cases where data will no longer be available when the request reaches the service provider.

The 2016 Review Report of the EU-US MLA Agreement concluded that there was no need to revise the Agreement, but included recommendations to make the Agreement work better in practice, including on electronic evidence. These include recommendations to seek direct cooperation from US service providers and consider other means to reduce the pressure of the volume of MLA requests to the U.S. for e-evidence, and to train and build capacity for public authorities, including on emergency procedures. The Commission has been encouraging Member States to implement the recommendations contained therein, and is helping to set up training (which is one of the practical measures proposed here), but practitioners and Member States agree that these recommendations are not sufficient to address the issues linked to the access to electronic evidence. Similarly as for the EIO, this is based on the consideration that without a fundamental change of the process, MLA procedures will never be as fast as direct cooperation channels. Emergency procedures are reserved for exceptional situations (involving imminent risk of serious injury or death, including in terrorism cases), while electronic evidence is required in a large proportion of all investigations.

2.    Inefficiencies in public-private cooperation between service providers and public authorities would continue hampering effective investigations and prosecutions. As the response times for MLA (and EIO) requests would continue growing, public authorities would increasingly try to reach out directly to service providers, while these would be receiving more and more formal requests simultaneously. Without a clear framework for direct cooperation between service providers and foreign public authorities it is likely that investigations and prosecutions involving e-evidence would become more and more challenging.

3.    Shortcomings in defining jurisdiction would continue hindering effective cross-border investigation and prosecution. In the absence of EU intervention, the use by criminals of encryption, anonymisation tools, virtual currencies, the Darknet and other future technologies, or simply the use by service providers of technologies to manage the data that prevent its precise localisation, would continue making it difficult for public authorities to establish the appropriate jurisdiction. This may lead to the adoption by Member States of national legislation on direct cooperation with service providers, on direct access to e-evidence, or on other options such as data localisation, which would lead to a fragmented legal framework that could likely hamper effective cross-border cooperation in investigations and prosecutions.

The evolution of the problem in the absence of EU intervention will be further analysed when describing the baseline option.

3.Why should the EU act?

3.1.Legal basis

The legal bases for EU action are Articles 82(1), 82(2), 53 and 62 of the Treaty on the Functioning of the European Union (TFEU):

·Article 82(1) specifies that judicial cooperation in criminal matters shall be based on the principle of mutual recognition.

This legal basis would cover possible legislation on direct cooperation with service providers (see options C and D), in which the authority in the issuing Member State would directly address an entity (the service provider) in the executing State and even impose obligations on it. This would introduce a new dimension in mutual recognition, beyond the traditional judicial cooperation in the Union, so far based on procedures involving two judicial authorities, one in the issuing State and another in the executing State.

·Article 82(2) would cover possible legislation on direct access (see option D), which would notably establish minimum safeguards and conditions when it comes to cross-border access to data that will protect the rights of subjects whose data is accessed.

·Articles 53 and 62 would provide for the adoption of measures for the coordination of the provisions laid down by law, regulation or administrative action in Member States concerning establishment and provision of services. Specifically, an obligation to appoint a legal representative for the Union would contribute in particular to the elimination of obstacles to the freedom to provide services.

3.2.Subsidiarity: necessity of EU action

A satisfactory improvement of cross-border access to electronic evidence in criminal investigations cannot be sufficiently achieved by Member States acting alone or in an uncoordinated way. In the absence of EU action, Member States would have to update their national laws to respond to current and emerging challenges with the likely consequence of further fragmentation and/or conflicts of law, which would likely hamper cross-border cooperation in criminal investigations and prosecutions. Such individual action would also fail to provide a unified system for direct cooperation with service providers, leaving them to deal with more than 20 different legal systems instead of one harmonised approach.

Both the Member States and the European Parliament have recognised that these challenges require action beyond the national level. The June 2016 Council Conclusions gave a strong mandate to the Commission, and the October 2017 European Parliament Resolution also called for the Commission to put forward legislative proposals. This makes sense in view of the negative consequences of unilateral actions by Member States: if each Member State were to continue or start its own individual approach, then this would further increase the diversity of approaches and lead to possible conflicts related to the different conditions and safeguards for access.

For the access to e-evidence through online databases such as WHOIS, Member States have recently highlighted its importance in November 2017 Council Conclusions, where they cited "the importance of ensuring a coordinated EU position to efficiently shape the European and global internet governance decisions within the multi-stakeholder community, such as ensuring swiftly accessible and accurate WHOIS databases of IP-addresses and domain names, so that law enforcement capabilities and public interests are safeguarded" 66 . Given that the cross-border aspect cannot be sufficiently addressed by unilateral measures, access to the WHOIS database requires EU action because it also concerns cross-border access to non-public data. Such access creates international legal issues that are difficult to deal with by national legislation, which can by its nature only address national issues. Therefore the EU is well-placed to provide a harmonised solution, even if the ideal solution for any such problem would be at the global level, which is currently unrealistic to achieve and will likely remain so for a while.

EU action is needed on direct access because the systems adapted by various Member States are not coherent and risk creating conflict among Member States: while some impose few limitations on access to data stored abroad, others demand that law enforcement be able to prove that the data is stored in country out of respect for other countries' sovereignty. This impasse cannot easily be bridged at national level but only through coordinated action to define the conditions under which access may be granted.

As described in section 2.3., the current challenges to access e-evidence across borders are likely to keep increasing due to the exponential growth of electronic data, the increasing need to access e-evidence across borders and changing systems for accessing data that would require updates to legislation, as the world becomes more and more interconnected online. EU action to address these increasing challenges is not only necessary but also keenly expected by stakeholders, as repeatedly conveyed during the consultations, and at political level.

3.3.Subsidiarity: added value of EU action

Given the cross-border nature of the problem, the diversity of legal approaches, the number of policy areas concerned by the matter (security, criminal law, fundamental rights including data protection, economic issues) and the large range of stakeholders, the EU seems the most appropriate level to address the identified problems. As previously described, the crimes in which electronic evidence exists frequently involve situations where the victim, the perpetrator, the infrastructure in which the e-evidence is stored and the service provider running the infrastructure are all under different national legal frameworks, within the EU and beyond. As a result, it can be very time consuming and challenging for single countries to effectively access e-evidence across borders without common minimum rules.

The creation of EU cooperation mechanisms in criminal matters also reflects the value of action at EU level in this area. These mechanisms include legislation, such as the EIO Directive and institutions such as Eurojust. The added value of these initiatives in helping Member States access e-evidence across borders was acknowledged multiple times during the stakeholder consultations.

Another important added value of EU action is to facilitate cooperation with non-EU countries, in particular with the US, given that the need to access e-evidence internationally frequently goes beyond EU borders. This cooperation can also be better achieved at EU level than through bilateral agreements of individual Member States.

The objectives of the initiative can also be tackled at international level through instruments such as the Budapest Convention, where negotiations on a second additional protocol addressing e-evidence issues are taking place at the moment. A new set of rules at international level would be an essential but not sufficient element in addressing the issues identified; it would not in itself address the problems identified as effectively as it might in combination with an EU instrument. This is due to expectation that the protocol, first, will not be as far-reaching as it is not based on the same level of mutual trust among the more diverse 50+ parties to the Convention and, secondly, will lack the enforcement mechanisms that EU law has, as it is an international Convention. EU action is therefore necessary.

4.Objectives: What is to be achieved?

4.1.General objective

The general objective is to ensure effective investigation and prosecution of crimes in the EU by improving cross-border access to electronic evidence through enhanced judicial cooperation in criminal matters and an approximation of rules and procedures.

This general objective is in line with the legal basis contained in Article 82(1) TFEU on judicial cooperation in criminal matters, and in Article 82(2) TFEU, which empowers the EU to establish minimum rules concerning mutual admissibility of evidence and the rights of individuals in criminal proceedings to the extent necessary to facilitate mutual recognition of judgements and judicial decisions and police and judicial cooperation in criminal matters having a cross-border dimension.

The general objective addresses the general problem of some crimes not being able to be effectively investigated and prosecuted in the EU because of challenges in cross-border access to electronic evidence.

4.2.Specific objectives

There are 3 specific objectives that address the problem drivers identified in section 2.2.:

Table 5: problem drivers, specific objectives and general objective

5.What are the available policy options?

The following process was applied to determine the policy options:

1)mapping of possible policy measures:

a.The mapping covered the full spectrum of possible EU intervention: no action, non-legislative action and legislative action.

b.Given that the issue at hand is basically a regulatory failure, it was important to lay out the full range of regulatory tools to determine the most proportionate EU response.

c.The mapping stage included a first filter to identify the policy measures to discard at an early stage (section 5.3.).

d.The outcome of the mapping stage was a set of policy measures retained for further elaboration and analysis.

2)description of policy measures retained in the mapping stage (section 5.2.);

3)analysis of the policy measures retained in the mapping stage (Annex 4):

a.This stage included a second filter to identify the policy measures to discard (i.e. the European Production Request and Order, the European Production Request and the recommendation on conditions and safeguards for cross-border online searches).

b.It includes a qualitative analysis using the same assessment criteria as those used to analyse the options. The policy measures retained are therefore those that provide the alternatives that are most feasible (legally, technically and politically), coherent with other EU instruments, effective, relevant and proportional to tackle the problem and its drivers analysed in section 2.

c.The outcome of this stage was the final set of measures for the policy options;

4)description of policy options, formed by combining the retained measures into different groups:

a.The formation of options follows a cumulative logic, with an increasing level of EU legislative action (section 5.4.).

b.The cumulative logic was followed not only because the measures are in general not mutually exclusive and can be combined but also because they are complementary in a number of ways, presenting synergies that the combined options can benefit from.

5)analysis of policy options:

a.The options are analysed in detail in sections 6 (impacts), 7 (comparison of options) and 8 (preferred option).

5.1.Scope of policy measures

The scope of the policy measures for this initiative is the following:

·Data (material scope):

oTypes of data 67 :

§Non-content data:

·Subscriber data, which allows the identification of a subscriber to a service. Examples: subscriber’s name, address, telephone number.

·Metadata, which relates to the provision of services and includes “electronic communication metadata”, as defined in the ePrivacy proposal 68 . Examples: data relative to the connection, traffic or location of the communication. 

·Access logs, which record the time and date an individual has accessed a service, and the IP address from which the service was accessed;

·Transaction logs, which identify products or services an individual has obtained from a provider or a third party (e.g. purchase of cloud storage space).

§Content data. Examples: text, voice, videos, images, and sound stored in in a digital format, other than subscriber or metadata.

The type of data may imply different treatment by existing rules and different procedures to access it. Each of the above categories may contain personal data, and are thus covered by the safeguards under the EU data protection acquis, but the intensity of the impact on fundamental rights varies between them, in particular between subscriber data on the one hand and metadata and content data on the other. Appropriate safeguards need to be provided in accordance with the level of sensitivity. The sensitivity of the data can also depend on the volume requested; large volumes of specific types of metadata can allow for the profiling of individuals, especially with respect to location, and hence require more safeguards as compared to smaller amounts or different kinds of metadata 69 .

   The above categories are all relevant for different purposes. Leaving any of them outside the scope would greatly diminish the effectiveness of the initiative.

oStored vs intercept:

§All the data above refers to electronically stored data that already exists. 

§Intercept data (i.e. data from real-time interception of telecommunications) is out of the scope of this initiative as there are specific and significantly different rules that determine access to that data (see measures discarded at an early stage, section 5.3.).    

oConcrete criminal offence vs mass surveillance:

§This initiative concerns cross-border access to e-evidence in the framework of criminal investigations or criminal proceedings for concrete criminal offences, which ensures the application of procedural guarantees.

§Other situations not linked to a concrete investigation, such as intelligence or mass surveillance, are out of scope.

oAll data areas are within the scope of the initiative.    

oTypes of crimes:

§All crimes in the areas within the scope of the initiative are covered. The initiative is not limited to serious crimes, as the problem of cross-border access to e-evidence in criminal investigations is relevant for all crimes. 70  

·Providers of the following services (personal scope):

oelectronic communications services as defined in the proposal for a Directive establishing the European Electronic Communications Code 71 . The revised definition of electronic communications services covers both traditional telecommunication services (example: voice telephony, SMS, internet access service) as well as new internet-based services enabling inter-personal communications such as voice over IP, instant messaging and web-based email services (Over-the-Top communications services, 'OTTs'). These OTTs are in general not subject to the current EU electronic communications framework (i.e. Directive 2002/21/EC 72 ), including the current ePrivacy Directive, which in general applies only to traditional telecommunication services. In line with the expansion of the EU electronic communications and ePrivacy framework, OTTs should be covered by this initiative as well (e.g. Gmail, WhatsApp);

oinformation society services as defined in the Directive 98/34/EC 73 that store data at the individual request of a recipient of a service; this includes a variety of known services providers such as social networks (e.g. Facebook and Twitter), cloud services (e.g. Microsoft, Dropbox or Amazon Web Services), online marketplaces (e.g. eBay or Amazon marketplace) or other hosting service providers (e.g. Bluehost).

ointernet infrastructure services such as IP address providers and domain name registries and registrars and associated privacy and proxy services (e.g. GoDaddy).

Service providers include both data controllers and data processors, as defined in Article 4(7) and 4(8) respectively of the General Data Protection Regulation.

·SMEs:

oSMEs are also among the service providers covered. For effectiveness reasons, no general exemption for SMEs from the scope is proposed (see Annex 13).

·Geography:

oAll situations described in table 2 and figure 1, except the one in which countries A, B and C are outside of the EU (or A=B=C, in which case it is a national issue).

oIn particular, the initiative covers data regardless of where it is stored.

oThe initiative takes into account situations where the requesting public authority is from a non-EU country only with regard to reciprocity considerations.

5.2.Description of policy measures

The following sections summarise the description of the policy measures. More detailed descriptions are available in Annex 7.

5.2.1.Non-legislative action

Measure 1: practical measures to enhance judicial cooperation

a) Judicial cooperation with the US (MLA)

The expert consultation process identified the following practical measures to enhance judicial cooperation between public authorities in the EU and the US, on the basis of the existing mutual legal assistance procedures:

1)Organise regular technical dialogues with the US Department of Justice to continue to improve the process, speed and success rate of MLA requests.

2)Facilitate regular contacts between the EU Delegation to the US, the Commission and liaison magistrates of Member States in the US to discuss MLA process issues.

3)Provide opportunities for the exchange of best practice and further training for EU practitioners on applicable rules in the US relate to the MLA procedure. The Commission has made available EUR 500 000 under the Partnership Instrument 74 for this.

b) Judicial cooperation within the EU (EIO)

This measure proposes to facilitate the implementation of the EIO Directive through a set of measures that could improve the speed of judicial cooperation requests within the EU:

1)An electronic user-friendly version of the forms in the annexes of the EIO Directive.

