(1)

The Union has set itself the objective of maintaining and developing an area of freedom, security and justice. For the gradual establishment of such an area, the Union is to adopt measures relating to judicial cooperation in criminal matters based on the principle of mutual recognition of judgments and judicial decisions, which is commonly referred to as a cornerstone of judicial cooperation in criminal matters within the Union since the Tampere European Council of 15 and 16 October 1999.

(2)

Measures to obtain and preserve electronic evidence are increasingly important for criminal investigations and prosecutions across the Union. Effective mechanisms to obtain electronic evidence are essential to combat crime, and such mechanisms should be subject to conditions and safeguards to ensure full compliance with fundamental rights and principles recognised in Article 6 of the Treaty on European Union (TEU) and the Charter of Fundamental Rights of the European Union (the ‘Charter’), in particular the principles of necessity and proportionality, due process, protection of privacy and personal data and confidentiality of communications.

(3)

The Joint Statement of the Ministers of Justice and Home Affairs and representatives of the Union institutions of 24 March 2016 on the terrorist attacks in Brussels stressed the need, as a matter of priority, to secure and obtain more quickly and effectively digital evidence and to identify concrete measures to do so.

(4)

The Council conclusions of 9 June 2016 stressed the increasing importance of electronic evidence in criminal proceedings, and the importance of protecting cyberspace from abuse and criminal activities for the benefit of economies and societies, and therefore the need for law enforcement authorities and judicial authorities to have effective tools to investigate and prosecute criminal acts related to cyberspace.

(5)

In the joint communication of the Commission and of the High Representative of the Union for Foreign Affairs and Security Policy to the European Parliament and the Council of 13 September 2017 on Resilience, Deterrence and Defence: Building strong cybersecurity for the EU, the Commission emphasised that effective investigation and prosecution of cyber-enabled crime is a key deterrent to cyber-attacks, and that today’s procedural framework needs to be better adapted to the internet age. The speed of cyber-attacks can sometimes overwhelm current procedures, thereby creating particular needs for swift cooperation across borders.

(6)

The resolution of the European Parliament of 3 October 2017 on the fight against cybercrime (3) underlined the need to find means to secure and obtain electronic evidence more rapidly, as well as the importance of close cooperation between law enforcement authorities, third countries and service providers active on European territory, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (4) and Directive (EU) 2016/680 of the European Parliament and of the Council (5), and existing mutual legal assistance agreements. That resolution of the European Parliament also highlighted that the currently fragmented legal framework can create challenges for service providers seeking to comply with law enforcement requests and called on the Commission to put forward a Union legal framework for electronic evidence with sufficient safeguards for the rights and freedoms of all concerned, while welcoming the ongoing work of the Commission towards a cooperation platform with a secure communication channel for digital exchanges of European Investigation Orders (EIOs) for electronic evidence and replies between Union judicial authorities.

(7)

Network-based services can be provided from anywhere and do not require physical infrastructure, premises or staff in the country where the relevant service is offered. Therefore, relevant electronic evidence is often stored outside of the investigating State or by a service provider established outside of that State, creating challenges regarding the gathering of electronic evidence in criminal proceedings.

(8)

Due to the way in which network-based services are provided, judicial cooperation requests are often addressed to States which are hosts to a large number of service providers. Furthermore, the number of requests has multiplied due to the fact that network-based services are being increasingly used. Directive 2014/41/EU of the European Parliament and of the Council (6) provides for the possibility of issuing an EIO for the purpose of gathering evidence in another Member State. In addition, the Convention established by the Council in accordance with Article 34 of the Treaty on European Union, on Mutual Assistance in Criminal Matters between the Member States of the European Union (7) (the ‘Convention on Mutual Assistance in Criminal Matters’) also provides for the possibility of requesting evidence from another Member State. However, the procedures and timelines provided for in Directive 2014/41/EU establishing the EIO and in the Convention on Mutual Assistance in Criminal Matters might not be appropriate for electronic evidence, which is more volatile and could more easily and quickly be deleted. Obtaining electronic evidence using judicial cooperation channels often takes a long time, resulting in situations where subsequent leads might no longer be available. Furthermore, there is no harmonised framework for cooperation with service providers, while certain third-country providers accept direct requests for data other than content data as permitted by their applicable national law. As a consequence, Member States increasingly rely on voluntary direct cooperation channels with service providers where available, and they apply different national tools, conditions and procedures. For content data, some Member States have taken unilateral action, while others continue to rely on judicial cooperation.

(9)

The fragmented legal framework creates challenges for law enforcement authorities and judicial authorities as well as for service providers seeking to comply with legal requests for electronic evidence, as they are increasingly faced with legal uncertainty and, potentially, conflicts of law. Therefore, there is a need to provide for specific rules as regards cross-border judicial cooperation for preserving and producing electronic evidence, which address the specific nature of electronic evidence. Such rules should include an obligation on service providers covered by the scope of this Regulation to respond directly to requests stemming from authorities in another Member State. This Regulation will therefore complement the existing Union law and clarify the rules applicable to law enforcement authorities and judicial authorities as well as to service providers in the field of electronic evidence, while ensuring full compliance with fundamental rights.

(10)

This Regulation respects fundamental rights and observes the principles recognised by Article 6 TEU and the Charter, by international law and by international agreements to which the Union or all the Member States are party, including the European Convention for the Protection of Human Rights and Fundamental Freedoms, and in Member States’ constitutions, in their respective fields of application. Such rights and principles include, in particular, the right to liberty and security, the respect for private and family life, the protection of personal data, the freedom to conduct a business, the right to property, the right to an effective remedy and to a fair trial, the presumption of innocence and right of defence, the principles of legality and proportionality, as well as the right not to be tried or punished twice in criminal proceedings for the same criminal offence.

(11)

Nothing in this Regulation should be interpreted as prohibiting the refusal of a European Production Order by an enforcing authority where there are reasons to believe, on the basis of objective elements, that the European Production Order has been issued for the purpose of prosecuting or punishing a person on account of the person’s gender, racial or ethnic origin, religion, sexual orientation or gender identity, nationality, language or political opinions, or that the person’s position could be prejudiced for any of those reasons.

(12)

The mechanism of the European Production Order and of the European Preservation Order for electronic evidence in criminal proceedings relies on the principle of mutual trust between the Member States and on a presumption of compliance by Member States with Union law, the rule of law and, in particular, with fundamental rights, which are essential elements of the Union’s area of freedom, security and justice. Such a mechanism enables national competent authorities to send such orders directly to service providers.

(13)

The respect for private and family life and the protection of natural persons regarding the processing of personal data are fundamental rights. In accordance with Article 7 and Article 8(1) of the Charter, everyone has the right to respect for their private and family life, home and communications and to the protection of personal data concerning them.

