EUROPEAN COMMISSION
Strasbourg,17.4.2018
COM(2018) 226 final
2018/0107(COD)
Proposal for a
DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings
{SWD(2018) 118 final}
{SWD(2018) 119 final}
EXPLANATORY MEMORANDUM
1.CONTEXT OF THE PROPOSAL
•Reasons for and objectives of the proposal
Online service providers such as electronic communications services or social networks, online marketplaces and other hosting service providers are important drivers of innovation and growth in the digital economy. They facilitate an unprecedented access to information and make it easier for individuals to communicate with one another. These services connect hundreds of millions of users and provide innovative services to individuals and businesses. They generate significant benefits for the digital single market and the economic and social wellbeing of users across the Union and beyond. The growing importance and presence of the internet and of communication and information society services in our daily lives and societies are reflected in the exponential growth of usage. However, these services can also be misused as tools to commit or facilitate crimes, including serious crimes such as terrorist attacks. When that happens, these services and applications (‘apps’) often are the only place where investigators can find leads to determine who committed a crime and to obtain evidence which can be used in court.
Given the borderless nature of the internet, such services can in principle be provided from anywhere in the world and do not necessarily require a physical infrastructure, corporate presence or staff in Member States where the services are offered or in the internal market as a whole. The cross-border offering of such services is encouraged and supported within the EU in particular by the freedom to provide services.
Service providers active in the internal market can be divided into three main categories: (1) service providers headquartered in a Member State offering services in the territory of only that Member State; (2) service providers headquartered in a Member State offering services in several Member States; and (3) service providers headquartered outside the EU offering services in one or several EU Member States, with or without an establishment in one or more of these Member States.
In the absence of a general requirement for service providers to ensure a physical presence within the territory of the Union, Member States have taken steps at national level to ensure compliance with national legal obligations that they consider to be essential and in line with Art. 3(4) of Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market 1 (e-Commerce Directive). Such steps include requiring access to evidence or other types of information when requested by judicial authorities in criminal matters. These national approaches vary widely across Member States and include measures ranging from expanded enforcement jurisdiction 2 to the obligation to designate a legal representative on the relevant Member State’s territory for certain service providers offering services within that territory. For example, Germany has recently passed the ‘Network Enforcement Act’ 3 , obliging providers of social networks 4 to designate a person in Germany authorised to receive law enforcement requests. The law imposes sanctions of up to EUR 500 000 for failure to name a representative or to respond to requests for information when acting as the person authorised to receive service. Discussions on similar measures are under way in Italy 5 . Other Member States, such as Belgium, do not require local representation but instead seek to enforce national obligations directly against providers based abroad through domestic proceedings 6 .
Member States also apply a number of different connecting factors to assert jurisdiction over a service provider, such as its main seat, the place where services are offered, the location of the data or a combination of factors. In addition, there are disparate cooperation mechanisms and informal agreements between the authorities of some Member States and some service providers. Some of the larger service providers estimated, for the purposes of the impact assessment, that their annual costs of compliance with national legal obligations are in the high seven digits. The cost of complying with diverging national requirements, while presumably proportionate to market presence, can prove prohibitive to smaller service providers.
When it comes to the enforceability of requests sent in the context of such arrangements, there are differences between Member States as to whether service providers are under an obligation to cooperate or not. The sanctions and enforcement in case of non-compliance are also fragmented. Even in cases where the service provider complies with the order imposing the sanction, it is still difficult to enforce the original order to provide the data.
Member States have highlighted these challenges as key issues to be tackled jointly on several occasions:
·On 22 March 2016, a joint statement of Ministers of Justice and Home Affairs and representatives of the EU institutions on the terrorist attacks in Brussels 7 , stressed the need, as a matter of priority, to find ways to secure and obtain electronic evidence more quickly and effectively by intensifying cooperation with third countries and with service providers that are active on European territory, in order to enhance compliance with EU and Member States’ legislation.
·In Council Conclusions adopted on 9 June 2016 8 , the Member States reiterated their determination to act to uphold the rule of law in cyberspace and called on the Commission to develop a common EU approach on improving criminal justice in cyberspace as a matter of priority.