2)A secure online platform for electronic exchanges of EIO/MLA requests and replies between EU competent authorities (including on e-evidence) to allow for swift and secure exchanges of requests between competent authorities of different Member States.

Measure 2: practical measures to enhance direct cooperation

1)Creation of single points of contact (SPOC), both on the public authorities’ side and on the service providers’ side:

·On the public authorities’ side in the Member States, it could significantly improve the direct cooperation between those authorities and service providers by e.g. ensuring the quality of outgoing requests and building relationships of confidence with providers, as they know their counterpart.

·On the service provider's side, the creation of a single point of entry could also improve the direct cooperation between those authorities and service providers, by, e.g., helping to clarify the provider’s policies.

2)Streamline procedures on both the public authorities’ and the service providers’ side:

·On the public authorities’ side, the standardisation and reduction of forms used by law enforcement and judicial authorities could facilitate the creation of requests by law enforcement and increase the confidence of service providers when it comes to the identification of authorities and proper forms used.

·On the service providers’ side, significant improvements could be made through streamlining service providers' policies to reduce the heterogeneity of approaches, notably regarding procedures and conditions for granting access to the requested data.

3)Provide opportunities for the exchange of best practice and training of public authorities in the EU on cooperation with US-based providers.

·All stakeholders indicated that additional training for law enforcement and judicial authorities could support the functioning of direct cooperation between those authorities and service providers. The Commission has made available EUR 500 000 under the Partnership Instrument 75 for improving direct cooperation.

·Several stakeholders suggested the establishment of an online information and support portal at EU level to provide support to investigations, including information on applicable rules and procedures. It could leverage the work of existing initiatives such as Europol's SIRIUS platform to facilitate online investigations, including the direct cooperation between authorities and service providers 76 .

5.2.2.Legislative action

International agreements

The EU could seek to conclude international agreements coherent with EU-internal solutions to provide a basis for closer international cooperation with safeguards comparable to those of the EU-internal solution with regard to individuals' rights, including judicial redress. These agreements could cover judicial cooperation, direct cooperation and/or direct access.

The objectives of these measures on improving cross-border access to electronic evidence through international agreements are:

·to ensure international comity;

·to ensure appropriate conditions and safeguards; and

·to institute mutually compatible approaches and reduce conflicts of law.

Box 4: what is international comity and why does it matter?

These measures consider the negotiation of two types of international agreements: multilateral and bilateral.

Measure 3: multilateral international agreements

Multilateral international agreements ideally create a common framework across a wide number of countries affected by the same challenge. In the field of cyber-enabled crime, the 2001 Council of Europe Convention on Cybercrime (the Budapest Convention) is the main multilateral framework 78 .

The parties to the Budapest Convention recently decided to negotiate an additional protocol to the Convention by September 2019 79 . The scope may expand the existing framework allowing for direct cooperation with service providers in other jurisdictions (possibly including subscriber information, preservation requests, and emergency requests), as well as create a clear framework and safeguards for cross-border access to information.

The interest for the EU to follow closely the negotiation of this Additional Protocol is threefold:

1)Some non-EU countries which are also Parties to the Budapest Convention (e.g. the US) are very important in improving cross-border access to e-evidence.

2)While the scope is unlikely to extend to content data, it may include elements that are already covered by existing acquis at EU level, including on Mutual Legal Assistance or in relation to the European Investigation Order.

3)It may help address some of the reciprocity issues that a possible EU legislative initiative could generate (see option C, in particular Box 5).

The negotiations are closely linked with a possible EU proposal on e-evidence: if a proposal is made, consistency will have to be ensured, and there will also be a clear competency for the EU and obligation for the Member States to defend a common position. Whereas these negotiations will proceed regardless of EU action, the EU has the option to take a more or less active role in them. The main added value of an EU mandate to take an active role in these negotiations would be to ensure coherence and complementarity with a possible EU proposal on cross-border access to e-evidence.

Measure 4: bilateral international agreements

The EU could aim to conclude bilateral agreements to provide for production request/orders and direct access on a reciprocal base, possibly including rules for the enforcement of production orders. As the large majority of requests are sent to the US, an agreement with the US would have priority.

The US and the UK have been exploring the conclusion of a bilateral agreement to permit reciprocal direct requests to service providers for access to content data, subject to specific conditions and safeguards. This agreement requires a number of legislative changes, which are pending in the US.

The EU could aim to conclude a similar agreement with the US to allow direct requests to service providers for content data that currently cannot be disclosed by US service providers under the voluntary cooperation regime. Such an agreement would fall within the scope of application of, and would thus have to comply with, the EU-US Umbrella Agreement 80 .

Beyond the US, further bilateral cooperation with countries member of European Economic Area and with other countries such as Canada could also be contemplated.

Legislation on direct cooperation

These measures focus on addressing through a new legislative instrument problem drivers 2 (section 2.2.2.) and 3 (section 2.2.3.), which concern direct cooperation with service providers (i.e. situations in which the service provider has access to the data sought). It would indirectly also address problem driver 1 (section 2.2.1.), as an improved channel for direct cooperation would take pressure off the MLAT and EIO channels, saving them for those requests that require judicial cooperation mechanisms.

The new legislation in these measures would tackle the specific issues described in sections 2.2.2. (e.g. improving transparency, reliability, accountability and admissibility of evidence) and the issues concerning domestic production orders described in 2.2.3. (e.g. ensuring legal certainty, reducing conflicts of law, fragmentation and complexity, and protecting fundamental rights through procedural safeguards). It would indirectly also help reduce the time required for judicial cooperation procedures, an issue described in section 2.2.1., by creating a new channel for requests.

For data access with individual review by the service provider, there are basically two ways in which legislation on direct cooperation with service providers can go:

·Production requests are non-mandatory instructions made by a public authority in a Member State directly to a service provider to disclose data under its control, without the involvement of the public authorities of the country where the service provider is based. The service provider can voluntarily provide the requested information. If the

request is not complied with, there is no possibility of ensuring execution.

As described in section 2, this is the type of direct cooperation that takes place with service providers headquartered in the US, albeit without a specific legal basis in most Member States.

·Production orders, in contrast, are mandatory instructions made by a public authority in a Member State directly to a service provider to disclose data under its control, without the involvement of the public authorities of the country where the service provider is based, and within a set deadline. Service providers can be obliged to execute them on the territory of the Member State in which they are issued and, depending on the approach chosen, also on the territory of the Member State in which they are served on the relevant service provider.

In addition, the type of data (i.e. whether content or non-content) is a key factor to take into account when defining possible legislative options for direct cooperation.

The combination of the two sets of key factors above (i.e. whether the instruction is voluntary/mandatory and whether for content/non content data) generates the following legislative measures for direct cooperation with service providers:

Table 6: legislative measures for direct cooperation with service providers

All the measures above share the scope, definitions of types of e-evidence and the obligation for service providers to appoint a legal representative:

1)Scope:

·All the measures in the above would share the same scope, which is the one defined in section 5.1 for this initiative, across its various dimensions:

·Data (material scope):

oContent and non-content, stored (not intercept), concerning concrete criminal offences (no mass surveillance), all crimes (not limited to serious ones) in all areas.

oData should be provided regardless of whether the service provider is able to decrypt the data or disclose it in encrypted form only.

·Service providers (personal scope):

oThe service providers within the scope of this legislative acts would be those listed in section 5.1.

oThe scope needs to be comprehensive enough to create an effective tool, yet clear enough to allow providers to reliably assess whether they fall into the scope. A concrete list of type of service providers concerned provides clarity and legal certainty, and was therefore preferred to a "negative list" approach, including all service providers whose services might generate electronic evidence and excluding a limited number of service providers, or an open provision without any list.

·Geography:

oIn line with the geographical scope described in section 5.1., these legislative measures would cover data regardless of where it is stored 81 , as well as service providers regardless of where they are based, as long as they offer services on the EU market. "Offering services" on the EU market would be determined by a number of possible indicators, e.g., the availability of the service in an EU Member State language not widely spoken outside the EU or the possibility to pay for services in Euro. 82 The mere accessibility of the service from the EU would not be sufficient. 83

oOther connecting factors were not retained, in particular:

§Data storage location:

·if used as a connecting factor, it essentially leaves it up to the choice of service providers whether and where access to data should be granted and what rights apply;

·it has little to no connection to the case at hand, or even to the user;

·in certain situations, it might also create difficulties for authorities if they cannot discern the data storage location when making a request and are not in a position to verify providers' statements about where data is stored;

·it would also leave compliance with production orders to the discretion of service providers or their users, who could easily choose to store their data out of reach of the instrument, despite strong links to the investigating jurisdiction.

§Service providers’ location:

·regardless of their market presence in the EU, service providers could choose to avoid establishing themselves in the EU;

·service providers established outside of the EU may face a conflict of obligations between EU and national law of the country where they are established, in particular in the case of production orders. The different sub-options would include a procedure to resolve these conflicts of law (see below under “Sanctioning mechanism”).

2)Definitions of types of e-evidence:

·All the measures in this section would share the legal definitions of the types of electronic evidence. Harmonizing these definitions would provide for a common understanding and legal certainty for all the stakeholders concerned by the legislation.

·These definitions would take into account existing definitions, such as those in the Council of Europe Convention on Cybercrime and the proposal for an ePrivacy Regulation (see section 1 for more details on these legislative acts).

·The differentiation between different categories of e-evidence would allow to take into account different requirements by law or jurisprudence for one or more categories.

·To ensure that the definitions are not only future-proof (i.e. not affected by technological developments) but also precise, clear and comprehensive, stakeholders suggested the creation of a technical library, built in cooperation with Member States and service providers. This library would contain information about and examples of the different types of e-evidence as defined by the legislation and would, e.g. provide clarity where the interpretation varies at present.

3)The legal representative:

·Overview: 

oThe expert process identified the importance of obliging service providers to designate at least one legal representative (a natural or legal person) in at least one of the participating Member States to facilitate direct cooperation between the public authorities of the requesting Member State and the service provider.

oThe condition that triggers the designation of a legal representative would be the provision of services on the EU market (see "Geography" section above). The legal representative model could draw, e.g., on the same approach as the legal representative for data protection purposes.

oExemptions or mitigation criteria could be considered, similarly to those contained in Art. 27 GDPR. An exemption could e.g. apply when the processing of personal data of EU data subjects is occasional. For effectiveness reasons, no general exemption for SMEs from the obligation to designate a legal representative is proposed (see Annex 13).

·Purpose:

oThe purpose of the legal representative would be to facilitate direct cooperation by turning the process of serving production orders/requests to service providers established outside the Union into an EU-internal process.

oThe same legal framework would apply to all service providers with a significant presence in the EU, whether or not they have their seat in the EU.

·Function:

oThe legal representative would have to be able and authorised by the service provider to receive, process and comply with production orders and/or production requests. It would be left up to the service provider's internal organisation how compliance would be accomplished, which would not necessarily have to be performed by the legal representative (see below).

oIn the case of production orders, the legal representative would also be the person through which legal obligations could be enforced by means of administrative sanctions imposed on the service provider.

oIn case of service providers established outside of the EU, the legal representative would enable the production orders and/or requests to be served and, in the case of production orders, enforced in the EU. Member States have asked to also have a legal representative designated in case of service providers established in the EU, in order to have a clear addressee for production orders and/or production requests.

oThe legal representative would be an intermediary with no need for specific control or access to data. The designation of such a representative would not affect the responsibility or liability of the service provider (i.e. the service provider would remain the one liable and responsible). Like the legal representative under Article 27 of the GDPR 84 , it is therefore a procedural tool to facilitate direct cooperation and enforcement.

·Choice of legal representative:

oIn principle, providers should be free to designate as legal representative one or several entities in the EU and may choose to accumulate separate functions in one and the same person (e.g. GDPR or ePrivacy representatives 85 ).

oOne representative could be shared among a number of service providers. This could be particularly relevant to avoid excessive burden for SME's.

The following flowchart illustrates the possible alternatives for serving an EPO:

The following sections describe the specificities of each of the related measures.

Measure 5: European Production Order

1)Overview:

·This measure proposes a cross-border European Production Order, an official demand issued or validated by a judicial authority of a Member State for the disclosure of information stored in digital form that could serve as evidence in the framework of criminal investigations or criminal proceedings.

·The European Production Order could be directly addressed to a service provider outside of the Member State where it is issued, irrespective of where the service provider is based (i.e. whether in another Member State or outside of the EU) and of where the data is stored. The European Production Order would be binding, i.e. the service provider has an obligation to cooperate when so required by the competent authority and could face fines in case of non-compliance.

·It would also provide for deadlines to respond. These deadlines could be two-fold: a deadline for normal cases, which would give the service provider a reasonable period to reply to orders, and a deadline for urgent cases, which could be accompanied by a lighter procedure. This would also address the issue of timing of obtaining e-evidence, which is a crucial aim of the initiative.

Simplified illustration of procedure:

2)Sanctioning mechanism:

·Authorising authorities to compel a service provider to disclose e-evidence in cross-border cases and obliging service providers to respond can only be effective in practice if there is a possibility for execution of such orders in case of non-compliance. While compliance with a legal obligation might still be expected from a number of companies, without a possibility for sanctioning in case of non-compliance, the European Production Order would in practice resemble a production request, as the obligatory nature would be merely theoretical. The added value would thus be limited.

·Currently, not all Member States have a legal framework in place for imposing financial sanctions against non-compliant service providers in their national laws.

·As a minimum, the legal proposal under this measure should therefore impose an obligation on Member States to set up effective, proportionate and dissuasive sanctions. A harmonised framework for financial administrative sanctions could also be envisaged to avoid discrepancies between Member States for similar situations. 86

·In order to maximise the efficiency of the new instrument, the proposal could include provisions on the imposition and execution of sanctions:

oWithin the EU, the imposition and execution of sanctions could be entrusted to the Member State where the service provider is based, based on mutual recognition mechanisms.

oWith non-EU countries, should a financial sanction be imposed against a company based outside the EU, the legal representative would also be served with the decision imposing sanctions on the service provider. Such a financial sanction could be executed in a non-EU country only through applicable international agreements, as the legal proposal could not oblige the authorities of non-EU countries to execute the sanction.