(14)

When implementing this Regulation, Member States should ensure that personal data are protected and processed in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680, as well as Directive 2002/58/EC of the European Parliament and of the Council (8) including in the event of further use, transmissions and onward transfers of data obtained.

(15)

Personal data obtained under this Regulation should only be processed when necessary and in a manner that is proportionate to the purposes of prevention, investigation, detection and prosecution of crime or enforcement of criminal penalties and the exercise of the rights of defence. In particular, Member States should ensure that appropriate data protection policies and measures apply to the transmission of personal data from relevant authorities to service providers for the purposes of this Regulation, including measures to ensure the security of the data. Service providers should ensure that the same safeguards apply for the transmission of personal data to relevant authorities. Only authorised persons should have access to information containing personal data which can be obtained through authentication processes.

(16)

The procedural rights in criminal proceedings set out in Directives 2010/64/EU (9), 2012/13/EU (10), 2013/48/EU (11), (EU) 2016/343 (12), (EU) 2016/800 (13) and (EU) 2016/1919 (14) of the European Parliament and of the Council should apply, within the scope of those Directives, to criminal proceedings covered by this Regulation as regards the Member States bound by those Directives. The procedural safeguards under the Charter should also apply.

(17)

In order to guarantee full respect of fundamental rights, the probative value of evidence gathered in application of this Regulation should be assessed in trial by the competent judicial authority, in accordance with national law and in compliance with, in particular, the right to a fair trial and the right of defence.

(18)

This Regulation lays down the rules under which a competent judicial authority in the Union may, in criminal proceedings, including criminal investigations, or for the execution of a custodial sentence or a detention order following criminal proceedings in accordance with this Regulation, order a service provider offering services in the Union to produce or to preserve electronic evidence through a European Production Order or a European Preservation Order. This Regulation should be applicable in all cross-border cases where the service provider has its designated establishment or legal representative in another Member State. This Regulation is without prejudice to the powers of national authorities to address service providers established or represented on their territory in order for them to comply with similar national measures.

(19)

This Regulation should regulate the gathering of data stored by a service provider at the time of receipt of a European Production Order or a European Preservation Order only. It should not lay down a general data retention obligation for service providers and it should not have the effect of resulting in any general and indiscriminate retention of data. This Regulation also should not authorise the interception of data or the obtention of data that are stored after the receipt of a European Production Order or a European Preservation Order.

(20)

The application of this Regulation should not affect the use of encryption by service providers or their users. Data requested by means of a European Production Order or a European Preservation Order should be provided or preserved regardless of whether they are encrypted or not. However, this Regulation should not lay down any obligation for service providers to decrypt data.

(21)

In many cases, data are no longer stored or otherwise processed on a user’s device but made available on a cloud-based infrastructure enabling access from anywhere. To run those services, service providers do not need to be established or to have servers in a specific jurisdiction. Thus, the application of this Regulation should not depend on the actual location of the service provider’s establishment or of the data processing or storage facility.

(22)

This Regulation is without prejudice to the investigative powers of authorities in civil or administrative proceedings, including where such proceedings can lead to penalties.

(23)

As proceedings for mutual legal assistance might be considered as criminal proceedings in accordance with applicable national law in the Member States, it should be clarified that a European Production Order or a European Preservation Order should not be issued to provide mutual legal assistance to another Member State or a third country. In such cases, the mutual legal assistance request should be addressed to the Member State or third country which can provide mutual legal assistance under its national law.

(24)

In the framework of criminal proceedings, the European Production Order and the European Preservation Order should only be issued for specific criminal proceedings concerning a specific criminal offence that has already taken place, after an individual evaluation of the necessity and proportionality of those orders in every single case, taking into account the rights of the suspect or the accused person.

(25)

This Regulation should also apply to proceedings initiated by an issuing authority to locate a convicted person that has absconded from justice, in order to execute a custodial sentence or a detention order following criminal proceedings. However, where the custodial sentence or detention order was imposed by a decision rendered in absentia it should not be possible to issue a European Production Order or a European Preservation Order, as the national law of the Member States on judicial decisions rendered in absentia varies considerably throughout the Union.

(26)

This Regulation should apply to service providers offering services in the Union, and it should only be possible to issue the orders provided for in this Regulation for data pertaining to services offered in the Union. Services offered exclusively outside the Union should not be included in the scope of this Regulation, even if the service provider is established in the Union. Therefore, this Regulation should not allow any access to data other than data related to the services offered to the user in the Union by those service providers.

(27)

The service providers most relevant for gathering evidence in criminal proceedings are providers of electronic communications services and specific providers of information society services that facilitate interaction between users. Thus, both groups should be covered by this Regulation. Electronic communication services are defined in Directive (EU) 2018/1972 of the European Parliament and of the Council (15) and include inter-personal communications services such as voice-over-IP, instant messaging and email services. This Regulation should also be applicable to information society service providers within the meaning of Directive (EU) 2015/1535 of the European Parliament and of the Council (16) that do not qualify as electronic communications service providers but offer their users the ability to communicate with each other or offer their users services that can be used to store or otherwise process data on their behalf. This would be in line with the terms used in the Council of Europe Convention on Cybercrime (ETS No 185), done at Budapest on 23 November 2001 (‘Budapest Convention’). Processing of data should be understood in a technical sense, meaning the creation or manipulation of data, that is to say technical operations to produce or alter data by means of computer processing power. The categories of service providers covered by this Regulation should include, for example, online marketplaces providing consumers and businesses with the ability to communicate with each other, and other hosting services, including where the service is provided via cloud computing, as well as online gaming platforms and online gambling platforms. Where an information society service provider does not provide its users with the ability to communicate with each other but only with the service provider, or does not provide the ability to store or otherwise process data, or where the storage of data is not a defining component, that is, an essential part, of the service provided to users, such as legal, architectural engineering and accounting services provided online at a distance, it should not fall within the scope of the definition of ‘service provider’ laid down in this Regulation, even if the services provided by that service provider are information society services within the meaning of Directive (EU) 2015/1535.

(28)

Providers of internet infrastructure services related to the assignment of names and numbers, such as domain name registries and registrars and privacy and proxy service providers, or regional internet registries for internet protocol (‘IP’) addresses, are of particular relevance when it comes to the identification of actors behind malicious or compromised websites. They hold data that could make the identification of an individual or entity behind a website used in a criminal activity, or the victim of a criminal activity, possible.

(29)

Determining whether a service provider offers services in the Union requires an assessment as to whether the service provider enables natural or legal persons in one or more Member States to use its services. However, the mere accessibility of an online interface in the Union, such as for instance the accessibility of a website or an email address or other contact details of a service provider or an intermediary, taken in isolation, should be considered insufficient to determine that a service provider offers services in the Union within the meaning of this Regulation.