A two-fold legislative approach is necessary to address these challenges. This proposal lays down rules on the legal representation in the Union of certain service providers for the purposes of gathering evidence in criminal proceedings. In addition, an instrument adopted on the basis of Article 82(1) TFEU, is needed to provide for the direct serving of orders on the service provider in cross-border situations. Thus, the foregoing challenges are dealt with through a combination of these two proposals. But it is important to keep in mind that this proposal clearly and foremost aims to identify the addressee of the orders of Member States’ authorities to obtain evidence in criminal matters held by service providers. Therefore, this proposal aims to remove some of the obstacles to addressing the service providers by offering a common, EU-wide solution for addressing legal orders to service providers by way of a legal representative. This removes the need for individualised and uncoordinated national approaches and provides legal certainty at EU level. To that end, this proposal sets obligations for the Member States to ensure that service providers designate empowered legal representatives legally responsible for complying with judicial orders and decisions on behalf of these service providers.
In addition, a harmonised approach creates a level playing field for all companies offering the same type of services in the EU, regardless of where they are established or act from, while respecting the country of origin principle set out in Art. 3 of the e-Commerce Directive. That principle applies only to providers of information society services which are established in the EU and is moreover subject to a number of exceptions and possible exemptions. Harmonised rules at EU level are not only necessary to eliminate obstacles to the provision of services and to ensure a better functioning of the internal market but also to ensure a more coherent approach to criminal law in the Union. A level playing field is also necessary for other fundamental premises for the good functioning of the internal market, such as the protection of fundamental rights of citizens and the respect of sovereignty and public authority when it comes to the effective implementation and enforcement of national and European legislation.
•Consistency with existing EU legal framework in the policy area
The obligation to designate a legal representative for service providers not established in the EU but offering services in the EU already exists in certain acts of EU law applicable in particular fields. This is the case, for instance, in the General Data Protection Regulation (EU) 2016/679 (Article 27) 9 and in Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (Article 18) 10 . The Commission proposal for an ePrivacy Regulation also contains such an obligation (Article 3) 11 .
As noted above, this proposal is consistent with the e-Commerce Directive and in particular with the country of origin principle laid down in the Directive’s Article 3. It leaves the provisions of that Directive, including the requirements on providing information pursuant to Article 5, unaffected.
•Summary of the proposed Directive (how it improves current framework)
There are currently varying approaches across Member States when it comes to obligations imposed on service providers, especially in criminal proceedings. Fragmentation has appeared in particular in electronic evidence, as certain service providers store information that can be relevant for the investigation and prosecution of criminal offences. This fragmentation creates legal uncertainty for those involved and can put service providers under different and sometimes conflicting obligations and sanctioning regimes in that regard, depending on whether they provide their services nationally, cross-border within the Union or from outside the Union. To reduce obstacles to the freedom to provide services, this Directive makes it mandatory for service providers to designate a legal representative in the Union to receive, comply with and enforce decisions aimed at gathering evidence by competent national authorities in criminal proceedings. The ensuing reduction of obstacles would ensure a better functioning of the internal market in a way which is coherent with the development of a common area of freedom, security and justice.
The obligation of designating a legal representative for all service providers that are operating in the Union would ensure that there is always a clear addressee of orders aiming at gathering evidence in criminal proceedings. This would in turn make it easier for service providers to comply with those orders, as the legal representative would be responsible for receiving, complying with and enforcing those orders on behalf of the service provider.
2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY
•Legal basis
The legal basis to support action in the field is found in Articles 53 and 62 of the Treaty on the Functioning of the European Union, which provide for the adoption of measures to coordinate the provisions laid down by law, regulation or administrative action in Member States on establishing and providing services.
In the present case, an obligation to appoint a legal representative in the Union would help in particular to eliminate obstacles to the freedom to provide services enshrined in Article 56 Treaty on the Functioning of the European Union, as outlined above.