·Conflicts of law:

oThe need to avoid creating new conflicts of laws was raised repeatedly by service providers, civil society and some Member States during the consultations. This is particularly relevant when the service provider is based in a non-EU country (e.g. the US).

oConflicting obligations for service providers could arise from the national law of non-EU countries, as this EU instrument would cover data stored outside of the EU and service providers established outside of the EU or subject to the law of a non-EU country. In particular, service providers could be caught between the obligation to comply with a European Production Order and the law of the non-EU country applicable to the data or the service provider, which may prohibit or restrict/condition such disclosure of data to foreign authorities. An example is the US Electronic Communication and Privacy Act, which prevents companies under US jurisdiction from sharing content data directly with foreign law enforcement.

oThis issue could be addressed by means of a dedicated procedure for reviewing such conflicting obligations in the issuing Member State. In case of a conflict of obligations arising from the law of a non-EU country, the service provider could invoke that conflict on the basis of a reasoned refusal to comply. In case of disagreement between the issuing authority and the service provider, a court could be asked to review the case. The court and the issuing authority could also engage in consultations with the other country’s authorities. The judge could eventually either uphold the order (if he finds there is no conflict of law) or lift the order (if he finds there is a conflict of law) and order preservation of the data while awaiting mutual legal assistance from the authorities of the other country.

oAs an auxiliary measure to the European Production Order, the legal proposal would include the possibility to execute an order to preserve the data, which would be sent by the competent authority directly to the service provider 87 .

oMeasures to prevent abuse of such a "conflict of law clause" would need to be considered. For example, the criteria mentioned above should be limited to relevant types of legislation such as criminal procedural law and data protection law.

oSuch a clause would, in addition to protecting service providers from conflicts of law, also address potential issues of extra-territoriality, i.e. the intrusion on the sovereignty of the non-EU country, and of reciprocity, i.e. legitimisation of similar production orders by non-EU countries with respect to data held in the EU or providers headquartered in the EU. Reciprocity issues would be particularly problematic if they involved countries which do not have fundamental rights safeguards in place that can be considered comparable to those in the EU, including in the field of data protection 88 , and if the relevant legislation in those countries did not provide for comparable conditions and safeguards as those that should be included in any European Production Order proposal. The conflict of laws clause could contribute to mitigating the intrusiveness of the measure, from both an international law and privacy point of view, and would ensure international comity. Because the conflicting laws of non-EU countries would be taken into account, the Union and Member States could claim that these countries should do the same when requesting electronic evidence from an EU service provider, e.g. when there is a conflict with the EU data protection regime. This would mitigate the risk that our data protection acquis is undermined by non-EU countries.

3)Safeguards:

The European Production Order would be accompanied by comprehensive safeguards, which could include the following:

a)Procedural rights of accused and suspected persons:

oThe suspect would be protected by the EU acquis on the rights of suspected and accused persons in criminal proceedings and the full respect for due process.

oIn particular, Directive 2012/13/EU on the right to information in criminal proceedings 89 grants the suspected or accused person access to all material evidence in the possession of the competent authorities at minimum, in order to safeguard the fairness of the proceedings and to allow for preparation of the defence.

b)Intervention of a judicial authority:

oEvery European Production Order would have to be issued or validated by a judicial authority.

oIn most Member States, law enforcement authorities can order service providers in their own jurisdiction to disclose subscriber data. The cross-border European Production Orders would have to be validated by a judicial authority. This creates an additional safeguard and also matches the approach taken in the European Investigation Order.

oFurthermore, the legal basis of this initiative, Article 82 TFEU, refers to "judicial cooperation in criminal matters (…) based on the principle of mutual recognition of judgments and judicial decisions." 

oThe intervention of a judicial authority would generate greater mutual trust and contribute to greater reassurance for the service providers receiving the order. It would also ensure that the proportionality and legality of the measure have been checked and that the order does not infringe fundamental rights such as the lawyer-client privilege or the right to media freedom.

c)Charter of Fundamental Rights including the principles of necessity and proportionality:

oThe judicial authority would have to ensure the respect of the Charter of Fundamental Rights including by taking into account the principles of necessity and proportionality in its decision to issue or validate a production order, and specific aspects to consider could be enumerated. These should include that the data sought, including the data category, is necessary for and the measure is limited to what is necessary and proportionate to the purpose of the proceedings, also in view of the nature and gravity of the offence under investigation (petty crime versus more serious offences).

d)Principle of "controller first":

oThe production order should by preference be addressed to the data controller, i.e. the entity that determines the purposes and means of the processing of personal data (Art. 4(7) GDPR). This could be of relevance in particular when it comes to larger entities, such as corporations, that avail themselves of the services of service providers within scope of this instrument to provide their corporate IT infrastructure and/or services.

oHowever, for cases where this is not opportune, e.g. because the controller itself is suspected of involvement in the case under investigation or of otherwise colluding with the target of the investigation, authorities should be able to address a service provider able to provide the data in question.

e)User notification:

oBy public authorities, in line with national criminal procedural laws which provide for notification and with Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities (the "Police Directive") 90 , which establishes:

§a right for the data subject to be personally informed by the competent authority about the data processing in specific cases, in particular where the personal data are collected without the knowledge of the data subject (Article 12 et seq);

§that this right to be informed may be delayed, restricted or omitted to "avoid obstructing official (…) investigations [and] prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties" (Article 13(3)(a) and (b)); and

§that such a restriction requires a legislative measure and can only be imposed to the extent that, and for as long as, such a measure constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and the legitimate interests of the natural person concerned (Article 13(3)).

oBy the service provider:

§An immediate notification to the user could jeopardise the investigation and is therefore not provided in the criminal procedural laws of most Member States.

§For the same reason, the legal framework would include a provision that gives the issuing authority the right to prohibit or delay the notification to the user by the service provider for such cases.

§The affected person would have to be informed as soon as the risk of obstructing the investigation no longer exists. At the latest, this occurs when taking open measures against the affected person, e.g. bringing charges in court or arresting the person.

§If a decision is taken not to prosecute the suspect or the investigation is closed or abandoned, user notification should in principle be done at this point, to avoid circumventing the obligation to notify 91 .

f)Legal remedies:

oFor the target of the investigation:

§The remedies in Member States against national production orders vary substantially: from no legal review (except for the accused person during his trial) to the right for every affected person to seek judicial review.

§It is essential that the suspect whose data is requested in the framework of criminal investigations or proceedings can have access to an effective legal remedy in the issuing country. The legislation should therefore set out, as a minimum, the possibility for the accused to challenge during the trial the legality of an European Production Order as well as the admissibility (or the weight in the proceedings) of the evidence obtained by such means.

§Remedies for situations without trial should also be considered.

§Remedies should in any case not have suspensive effect, like the EIO. The proposal could refer to legal remedies provided by national law available in similar domestic cases as provided in Article 14 of the EIO Directive.

oFor service providers:

§Service providers may be also be affected by the investigative measure.

§The situation in Member States varies from no legal review, as the service provider is regarded as a third party unaffected by the investigation, to the possibility to challenge the order, which only exists in few Member States.

§Given the ambitious approach of the European Production Order, service providers should have the possibility to react in particular cases, including:

·requesting legal review if the European Production Order has not been issued or validated by a judicial authority;

·requesting legal review if the metadata requested is erroneously qualified as subscriber data;

·asking for clarifications if the request is unclear

·claiming any remedies set out in national law of the issuing state for a domestic case.

§In cases of non-compliance, the (separate) decision to impose a fine should be subject to legal remedies, as it directly affects the service provider.

§In all these cases, legal remedies should be brought before the courts of the issuing State. Even though it would be easier for the service provider to bring an action to its domestic courts, it should be the courts of the issuing State who should review decisions of issuing authorities in accordance with the applicable law of the issuing State. The courts in the State of the service provider would not be well-placed to apply the criminal procedural law of another Member State to control the authorities of this other Member State. This could lead to conflicts between Member States, and would create a risk of diverging decisions.

oFor third persons (e.g. victims, witnesses):

§In addition to suspects and service providers, third persons (e.g. victims or witnesses, whose data is requested) may be affected by the investigative measure.

§A legal remedy could also be considered for third persons whose data was sought and who do not have the opportunity to challenge the legality of the order in a subsequent trial against the accused person 92 .

§The right of any data subject to lodge a complaint with a supervisory authority under the data protection rules must also be respected 93 .

g)Privileges and immunities:

oJudicial cooperation in criminal matters in the Union has so far relied on mutual recognition involving two authorities, i.e. a judicial decision taken in one Member State is recognised and executed in another Member State. Since the entry into force of the EIO this also applies to the access to evidence.

oThe EIO contains a limited set of grounds for non-recognition or non-execution (Article 11). These include cases in which there is an immunity or privilege under the law of the country receiving the EIO (e.g. for certain professions such as medical and legal) and absence of dual criminality. Because of their importance, 94 the European Production Order should include the possibility for some of these grounds for non-recognition or non-execution to be taken into account in the issuing State during the trial, e.g. if raised by the accused person 95 . In addition, the issuing judicial authority should be obliged to carefully assess a number of criteria before issuing the order, e.g. that persons benefiting from immunities are not affected by the order.

oSubscriber data should be left outside the scope of these grounds for non-recognition or non-execution due to its lesser sensitivity, and because this is regularly the first step in identifying a person. This is already recognised to some extent in the EIO, where double criminality cannot be invoked as ground for refusal for subscriber data (Articles 11(2) and 10(2)(e)).

Measure 5*: European Production Request (EPR)

1)Overview:

·The European Production Request would provide, through the production request, a harmonised legal basis across Member States to recognise the legality of the current practices of direct cooperation and to further enable such cooperation between Member State by removing existing hurdles and prohibitions. It would provide judicial authorities with the competence to make non-binding requests for cross-border access to electronic evidence to service providers located in another Member State or outside of the EU, and for these service providers to reply to such requests, without passing through local law enforcement or judicial authorities. The main added value of production requests is that they would provide legal certainty for a process that is currently not clearly regulated in Member States' laws. This is advantageous from a fundamental rights perspective and adds clarity to a non-transparent system

1)Sanctioning mechanism :

·There would be no sanctioning mechanism for the European Production Request could not be executed in the country of the service provider.

2)Safeguards:

The same safeguards as for the European Production Order would apply, with the exception of:

·the immunities and privileges which should not apply to a non-executable instrument;

·the conflicts of laws clause, as no specific review procedure is required if service providers can simply choose not to comply, forcing authorities to recur to traditional tools for formal judicial cooperation.

In addition, the fact that the request cannot be executed creates a further safeguard in the form of the possibility for the service provider not to comply in case of doubt as to the legitimacy of the request. While this assessment should not be outsourced to the service provider, this could be a de facto consequence of the non-enforceable nature of the European Production Request.

Measure 5**: European Production Request and Order (EPRO)

2)Overview:

·This measure would take the form of a production request for content data. The European Production Request and Order would provide judicial authorities with the competence to make non-binding requests for cross-border access to content data to service providers located in another Member State or outside of the EU, and for these service providers to reply to such requests, without necessarily passing through local law enforcement or judicial authorities.

·For non-content data, it would be the same as the European Production Order. The European Production Request and Order would introduce a harmonised legal basis across Member States for issuing production orders for non-content data, taking one step further the current practices of direct cooperation for non-content data on a voluntary basis.

3)Sanctioning mechanism:

·For content data, there would be no sanctioning mechanism., as the measure would in essence be voluntary.

·For non-content data, the sanctioning mechanism would be idem the European Production Order.

4)Safeguards:

·For content data, the same safeguards as for the European Production Order would apply, with the exception of :

othe immunities and privileges which should not apply to a non-executable instrument;

othe conflicts of laws clause, as no specific review procedure is required if service providers can simply choose not to comply, forcing authorities to recur to traditional tools for formal judicial cooperation.

In addition, the fact that the request cannot be executed creates a further safeguard in the form of the possibility for the service provider not to comply in case of doubt as to the legitimacy of the request. While this assessment should not be outsourced to the service provider, this could be a de facto consequence of the non-executable nature of the production request.

·For non-content data, the safeguards would be idem the European Production Order.

Measure 6: access to data without individualised review (WHOIS)

For data that service providers make available for access by authorities through a system of databases without individual review by the service provider (e.g. the WHOIS systems), legislation could provide for a legal basis to perform searches in the system, in line with the rules of the system, national frameworks and EU law, including data protection rules. The main added value of a legal base to access online databases such as WHOIS would be to maintain the same possibility for access once the information is no longer publicly available. Currently, WHOIS information is extensively used by law enforcement, in particular as the starting point for investigations. Once the information is no longer publicly available, those possibilities would disappear and access would be subject to the more strictly conditions required for more intrusive searches, which however were not conceived for this situation. This would in turn frustrate the start of investigations.

1) Scope:

·Data (material scope):

oSubscriber information, stored (not intercept), concerning concrete criminal offences (no mass surveillance), all crimes (not limited to serious ones).

·Geography:

oIn line with the geographical scope described in section 5.1., this legislative measure would cover data regardless of where it is stored 96 . Data storage location is not a feasible connecting factor for a worldwide federated data access system underpinning a global resource such as the domain name or IP address systems.

2) Safeguards:

Safeguards could include the following:

a)Procedural rights of accused and suspected persons:

oThe suspect whose data is accessed would be protected by the EU acquis on the rights of suspected and accused persons in criminal proceedings and the full respect for due process.

oIn particular, Directive 2012/13/EU on the right to information in criminal proceedings 97 grants the suspected or accused person access to all material evidence in the possession of the competent authorities at minimum, in order to safeguard the fairness of the proceedings and to allow for preparation of the defence.

b)Principles of necessity and proportionality:

oThe authority would take into account the principles of necessity and proportionality in its decision to access records in the database system, and specific aspects to consider could be enumerated.

c)User notification:

oAuthorities would have to notify users in line with national criminal procedural laws which provide for notification and with the Police Directive 98 .

d)Legal remedies:

oFor the target of the investigation:

§The suspect whose data is requested in the framework of criminal investigations or proceedings must have access to an effective legal remedy in the issuing country. The legislation should therefore set out, as a minimum, the possibility for the accused to challenge during the trial the legality of the database lookup as well as the admissibility (or the weight in the proceedings) of the evidence obtained by such means.

§A remedy in case of no trial should also be considered.

§The proposal could refer to the legal remedies provided by national law available in similar domestic cases.

There would be no added administrative burden compared to today, besides implementation, as the measure proposes to maintain the same procedures as today, i.e. not requiring individual judicial review. This measure could usefully be combined with either the European Production Order, the European Production Request and Order or the European Production Request. While this measure and the latter three address different aspects of direct cooperation, they are complementary and do not overlap, as they cover different cooperation mechanisms.

Legislation on direct access

Measure 7: legislation on harmonised safeguards for direct access

This measure focuses on addressing through a new legislative instrument problem driver 3 (section 2.2.3.), specifically the part that concerns direct access to e-evidence across borders from an information system within the jurisdiction.

In particular, the new legislation under this measure would allow public authorities to access data directly when it is not certain that the data is stored in the same Member State, and also set minimum standards. It would define a set of conditions for the issuing of a judicial order permitting direct access, as well as a number of safeguards. The aim would be to establish common principles for accessing data that may be stored outside of the issuing Member State, thereby reducing fragmentation and increasing mutual trust among Member States .