(30)

A substantial connection to the Union should also be relevant to determining whether a service provider offers services in the Union. Such a substantial connection to the Union should be considered to exist where the service provider has an establishment in the Union. In the absence of such an establishment, the criterion of a substantial connection should be based on specific factual criteria such as the existence of a significant number of users in one or more Member States, or the targeting of activities towards one or more Member States. The targeting of activities towards one or more Member States should be determined on the basis of all relevant circumstances, including factors such as the use of a language or a currency generally used in that Member State, or the possibility of ordering goods or services. The targeting of activities towards a Member State could also be derived from the availability of an application (‘app’) in the relevant national app store, from the provision of local advertising or advertising in the language generally used in that Member State, or from the handling of customer relations, such as by the provision of customer service in the language generally used in that Member State. A substantial connection should also be considered to exist where a service provider directs its activities towards one or more Member States as set out in Regulation (EU) No 1215/2012 of the European Parliament and of the Council (17). On the other hand, provision of a service for the purpose of mere compliance with the prohibition of discrimination laid down in Regulation (EU) 2018/302 of the European Parliament and of the Council (18) should not, without additional grounds, be considered to be directing or targeting activities towards a given territory within the Union. The same considerations should apply when determining whether a service provider offers services in a Member State.

(31)

This Regulation should cover the data categories of subscriber data, traffic data and content data. Such categorisation is in line with the law of many Member States and Union law, such as Directive 2002/58/EC and the case law of the Court of Justice, as well as international law, in particular the Budapest Convention.

(32)

IP addresses as well as access numbers and related information can constitute a crucial starting point for criminal investigations in which the identity of a suspect is not known. They are typically part of a record of events, also known as a server log, that indicates the commencement and termination of a user access session to a service. It is often an individual IP address, be it static or dynamic, or other identifier that singles out the network interface used during the access session. Related information on the commencement and termination of a user access session to a service, such as the source ports and time stamp, is needed as IP addresses are often shared amongst users, for example where carrier grade network address translation (CGN) or technical equivalents are in place. However, in accordance with the Union acquis, IP addresses are to be considered personal data and have to benefit from full protection under the Union’s data protection acquis. In addition, under certain circumstances, IP addresses can be considered traffic data. Also, access numbers and related information are considered traffic data in some Member States. However, for the purpose of a specific criminal investigation, law enforcement authorities might have to request an IP address as well as access numbers and related information for the sole purpose of identifying the user before subscriber data related to that identifier can be requested from the service provider. In such cases, it is appropriate to apply the same regime as for subscriber data, as defined in this Regulation.

(33)

Where IP addresses, access numbers and related information are not requested for the sole purpose of identifying the user in a specific criminal investigation, they are generally requested to obtain more privacy-intrusive information, such as the contacts and whereabouts of the user. As such, they could serve to establish a comprehensive profile of an individual concerned, but at the same time they can be processed and analysed more easily than content data, as they are presented in a structured and standardised format. It is therefore essential that, in such situations, IP addresses, access numbers and related information not requested for the sole purpose of identifying the user in a specific criminal investigation, be treated as traffic data and requested under the same regime as content data, as defined in this Regulation.

(34)

All data categories contain personal data and are thus covered by the safeguards under the Union data protection acquis. However, the intensity of the impact on fundamental rights varies between the categories, in particular between subscriber data and data requested for the sole purpose of identifying the user as defined in this Regulation, on the one hand, and traffic data, except for data requested for the sole purpose of identifying the user as defined in this Regulation, and content data on the other. While subscriber data as well as IP addresses, access numbers and related information, where requested for the sole purpose of identifying the user, could be useful to obtain first leads in an investigation about the identity of a suspect, traffic data, except for data requested for the sole purpose of identifying the user as defined in this Regulation, and content data are often more relevant as probative material. It is therefore essential that all those data categories are covered by this Regulation. Given the varying degree of interference with fundamental rights, appropriate safeguards and conditions should be imposed for obtaining such data.

(35)

Situations in which there is an imminent threat to the life, physical integrity or safety of a person should be treated as emergency cases, and entail shorter time limits for the service provider and the enforcing authority. Where the disruption or destruction of a critical infrastructure as defined in Council Directive 2008/114/EC (19) would imply such a threat, including through serious harm to the provision of basic supplies to the population or to the exercise of the core functions of the State, such a situation should also be treated as an emergency case, in accordance with Union law.

(36)

When a European Production Order or a European Preservation Order is issued, there should always be a judicial authority involved either in the process of issuing or in the process of validating the order. In view of the more sensitive nature of traffic data, except for data requested for the sole purpose of identifying the user as defined in this Regulation, and of content data, the issuing or validation of a European Production Order to obtain those data categories requires review by a judge. As subscriber data and data requested for the sole purpose of identifying the user as defined in this Regulation are less sensitive, a European Production Order to obtain such data can in addition be issued or validated by a competent public prosecutor. In accordance with the right to a fair trial, as protected by the Charter and the European Convention for the Protection of Human Rights and Fundamental Freedoms, public prosecutors are to exercise their responsibilities objectively, taking their decision in relation to the issuing or validation of a European Production Order or a European Preservation Order solely on the basis of the factual elements in the case file and taking into account all incriminatory and exculpatory evidence.

(37)

In order to ensure that fundamental rights are fully protected, any validation of European Production Orders or of European Preservation Orders by judicial authorities should in principle be obtained before the order concerned is issued. Exceptions to that principle should only be made in validly established emergency cases when requesting the production of subscriber data or data requested for the sole purpose of identifying the user, as defined in this Regulation, or the preservation of data, where it is not possible to obtain prior validation by the judicial authority in time, in particular because the validating authority cannot be reached to obtain validation and the threat is so imminent that immediate action has to be taken. However, such exceptions should only be made where the authority issuing the order concerned could issue an order in a similar domestic case under national law without prior validation.

(38)

A European Production Order should only be issued if it is necessary, proportionate, adequate and applicable to the case at hand. The issuing authority should take into account the rights of the suspect or the accused person in proceedings relating to a criminal offence and should only issue a European Production Order if such order could have been issued under the same conditions in a similar domestic case. The assessment of whether to issue a European Production Order should take into account whether such order is limited to what is strictly necessary to achieve the legitimate aim of obtaining data that are relevant and necessary as evidence in an individual case.

(39)

In cases where a European Production Order is issued to obtain different data categories, the issuing authority should ensure that the conditions and procedures, such as notification to the enforcing authority, are met for each of those data categories respectively.