•Choice of the instrument
Under Articles 53 and 62 of the Treaty on the Functioning of the European Union, the Commission can propose directives and non-binding instruments such as recommendations. Given the need to provide legal certainty and remove obstacles to the free provision of services, which cannot be achieved by adopting a non-binding instrument, the form of a directive was chosen.
•Subsidiarity
This proposal covers service providers offering services in the EU, regardless of their place of establishment, which may be in the EU or outside the EU. In the absence of a common EU approach, uncoordinated national solutions related to the receipt of, compliance with or the enforcement of decisions for gathering evidence in criminal proceedings are liable to lead to fragmentation, creating a patchwork of diverse and possibly conflicting national obligations for service providers active in several markets. This hampers the provision of services across the EU. Given the diversity of legal approaches and the large range of stakeholders, Union-level legislation is the most appropriate means to address the identified problems.
•Proportionality
The proposal seeks to put forward a harmonised approach to remove existing and emerging obstacles to the provision of services as regards the issue of the receipt of, compliance with or the enforcement of decisions for gathering evidence in criminal proceedings. The chosen approach is considered proportionate to the burden imposed. In view of the increasing importance and presence of the internet and information society services, there are a number of possible options to address the current obstacles. Of these options, as discussed in more detail in the Impact Assessment 12 accompanying the legislative proposal, the mandatory appointment of a legal representative for certain service providers active in the EU achieves the objective of providing an effective mechanism to allow legal orders to be served without imposing an undue burden on service providers.
The obligation to designate a legal representative represents a higher burden for companies not established in the EU, as they could not rely on an existing corporate presence in the EU. On the other hand, this legal representative could be a third party, which could be shared between several service providers, in particular small and medium-sized businesses (‘SMEs’), and the legal representative may accumulate different functions (e.g. the General Data Protection Regulation or ePrivacy representatives in addition to the legal representative provided for by this instrument). It will only apply to SMEs who offer their services in the EU, and not in case of occasional data processing in the EU.
3.RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS
•Stakeholder consultations
Over a year and a half the Commission consulted all relevant stakeholders to identify problems and ways forward, including on the possibilities for improvement in the channels for interaction between authorities and service providers. This was done through surveys, ranging from an open public consultation to targeted surveys with the relevant public authorities. Group expert meetings and bilateral meetings were also organised to discuss the potential effects of EU legislation. Conferences discussing cross-border access to electronic evidence were also used to gather feedback on the initiative.
Through a targeted survey to public authorities in the Member States, it was revealed that there was no common approach on obtaining cross-border access to electronic evidence, as each Member State has its own domestic practice. Service providers also react differently to requests from foreign law enforcement authorities, and response times vary depending on the requesting Member State. This creates legal uncertainty for all stakeholders involved.
Throughout the consultation, service providers and some civil society organisations indicated the need to ensure legal certainty in direct cooperation with public authorities and to avoid conflicts of law. Key issues highlighted by public authorities included the lack of reliable cooperation with service providers, lack of transparency, and legal uncertainty surrounding jurisdiction for investigative measures. Some civil society organisations considered that EU-level legislation in this area was not desirable and indicated a preference for limiting EU action to improving mutual legal assistance procedures, which will be taken forward in parallel.
•Impact assessment
The Regulatory Scrutiny Board issued a positive opinion on the impact assessment 13 and made various suggestions for improvement 14 . Following this opinion, the impact assessment was amended to further discuss fundamental rights issues associated with the cross-border sharing of data, in particular the links between the various measures that are part of the preferred option. The assessment was also modified to better reflect the views of stakeholders and Member States and how they were taken into account. Moreover, the policy context was reviewed to include additional references to various aspects, such as discussions in expert groups, which helped shape the initiative. The complementarity between different measures was clarified in terms of scope, timing and depth, and the baseline scenario was revised to better reflect developments that are likely to occur independently from the adoption of the proposed measures. Finally, flowcharts were added to better describe the workflows for data sharing.