1)Scope:

·Types of investigative actions covered:

oDirect access with the agreement of the data subject: e.g. if a victim or witness gives access to his or her mailbox to allow the authorities to view a relevant exchange with a suspect.

oExtended search in the context of an ongoing search under national law: e.g. when a person is searched on the basis of a warrant that extends to the search of any digital device the person is carrying.

oRemote search based on lawfully obtained user credentials: e.g. when authorities use login information obtained during a house search to access a dark web forum the suspect was active on.

·Material scope:

oContent and non-content, stored (not intercept), concerning concrete criminal offences (no mass surveillance).

·Geography:

oIn line with the geographical scope described in section 2.1.1., these legislative measure would cover data regardless of where it is stored, for the reasons described in sections 2 and 5, and to ensure that it encompasses the wide range of existing solutions in place in the Member States.

2)Conditions:

·The conditions should be enumerated in an exhaustive list, following the examples of the European Arrest Warrant 99 or the Europol Regulation 100 .

·The legislation would cover at least serious crimes and would leave it up to the Member States to cover also other types of crime, or cover all types of crimes.

oDirect access to data always takes place in the framework of a national investigative measure (e.g. seize and search). National law frameworks impose different conditions on the use of these investigating measures, which may include limitations with regard to the types of crime that would be applicable for obtaining the data stored on the device or in a cloud, when it is allowed.

oBy establishing that Member States could introduce such measures at least for serious crimes without preventing them from going further, the proposal would allow Member States to adapt the provisions to their specific situation.

oSerious forms of crime could be defined, like in mutual recognition instruments, through a list of crimes or through criteria established in the proposal (e.g. by referring to a minimum sanction of a crime), in a way that avoids conflicts with the national frameworks.

oAt the same time, imposing conditions and safeguards for serious crime only would open a path for Member States to apply less conditions and lower safeguards to direct access for lesser crimes. This might be inappropriate given the need to ensure proportionality of conditions and safeguards to the situation at hand, including the severity of the offence. Viewed from that perspective, it could be counterproductive to impose stricter conditions for more serious offences only.

·Specific conditions for direct access with the agreement of the data subject.

oThe data subject (the suspect or a third person) would have given his or her agreement to access his or her data stored in another territory, irrespective whether it is via the device of the data subject or via another computer system in the investigating State.

oNational law would have to provide an appropriate legal basis for the processing of personal data to comply with the Police Directive which requires a legal basis either in national or in European law, even when the data is processed with the agreement of the affected person.

oA similar situation is already covered by the Budapest Convention 101 , which provides for a search with the consent of the person who has the authority to disclose the data through a computer system in the territory of the investigating state.

·Specific conditions for an extended search in the context of an ongoing search under national law:

oDirect access through a seized device would be covered if there is an ongoing search (and seizure) of an electronic storage medium located in the territory of the investigating State on the basis of national law with the knowledge of the affected person.

oThe data concerned has to be considered necessary for the investigation; furthermore, direct access to the data would have to be required in order to avert the threat of losing the data. This threat can be particularly acute in the context of an open search as the suspect becomes aware of the investigation and may seek to destroy evidence. However, if swift cooperation from a service provider can be expected, direct access should not be necessary.

·Specific conditions for a remote search based on lawfully obtained user credentials:

oDirect access to data stored remotely through an authority’s device would be covered if the credentials to an online account have been lawfully obtained.

oThe credentials can have been provided by a person other than the service provider, or found during the search of a premises or a device.

oThe knowledge of the user would not be required.

oThe data concerned again has to be considered necessary for the investigation; furthermore, direct access to the data would have to be required in order to avert the threat of losing the data. The same considerations set out immediately above also apply.

·The conditions applicable for the search of the data on the device itself already set out by the respective national law would be preserved.

3)Safeguards:

·Procedural rights of accused and suspected persons (idem European Production Order, see above).

·Intervention of a judicial authority:

oAny of the forms of direct access covered by the legal act would have to be validated by a judicial authority.

oThe decision by the judicial authority to validate a form of direct access would take into account the respect of the Charter of Fundamental Rights including the principles of necessity and proportionality, taking into account that:

§Access should be limited to what is necessary and proportionate to the purpose of the proceedings, also in view of the nature and gravity of the offence under investigation.

§In addition, direct access to the data would have to be necessary in order to avert the risk of losing the data, or because of other exigent circumstances 102 .

§In case of remote access, the suspect is often unaware of the measure. As a result, the risk of deletion of evidence by the suspect is reduced. Therefore, remote access could be considered in situations where other forms of access (e.g. direct cooperation with service providers) are:

·not possible or cannot be considered as feasible: e.g. the location of the provider is unknown, such as Telegram; or in case of use of the Dark net, where it is rarely possible to determine the identity of the service provider because of the techniques used to conceal the origin of the information/data;

·could seriously undermine the investigation: e.g. in covert investigations to infiltrate paedophile networks. A remote search could be conducted in the course of the covert operation, and without compromising the covert investigation.

§Access should be limited to securing the data by copying it.

·User notification:

oWhere direct access takes place without the knowledge of the user concerned, user notification needs to be ensured.

oThe relevant considerations set out above for the European Production Order for user notification by public authorities (i.e. in coherence with Directive 2016/680) would also apply.

·Legal remedies:

oThe possibility for judicial review in the issuing State in accordance with its national law should be ensured.

oThe relevant considerations set out above for the European Production Order for legal remedies (including for third persons such as victims or witnesses) would also apply.

·The safeguards applicable for the search of the data on the device in national law (including e.g. thresholds and privileges) would be preserved.

·A drawback lies in the fact that the measure could add to the existing administrative burden in Member States that already have direct access measures in place, as it may impose additional conditions and safeguards. 

·These additional conditions and safeguards might result in restricting direct access to a narrower set of conditions as currently in place in those Member States that enable direct access. This is a result of an overall balancing act between the interest in effective investigation and prosecution of crimes and the fundamental rights of targets of those investigations, a balance that may have been determined in different ways at national level.

Measure 7*: recommendation on conditions and safeguards for cross-border online searches

This measure seeks to address problem driver 3 (section 2.2.3.), specifically the part that concerns direct access for e-evidence across borders from an information system.

Although this measure does not involve legislation at EU level, it could entail legislation in Member States, hence its inclusion under legislative action. A recommendation would set out a non-binding set of minimum standards for cross-border direct access to e-evidence. These minimum standards could be adopted by Member States and made part of national laws governing direct access. The recommendation would define conditions for the issuing of a judicial order permitting direct access, as well as a number of safeguards. The aim would be to provide common principles for accessing data that may be stored outside of the issuing Member State, thereby reducing fragmentation and increasing mutual trust among Member States. Given the non-binding nature, the impact of the measure would largely depend on Member States' willingness to adopt the proposed conditions and safeguards.

1)Scope:

The recommendation would have the same scope as Measure 7 with respect to types of investigative measures covered, material and geographic scope.

2)Conditions:

·The conditions should be enumerated in an exhaustive list.

·The recommendation would cover all types of crimes. Imposing conditions and safeguards for serious crime only would open a path for Member States to apply less conditions and lower safeguards to direct access for lesser crimes. This would be not logical and in fact inappropriate given the need to ensure proportionality of conditions and safeguards to the situation at hand, including the severity of the offence.

·The specific conditions for the three types of direct access measures to be set out in the Recommendation would be the same as those outlined above under Measure 7.

3)User notification:

·The Recommendation would suggest that, where direct access takes place without the knowledge of the user concerned, user notification needs to be ensured.

·The relevant considerations set out above for the European Production Order for user notification by public authorities (i.e. in coherence with Directive 2016/680) would also apply mutatis mutandis, given that a Recommendation is a non-binding instrument.

4)Legal remedies:

·The Recommendation would suggest that judicial review in the issuing State in accordance with its national law should be ensured.

·The relevant considerations set out above for the European Production Order for legal remedies (including for third persons such as victims or witnesses) would also apply mutatis mutandis, given that a Recommendation is a non-binding instrument.

·The safeguards applicable for the search of the data on the device itself already set out by the respective national law (including e.g. thresholds and privileges) would remain unaffected by the Recommendation.

5.3.Measures discarded at an early stage

This section lists the policy measures discarded at an early stage. Please see Annex 8 for a complete analysis of the reasons why the measures were discarded.

1)Non legislative action.

·Practical measures to enhance judicial cooperation among public authorities and direct cooperation between public authorities and service providers.

oWithin the EU:

§Develop a platform to centralise the communication between service providers and public authorities across the EU.

§Facilitate coordination of service providers to achieve full harmonisation of policies, standards and forms to provide access to e-evidence.

§Leverage ETSI (European Telecommunications Standards Institute) standards for lawful interception in telecommunications to facilitate the interactions between public authorities and service providers across the EU.

oModify the EIO form contained in the annex to the EIO Directive to adapt it better to the needs of cross-border access to e-evidence.

oWith non-EU countries:

§Develop a common online form 103  for MLAT requests to the US which could help public authorities in Member States to better comply with US requirements, in particular for probable cause in the requests for content.

2)Legislative action.

·Legislative measures on judicial and direct cooperation: amendment of the EIO Directive to include provisions on e-evidence.

·Legislative measures on judicial cooperation: international agreements.

oPromote a new United Nations convention on cross-border access to e-evidence, which would replace the Council of Europe Convention on Cybercrime.

·Legislative measures on direct cooperation with service providers.

oIntroduce mandatory data localisation, i.e. require service providers offering services in the EU to store their data in the EU.

oRestrict the scope of the legislation to data stored in the EU.

oIntroduce an obligation for service providers to decrypt encrypted data before giving access to public authorities to e-evidence.

oLimit the scope of application of the European Production Order to certain crimes (e.g. serious crimes).

oUse as a connecting factor to exercise jurisdiction:

§the accessibility of the service (e.g. web site or app) from the EU;

§the pure corporate presence in the EU of a service provider;

§the nationality of the suspect. Some of the service providers currently use this criterion to decide whether to cooperate voluntary with foreign public authorities (e.g. a service provider only facilitates access to e-evidence to Italian law enforcement if it concerns Italian nationals).

§any factor susceptible to be shaped by internal company policies.

oUse as a criterion to require service providers to designate a legal representative in the EU that the service has at least 1 million users in the EU.

oOblige service providers to nominate a legal representative in every Member State in which they are active or which they are targeting.

oAllow to address an European Production Order to any corporate presence of the service provider in the EU, without requiring service providers to nominate a legal representative in such cases.

oRely on non-EU countries for service of orders to service providers established in those countries.

oEnter into an agreement with the US to allow service of documents directly in the US on US-based service providers.

oUse under the European Production Order a notification system to the receiving State (where the service provider is located) with the right to object within 96 hours.

oA production request for non-content and a production order for content data.

·Legislative measures on direct access to electronic evidence.

oSet up an EU legal basis for direct access to electronic evidence.

oHarmonise at EU level search and seizure measures.

oRestrict the scope of the legislation to service providers with a given connection to the EU.

oRestrict the scope of the legislation to data stored in the EU (i.e. data storage requirements).

oIntroduce mandatory notification to the public authorities of the country of habitual residence of the target of the measure by the public authorities of the Member State carrying out the measure.

oIntroduce mandatory notification to the public authorities of the country where the data is stored.

5.4.Description of the policy options

The detailed analysis (see Annex 4) of the policy measures retained in the mapping stage discarded the following measures:

·in direct cooperation:

oEuropean Production Request (measure 5*);

oEuropean Production Request and Order (measure 5**);

Both measures were discarded for being less effective without bringing any additional benefits compared to the European Production Order. See Annex 4 for further details.

·in direct access:

orecommendation on conditions and safeguards for cross-border online searches in direct access (measure 7*).

This measure was discarded because given its nonbinding nature, its effectiveness would likely be limited. Its main benefit would lie in further increasing fundamental rights protections; however, these possible benefits are outweighed by the lack of legal certainty and the added risk of fragmentation. See Annex 4 for further details.

The figure below provides an overview of the measures 1 to 7 retained to form the policy options A to D. It also includes the baseline (option O):

Figure 5: mapping of policy measures and policy options

5.4.1.Option O: baseline

This section summarises the baseline scenario. More information is available in Annex 9.

The baseline or option O is the scenario in which there is no EU action. This scenario has several dimensions:

1)In general terms, the problem drivers are likely to evolve as described in section 2.3. (How will the problem evolve), worsening the situation.

·Judicial cooperation would likely take longer, given the exponential growth of electronic data and the increase in requests due to the loss of publicly available data, which is unlikely to be matched by a growth in resources to deal with the increased number of MLAT/EIO requests.

·Without a clear framework for direct cooperation between service providers and public authorities:

othe efficiency of this cooperation is, similarly, likely to decrease under the strain of the ever increasing number of requests. In addition, the sheer growth in volume of direct requests might create a disincentive for new or continued cooperation;

oin the absence of a clear legal basis in national law, law enforcement may be unable to make requests for direct cooperation that are in compliance with Directive (EU) 2016/680 (the “Police Directive” or the data protection directive for law enforcement) 104 and in particular with Article 39, which sets specific conditions for such requests;

ofor data that is publicly available at present but will move into gated-access systems by May 2018 (WHOIS), when the new data protection framework comes into effect, availability to law enforcement will cease, absent a specific legal basis to address the data protection and criminal procedural law requirements.

·Without a clear EU framework defining jurisdiction in cross-border access to e-evidence, Member States are likely to introduce different practices and legislative instruments at national level which would lead to fragmentation and hamper effective cross-border cooperation in investigations and prosecutions. This would also further exacerbate the challenges service providers already face in assessing many different legal systems and may adversely affect the willingness of service providers to continue to invest in cooperation in which they are not obliged to participate.

2)Existing and incoming EU legislation is not likely to effectively address the challenges in cross-border access to e-evidence, in the absence of specific EU action to address those challenges in each of the channels.

3)International agreements between Member States and non-EU countries are likely to evolve in an uncoordinated way without EU action. 

·Council of Europe Convention on Cybercrime:

oNegotiations on a new protocol will go ahead regardless of whether the EU acts. In the absence of EU action (i.e. active participation in the negotiations, ensuring coordination among Member States), the strength of a coordinated negotiating position would be lost, possibly with suboptimal consequences for Member States.

oAt the same time, the protocol by itself will most likely not address the problems identified as effectively as it might in combination with an EU instrument. Such a protocol, first, will not be as far-reaching as it is not based on the same level of mutual trust among the more diverse 50+ parties to the Convention and, secondly, will lack the enforcement mechanisms that EU law has, as it is an international Convention.

oIf the EU adopts its own legislative proposal on cross-border access to electronic evidence, the need for an active participation becomes even more evident as coherence between EU law and the Convention should be ensured. Otherwise Member States might be forced to choose between compliance with either the new protocol of the Convention or the new EU legal framework.