(40)

In view of the more sensitive nature of traffic data, except for data requested for the sole purpose of identifying the user as defined in this Regulation, and of content data, a distinction should be made regarding the material scope of this Regulation. It should be possible to issue a European Production Order to obtain subscriber data or to obtain data requested for the sole purpose of identifying the user, as defined in this Regulation, for any criminal offence, whereas a European Production Order to obtain traffic data, except for data requested for the sole purpose of identifying the user as defined in this Regulation, or to obtain content data should be subject to stricter requirements to reflect the more sensitive nature of such data. This Regulation should provide for a threshold in relation to its scope, allowing for a proportionate approach, together with a number of other ex ante and ex post conditions and safeguards to ensure respect for proportionality and the rights of the persons affected. At the same time, such a threshold should not limit the effectiveness of this Regulation and its use by practitioners. Allowing the issuing of European Production Orders in criminal proceedings only for offences that carry at least a three-year maximum custodial sentence will limit the scope of this Regulation to more serious offences, without excessively affecting the possibilities of its use by practitioners. That limitation would exclude from the scope of this Regulation a significant number of offences which are considered less serious by Member States, as expressed in a lower maximum penalty. That limitation will also have the advantage of being easily applicable in practice.

(41)

There are specific offences where evidence will typically be available exclusively in electronic form, which is particularly fleeting in nature. This is the case for cyber-related offences, even those which might not be considered serious in and of themselves but which could cause extensive or considerable damage, in particular offences with low individual impact but high volume and overall damage. For most cases in which the offence has been committed by means of an information system, applying the same threshold as for other types of offences would to a large extent lead to impunity. That justifies the application of this Regulation for such offences also where they carry a maximum custodial sentence of less than three years. Additional terrorism-related offences within the meaning of Directive (EU) 2017/541 of the European Parliament and of the Council (20) as well as offences concerning sexual abuse and sexual exploitation of children within the meaning of Directive 2011/93/EU of the European Parliament and of the Council (21) should not require the minimum threshold of a three-year maximum custodial sentence.

(42)

As a matter of principle, a European Production Order should be addressed to the service provider, acting as controller. However, in some circumstances, determining whether a service provider has the role of controller or processor can prove particularly challenging, in particular where several service providers are involved in the processing of data or where service providers process the data on behalf of a natural person. Distinguishing between the roles of controller and processor with regard to a particular set of data requires not only specialised knowledge of the legal context, but could also require interpretation of often very complex contractual frameworks providing in a specific case for allocation to various service providers of different tasks and roles with regard to a particular set of data. Where service providers process data on behalf of a natural person, it may be difficult in some cases to determine who the controller is, even where there is only one service provider involved. Where the data concerned are stored or otherwise processed by a service provider and there is no clarity as to who the controller is, despite reasonable efforts on the part of the issuing authority, it should therefore be possible to address a European Production Order directly to that service provider. Moreover, in some cases, addressing the controller could be detrimental to the investigation in the case concerned, for example because the controller is a suspect or an accused or convicted person or there are indications that the controller could be acting in the interest of the person that is the subject of the investigation. Also in those cases, it should be possible to address a European Production Order directly to the service provider processing the data on behalf of the controller. That should not affect the right of the issuing authority to order the service provider to preserve the data.

(43)

In accordance with Regulation (EU) 2016/679, the processor that stores or otherwise processes the data on behalf of the controller should inform the controller about the production of the data unless the issuing authority has requested the service provider to refrain from informing the controller, for as long as necessary and proportionate, in order not to obstruct the relevant criminal proceedings. In that case, the issuing authority should indicate in the case file the reasons for the delay in informing the controller and a short justification should also be added in the accompanying certificate transmitted to the addressee.

(44)

Where the data are stored or otherwise processed as part of an infrastructure provided by a service provider to a public authority, it should only be possible to issue a European Production Order or a European Preservation Order where the public authority for which the data are stored or otherwise processed is located in the issuing State.

(45)

In cases where data protected by professional privilege under the law of the issuing State are stored or otherwise processed by a service provider as part of an infrastructure provided to professionals covered by professional privilege (‘privileged professional’), in their business capacity, it should only be possible to issue a European Production Order to obtain traffic data, except for data requested for the sole purpose of identifying the user as defined in this Regulation, or to obtain content data where the privileged professional resides in the issuing State, where addressing the privileged professional might be detrimental to the investigation, or where the privileges were waived in accordance with the applicable law.

(46)

The principle of ne bis in idem is a fundamental principle of law in the Union, as recognised by the Charter and developed by the case law of the Court of Justice of the European Union. Where the issuing authority has grounds to believe that parallel criminal proceedings could be ongoing in another Member State, it should consult the authorities of that Member State in accordance with Council Framework Decision 2009/948/JHA (22). In any case, a European Production Order or a European Preservation Order is not to be issued where the issuing authority has grounds to believe that this would be contrary to the ne bis in idem principle.

(47)

Immunities and privileges, which may refer to categories of persons, such as diplomats, or specifically protected relationships, such as lawyer-client privilege or the right of journalists not to disclose their sources of information, are referred to in other mutual recognition instruments such as in Directive 2014/41/EU establishing the EIO. The range and impact of immunities and privileges differ according to the applicable national law that should be taken into account at the time of issuing a European Production Order or a European Preservation Order, as the issuing authority should only be able to issue the order if it could have been issued under the same conditions in a similar domestic case. There is no common definition of what constitutes an immunity or privilege in Union law. The precise definition of those terms is therefore left to national law, and the definition can include protections which apply to, for instance, medical and legal professions, including when specialised platforms are used in those professions. The precise definition of immunities and privileges can also include rules on determination and limitation of criminal liability relating to freedom of the press and freedom of expression in other media.

(48)

Where the issuing authority seeks to obtain traffic data, except for data requested for the sole purpose of identifying the user as defined in this Regulation, or to obtain content data, by issuing a European Production Order and has reasonable grounds to believe that the data requested are protected by immunities or privileges granted under the law of the enforcing State, or that those data are subject in that State to rules on determination and limitation of criminal liability relating to freedom of the press and freedom of expression in other media, the issuing authority should be able to seek clarification before issuing the European Production Order, including by consulting the competent authorities of the enforcing State, either directly or via Eurojust or the European Judicial Network.

(49)

It should be possible to issue a European Preservation Order for any criminal offence. The issuing authority should take into account the rights of the suspect or the accused person in proceedings relating to a criminal offence and should only issue a European Preservation Order if such order could have been issued under the same conditions in a similar domestic case and where it is necessary, proportionate, adequate and applicable to the case in hand. The assessment of whether to issue a European Preservation Order should take into account whether such order is limited to what is strictly necessary to achieve the legitimate aim of preventing the removal, deletion or alteration of data that are relevant and necessary as evidence in an individual case in situations where it could take more time to obtain the production of those data.

(50)

European Production Orders and European Preservation Orders should be addressed directly to the designated establishment or to the legal representative, designated or appointed by the service provider pursuant to Directive (EU) 2023/1544 of the European Parliament and of the Council (23). Exceptionally, in emergency cases as defined in this Regulation, where the designated establishment or the legal representative of a service provider does not react to the accompanying European Production Order Certificate (EPOC) or European Preservation Order Certificate (EPOC-PR) within the deadlines or has not been designated or appointed within the deadlines set out in Directive (EU) 2023/1544 it should be possible to address the EPOC or the EPOC-PR to any other establishment or legal representative of the service provider in the Union alongside or instead of pursuing enforcement of the initial order in accordance with this Regulation. Given those various possible scenarios, the general term ‘addressee’ is used in the provisions of this Regulation.