Four main policy options were considered besides the baseline scenario (Option O): a number of practical measures to improve both judicial cooperation procedures and direct cooperation between public authorities and service providers (Option A: non-legislative); an option combining the practical measures of Option A with international solutions (Option B: legislative); an option combining the previous measures contained in Option B with a European Production Order and a measure to improve access to databases (Option C: legislative); and an option combining all previous measures contained in Option C with legislation on direct access to remotely stored data (Option D: legislative). The Impact Assessment also identified the need for service providers offering services in the EU to nominate a legal representative in the Union , and this was included in Options C and D.
The Impact Assessment revealed that options including the legal representative (C and D) would add clear value compared to the other options. Although service providers would have to incur in additional costs in the short term due to the appointment of a legal representative, a harmonised framework at EU level is likely to reduce the burden on those providers currently responding to requests for data from law enforcement on a voluntary basis, which have to assess them under the different laws of all Member States. The cost model established and validated in cooperation with relevant service providers indicated that the initiative would generate significant savings in the medium and long term and remove obstacles to the internal market. Furthermore, legal certainty and standardisation of procedures should also have a positive impact on SMEs, since they would alleviate administrative burden. Overall, the initiative is also expected to generate savings for them.
•Fundamental rights
The obligation to appoint a legal representative seeks to eliminate obstacles to and hence facilitate the exercise of the freedom to provide services. In particular, the proposal allows service providers established in the Union to designate an existing establishment as its legal representative, with an exception only when this establishment is in a Member State not participating in judicial cooperation instruments adopted under Title V of the Treaty. This exception is meant to address the particular situation created by Title V of the Treaty, which needs to be taken into account.
4.BUDGETARY IMPLICATIONS
The legislative proposal does not have an impact on the Union budget.
5.OTHER ELEMENTS
•Implementation plans and monitoring, evaluation and reporting arrangements
The Directive has to be implemented by the Member States. The Commission will support this implementation process by creating a contact committee to ensure a harmonised and coherent implementation and avoid different systems for service providers. The Commission will, if necessary, issue guidance for service providers. The Commission will submit a report on its application, building on a detailed review of its functioning, to the European Parliament and the Council at the latest 5 years after the entry into application. If necessary, the report will be accompanied by proposals adapting this Directive.
•Detailed explanation of the specific provisions of the proposal
Article 1 Subject matter and scope
Article 1 establishes the subject matter of the Directive, which is to lay down rules on the legal representation in the Union of certain service providers for the purpose of gathering evidence in criminal proceedings.
The type of obligations requested from service providers may take several forms, such as receiving an order in criminal proceedings from a prosecutor or a judge with legal consequences, providing data needed in those criminal proceedings, taking certain measures for data preservation in criminal proceedings or being addressed with an enforcement procedure in case of non-compliance. Due to their commercial and territorial policies, service providers may have difficulty in complying with these different types of increasingly frequent requests. On the other hand, competent authorities need to know whom and how to address service providers established or offering services on the territory of the Union.
Member States shall not put additional obligations to those deriving from this Directive on service providers under the scope of this Directive, such as obliging them to establish a legal representative in their own territory instead of anywhere in the Union where they offer services.
Harmonised rules on legal representation should not limit the powers given under Union and national law to competent authorities to address service providers established on their territory. In such cases, if national authorities decide to address their orders directly to the establishment of the service provider, the responsibility of the legal representative as set out in this Directive does not apply.
Article 2 Definitions
Article 2 sets out definitions which apply in this instrument.
The legal representative can be a legal or natural person designated by the service provider to act on its behalf to comply with any decisions of competent law enforcement and judicial authorities for the purpose of gathering evidence in criminal matters. Service providers should be able to choose to designate an existing establishment in a Member State, including their main seat or headquarters, and also to designate several legal representatives.
The following types of service providers fall under the scope of the Directive: providers of electronic communications services, providers of information society services that store data as part of the service provided to the user, including social networks, online marketplaces and other hosting service providers, and providers of names and numbering services for the internet.