·Bilateral agreements

oJudicial cooperation between public authorities through the MLA process could also be influenced by the decision of the US Supreme Court on the Microsoft Ireland case, expected by July 2018. 105 The DOJ had previously sought access to content data from service providers in the US (also on behalf of requesting EU Member States) regardless of where it was stored. Microsoft challenged this practice in 2013 (see box below). The US Supreme Court could compel US service providers to produce e-evidence regardless of where it is stored (including evidence stored in the EU), or could limit US competence. This may further increase fragmentation.

oIn the absence of EU action, the current MLATs between the EU and non-EU countries would not be updated. In this scenario, Member States would likely be inclined to update or sign new bilateral agreements with non-EU countries, in particular with the US, to expand direct cooperation possibilities, leading to fragmentation that may hamper international cooperation in investigations and prosecutions. Member States themselves have expressed during the consultations the desire to avoid such a country-by-country approach if possible.

oThe recently proposed legislation by the DOJ may contribute to that fragmentation.

4)Direct cooperation between service providers and public authorities could evolve in a wide range of possible ways, none of which the EU would have the opportunity to shape and contribute to in the absence of EU action, likely shaped by the outcome of a relevant case on access to electronic evidence stored abroad (the "Microsoft Ireland" case) and the DOJ proposal 106 to amend the US ECPA. However, these possible changes were not taken into account in detail for the purposes of the baseline because it is at present unclear if and how the US Congress will proceed on these issues, in particular because the US Supreme Court on 16 October 2017 accepted to hear the Microsoft Ireland case.

5)Direct access to electronic evidence could increase, as Member States could introduce new legislative and non-legislative initiatives on direct access, possibly increasing fragmentation and hampering cross-border cooperation.

In summary, the baseline scenario not only falls short in addressing the concerns expressed by stakeholders, but in the absence of EU action those concerns are likely to increase as the situation worsens across multiple dimensions.

5.4.2.Option A: non-legislative action

This option groups all the non-legislative actions. It aims to address problem drivers 1 and 2 by improving judicial cooperation, both with the US and in the EU, and direct cooperation channels, thereby reducing delays and ensuring access in situations where it is currently not possible.

5.4.3.Option B: option A + international agreements

This option combines the non-legislative measures with international solutions. It aims to address all problem drivers by improving judicial cooperation and direct cooperation channels, thereby reducing delays and ensuring access in situations where it is currently not possible, and by reducing the need for judicial cooperation and clarifying jurisdiction for investigative measures.

5.4.4.Option C: option B + direct cooperation legislation

This option, building on option B plus access to databases and a European Production Order, aims to address all problem drivers, proposing a package of solutions to improving cross-border access to electronic evidence in criminal matters. It aims to achieve all specific objectives.

Regarding the direct cooperation legislation, the European Production Order has been retained as preferred option, because of its increased effectiveness compared to the European Production Request and the European Production Request and Order.

This option builds on the fact that the implementation of non-legislative measure does not exclude legislative measures and vice versa. Furthermore, the options can complement each other, in particular since the practical measures:

·are not likely to address on their own all the current challenges, such as the fragmentation of legal frameworks in Member States, which was identified as a major challenge by service providers seeking to comply with requests based on different national laws, as previously described. Also, the practical measures cannot provide legal certainty, transparency, accountability and fundamental rights safeguards that the legal measures provide;

·depend on the willingness and commitment of other public authorities (including in non-EU countries like the US) and service providers to cooperate and implement them on a voluntary basis, which increases the unpredictability of their results. In other words, they lack the enforcement mechanisms and the scope that the European Production Order could provide (i.e. mandatory compliance with requests for content and non-content data); and

·could be combined with the European Production Order in specific ways. For example, the single points of contact for service providers described in measure 1 could be used also for the legal representatives of service providers targeting the EU market with their services or providing services in the EU market.

This option also builds on the complementarity of the legislative measures proposed under direct cooperation those concerning international agreements. For example:

·They are complementary in the situations in which they apply. For example, the judicial cooperation determined by the international agreements (e.g. MLA) would apply to Member States which would not opt in the European Production Order and to non-EU countries.

·A bilateral agreement (in particular with the US), could help reduce the conflict of laws that the European Production Order could cause, or at least ensure an efficient procedure to address situations of conflict of laws. It could also take cooperation with key partner countries to a higher level, building on the Council of Europe Convention on Cybercrime and taking it above the cooperation level which can be achieved through the Convention, which brings together a more heterogeneous group of countries.

·A multilateral agreement such as the additional protocol in the Council of Europe Convention on Cybercrime could address reciprocity issues arising from the legal measures for direct cooperation:

oFor example, with regard to the European Production Order, it could address the minimum conditions and safeguards applicable to similar production orders by a number of non-EU countries with respect to data held in the EU or by providers headquartered in the EU. Also, it could improve for those countries the effectiveness of the procedure to apply the conflict of laws clause in the European Production Order.

Box 5: possible reciprocity issues arising from the legislative options

This approach would also create a useful complement to the EIO and to MLA procedures. For investigations that concern both electronic and other types of evidence, authorities are free to choose to make two separate requests (which might be desirable if swift action is required to safeguard the electronic evidence) or to submit one joint request. Several investigative measures can be included in the same MLA or EIO request, provided that they are requested from the same Member State or non-EU country. Regarding electronic evidence, there will be few cases where the Member State of establishment of the service provider would also be asked to carry out other investigative measures, as the seat of the service provider is often the only link to the other Member State. In cases where there is indeed a stronger link to that other Member State, the issuing Member State could choose to only issue an EIO, combining all investigative measures sought from the non-EU country.

5.4.5.Option D: option C + direct access legislation

This option aims to address all problem drivers across all three channels, proposing a holistic solution to improving cross-border access to electronic evidence in criminal matters. It aims to achieve all specific objectives.

This option builds on the complementarity of the legislative measures proposed under direct cooperation and legislation on direct access. For example:

·They have similar scope:

oMaterial scope, as both cover content and non-content, stored (not intercept), concerning concrete investigations of criminal offences (no mass surveillance), in all areas, and excluding machine to machine data 108 .

oGeography, as both would cover data regardless of where it is stored.

·They have similar safeguards, i.e. concerning procedural rights, intervention of a judicial authority, user notification and legal remedies.

·They are complementary in the situations in which they apply:

oDirect access would be applied in situations where there is no service provider, where cooperation with the service provider is not fast enough to avoid the risk of losing the data, not possible, or could undermine the investigation, as previously described.

oDirect cooperation on the basis of the European Production Order would be applicable in the rest of the situations where direct cooperation with the service provider is possible.

This option would also build on the complementarity of the measures under international agreements and those under direct cooperation. For example:

·A multilateral agreement such as the additional protocol in the Council of Europe Convention on Cybercrime could address reciprocity issues arising from the legal measures for direct cooperation.

·The international agreement could address the fundamental rights issues that could result from the direct access of non-EU countries to personal data of EU residents without ensuring due process and legal safeguards comparable to EU standards.

6.What are the impacts of the policy options?

6.1.Qualitative assessment

The qualitative assessment of the options based on their social, economic and fundamental rights impacts 109 was done in two stages:

1)Qualitative assessment of the policy measures (see Annex 4).

2)Qualitative assessment of the policy options (this section), based on the above assessment of the corresponding measures.

6.1.1.Social impact 

As the objective of the initiative is to ensure effective investigation and prosecution of crimes in the EU, the focus of the social impact assessment is on crime and security, in particular on public authorities' capacity to investigate and prosecute criminal activity. Any improvement of this capacity could also lead to improved deterrence for criminals, better protection of victims and improved security for EU citizens. According to Member States' input, cross-border access to e-evidence is relevant for more than half of all investigations, and many investigations come to a dead end because of failed access. Therefore, any improvement of cross-border access could have a positive impact on Member States' capacity to investigate and prosecute crime.

Option O: baseline

In the baseline scenario, authorities' capacity to investigate and prosecute crime will not improve, but is rather expected to be further reduced. This is due to the exponential growth of electronic data and the move away from publicly available data, requiring judicial cooperation procedures where formerly a direct lookup sufficed. In addition, lower or no roaming fees create incentives for criminals to use the cheapest providers in the EU for throwaway phones, regardless of Member State, expanding cross-border use. Together, these changes are likely to create a significant burden on the current system.

As previously described, judicial cooperation would probably take longer. Countries are unlikely to invest at the necessary level to deal with the increased number of MLAT/EIO requests, especially where they do not see a need for these procedures. This is particularly true for countries like the US which are taking steps to decrease reliance on judicial cooperation procedures when foreign authorities contact service providers established there. Such countries would not necessarily see a need to invest more in procedures that, from their perspective, are superfluous. They would only be motivated by an interest in serving the needs of partner countries.

Similarly, in the absence of a mandatory legal framework, direct cooperation between service providers and public authorities is likely to suffer under the strain of the ever-increasing number of requests. Feedback from the consultation process indicates the clear and growing limitations of the existing process (see Annex 2). Without an EU framework for cross-border access to e-evidence, and in view of the clear need expressed both at expert and ministerial level, Member States are likely to introduce different practices and legislative instruments at national level, which de facto cannot foster harmonisation and would lead to fragmentation. Uncoordinated solutions could also create conflicting obligations for service providers, and increase the administrative burden inherent in many different national solutions. This development is already taking place: for example, Italy has put forward new draft legislation to impose an obligation on service providers active there to nominate a legal representative in Italy. Italian authorities could thus serve domestic production orders on these companies, and have domestic enforcement tools at their disposal.

These likely developments, taken together, could create further obstacles to access e-evidence, resulting in an increased number of delays and unanswered requests. In addition, as companies within and beyond the EU start implementing stronger data protection rules, data minimisation and related rules should lead to swifter deletion of metadata in particular, in the absence of a specific legal basis for the retention. Inefficiencies and delays in data requests would lead to a growth in unanswered requests as the data would have been deleted already. This could result in less effective investigations and prosecutions, which in turn could lead to a decreased deterrent effect, less effective protection for victims and a lower overall perception of security.

Option A: non-legislative action

The practical measures to enhance judicial cooperation between public authorities in the EU and in the US, in particular the training of EU practitioners and the sharing of guidelines and best practices, would to some extent improve the quality of MLA requests submitted by EU authorities and would therefore both accelerate the treatment of these requests and improve their success rate.

The establishment of a platform for online exchange of e-evidence between EU competent authorities and the creation of an electronic form for EIO requests is expected to facilitate judicial cooperation between competent authorities of Member States, allowing them to secure and obtain e-evidence more quickly and effectively. Regarding direct cooperation with service providers, the foreseen training and sharing of guidelines and best practices as well as the creation of SPOCs should improve the quality and the treatment of requests. The streamlining of procedures and standards could increase effectiveness of voluntary cooperation channels.

These practical measures, which were widely welcomed by stakeholders, would to some extent improve the efficiency of the process: less resources would be spent on the process, and there would be an increase of the total number of requests made because requests that were not done previously because of the complexity of the process or a lack of knowledge about the procedure would now be done, thereby improving access to electronic evidence. This could in turn result in more effective investigations and prosecutions and contribute to improved deterrence for criminals, better protection of victims and improved security for EU citizens.

On the other hand, the room for improvement is limited by the shortcomings of the existing framework, or the absence of a framework. The measures in option A can only partly address the identified problems, as they cannot provide solutions to fragmented legal frameworks among Member States. The improvements to judicial cooperation channels would not fundamentally change the process, meaning that they will remain longer and more resource-intensive when compared to direct cooperation channels. Training and exchange of best practice could significantly improve the use of existing channels. For example, as reported in the EU-US MLA Agreement Review Report, direct cooperation has improved as regards providing content data in emergency cases such as those involving imminent risk of serious injury or death, including in terrorism cases. The usual process is that EU Member States’ law enforcement authorities liaise with the U.S. authorities who, in turn, facilitate the voluntary provision by service providers of the required material pursuant to U.S. law. This arrangement has worked very well and, in the most exceptionally serious and urgent cases, the U.S. has assisted in the obtaining of evidence in under 24 hours. Under U.S. law, such voluntary disclosure in emergency situations is accomplished without the need to meet the probable cause test. This improved cooperation is due at least in part to training, administrative cooperation and exchange of best practice. However, as can be deducted from the above description, these emergency procedures have strict conditions and are highly exceptional. They cannot be used for the large majority of number of cases where electronic evidence is needed in the framework of normal criminal investigations. While training and information to judicial authorities may lead to improvements in the use of MLAT channels, they cannot address the problems of bottlenecks on the US end, where authorities are overloaded by requests from all over the world. It is most unlikely that a situation where the number of direct requests outnumbers the number of MLATs by a factor of 10 would be dramatically overturned by such measures.

In addition, the US have little incentive in further investing in procedures which are not required under their laws and not necessary to protect sovereign interests. Under these circumstances, the practical improvements to the current system are naturally limited.

The practical solutions for direct cooperation would also not address the need for increased legal certainty, transparency and accountability in direct cross-border cooperation between authorities and service providers, which was highlighted as a key issue by all stakeholders in the expert process. Finally, the proposed measures on cooperation with service providers would only cover providers under US jurisdiction and be limited to non-content data. Therefore, while the overall impact on the effectiveness of criminal investigations should be positive, this measure by itself would not fully address the problem, as also highlighted by experts during the consultation.

Option B: option A + international agreements

The impacts of this option are the same as in option A, plus those of international agreements, described below.

A broadly applicable international regime, which could possibly also include the US, would be easier to implement for national authorities and service providers than many divergent regimes. The impact on the ability of public authorities to investigate and prosecute crime would depend on the concrete provisions negotiated and on the participating countries. Both judicial cooperation and direct cooperation could be improved. However, with an increasing number of countries involved, the likelihood of a shared understanding of the necessary conditions and safeguards decreases, and solutions are likely to be limited in scope.

Bilateral agreements could create more legal certainty on the basis and process for direct cooperation with private parties in non-EU countries, and allow for a tailor-made solution befitting both partners. An EU-US Agreement could allow service providers under US jurisdiction to provide content data to EU public authorities, which is currently not possible. This in particular could not be achieved by EU legislation alone, as – depending on the circumstances of the case – it could create a conflict of law with US law. Both bilateral and international agreements were therefore widely cited as good options by a range of stakeholders.

However, both bilateral and multilateral agreements are uncertain; it could take years, if at all, to reach an agreement, and the precise outcome is beyond the EU's control as it would also depend on the non-EU countries involved.

In conclusion, option B would possibly lead to improvements, but these improvements are highly uncertain and depend on a number of actors. Moreover, it is unlikely that the issues affecting the current legal framework would be adequately addressed by this option.

Option C: option B + direct cooperation legislation

The impacts of this option are the same as in option B, plus those of direct cooperation legislation described below.