(51)

In view of the more sensitive nature of a European Production Order to obtain traffic data, except for data requested for the sole purpose of identifying the user, as defined in this Regulation, or to obtain content data, it is appropriate to provide for a notification mechanism applicable to European Production Orders to obtain those data categories. That notification mechanism should involve an enforcing authority and consist in the transmission of the EPOC to that authority at the same time as the EPOC is transmitted to the addressee. However, where a European Production Order is issued to obtain electronic evidence in criminal proceedings with substantial and strong links to the issuing State, no notification to the enforcing authority should be required. Such links should be assumed where, at the time of issuing the European Production Order, the issuing authority has reasonable grounds to believe that the offence has been committed, is being committed or is likely to be committed in the issuing State, and where the person whose data are requested resides in the issuing State.

(52)

For the purposes of this Regulation, an offence should be considered as having been committed, being committed or being likely to be committed in the issuing State if it is so considered in accordance with the national law of the issuing State. In some cases, especially in the cybercrime field, some factual elements, such as the place of residence of the victim, are usually important indications to consider when determining where the offence has been committed. For instance, ransomware crimes can often be considered as having been committed where the victim of such a crime resides, even when the exact location from where the ransomware has been launched is uncertain. Any determination as to the place where the offence was committed should be without prejudice to the rules on jurisdiction over the relevant offences pursuant to the applicable national law.

(53)

It is for the issuing authority to assess, at the time of issuing the European Production Order to obtain traffic data, except for data requested for the sole purpose of identifying the user as defined in this Regulation, or to obtain content data, and on the basis of the material before it, whether there are reasonable grounds to believe that the person whose data are requested resides in the issuing State. In that regard, various objective circumstances that could indicate that the person concerned has established the habitual centre of their interests in a particular Member State or has the intention to do so, can be of relevance. It follows from the need for uniform application of Union law and from the principle of equality that the notion of ‘residence’ in this particular context should be given uniform interpretation throughout the Union. Reasonable grounds to believe that a person resides in an issuing State could exist, in particular, where a person is registered as a resident in an issuing State, as indicated by holding an identity card or a residence permit or by being registered in an official residence register. In the absence of registration in the issuing State, residence could be indicated by the fact that a person has manifested the intention to settle in that Member State or has acquired, following a stable period of presence in that Member State, certain connections with that State which are of a similar degree as those resulting from establishing a formal residence in that Member State. In order to determine whether, in a specific situation, there are sufficient connections between the person concerned and the issuing State that give rise to reasonable grounds to believe that the person concerned resides in that State, various objective factors characterising the situation of that person could be taken into account, which include, in particular, the length, nature and conditions of the person’s presence in the issuing State or the family ties or economic connections which that person has with that Member State. A registered vehicle, a bank account, the fact that the person’s stay in the issuing State has been uninterrupted or other objective factors could be of relevance for determining that there are reasonable grounds to believe that the person concerned resides in the issuing State. A short visit, a holiday stay, including in a holiday home, or a similar stay in the issuing State without any further substantial link is not enough to establish a residence in that Member State. In cases where, at the time of issuing the European Production Order to obtain traffic data, except for data requested for the sole purpose of identifying the user as defined in this Regulation, or to obtain content data, the issuing authority does not have reasonable grounds to believe that the person whose data are requested resides in the issuing State, the issuing authority should notify the enforcing authority.

(54)

In order to provide for a swift procedure, the relevant point in time at which to determine whether there is a need to notify the enforcing authority should be the time when the European Production Order is issued. Any subsequent change of residence should not have any impact on the procedure. The person concerned should be able to invoke their rights as well as the rules on determination and limitation of criminal liability relating to freedom of the press and freedom of expression in other media, during the entire criminal proceedings, and the enforcing authority should be able to raise a ground for refusal where, in exceptional situations, there are substantial grounds to believe, on the basis of specific and objective evidence, that the execution of the order would, in the particular circumstances of the case, entail a manifest breach of a relevant fundamental right as set out in Article 6 TEU and the Charter. In addition, it should also be possible to invoke those grounds during the procedure for enforcement.

(55)

A European Production Order should be transmitted through an EPOC, and a European Preservation Order should be transmitted through an EPOC-PR. Where needed, the EPOC or the EPOC-PR should be translated into an official language of the Union accepted by the addressee. Where no language has been specified by the service provider, the EPOC or the EPOC-PR should be translated into an official language of the Member State where the designated establishment or the legal representative of the service provider is located, or into another official language that the designated establishment or the legal representative of the service provider declared it will accept. Where a notification to the enforcing authority is required pursuant to this Regulation, the EPOC to be transmitted to that authority should be translated into an official language of the enforcing State or into another official language of the Union accepted by that State. In that regard, each Member State should be encouraged to state, at any time, in a written declaration submitted to the Commission if, and in which official language or languages of the Union in addition to the official language or languages of that Member State, they would accept translations of EPOCs and EPOC-PRs. The Commission should make such declarations available to all Member States and to the European Judicial Network.

(56)

Where an EPOC has been issued and a notification to the enforcing authority is not required under this Regulation, the addressee should ensure, upon receipt of the EPOC, that the requested data are transmitted directly to the issuing authority or the law enforcement authorities as indicated in the EPOC at the latest within 10 days following receipt of the EPOC. Where a notification to the enforcing authority is required pursuant to this Regulation, upon receipt of the EPOC, the service provider should act expeditiously to preserve the data. Where the enforcing authority has not raised any grounds for refusal pursuant to this Regulation within 10 days following receipt of the EPOC, the addressee should ensure that the requested data are transmitted directly to the issuing authority or the law enforcement authorities as indicated in the EPOC at the end of that 10-day period. Where the enforcing authority, already before the end of the 10-day period, confirms to the issuing authority and the addressee that it will not raise any grounds for refusal, the addressee should act as soon as possible upon such confirmation and at the latest at the end of that 10-day period. The shorter time limits applicable in emergency cases as defined in this Regulation should be respected by the addressee, and, where applicable, the enforcing authority. The addressee, and, where applicable, the enforcing authority, should execute the EPOC as soon as possible and at the latest within the deadlines set out in this Regulation, taking as full account as possible of the procedural deadlines and other deadlines indicated by the issuing State.