The scope of this Directive covers providers of electronic communication services, as defined [in the Directive establishing the European Electronic Communications Code]. Traditional telecommunication services, consumers and businesses increasingly rely on new internet-based services enabling inter-personal communications such as Voice over IP, instant messaging and email services, instead of traditional communications services. These services, along with social networks, such as Twitter and Facebook, which allow users to share content, are therefore covered by this proposal.
In many cases, data is no longer stored on a user’s device but is made available on a cloud-based infrastructure allowing in principle access from anywhere. Service providers do not need to be established or to have servers in every jurisdiction but rather use centralised systems to provide their services. To take into account this development, the definition covers cloud services that provide a variety of computing resources such as networks, servers or other infrastructure, storage, apps and services that make it possible to store data for different purposes. The instrument also applies to digital marketplaces that allow consumers and/or traders to conclude transactions via online sales or service contracts with traders. Such transactions are made either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace. It is therefore this marketplace that is usually in possession of electronic evidence that may be needed in the course of criminal proceedings.
Services for which the storage of data is not a defining component are not covered by the proposal. Although most services delivered by providers nowadays involve some kind of storage of data, especially where they are delivered online at a distance, services for which the storage of data is not a main characteristic and is thus only of an ancillary nature may be discerned, including legal, architectural, engineering and accounting services provided online at distance.
Data held by providers of internet infrastructure services, such as domain name registrars and registries and privacy and proxy service providers, or by regional internet registries for internet protocol addresses, may be of relevance for criminal proceedings as they can provide traces allowing for identification of an individual or entity possibly involved in criminal activity.
For the purposes of defining those service providers falling into the ambit of application of this Directive, there should be a sufficient link between the provider and the Union. In that regard it should be assessed whether the service provider enables legal or natural persons in the Union to use its services. However, the mere accessibility of the service (which could also derive from the accessibility of the service provider’s or an intermediary’s website or of an email address and of other contact details) should not be a sufficient condition for applying this Directive. Therefore, a substantial connection to the Union should be required. Such a substantial connection would certainly exist where the service provider has an establishment in the Union. In the absence of an establishment in the Union, the criterion of a substantial connection to the Union should be assessed on the basis of the existence of a significant number of users in one or more Member States, or the targeting of activities towards one or more Member States. The targeting of activities towards one or more Member States can be determined on the basis of all relevant circumstances, including factors such as the use of a language or a currency generally used in that Member State, or the possibility of ordering goods or services. The targeting of activities towards a Member State could also be derived from the availability of an app in the relevant national app store, from providing local advertising or advertising in the language used in a Member State, from making use of any information originating from persons in Member States in the course of its activities or from the handling of customer relations such as by providing customer service in the language generally used in a Member State. A substantial connection is also to be assumed where a service provider directs its activities towards one or more Member States as set out in Article 17(1)(c) of Regulation 1215/2012 on jurisdiction and the recognition and enforcement of judgements in civil and commercial matters.
Article 3 Legal representative
Article 3(1) and (2) establish the obligation that has to be imposed upon service providers providing services in the Union to designate a legal representative in the Union. In principle, service providers should be free to choose in which Member State they designate their legal representative, and in accordance with Article 1(2), Member States may not restrict this free choice, for example by imposing an obligation to designate the legal representative on their territory. However, Article 3(1) to (3) contains certain restrictions with regard to this free choice of service providers, notably that the legal representative should be established in a Member State where the service provider provides services or is established. This restriction, which requires a pre-existing connection between the service provider and the Member State where the legal representative is to be designated, limits the possibility of service providers to select the Member State based on considerations which would run counter to the aims of this Directive, such as the level of fines. Article 3(1) to (3) also defines which Member States are responsible for imposing the obligation to service providers.
Article 3(1) applies to service providers established in the Union. They have to designate at least one legal representative in the Union, more specifically in a Member State where they offer services or are established. The Member States where service providers are established are responsible for imposing this obligation.
Article 3(2) applies to service providers that are not established in the Union. In that case, they should designate a legal representative in one of the Member States where they offer services. The Member States where the service provider offers services are responsible for imposing this obligation.