European Production Order (EPO)

A measure allowing judicial authorities to compel certain foreign service providers to provide information, in a similar way to that of domestic providers, would bring significant benefits in terms of efficiencies both compared to judicial cooperation channels and to voluntary cooperation that exists with US providers on non-content data.

The major benefits of such a mechanism would be to provide a direct channel for the large majority of cases where the interest of the "receiving" country (from the judicial cooperation perspective) in the investigation is small to non-existent. It would accelerate the process compared to judicial cooperation tools, and create a mandatory framework compared to the current cooperation with US providers, which is voluntary from the perspective of US law. The European Production Order would be enforceable vis-à-vis service providers, meaning that the success rate would be significantly higher than under the current voluntary framework (where it is currently estimated to be below 50%). Because of possible cases of conflict with US law, it would not always allow EU judicial authorities to obtain content data. However, it is evident from the annual number of requests for non-content data to the US (around 120,000) as compared to the number of MLA requests, which must contain all requests for content data outside emergency situations (around 1,300), that the volume of non-content requests far exceeds those for content. Therefore, even if challenges persist when it comes to content data, the initiative would add significant value for a large proportion of requests.

With regard to EU providers, it would introduce a new mechanism, leading to a significant shift from judicial cooperation channels to more efficient direct cooperation channels.

Given that the proposed approach would represent a new step in judicial cooperation, amending existing instruments would not have the same effect. The closest instrument would be the European Investigation Order which has a different scope and cannot properly address the challenges on cross-border access to e-evidence in particular when it comes to deadlines and administrative burden. Overall, it would provide greater legal certainty and reduce the level of complexity and fragmentation for all stakeholders concerned. Authorities in particular welcomed this option in the consultation, but also service providers and civil society highlighted the need for a clear and certain framework with a robust set of guarantees.

The fact that the European Production Order would cover all forms of crime and not be limited to serious forms of crime would significantly improve the efficiency of the instrument.

It could be argued that such an option may create an incentive not to store data. However, this incentive is limited in impact as the current and future EU data protection and e-privacy frameworks already contain a data minimisation obligation: service providers are not to store data unless it is justified for certain specified purposes. In other words, data storage is determined by the purpose of the data processing and less by the possibility that a part of that data will be requested by police or judges in the framework of a specific crime investigation. Furthermore, the creation of a more effective channel to obtain electronic evidence from service providers is not expected to increase significantly the total number of requests.

The framework could also reduce issues experienced by authorities in some Member States with the admissibility in court proceedings of electronic evidence obtained through direct cooperation with service providers.

Overall, option C may result in evidence being obtained faster and evidence being obtained which public authorities would not even have tried to obtain currently because of the long delays or lack of legal basis. It would allow for a combination of the benefits for all types of measures covered by this option, as the measures are complementary, serve alternative purposes and address different problem drivers.

Improvements of judicial cooperation channels would still be useful and was highlighted as a key priority during the expert process: where the European Production Order would not help, e.g. in conflicts of law situations (content data with the US), judicial cooperation would prevail. For judicial cooperation among Member States, EIOs may still be issued to obtain e-evidence, e.g. when an investigating State needs different types of evidence form another Member State and requests it all in one go rather than choosing the European Production Order which would only work for part of the evidence. Any new instrument therefore should ensure coherence with the EIO and other procedures for judicial cooperation; this has been taken into account in the considerations. Often, however, the request for electronic evidence is an isolated one.

Some of the practical measures to improve cooperation between public authorities and service providers would to some extent become superfluous if the EPO came into force, as the legislation would establish a procedure, standard forms and an obligation to designate a legal representative. As this may take years, there would still be a benefit in the short term to introducing these practical measures on a voluntary basis. Furthermore, given that the scope of the measure is still not finalised, there may well be situations where such procedures would be necessary to obtain evidence. In addition, the training would be helpful in case of a change in legal framework because there would be a need to acquaint practitioners with the changes.

The international solutions complement legislative measures. In particular, once an agreement with the US was in place, removing conflicting obligations, the measure on cooperation with service providers could also allow authorities to obtain access to content data.

Access to WHOIS databases

Legislation providing for a legal basis to perform searches in the WHOIS database would enable authorities to continue to access the system in much the same manner as they currently do, even if some of its data elements should become password-protected and no longer publicly available. Authorities specialised in cybercrime make look-ups to the WHOIS many times a day. Providing a new legal basis for the changed circumstances would preserve an essential tool in online investigations and would prevent a significant decrease in effectiveness of investigations, as highlighted by stakeholders in various forums (see Annex 12).

Option D: option C + direct access legislation

The impacts of this option are the same as in option C, plus those of direct access legislation described below.

The option to provide a legal basis for Member States to adopt legislation on direct access, subject to stringent conditions and safeguards, could improve the capacity of public authorities to investigate and prosecute crimes, both with regard to the time to obtain data and to the number of cases where e-evidence is successfully obtained. As highlighted by authorities, alternative judicial cooperation channels are not possible in all cases. Moreover, they would at times not be successful because of longer procedures. Putting in place a harmonised system of conditions and safeguards would provide a basis for enabling direct access in a manner that is mutually acceptable among Member States. By leaving the scope of measures in those Member States that already have efficient solutions in place largely untouched, the measure would not lead to any significant decrease in efficiency in those Member States.

Taken together, option C and direct access proposed would bring the most significant gain in terms of improving the capacity of public authorities to investigate and prosecute crimes. It would allow combining the benefits for all types of measures, as the measures are complementary, serve alternative purposes and address different problem drivers. This also applies for the two legislative measures, which address different situations and would, if combined, provide for a set of efficient tools to obtain cross-border access to e-evidence. A shift from judicial cooperation channels to these two tools can be expected for cases which do not necessitate involvement of another country, which would make access to e-evidence faster and more efficient. It would also respond to the calls from the Council and other stakeholders.

6.1.2.Economic impact

The assessment of the economic impact of the different options focuses on the impact on service providers and public authorities impacted by the measures.

Option O: baseline

In the baseline scenario, the number of direct cooperation requests for non-content data is bound to increase. EU and US service providers will continue to receive requests for content data via judicial cooperation channels via their own judicial authorities, with numbers bound to increase here too in a similar order of magnitude as for direct cooperation. In both cases, service providers will either allocate additional resources to manage the increasing number of requests, or not, leading to an increase in the time to respond to such requests.

Public authorities are faced with a growing need for access to electronic evidence, which will further increase the number of requests, both using formal judicial cooperation channels and direct cooperation channels, and increase their costs. This was highlighted by authorities in particular throughout the consultation process.

Given the likely move of the WHOIS to credentialed systems, service providers could face an important rise in requests for access to subscriber information for domain names. This would create a significant additional burden both on courts and authorities in EU Member States and on the service providers, most of which do not yet have any procedures in place to deal with the expected increase in individually reviewable requests. Therefore, an important rise in costs both for internet infrastructure service providers and for national authorities is to be expected in the absence of action.

Legal fragmentation and legal uncertainty would remain and could act as a barrier to growth and innovation.

Option A: non-legislative action

Compared to the baseline scenario, the practical measures to enhance cooperation between public authorities in the EU and in the US would to some extent improve the quality of MLA requests submitted by EU authorities and would therefore generate efficiency savings for EU and US authorities. In particular the training of EU practitioners and the sharing of guidelines and best practices should have a positive impact, according to the experts consulted. The number of MLA requests from Member States to the US would likely increase slightly.

The development of the secure online platform would generate low costs for Member States who would connect to it, given that it is mostly financed from the EU budget. The platform itself would reduce costs for authorities requesting electronic evidence from another judicial authority in the EU using the EIO, by facilitating the creation and exchange of such requests.

The practical measures addressed to authorities to improve cooperation with service providers (SPOC, training, standardised forms, online portal) would generate some moderate costs for them 110 , but also improve the quality of requests and would therefore lead to a net reduction of resources and costs for both service providers and public authorities. Those practical measures addressed to service providers (SPOC, streamlining of policies) would similarly generate moderate costs for service providers, in particular if changes to procedures have to be implemented, but public authorities would have a clear point of entry, reducing transaction costs, and would be faced with more consistent policies, meaning that they would not have to adapt to a variety of individual service providers' policies, leading to cost reductions for them. In addition, these practical measures may also lead to a slight shift from judicial cooperation channels to direct cooperation channels based on a better understanding by practitioners of this later channel, generating further savings, and to an increase of the total number of requests made via direct cooperation because requests that were not done previously because of the complexity of the process or a lack of knowledge about the procedure of a particular service provider would now be done. The overall benefit from the practical measures implemented by authorities should outweigh the costs, including those incurred by service providers that choose to implement practical measures on their side.

There would be a limited impact on non-EU countries, in particular as more requests use a more effective direct cooperation channel.

As the practical measures work within the present-day legislative framework, SMEs would be free to choose whether to participate or not in direct cooperation, given that there is no legal obligation to do so under US law. Within the EU, direct cooperation is not possible besides exceptional cases so there is no impact on SMEs. In the context of judicial cooperation, SMEs in the EU and beyond would likely stand to benefit from an increased quality of requests in the same manner as the larger providers.

Option B: option A + international agreements

The impacts of this option are the same as in option A, plus those of international agreements.

International solutions that would allow direct cooperation with service providers, be it in the framework of a multilateral or a bilateral agreement, could lead to a shift from judicial cooperation procedures to direct cooperation with service providers. Similar considerations regarding the economic impact on businesses and on public authorities would apply as for a measure on direct cooperation with service providers. Legal certainty could be improved and conflicts of law avoided in relation to the states that are party to the agreement, which could result in a reduction of burden and associated costs for service providers, as stakeholders highlighted during the consultation. A shift from judicial cooperation channels to a new form of direct cooperation and direct access instituted under any such agreement would likely apply to a greater extent in the framework of a bilateral agreement, given that the scope of a bilateral agreement is likely to be wider than in a multilateral context. This could be largely cost-neutral for service providers: the initial costs associated with the adaptation to any new legal framework could be offset by efficiency gains thanks to the reduction in complexity and number of laws applying to the same types of situations.

Any option including international agreements could have a similar favourable impact on non-EU countries as in Member States, as the agreement would define common approaches.

Option C: option B + direct cooperation legislation (EPO + access to databases)

The impacts of this option are the same as option B, plus those of the EPO and access to WHOIS databases.

European Production Order (EPO)

If an efficient procedure is implemented to obtain cross-border access to electronic evidence, a significant proportion of judicial cooperation requests would shift to direct cooperation as the more efficient instrument. This concerns predominantly intra-EU requests, as direct cooperation was previously not possible here, whereas a change in numbers regarding direct cooperation with US providers is not expected. Some shifts are to be expected from direct access as well, according to expert feedback. In addition, public authorities will attempt to obtain such data also in cases where today they may have been discouraged even to try due to the cumbersome procedure required, as practitioners explained. As a result, an increase in the total number of direct cooperation requests is expected.

The European Production Order would introduce additional burdens for service providers, but also benefits for them. European service providers would receive such requests directly from public authorities from other Member States, instead of from their own public authorities. They would be subject to two sets of requests, domestic ones and European ones. This could possibly lead to uncertainty as to the applicable legal framework. To mitigate such risks, the proposal would introduce a unique form used by all public authorities throughout the Union for cross-border cases, to be translated into the language of the service provider. US service providers would benefit from a more harmonised legal framework for cross-border requests, instead of 28 different ones, and of increased legal certainty.

If the European Production Order would cover all forms of crime and not be limited to serious forms of crime, there might be an additional shift of requests to direct cooperation from judicial cooperation. The total number of requests they have to reply to would likely not change significantly, or only for those cases where public authorities decide not to pursue a case further because it would be too cumbersome to obtain the data via judicial cooperation.

The obligation to designate a legal representative in the Union would generate costs, in particular for service providers not established in the Union, who would have to mandate somebody in the Union to carry out this task. In particular for SMEs not established in the Union, there is a fear that this could represent an important burden 111 . On the other hand, this legal representative could be shared between service providers, and it could cover several functions (e.g. GDPR, ePrivacy and EPO), reducing the costs.

For public authorities, a legal framework for direct cooperation with service providers would improve efficiency, leading to a shift from judicial cooperation channels. When acting as issuing authority, public authorities would apply the same procedure, whether the service provider is established inside or outside of the Union, if they have jurisdiction under the proposal. Moreover, there would only be one authority involved, instead of two, as for judicial cooperation channels. This would reduce the costs for those authorities that otherwise would have had to recognise and execute judicial cooperation requests.

A combination of measures would result in cumulated cost reductions for both service providers and public authorities compared to the baseline scenario. The expected shift from judicial cooperation channels to cooperation with service providers could lead to important cost savings for judicial authorities both in the issuing and in the receiving State. Improvements in judicial cooperation channels, which, as explained above, would remain relevant in certain cases, could also result in some cost savings. Implementation of both practical and legislative measures would generate some costs for Member States, but these should be offset by the cost savings described above.

The biggest change for service providers offering services within the EU is that they would receive requests directly from public authorities in another Member State, rather than from their own public authorities via MLA or EIO channels. For those that participate in direct cooperation already, the main benefit would be the legal certainty and the harmonisation of procedures and forms of requests. For all service providers but particularly for SMEs, the nomination of SPOCs on the law enforcement side would make it easier (and cheaper) to authenticate EPOs.

Access to databases

If a solution is provided for access to WHOIS, authorities might be able to maintain the level of access they benefit from today, as the databases concerned are already in place. Therefore, costs would remain the same; there would be no additional costs generated by this proposal on the providers' side, and the same would be true for authorities. Costs generated by the planned changes to the WHOIS database system are independent of this proposal. The proposal would also prevent an avalanche of individual orders to service providers to produce the data, which might otherwise generate significant costs for both sides.

Option D: option C + direct access legislation

The impacts of this option are the same as in option C, plus those of the measure on direct access, which would not impose any new obligations or administrative burdens on service providers. For public authorities, there would be one-off costs for implementation of legislation. Over time, efficiency gains are to be expected because direct access involves fewer actors and is generally swifter, requiring fewer resources than judicial cooperation procedures in those situations where Member States would have chosen such alternative channels. However, because of the specific conditions for these kinds of measures, it is not expected that the cases will be numerous. Therefore the impact should be moderate.

This option should not have any effect on non-EU countries. Some non-EU countries may however object to foreign law enforcement accessing data stored in their territory.

6.1.3.Fundamental rights impact

The assessment of the fundamental rights impact of the different measures and options was carried out with particular attention, involving experts in fundamental rights and data protection, both inside the Commission and external stakeholders. The assessment included a dedicated meeting with data protection experts from the Member States and with the EDPS on 2 October (cf. Annex 2.2). The safeguards that are part of the legislative measures are the result of this assessment.