(57)

Where the addressee considers, based solely on the information contained in the EPOC or in the EPOC-PR, that the execution of the EPOC or of the EPOC-PR could interfere with immunities or privileges, or with rules on the determination or limitation of criminal liability that relate to freedom of the press or freedom of expression in other media, under the law of the enforcing State, the addressee should inform the issuing authority and the enforcing authority. As regards EPOCs, where no notification to the enforcing authority took place pursuant to this Regulation, the issuing authority should take the information received from the addressee into account, and should decide, on its own initiative or at the request of the enforcing authority, whether to withdraw, adapt or maintain the European Production Order. Where a notification to the enforcing authority took place pursuant to this Regulation, the issuing authority should take the information received from the addressee into account and decide whether to withdraw, adapt or maintain the European Production Order. It should also be possible for the enforcing authority to raise the grounds for refusal set out in this Regulation.

(58)

In order to allow the addressee to address formal problems with an EPOC or an EPOC-PR, it is necessary to set out a procedure for the communication between the addressee and the issuing authority, as well as, where a notification to the enforcing authority took place pursuant to this Regulation, between the addressee and the enforcing authority, in cases where the EPOC or EPOC-PR is incomplete or contains manifest errors or does not contain sufficient information to execute the order concerned. Moreover, should the addressee not provide the information in an exhaustive or timely manner for any other reason, for example because it considers that there is a conflict with an obligation under the law of a third country, or because it considers that the European Production Order or the European Preservation Order has not been issued in accordance with the conditions set out by this Regulation, it should inform the issuing authority, as well as, where a notification to the enforcing authority took place, the enforcing authority, and provide the justification for not executing the EPOC or the EPOC-PR in a timely manner. The communication procedure should thus allow for the correction or reconsideration of the European Production Order or of the European Preservation Order by the issuing authority at an early stage. To guarantee the availability of the data requested, the addressee should preserve those data if that addressee can identify those data.

(59)

The addressee should not be obliged to comply with the European Production Order or with the European Preservation Order in the event of a de facto impossibility due to circumstances not attributable to the addressee or, if different, the service provider at the time when the European Production Order or the European Preservation Order was received. A de facto impossibility should be assumed if the person whose data were requested is not a customer of the service provider or cannot be identified as such even after a request for further information to the issuing authority, or if the data have been lawfully deleted before the order concerned was received.

(60)

Upon receipt of an EPOC-PR, the addressee should preserve the requested data for a maximum of 60 days unless the issuing authority confirms that a subsequent request for production has been issued, in which case the preservation should be continued. The issuing authority should be able to extend the duration of the preservation by an additional 30 days where necessary to allow for the issuing of a subsequent request for production, using the form set out in this Regulation. Where the issuing authority confirms during the period of preservation that a subsequent request for production has been issued, the addressee should preserve the data as long as necessary to produce the data once the subsequent request for production is received. Such a confirmation should be sent to the addressee within the relevant deadline, in an official language of the enforcing State or in any other language accepted by the addressee, using the form set out in this Regulation. To prevent the preservation from ceasing, it should be sufficient that the subsequent request for production has been issued and the confirmation has been sent by the issuing authority; it should not be necessary to complete further required formalities for the transmission, such as the translation of documents, at that point in time. Where the preservation is no longer necessary, the issuing authority should inform the addressee without undue delay and the obligation to preserve on the basis of the European Preservation Order should cease.

(61)

Notwithstanding the principle of mutual trust, it should be possible for the enforcing authority to raise grounds for refusal of a European Production Order, where a notification to the enforcing authority took place pursuant to this Regulation, based on the list of grounds for refusal provided for in this Regulation. Where a notification to the enforcing authority, or enforcement, takes place in accordance with this Regulation, the enforcing State could provide under its national law that the execution of a European Production Order might require the procedural involvement of a court in the enforcing State.

(62)

Where the enforcing authority is notified of a European Production Order to obtain traffic data, except for data requested for the sole purpose of identifying the user, as defined in this Regulation, or to obtain content data, it should have the right to assess the information set out in the order and, where appropriate, refuse it where, based on a mandatory and due analysis of the information contained in that order and in observance of the applicable rules of primary Union law, in particular the Charter, it reaches the conclusion that one or more of the grounds for refusal provided for in this Regulation could be raised. The need to respect the independence of judicial authorities requires that a degree of discretion be granted to those authorities when taking decisions as to the grounds for refusal.

(63)

It should be possible for the enforcing authority, where it is notified pursuant to this Regulation, to refuse a European Production Order where the data requested are protected by immunities or privileges granted under the law of the enforcing State which prevent the execution or enforcement of the European Production Order, or where the data requested are covered by rules on the determination or limitation of criminal liability that relate to freedom of the press or freedom of expression in other media, which prevent the execution or enforcement of the European Production Order.

(64)

It should be possible for the enforcing authority to refuse an order, in exceptional situations, where there are substantial grounds to believe, on the basis of specific and objective evidence, that the execution of the European Production Order would, in the particular circumstances of the case, entail a manifest breach of a relevant fundamental right as set out in Article 6 TEU and in the Charter. In particular, when assessing that ground for refusal, where the enforcing authority has at its disposal evidence or material such as that set out in a reasoned proposal by one third of the Member States, by the European Parliament or by the European Commission, adopted pursuant to Article 7(1) TEU, indicating that there is a clear risk, if the order were executed, of a serious breach of the fundamental right to an effective remedy and to a fair trial under Article 47 of the Charter, on account of systemic or generalised deficiencies concerning the independence of the issuing State’s judiciary, the enforcing authority should determine specifically and precisely whether, having regard to the personal situation of the person concerned, as well as to the nature of the offence for which the criminal proceedings are conducted, and the factual context that forms the basis of the order, and in the light of the information provided by the issuing authority, there are substantial grounds for believing that there is a risk of a breach of a person’s right to a fair trial.

(65)

It should be possible for the enforcing authority to refuse an order where the execution of such order would be contrary to the principle of ne bis in idem.

(66)

It should be possible for the enforcing authority, where it is notified pursuant to this Regulation, to refuse a European Production Order in the event that the conduct for which the order has been issued does not constitute an offence under the law of the enforcing State, unless it concerns an offence listed within the categories of offences set out in an annex to this Regulation, as indicated by the issuing authority in the EPOC, if it is punishable in the issuing State by a custodial sentence or a detention order for a maximum period of at least three years.

(67)

Since informing the person whose data are requested is an essential element as regards data protection rights and defence rights, in that it enables effective review and judicial redress, in accordance with Article 6 TEU and the Charter, the issuing authority should inform the person whose data are being requested, without undue delay, about the production of data on the basis of a European Production Order. However, the issuing authority should be able, in accordance with national law, to delay or restrict informing or omit to inform the person whose data are being requested, to the extent that, and for as long as, the conditions of Directive (EU) 2016/680 are met, in which case the issuing authority should indicate in the case file the reasons for the delay, restriction or omission and add a short justification in the EPOC. The addressees and, if different, the service providers should take the necessary state-of-the-art operational and technical measures to ensure the confidentiality, secrecy and integrity of the EPOC or the EPOC-PR and of the data produced or preserved.