Article 3(3) applies in both cases covered by Article 3(1) and 3(2) and imposes additional requirements to address the problem inherent to the interplay between an internal market instrument and judicial cooperation instruments adopted under Title V of the Treaty. A legal representative designated in a Member State not participating in a relevant judicial cooperation instrument would not fully fulfil its role, as it could not be addressed with an order under this instrument. This is why Article 3(3) requires service providers offering services in Member States participating in such instruments to designate a legal representative in one of them. As a result, a service provider establishing a legal representative in a Member State participating in a judicial cooperation instrument under Title V would fulfil its obligations both under paragraph 1 or 2, depending on the case, and under paragraph 3. On the other hand, a service provider designating a legal representative in a Member State not participating in a judicial cooperation instrument under Title V would thereby fulfil its obligation under paragraph 1 or 2, but in order to also fulfil its obligation under paragraph 3, it would have to nominate another legal representative in one of the Member States participating in a judicial cooperation instrument under Title V. The Member States taking part in a relevant instrument and where the service provider offers services are responsible for imposing this obligation.
Because of the ‘variable geometry’ that exists in the area of criminal law, with Denmark not participating in any Union legislation under Title V, and a right to opt-in for the United Kingdom and Ireland, there are currently different instruments that apply in the relationships between Member States when gathering evidence in criminal proceedings. These instruments include the Directive regarding the European Investigation Order and the 2000 Mutual Legal Assistance Convention. The European Production Order will add to this multifaceted legal regime. The resulting complexity is likely to lead to an increased risk that the Member States participating in the Regulation on European Production Orders may develop uncoordinated national solutions, which would in turn lead to further fragmentation and legal uncertainty for all stakeholders concerned. This is why all Member States should be required to ensure that service providers not established in the Union but offering services in the Union designate a legal representative in the Union, which would be the addressee of direct requests in cross-border situations, and of requests based on judicial cooperation between judicial authorities. In addition, to avoid the risk of weakening the effectiveness of the EU legal instruments adopted under Title V, Chapter 4, of the Treaty on the Functioning of the EU for gathering evidence in criminal matters, to which only some Member States participate, a legal representative should be designated in one of those Member States taking part in those legal instruments.
Service providers should be free to designate one of their establishments within the Union, including their main seat or headquarters, as their legal representative, subject to the conditions set out in the Directive.
Article 3(6) clarifies that Member States have to ensure in national law that a designated legal representative can be held liable for non-compliance, without prejudice to the liability of service provider itself. Service providers should not be able to claim they are not responsible for example for the non-compliance of their legal representative. Neither can they exculpate themselves due to missing or ineffective internal procedure, as they are responsible for providing the necessary resources and powers to guarantee compliance with orders and national decisions. Nor should the legal representative be able to exculpate himself by claiming for example he is not empowered to deliver data.
Article 4 Notifications and languages
Article 4 sets out the obligation for Member States to ensure that service providers designate one or more legal representatives and provide their contact details.
The notification should also include information on the language(s) in which the service provider can be addressed. The official language of the Member State in which the legal representative is located will be the one used by default. If there are several official languages, the service provider can choose one or more of them. Moreover, service providers will be able to choose additional official languages of the Union to be addressed in by competent authorities of all Member States. This will allow service providers to choose a language used, for example, in internal communications with headquarters or which is currently frequently used in requests and thus bring about more consistency and certainty for both competent authorities and service providers.
Where a service provider designates several legal representatives, they may also notify considerations to determine which one should be addressed. These are not binding for Member States’ authorities, but should be followed except in duly justified cases.
The service providers are responsible for making this information publicly available, e.g. on their website, and for keeping this information up to date. Additionally, the Member States should make available the relevant information on dedicated websites to help judicial authorities identify the correct addressee.
Article 5 Sanctions
For the cases where service providers covered by this Directive do not comply with the national provisions adopted pursuant to this Directive, Member States should provide in their national law effective, proportionate and dissuasive sanctions which can be imposed on service providers for not establishing a legal representative as set out in this Directive and not providing the necessary powers, resources and conditions such as infrastructure for the legal representative for generally complying with decisions by national authorities and deliver the requested evidence.