This initiative could affect the following fundamental rights:

·rights of the data subject whose data is accessed: right to protection of personal data; right to respect for private and family life; right to freedom of expression; right of defence; right to an effective remedy and to a fair trial;

·rights of the service provider: right to freedom to conduct a business; right to an effective remedy;

·rights of EU citizens: right to security.

Option O: baseline

In the baseline scenario, within the framework of public authorities’ cooperation through EIO/MLA, the concrete protection of fundamental rights of persons whose data is sought will continue to be ensured through national authorities acting under national and EU law, including the Police Directive and EU directives on procedural rights, such as the Directive on the right to information in criminal proceedings 112 . When applying the EIO Directive, the Charter of Fundamental Rights applies. For judicial cooperation channels, a double check takes place: at the level of the issuing authority, under the national law of the issuing State, and at the level of the executing authority, under the national law of the executing State 113 .

Regarding the voluntary cooperation regime, the investigations and prosecutions are exclusively conducted in accordance with the national law of the investigating State, but the service provider may refuse based on the law applicable to it if that prohibits disclosing the data to foreign authorities (e.g. US law preventing the disclosure of content data to foreign authorities). For many Member States, national law authorises data requests to domestic service providers, but does not explicitly provide for the possibility to request data from foreign ones, which means that public authorities request such data from US providers in an uncertain legal environment.

Obtaining data under the current voluntary cooperation regime in the absence of a precise legal framework may affect the fundamental rights of the persons affected by the measure, including the right to an effective remedy, the right to respect for private life, and the right to the protection of personal data, as stakeholders also mentioned in the consultation. The Charter does not apply. In the absence of a clear legal basis, public authorities may be unable to make requests for direct cooperation that are in compliance with the Police Directive for law enforcement and in particular with Article 39, which sets specific conditions for such requests. Some US service providers verify the legality of a request for data, mostly with regard to the law of the issuing State, but they are private parties, not judicial authorities (who are the ones responsible). In the absence of a mandatory regime, the rights of service providers are not affected.

Direct access takes place in accordance with the national law of the investigating State, which regulates the conditions and safeguards applicable to the investigative measure such as the search and seizure. These vary between Member States, but as these investigative measures are among the most intrusive, there is generally a high level of protection. The Charter does not apply.

The problems affecting cross-border access to electronic evidence negatively affect the fundamental rights of persons who are or may become victims of crime (e.g. the right to life and dignity, and the right to property). This negative impact stands to increase with the growing need for cross-border access, in particular if publicly available data becomes available upon individualised request only.

Option A: non-legislative action

Compared to the baseline scenario, a very limited impact on fundamental rights may be expected with respect to cooperation between public authorities, if at all: The establishment of a secure online platform for authorities to exchange EIO/ MLA requests which ensures confidentiality of all data sets may have a positive effect on the protection of personal data. It would furthermore increase transparency and accountability and contribute to ensuring sound administration. There would be no change with regard to legal certainty and individuals' rights in the framework of voluntary cooperation with service providers.

The problems affecting cross-border access to electronic evidence would only be partially addressed through these measures, so the situation would still negatively affect the fundamental rights of persons who are or may become victims of crime (right to security). The negative impact would conceivably be less strong compared to the baseline.

Option B: option A + international agreements

The impacts of this option are the same as in option A, plus those of international agreements, described below.

International agreements may be advantageous, as they might allow ensuring an adequate level of protection of fundamental rights, including data protection. They could allow for a joint definition of mutually acceptable conditions, thus reducing conflicts of law, and specific mechanisms to ensure fundamental rights protection, possibly elevating international standards to the EU level. They would also contribute to legal certainty, which could have a positive impact on the right to security and the freedom to conduct a business. Given their wider geographical coverage, they would therefore add value compared to the previous options.

Option C: option B + direct cooperation legislation (EPO + access to databases)

European Production Order (EPO)

An EPO could potentially affect a number of fundamental rights of the affected persons. To ensure the protection of the rights of these persons, the measure includes the safeguards outlined in section 5. The intervention of a judicial authority when the order is issued would ensure that the legality of the measure has been checked and that the order does not unduly infringe on fundamental rights, including the effects of important legal principles such as the lawyer client privilege or protection of journalistic freedoms. As the measure would not include a limitation to serious forms of crime, the issuing judicial authority should be required to ensure in the individual case that the EPO is necessary and proportionate, including in view of the gravity of the offence under investigation. This would prevent that an EPO is issued in a situation where it would be disproportionate in view of the lack of seriousness of the offence, but avoiding at the same time that the instrument could not be used at all for certain types of crimes which may become important for other reasons in specific cases, e.g. because they affect a high number of victims. The judicial authority would also be required to check that the data category sought is necessary for and the request itself is limited to what is necessary for and proportionate to the purpose of the proceedings.

The possibilities of an effective remedy for persons whose data is being requested would also be addressed. Immunities and privileges of certain professions such as lawyers would also have to be taken into account during trial in the issuing State, as highlighted by a number of stakeholders. The review by a judicial authority will serve as a further safeguard here.

Because the production order would be a mandatory measure, and it would also encompass the obligation to designate a legal representative, the measure could also affect the rights of service providers, in particular the freedom to conduct a business. Insofar that such measures could affect rights and freedoms of the service providers stemming from Union law, the proposal would include a right for the service provider to raise certain types of errors before a court or a tribunal in the issuing Member State, e.g. if the order has not been issued by a judicial authority.

One of the risks of a mandatory approach would be that it could inspire non-EU countries which do not have fundamental rights safeguards in place that can be considered comparable to those in the EU, including in the field of data protection, to introduce a reciprocal obligation for EU service providers active on their territory. This could undermine the high level of data protection ensured by the EU acquis, by making this data potentially available to such non-EU countries. This "model" role of EU law could be addressed in two ways: first, by providing a proposal that contains strong safeguards and explicitly references the conditions and safeguards already inherent in the EU acquis and can thus serve as a model for foreign legislation; and secondly, by including a specific conflicts of law clause that would allow service providers to identify and raise conflicting obligations they would be facing. This clause would give a role to the law of the non-EU country and include the possibility for consulting the authorities of that country on the existence of such conflicting obligations, and for taking their views into account in the decision on whether to uphold or annul the contested EPO. International agreements may further reduce conflicts of law situations. However, given that a number of non-EU countries have already implemented their own approaches to these matters, expectations as to the positive impact of any "model" role of EU law necessarily have to be limited. This is particularly true for the fundamental choice as to whether to address the challenges by imposing data localisation requirements, which this initiative seeks to avoid in view of the inherent negative side effects.

The above analysis suggests that, if applied with proportionality and complemented with the proposed safeguards, each measure in this policy option respects fundamental rights. On the other hand, by not including a measure on direct cooperation, or delaying its adoption, option C would leave direct cooperation to diverging national regimes, thereby not ensuring a similar high level of protection in the Union of direct access measures; safeguards would remain a national issue. Minimum safeguards could potentially stem from the additional protocol to the Budapest Convention, but it is too early to say. With a functioning mechanism to obtain data from service providers, it can be assumed that there would be fewer incentives for Member States to use direct access also in situations where they could instead go to a service provider.

Access to databases

The impact on fundamental rights of the legal base for access to dedicated database systems would be small as the data contained in this database is not particularly sensitive in nature and authorities' access would remain essentially unchanged. Creating such a legal base would also indirectly allow the system to move to a tiered-access model as it could still ensure the vital public policy interests at stake. This in turn would have a positive effect on individuals' fundamental right to privacy, as their personal data would no longer be publicly available and access to it – especially for abusive purposes – would be limited in a more effective manner.

Option D: option C + direct access

The impacts of this option are the same as in option C, plus those of a measure on direct access, as described below.

This option would allow public authorities to access data that is not publicly available and that is, in most cases, personal data. However, the intrusiveness is already inherent in the national investigative measure, such as the search and seizure measure. Possible EU legislation instituting conditions and safeguards could inspire further EU Member States – beyond the 20 which already provide for direct access – to adopt legislation on these issues. A proposal would therefore indirectly have an impact on the rights of the target of the investigation. It would allow public authorities to also access data stored remotely if it is not clear whether it is stored on their territory, where this is not yet provided for in national law, i.e. it would widen the scope of the measure to data to which they may not necessarily have had access until now. But whether the data is stored on a device or remotely in the cloud, on the territory of the investigating Member State or in a non-EU country, should not be a relevant factor regarding the fundamental rights protection of the data subject (which should be ensured by the conditions and safeguards), nor regarding the sensitivity of access by public authorities.

As the measure would be anchored in national law, all safeguards and conditions set out by the respective national law would be preserved by this instrument (including thresholds and privileges). In addition, it would include additional conditions and safeguards to ensure that the use of this measure remains exceptional, such as the requirement that the data sought is necessary for the investigation and the measure is limited to what is necessary and proportionate to the purpose of the proceedings, also in view of the nature and gravity of the offence under investigation. It would therefore likely have a positive impact on the fundamental rights of the person affected as it could serve to limit overly broad national legal bases. It would also have a positive impact in creating legal certainty on the mutual acceptance among EU Member States of the respective national measures.

Again, there is a risk of reciprocal response by non-EU countries. At the same time, a number of non-EU countries would not need to rely on EU legislation, as they may have already put in place other approaches to ensure access to data, such as data localisation obligations or a more expansive set of investigative measures, including possibilities for investigators to directly access data, going further than what is proposed here. In that light, creating a framework for access to electronic evidence that builds on the robust protections already provided for under EU law and including specific safeguards could also set a positive example. Moreover, international agreements may reduce reciprocity issues, if they include agreements on direct access as is already the case – to a limited extent – under the Budapest Convention.

When assessing a combination of all measures, the main ones impacting fundamental rights are the legislative measures. As explained above, they would include sufficient safeguards to make them compatible with fundamental rights. A combination of all legislative measures, including international solutions, would facilitate cross-border access to personal data to the biggest extent, and would also ensure that fundamental rights are most widely protected in all situations covered by these measures. If only some of these measures would be pursued by Union law, it would still leave room for either national unilateral solutions and/or voluntary cooperation outside of a clear legal framework. The legislative measures would also ensure that the practical measures can take place in a legal framework where fundamental rights are protected, thereby complementing the practical measures from a fundamental rights point of view.

In the Tele 2 judgement 114 , the ECJ held that general and indiscriminate data retention legislation concerning metadata entailed a particularly serious interference with the rights to privacy and data protection and that the user concerned is, as a result, likely to feel that their private lives are the subject of constant surveillance. It could also, according to the Court, affect the use of means of electronic communication and thus the exercise by users of their freedom of expression. The scope of the two legislative measures is limited to a concrete investigation and not in abstracto, and therefore cannot be compared to a general data retention scheme. The interference with fundamental rights is justified by the aim of the measure, which is to ensure effective investigation and prosecution of crimes in the EU. This would be ensured in each individual case by the issuing judicial authority.

The above analysis suggests that, if applied with proportionality and complemented with minimum conditions and safeguards, the measures in this policy option respect fundamental rights.

6.2.Quantitative assessment

The quantification of the costs and benefits of the policy measures/policy options is limited by the lack of data, and requires the use of a number of assumptions, described in detail in Annex 4. Given these limitations, the estimates in this section provide an idea of the order of magnitude of costs and benefits and therefore should not be taken as exact forecasts.

This section summarises the quantitative assessment for each policy option by estimating:

·the main administrative costs for Member States (i.e. transposition and enforcement of the legislation) and service providers (i.e. compliance with the legislation), distinguishing between one-off and continuous (annual) costs.

·the main benefits (savings) due to:

oa reduction of current administrative costs, for Member States and service providers; and

oa possible reduction of crime caused by the stronger deterrence that a more effective investigation and prosecution of crimes could create, thanks to improvements in cross-border access to e-evidence.

6.4.1 Costs

The costs of this initiative are purely administrative, i.e.:

oCost/minute:

§It includes:

·the salary based on the median of the salaries in the EU of level 2 professionals in the International Standard Classification of Occupations (ISCO) 115 ;

·non-wage labour costs such as employers’ social contributions;

· 25% overhead (i.e. expenses not related to direct labour, such as the cost of office equipment.)

§The value is 30 EUR/hour = 50 cents/minute.

§It is assumed that this value remains constant for all options and over time.

oMinutes required to do a task:

This value can change from option to option, in two ways:

§the time required to do one task changes, or

§the total number of tasks changes.

Considering the above, to calculate the costs of each option the following 5 questions where analysed for each of the measures:

1.Are there any one-off costs? (e.g. transposition of the legislation).

2.Does the measure change any of the times required to do any task required to attempt to access e-evidence across borders in each of the three channels (i.e. judicial cooperation, direct cooperation and direct access)?

3.Does the measure change the total number of attempts to access e-evidence across borders in each of the 3 channels?

4.Combining the above, does the measure change the total time to attempt to access e-evidence across borders?

5.Combining the above, does the measure change the total continuous costs to attempt to access e-evidence across borders?

Limitations

·The implementation of practical measures would be voluntary for both Member States and service providers, so it is not possible to provide accurate estimates of actual costs.

·The assumptions have a certain degree of approximation and subjectivity. To mitigate this, the methodology, the model and the input data were discussed and validated with external experts and reviewers in several dedicated meetings (focus groups). The experts included practitioners from both the private sector (service providers) and from public authorities in Member States.

·For international measures 3 and 4, because of the high degree of uncertainty regarding what would be agreed and when, it is not possible to quantify the impacts at all.

The tables below summarise the one-off and continuous costs estimates for the retained policy measures and the policy options they combine into (savings are indicated in red and with a minus sign):

Table 7: one-off and continuous costs estimates for the retained policy measures (EUR)

The Member States that are likely to be most impacted are Germany, UK and France, as the major issuers of requests (see section 2.1.1.) and Ireland as a major addressee of requests where a number of important service providers are established.

See Annex 4 for further details on the model, the assumptions and the calculations.

6.4.2 Benefits

There are two types of benefits

·Savings in administrative costs:

oThey derive directly from the calculation of costs in the previous section.

When these costs are lower than those that would be incurred in the baseline scenario, they are benefits.

oAll the options except the baseline generate savings, as shown in table 8 above.

·Reduction of crime:

oTo estimate how each policy option could reduce crime, the qualitative scores on the social impact (enhanced security through more effective fight against crime) obtained in the assessment of each policy option were translated into percentages of decrease of crime.

oThe qualitative scores range from -3 (baseline) to +3 (option D) (see table 9 below).

oIn the baseline (policy measure 0), it was assumed that there will not be any decrease of criminal acts and organised crime gains (0%).

oThe qualitative scores range of -3 to +3 results in a respective range of 0% to -3% change (decrease) of criminal acts and organised crime gains. This assumes that the range of decrease of crime due to increased deterrence thanks to the implementation of a given option would be between 0% and 3%.

oThe range of qualitative scores for the policy measures was converted into a range of percentages taking the above into account, resulting in the following table:

Table 9: one-off and continuous costs estimates for the policy options (EUR)

oIt assumes a current level of crime of 1.5% of EU GDP 116 , i.e. EUR 222 billion, based on estimates from the United Nations Office on Drugs and Crime 117 .