(68)

It should be possible for a service provider to claim reimbursement of its costs for responding to a European Production Order or to a European Preservation Order from the issuing State, if that possibility is provided for in the national law of the issuing State for domestic orders in similar situations, in accordance with the national law of that State. Member States should inform the Commission about their national rules for reimbursement, and the Commission should make them public. This Regulation provides for separate rules applicable to the reimbursement of costs related to the decentralised IT system.

(69)

Without prejudice to national laws providing for the imposition of criminal penalties, Member States should lay down the rules on pecuniary penalties applicable to infringements of this Regulation and should take all measures necessary to ensure that they are implemented. Member States should ensure that pecuniary penalties provided for in their national law are effective, proportionate and dissuasive. Member States should, without delay, notify the Commission of those rules and of those measures and should notify it, without delay, of any subsequent amendment affecting them.

(70)

When assessing in the individual case the appropriate pecuniary penalty, the competent authorities should take into account all relevant circumstances, such as the nature, gravity and duration of the breach, whether it was committed intentionally or through negligence, whether the service provider has been held responsible for similar previous breaches and the financial strength of the service provider held liable. In exceptional circumstances, that assessment could lead the enforcing authority to decide to abstain from imposing any pecuniary penalties. In this respect, particular attention is to be given to microenterprises that fail to comply with a European Production Order or a European Preservation Order in an emergency case due to lack of human resources outside normal business hours, if the data are transmitted without undue delay.

(71)

Without prejudice to data protection obligations, service providers should not be held liable in Member States for prejudice caused to their users or third parties exclusively resulting from compliance in good faith with an EPOC or an EPOC-PR. The responsibility for ensuring the legality of the order concerned, in particular its necessity and proportionality, should lie with the issuing authority.

(72)

Where the addressee does not comply with an EPOC within the deadline or with an EPOC-PR, without providing reasons accepted by the issuing authority, and, if applicable, where the enforcing authority has not invoked any of the grounds for refusal as provided for in this Regulation, it should be possible for the issuing authority to request the enforcing authority to enforce the European Production Order or the European Preservation Order. To that end, the issuing authority should transfer the order concerned, the relevant form provided for in this Regulation, as completed by the addressee, and any relevant document to the enforcing authority. The issuing authority should translate the order concerned and any document to be transferred into one of the languages accepted by the enforcing State and should inform the addressee of the transfer. That State should enforce the order concerned in accordance with its national law.

(73)

The procedure for enforcement should allow the addressee to invoke grounds against the enforcement, based on a list of specific grounds provided for in this Regulation, including that the order concerned has not been issued or validated by a competent authority as provided for in this Regulation, or where the order does not concern data stored by or on behalf of the service provider at the time of receipt of the relevant certificate. The enforcing authority should be able to refuse to recognise and enforce a European Production Order or a European Preservation Order based on those same grounds, and also, in exceptional situations, on account of the manifest breach of a relevant fundamental right as set out in Article 6 TEU and the Charter. The enforcing authority should consult the issuing authority before deciding not to recognise or not to enforce the order, based on those grounds. Where the addressee does not comply with its obligations under a recognised European Production Order or European Preservation Order the enforceability of which has been confirmed by the enforcing authority, that authority should impose a pecuniary penalty. That penalty should be proportionate, in particular in view of specific circumstances such as repeated or systemic non-compliance.

(74)

Compliance with a European Production Order could conflict with an obligation under the applicable law of a third country. To ensure comity in respect of the sovereign interests of third countries, to protect the individual concerned and to address conflicting obligations on service providers, this Regulation provides for a specific mechanism for judicial review where compliance with a European Production Order would prevent a service provider from complying with legal obligations deriving from the law of a third country.

(75)

Where an addressee considers that a European Production Order in a specific case would entail the violation of a legal obligation deriving from the law of a third country, it should inform the issuing authority and the enforcing authority of its reasons for not executing the order by way of a reasoned objection, using the form provided for in this Regulation. The issuing authority should review the European Production Order on the basis of the reasoned objection and any input provided by the enforcing State, taking into account the same criteria that the competent court of the issuing State would have to follow. Where the issuing authority intends to uphold the order, it should request a review by the competent court of the issuing State, as notified by the relevant Member State, which should review the order.

(76)

In determining the existence of a conflicting obligation in the specific circumstances of the case under examination, the competent court could rely on appropriate external expertise where needed, for example on the interpretation of the law of the third country concerned. For that purpose, the competent court could for example consult the central authority of the third country, taking into account Directive (EU) 2016/680. Information should, in particular, be requested from the competent authority of the third country by the issuing State where the conflict concerns fundamental rights or other fundamental interests of the third country related to national security and defence.

(77)

Expertise on interpretation could also be provided through expert opinions where available. Information and case law on the interpretation of the law of a third country and on conflict of law procedures in Member States should be made available on a central platform such as the SIRIUS project or the European Judicial Network, with a view to making it possible to benefit from experience and expertise gathered on the same or similar questions. The availability of such information on a central platform should not prevent a renewed consultation of the third country where appropriate.

(78)

When assessing whether conflicting obligations exist, the competent court should determine whether the law of the third country is applicable and, if so, whether the law of the third country prohibits disclosure of the data concerned. Where the competent court establishes that the law of the third country prohibits disclosure of the data concerned, that court should determine whether to uphold or lift the European Production Order, by weighing a number of elements which are designed to ascertain the strength of the connection to either of the two jurisdictions involved, the respective interests in obtaining or instead preventing the disclosure of the data, and the possible consequences for the addressee or for the service provider of complying with the order. Particular importance and weight should be given to the protection of fundamental rights by the relevant law of the third country and other fundamental interests, such as national security interests of the third country, as well as the degree of connection between the criminal case and either of the two jurisdictions when conducting the assessment. Where the court decides to lift the order, it should inform the issuing authority and the addressee. If the competent court determines that the order is to be upheld, it should inform the issuing authority and the addressee, and that addressee should proceed with the execution of that order. The issuing authority should inform the enforcing authority about the outcome of the review procedure.

(79)

The conditions set out in this Regulation for the execution of an EPOC should also be applicable in the event of conflicting obligations deriving from the law of a third country. Therefore, during the judicial review, where compliance with a European Production Order would prevent service providers from complying with a legal obligation deriving from the law of a third country, the data requested by that order should be preserved. Where, following the judicial review, the competent court decides to lift a European Production Order, it should be possible to issue a European Preservation Order to allow the issuing authority to seek production of the data through other channels, such as mutual legal assistance.