Penalties or fines for the non-compliance by the legal representative with a specific decision such as an order in concrete proceedings, on the other hand, are the matter of other specific instruments, such as the Regulation on European Production and Preservation Orders for electronic evidence in criminal matters or the national law.
Article 6 Coordination mechanism
To ensure a coherent approach, the Directive provides for a coordination mechanism on the basis of central authorities designated by Member States. This coordination mechanism will enable Member States to exchange information, provide for assistance and cooperate in their enforcement approach, e.g. by identifying the most appropriate Member State to take action in a given case of non-compliance.
Articles 7, 8, 9 and 10
These Articles contain further provisions on transposition by Member States, review by the Commission, entry into force of the Directive and the addressees of the Directive. The proposed Directive will enter into force the twentieth day after its publication in the Official Journal. Member States will have 6 months to transpose the provisions of the proposed Directive into national law. The Commission shall carry out an evaluation of this Directive in line with the Commission's Better Regulation Guidelines and pursuant to paragraph 22 of the Interinstitutional Agreement of 13 April 2016 15 .
2018/0107 (COD)
Proposal for a
DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 53 and 62 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee 16 ,
Acting in accordance with the ordinary legislative procedure,
Whereas:
(1)Network-based services can in principle be provided from anywhere and do not require a physical infrastructure, corporate presence, or staff in the country where the services are offered, nor in the internal market itself. As a consequence, it can be difficult to apply and enforce obligations laid down in national and Union law which apply to the service providers concerned, in particular the obligation to comply with an order or a decision by a judicial authority. This is the case in particular in criminal law, where Member States’ authorities face difficulties with serving, ensuring compliance and enforcing their decisions, in particular where relevant services are provided from outside their territory.
(2)Against that background, Member States have taken a variety of disparate measures to more effectively apply and enforce their legislation. This includes measures for addressing service providers to obtain electronic evidence that is of relevance to criminal proceedings.
(3)To that end, some Member States have adopted, or are considering adopting, legislation imposing mandatory legal representation within their own territory, for a number of service providers offering services in that territory. Such requirements create obstacles to the free provision of services within the internal market.
(4)There is a significant risk that other Member States will try to overcome existing shortcomings related to gathering evidence in criminal proceedings by means of imposing disparate national obligations in the absence of a Union-wide approach. This is bound to create further obstacles to the free provision of services within the internal market.
(5)Under the current circumstances, the resulting legal uncertainty affects both service providers and national authorities. Disparate and possibly conflicting obligations are set out for service providers established or offering services in different Member States, which also subject them to different sanction regimes in case of violations. This divergence in the framework of criminal proceedings will likely further expand because of the growing importance of communication and information society services in our daily lives and societies. The foregoing not only represents an obstacle to the proper functioning of the internal market but also entails problems for the establishment and correct functioning of the Union’s area of freedom, security and justice.
(6)To avoid such fragmentation and to ensure that undertakings active in the internal market are subject to the same or similar obligations, the Union has adopted a number of legal acts in related fields such as data protection 17 . To increase the level of protection for the data subjects, the rules of the General Data Protection Regulation 18 provide for the designation of a legal representative in the Union by controllers or processors not established in the Union but offering goods or services to individuals in the Union or monitoring their behaviour if their behaviour takes place within the Union, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body.
(7)By setting out harmonised rules on the legal representation of certain service providers in the Union for receipt of, compliance with and enforcement of decisions issued by competent authorities in the Member States for the purposes of gathering evidence in criminal proceedings, the existing obstacles to the free provision of services should be removed, as well as the future imposition of divergent national approaches in that regard should be prevented. Level playing field for service providers should be established. Moreover, more effective criminal law enforcement in the common area of freedom, security and justice should be facilitated.
(8)The legal representative at issue should serve as an addressee for domestic orders and decisions and for orders and decisions pursuant to Union legal instruments adopted within the scope of Title V, Chapter 4, of the Treaty on the Functioning of the European Union for gathering evidence in criminal matters. This includes both instruments that permit the direct serving of orders in cross-border situations on the service provider, and instruments based on judicial cooperation between judicial authorities under Title V, Chapter 4.