Limitations:

·For the benefits derived from a reduction of crime, the assumption on the conversion of the qualitative range into percentages of decrease of crime was used for the sole purpose of comparing the options. Therefore, the total value of benefits derived from a reduction of crime for a given policy option must be interpreted in relation to the other options, rather than as an accurate estimate of the actual reduction of crime that a given policy option would cause.

·The percentage for each policy option was the sum of the percentages for its policy measures. This could lead to an overestimation of the benefits, since some overlaps on the benefits can occur when developing/transposing legislation combining two or more legislative and/or non-legislative measures.

·The assumptions have a certain degree of approximation and subjectivity. To mitigate this, the methodology, the model and the input data were discussed and validated with external experts and reviewers in several dedicated meetings.

The tables below summarise the benefits for the policy options:

Table 10: estimated benefits for the policy options (EUR billion)

See Annex 4 for further details on the model, the assumptions and the calculations.

7.How do the options compare?

7.1.Qualitative comparison

The options were qualitatively compared in two ways: in relation to a set of assessment criteria and in relation to the extent that they achieve the specific objectives.

Comparison through assessment criteria

The following criteria were used to assess the impacts of each policy option:

The table below summarises the qualitative scores for each main assessment criteria and each option. All criteria were given the same weight. The detailed comparative assessment of all options can be found in Annex 4.

Effectiveness/social impact

The least effective is the baseline scenario, which even leads to a worsening of the situation due to the growing relevance of electronic data, while the most effective is option D combining all the seven retained measures. There is an important difference in terms of effectiveness between options including legislative measures and options not containing them, as the main problem to be solved is a regulatory failure. Non-legislative measures can therefore only lead to limited improvements within the existing legal framework.

Option B can improve the effectiveness in relation to option A depending on the international agreement reached, but it remains highly uncertain what the results would be and when they would become effective. The biggest added value could be achieved if international agreements complemented EU legislation, while adopting legislation would also help to define a common EU position on some of the key issues.

Option C would significantly increase the effectiveness of access to electronic evidence in different ways, as it would:

·ensure faster access compared to current judicial cooperation channels,

·bring increased legal certainty compared to current voluntary cooperation channels, and

·ensure access to content where there is no conflict of law.

Improving access for non-content data is a significant step forward, as this type of evidence is more frequently requested than content data (cf. the transparency reports by US-based service providers that mostly concern non-content data, as content data can only be provided in emergency situations). For content data held by US providers, the preservation of data by service providers under the new instrument would ensure that at least the content data is not lost while judicial cooperation channels are pursued. Moreover, by also covering content data and combining it with a conflicts of obligations clause, the instrument would be future-proof and might not need to be amended if an agreement with the US was reached on access to content data in the framework of a bilateral agreement.

Option D would be slightly more effective than option C, as it would add another tool that would be useful for practitioners in certain situations. This would in particular benefit those Member States that do not access data possibly stored outside of their territory.

Efficiency

Except for the baseline, all options would generate some administrative costs for public authorities but are expected to lead to even greater benefits in terms of savings, as the processes become more efficient through the different sets of measures and public authorities would be able to use the most efficient and appropriate channel available.

Options C and D would both lead to a significant shift from judicial cooperation channels to more efficient direct cooperation channels and, to a more limited extent, to direct access channels, leading to important cost savings for Member States. If an international solution includes provisions on direct cooperation, this would also apply.

For service providers, all options will similarly generate administrative costs, and also some savings when processes become more efficient, but less than for public authorities as they remain involved to the same extent for both judicial cooperation channels and for direct cooperation channels. The main burden for them would result from options C and D including a European Production Order, as they would be faced with orders from other Member States authorities, and would have to establish a legal representative. The biggest gain for them would be an increase of legal certainty and less conflicts of law.

Competitiveness

Under the baseline and option A, companies would continue to suffer from the lack of legal certainty currently surrounding cross-border requests for electronic evidence, and from a risk of conflicts of law if Member States adopt diverging national solutions. The options including legislative measures would improve legal certainty for companies and reduce the risk of conflicts of law. Options C and D with provisions on a European Production Order score best in this regard, as companies would have a clear legal framework and as a result a better understanding of their obligations under that framework.

Options C and D with provisions on a European Production Order could however also impact the business models chosen by companies with regard to corporate customers. It would therefore be important to include a “controller first” clause in the proposal to mitigate this risk.

Fundamental rights

Non-legislative options would have a smaller impact on fundamental rights of data subjects since they don’t change the way the existing cooperation channels function, but make them more effective, either by reducing the time it takes to obtain the data (without fundamental right impact) or by increasing the number of requests. However, compared to legislative options, non-legislative options can’t achieve a similar level of protection when compared to the baseline scenario. The lack of a clear legal framework for direct cooperation creates a risk for fundamental rights of the persons whose data is sought, as they can’t refer to clear protecting provisions. This can only be overcome by a legal framework with clear rules protecting fundamental rights. The need for an appropriate legal basis in the area of criminal law (nulla poena sine lege) and criminal procedural law is furthermore anchored in national constitutions.

Option B, with the inclusion of international agreements may have a positive impact on fundamental rights, by including provisions protecting fundamental rights and by improving legal certainty in a larger number of countries, compared to the Union, but the level of protection may be lower for multilateral solutions than for bilateral agreements.

Options C and D with provisions on a European Production Order and on direct access would have the biggest potential impact on fundamental rights by facilitating access by public authorities to personal data, but these impacts would be mitigated by including sufficient safeguards and conditions, as explained above in the description of measures. E.g., the involvement of a judicial authority that assesses the proportionality and the conformity with fundamental rights of the measure, and with legal remedies clearly spelled out, protects the fundamental rights of the persons affected better than the voluntary cooperation where law enforcement issues requests in an unclear legal framework with service providers assessing the legality of this measure. This means that these options score better, in terms of fundamental rights impacts, than the non-legislative options.

Impact on international relations

While non-legislative options would not have much impact on non-EU countries, Options B, C and D including international agreements would benefit international relations by providing a mutually acceptable framework for cross-border access to e-evidence. However, international agreements are uncertain and may take a long time to become effective.

Options C and D, with provisions on a European Production Order and on direct access that move away from data storage location, could trigger reciprocal responses by non-EU countries. For the EPO, this could be mitigated by a 'conflicts of law' clause.

7.1.2 Assessment with regard to meeting the specific objectives

Reduce delays in cross-border access to electronic evidence

All options address this specific objective, but to different degrees. While options A and B would lead to reasonable reductions in delays for both MLA/EIO and direct cooperation, legislative options C and D would lead to a shift from judicial cooperation to direct cooperation (or direct access), significantly reducing delays, as the latter channels are faster. By introducing deadlines for direct cooperation, options C and D could further reduce delays.

Ensure cross-border access to electronic evidence where it is currently missing

While it can be expected that non-legislative measures would lead to some improvements also in terms of ensuring access to electronic evidence where it is currently missing, options C and D could achieve this to a greater extent, as they introduce a more efficient procedure which includes obligations for service providers to give access to the data.

Improve legal certainty, protection of fundamental rights, transparency and accountability

Only options B, C and D with their legislative measures would be able to effectively achieve this specific objective, which is closely linked to the shortcomings of the current legal framework. Options C and D would achieve it to a better extent than option B, because the outcome of international agreements is uncertain. Option D would achieve this objective slightly better than option C, because it would also add legal certainty for the situations of cross-border access to e-evidence using direct access. The result of this assessment is consistent with the scores obtained by each of the options: options including legislative measures score far better than the non-legislative option A, and among the former, options C and D obtain the highest scores because of the uncertainty of international solutions.

7.2.Quantitative comparison

Overall costs

For the purpose of comparing the options and calculating overall costs, a period of 10 years (2017-2026) was considered. Over that period, the total of costs per option is the following:

Table 11: comparative quantitative assessment of the policy options over 10 years (EUR)

The costs above are negative, which means that they are savings compared to the baseline.

Overall benefits

The overall benefits are those calculated in section 6.2. that derive from a reduction of crime (the benefits derived from administrative savings are already considered in Table 11 above). It is assumed that the overall benefits will be achieved over a 10 year period as well. The table below compares the estimated costs and benefits for the different options:

Table 12: comparative quantitative assessment of the policy options (EUR million)

Given the limitations caused by the lack of data, the calculation of benefits as a reduction of crime was carried out for the main purpose of comparing the options. In consequence, the total value of benefits must be interpreted in relation to the other options, rather than as an accurate estimate of the actual reduction of crime that the preferred policy option would actually cause. In particular, the much higher potential benefits in relation to the costs of the options should not be taken at face value. That said, option D is the option that could offer comparatively more benefits in the form of reduction of crime, followed closely by option C.

8.Preferred option

On the basis of the assessment, the preferred option identified is option D. Option D scores slightly better than option C, with a total score of +5.

Main advantages

Option D would effectively achieve the strategic objectives of the EU intervention since:

·A combination of all the measures in option D would bring the biggest improvements of the public authorities' capacity to investigate and prosecute crimes. It would allow combining the benefits of the various measures as these are complementary.

·A combination of all measures would contribute to legal certainty and transparency in direct cooperation with service providers. It could create robust measures to ensure accountability, including through judicial redress.

In particular, option D would provide a comprehensive framework for obtaining e-evidence in cross-border investigations as it would include a European Production Order which would have a wide material and geographical scope, made more effective through the support of practical measures and international agreements, and a measure on direct access which would provide solutions for swift access to data in very specific circumstances.

A combination of the European Production Order including a conflicts of law clause that would give a role to the law of the non-EU country, and of international solutions would significantly reduce the risk of reciprocal responses from non-EU countries. The risk of conflicts of law for service providers which arise from diverging national solutions would decrease. There would also be cost savings and reduced burden for authorities, both in issuing and receiving States, including non-EU countries.

Main disadvantages

Improvements to judicial cooperation in the EU would not extend beyond what is feasible within the existing legal framework, meaning that the mutual recognition process would not be fundamentally changed, as the same 120-day deadline would still apply. Some of the practical measures to improve cooperation between public authorities and service providers would to some extent become superfluous once a legislative measure on EPO comes into force.

Because of conflicts with US law, the European Production Order would not allow EU authorities to obtain content data from US providers, and a bilateral agreement could take years. Thus for some time Member States' authorities would not witness significant changes as relates to content data and would still have to rely on the existing MLA channels, which can be improved only to some extent through practical measures.

Trade-offs

This option would enhance security but at a cost for service providers not established in the Union, particularly for SMEs, due to the introduction of the obligation to designate a legal representative. Also, the measures to facilitate direct cooperation may have a considerable impact on fundamental rights, as it would allow public authorities to access data that is not publicly available and that is, in most cases, personal data.

Fundamental rights

When assessing a combination of all measures, the main options impacting fundamental rights are the two legislative measures. The two measures would include sufficient safeguards to make the measures compatible with fundamental rights. In the Tele 2 judgement, the ECJ held that general and indiscriminate data retention legislation concerning metadata entailed a particularly serious interference with the rights to privacy and data protection and that the user concerned is, as a result, likely to feel that their private lives are the subject of constant surveillance. It could also, according to the Court, affect the use of means of electronic communication and thus the exercise by users of their freedom of expression. In the framework of the two legislative measures, it cannot be excluded that a similar effect could be claimed in individual cases, but because the measures always take place in the framework of a concrete investigation and not in abstracto, it cannot be compared to a data retention scheme. The interference with these fundamental rights is justified by the aim of the measure, which is to ensure effective investigation and prosecution of crimes in the EU. This would also have to be ensured in each individual case by the issuing judicial authority.

Subsidiarity

Given the international dimension of the problems to solve, the measures included in the preferred policy option need to be adopted at EU level in order to achieve the objectives. In particular, action by Member States would fall short in addressing, e.g. the following issues:

·Different practices and legislative instruments at national level on cross-border access to e-evidence in order to enhance cross-border cooperation and ensure coherence in law enforcement approach to access to e-evidence;

·Improving the expediency of judicial cooperation on the basis of existing EU legislation, notably via the EIO;

·Obstacles to cross-border cooperation in obtaining e-evidence with non-EU countries.

Given the diversity of legal approaches, the number of policy areas concerned by the matter (security, fundamental rights including data protection, economic issues) and the large range of stakeholders, the EU seems the most appropriate level to address the identified problems.

Proportionality

The legislative instrument would introduce conditions and safeguards for judicial authorities of Member States to request from a foreign service provider through a European Production Order the disclosure of information stored in a digital form that could be used as evidence, including on proportionality, and conditions and safeguards for direct access to e-evidence from an information system on the basis of national laws. On the whole, the option does not go beyond what is necessary to achieve the objective identified for the EU intervention.

9.How will actual impacts be monitored and evaluated?

The proposal should contain a commitment for the Commission to submit a report to the European Parliament and to the Council assessing the situation 2 years after the deadline for transposition, and to evaluate the effectiveness, efficiency, relevance, coherence and EU added value 5 years after the deadline to ensure that there is a sufficiently long period to evaluate after full implementation in all Member States. It will include a public consultation and possibly a survey of stakeholders to review the effect of the potential legislative act on the different categories of stakeholders.

To limit the additional administrative burden on Member States or the private sector due to the collection of information used for monitoring, the proposed indicators on the table below rely on existing data sources (e.g. transparency reports) whenever possible. Where no data exists, the preferred option contains a requirement for Member States to systematically collect data on the time from demand to access, the percentage of requests fulfilled and other data related to the implementation of the European Production Order. The costs of this data collection were included in the analysis of the options.

The Commission will conduct targeted surveys as indicated in the table below, assisted by Europol and Eurojust as needed. The costs of these surveys should be borne by DGs HOME and JUST within their operational expenditure (e.g. as support expenditure for operations of the Cybercrime policy area). The surveys will be conducted at least twice, coinciding, if applicable, with the reporting requirements for the Commission on the transposition and implementation.

In addition, the Commission will remain in close contact with the Member States and with the relevant stakeholders (in particular service providers) to monitor the effects of the possible legislative act. The following fora will be particularly relevant to gather qualitative evidence on concrete cases:

·Eurojust, and in particular the European Judicial Cybercrime Network 118 , to exchange information with judicial authorities;

·the European multidisciplinary platform against criminal threats (EMPACT), part of the EU Policy Cycle, to exchange information with law enforcement;

the EU Internet Forum 119 , to exchange information with service providers and public authorities in Member States (Home Affairs Ministries).

Table 13: monitoring of general, specific and operational objectives