(80)

It is essential that all persons whose data are requested in criminal investigations or proceedings have access to an effective legal remedy, in line with Article 47 of the Charter. In line with that requirement and without prejudice to further legal remedies available in accordance with national law, any person whose data were requested via a European Production Order should have the right to effective remedies against that order. Where that person is a suspect or an accused person, such person should have the right to effective remedies during the criminal proceedings in which the data are being used as evidence. The right to effective remedies should be exercised before a court in the issuing State in accordance with its national law and should include the possibility of challenging the legality of the measure, including its necessity and proportionality, without prejudice to the guarantees of fundamental rights in the enforcing State, or other additional remedies in accordance with national law. This Regulation should not limit the possible grounds for challenging the legality of an order. The right to effective remedies provided for in this Regulation should be without prejudice to the right to seek remedies under Regulation (EU) 2016/679 and Directive (EU) 2016/680. Information should be provided in due time about the possibilities under national law for seeking remedies and it should be ensured that they can be exercised effectively.

(81)

Appropriate channels should be developed to ensure that all parties can efficiently cooperate by digital means, through a decentralised information technology (IT) system that allows for the swift, direct, interoperable, sustainable, reliable and secure cross-border electronic exchange of case-related forms, data and information.

(82)

In order to allow for efficient and secure written communication between competent authorities and designated establishments or legal representatives of service providers under this Regulation, those designated establishments or legal representatives should be provided with electronic means of access to the national IT systems, part of the decentralised IT system, operated by the Member States.

(83)

The decentralised IT system should comprise the IT systems of Member States and the Union agencies and bodies, and interoperable access points, through which those IT systems are interconnected. The access points of the decentralised IT system should be based on the e-CODEX system, established by Regulation (EU) 2022/850 of the European Parliament and of the Council (24).

(84)

Service providers who make use of bespoke IT solutions for the purposes of exchanging information and data related to requests for electronic evidence should be provided with automated means of accessing the decentralised IT systems by means of a common data exchange standard.

(85)

As a rule, all written communication between competent authorities or between competent authorities and designated establishments or legal representatives should be carried out through the decentralised IT system. It should be possible to use alternative means only where the use of the decentralised IT system is not possible, for example because of specific forensic requirements, because the volume of data to be transferred is hampered by technical capability constraints, or because another establishment not connected to the decentralised IT system has to be addressed in an emergency case. In such cases, the transmission should be carried out by the most appropriate alternative means, taking into account the need to ensure a swift, secure and reliable exchange of information.

(86)

To ensure that the decentralised IT system contains a complete record of written exchanges under this Regulation, any transmission carried out by alternative means should be recorded in the decentralised IT system without undue delay.

(87)

The use of mechanisms to ensure authenticity, as provided for in Regulation (EU) No 910/2014 of the European Parliament and of the Council (25), should be considered.

(88)

Service providers, in particular small- and medium-sized enterprises, should not be exposed to disproportionate costs in relation to the establishment and operation of the decentralised IT system. As part of the creation, maintenance and development of the reference implementation, the Commission is therefore also to make available a web-based interface allowing service providers to communicate securely with authorities without having to establish their own dedicated infrastructure in order to access the decentralised IT system.

(89)

It should be possible for Member States to use software developed by the Commission, namely the reference implementation software, instead of a national IT system. That reference implementation software is to be based on a modular setup, meaning that the software is packaged and delivered separately from the e-CODEX system components needed to connect it to the decentralised IT system. That setup should enable Member States to reuse or enhance their existing respective national judicial communication infrastructure for the purpose of cross-border use.

(90)

The Commission should be responsible for the creation, maintenance and development of the reference implementation software. The Commission should design, develop and maintain the reference implementation software in compliance with the data protection requirements and principles laid down in Regulation (EU) 2018/1725 of the European Parliament and of the Council (26), Regulation (EU) 2016/679, and Directive (EU) 2016/680, in particular the principles of data protection by design and by default as well as a high level of cybersecurity. It is important that the reference implementation software also include appropriate technical measures and make it possible to take the organisational measures necessary for ensuring an appropriate level of security and interoperability.

(91)

In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (27).

(92)

For data exchanges carried out via the decentralised IT system or recorded in the decentralised IT system, Member States should be able to collect statistics to fulfil their monitoring and reporting obligations under this Regulation via their national portals.

(93)

In order to monitor the outputs, results and impacts of this Regulation, the Commission should publish an annual report on the preceding calendar year, based on data obtained from the Member States. For that purpose, Member States should collect and provide to the Commission comprehensive statistics on different aspects of this Regulation, by type of data requested, the addressees and whether it was an emergency case or not.

(94)

The use of pre-translated and standardised forms would facilitate cooperation and the exchange of information under this Regulation, thereby allowing for quicker and more effective communication in a user-friendly manner. Such forms would reduce translation costs and contribute to a high-quality standard of communication. Response forms would similarly make a standardised exchange of information possible, in particular where service providers are unable to comply because the user account does not exist or because no data are available. The forms provided for in this Regulation would also facilitate the gathering of statistics.

(95)

In order to effectively address a possible need for improvements regarding the content of the EPOC and EPOC-PR forms and of the forms to be used for providing information on the impossibility of executing an EPOC or an EPOC-PR, for confirming the issuance of a request for production following a European Preservation Order and for extending the preservation of electronic evidence, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union (TFEU) should be delegated to the Commission in respect of the amendment of the forms provided for in this Regulation. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (28). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(96)

This Regulation should not affect Union or other international instruments, agreements and arrangements on the gathering of evidence that falls within the scope of this Regulation. Member States’ authorities should choose the tool most adapted to the case at hand. In some cases, they might prefer to use Union and other international instruments, agreements and arrangements when requesting a set of different types of investigative measures that are not limited to the production of electronic evidence from another Member State. Member States should notify the Commission at the latest three years after the entry into force of this Regulation of the existing instruments, agreements and arrangements referred to in this Regulation which they will continue to apply. Member States should also notify the Commission within three months of the signing of any new agreement or arrangement as referred to in this Regulation.

(97)

Given technological developments, new forms of communication tools could prevail in a few years, or gaps could emerge in the application of this Regulation. It is therefore important to provide for an evaluation of its application.

(98)

The Commission should carry out an evaluation of this Regulation that should be based on the five criteria of efficiency, effectiveness, relevance, coherence and EU added value, and that evaluation should provide the basis for impact assessments of possible further measures. The evaluation report should include an assessment of the application of this Regulation and of the results that have been achieved with regard to its objectives, as well as an assessment of this Regulation’s impact on fundamental rights. The Commission should collect information regularly in order to inform the evaluation of this Regulation.

(99)

Since the objective of this Regulation, namely to improve the securing and obtaining of electronic evidence across borders, cannot be sufficiently achieved by the Member States given its cross-border nature, but can rather be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

(100)

In accordance with Article 3 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and to the TFEU, Ireland has notified its wish to take part in the adoption and application of this Regulation.

(101)

In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(102)

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 6 November 2019 (29),