(9)Member States shall ensure that the obligation to designate a legal representative is immediate, that is from the date of transposition set out in Article 7 for service providers that offer services in the Union at that date, or from the moment service providers start offering services in the Union for those service providers that will start offering services after the date of transposition.
(10)The obligation to designate a legal representative should apply to service providers that offer services in the Union, meaning in one or more Member States. Situations where a service provider is established on the territory of a Member State and offers services exclusively on the territory of that Member State, should not be covered by this Directive.
(11)Notwithstanding the designation of a legal representative, Member States should be able to continue addressing service providers established on their territory, be it in purely domestic situations, be it after receipt of a request for assistance under legal instruments on mutual legal assistance and on mutual recognition in criminal matters.
(12)The determination whether a service provider offers services in the Union requires an assessment whether the service provider enables legal or natural persons in the Union to use its services. However, the mere accessibility of an online interface (for instance the accessibility of the service provider’s or an intermediary’s website or of an email address and of other contact details) taken in isolation should not be a sufficient condition for the application of this Directive.
(13)A substantial connection to the Union should also be relevant to determine the ambit of application of this Directive. Such a substantial connection to the Union should be considered to exist where the service provider has an establishment in the Union. In the absence of such an establishment, the criterion of a substantial connection should be assessed on the basis of the existence of a significant number of users in one or more Member States, or the targeting of activities towards one or more Member States. The targeting of activities towards one or more Member States can be determined on the basis of all relevant circumstances, including factors such as the use of a language or a currency generally used in that Member State, or the possibility of ordering goods or services. The targeting of activities towards a Member State could also be derived from the availability of an application (‘app’) in the relevant national app store, from providing local advertising or advertising in the language used in that Member State, or from the handling of customer relations such as by providing customer service in the language generally used in that Member State. A substantial connection is also to be assumed where a service provider directs its activities towards one or more Member States as set out in Article 17(1)(c) of Regulation 1215/2012 on jurisdiction and the recognition and enforcement of judgements in civil and commercial matters. On the other hand, provision of the service in view of mere compliance with the prohibition to discriminate laid down in Regulation (EU) 2018/302 19 cannot be, on that ground alone, be considered as directing or targeting activities towards a given territory within the Union. The same considerations should apply to determine whether a service provider offers services in a Member State.
(14)Service providers obliged to designate a legal representative should be able to choose to that effect an existing establishment in a Member State, be it a corporate body or a branch, agency, office or a main seat or headquarters, and also more than one legal representative. Nevertheless, a corporate group should not be forced to designate multiple representatives, one for each undertaking part of that group. Different instruments adopted within the scope of Title V, Chapter 4, of the Treaty on the Functioning of the European Union apply in the relationships between Member States when gathering evidence in criminal proceedings. As a consequence of this ‘variable geometry’ that exists in the common area of criminal law, there is a need to ensure that the Directive does not facilitate the creation of further disparities or obstacles to the provision of services in the internal market by allowing service providers offering services on their territory to designate legal representatives within Member States that do not take part in relevant legal instruments, which would fall short of addressing the problem. Therefore, at least one representative should be designated in a Member State that participates in the relevant Union legal instruments to avoid the risk of weakening the effectiveness of the designation provided for in this Directive and to make use of the synergies of having a legal representative for the receipt of, compliance with and enforcement of decisions and orders issued in the context of gathering evidence in criminal proceedings, including under the [Regulation] or the 2000 Mutual Legal Assistance Convention. In addition, designating a legal representative, which could also be utilised to ensure compliance with national legal obligations, makes use of the synergies of having a clear point of access to address the service providers for the purpose of gathering evidence in criminal matters.
(15)Service providers should be free to choose in which Member State they designate their legal representative, and Member States may not restrict this free choice, e.g. by imposing an obligation to designate the legal representative on their territory. However, the Directive also contains certain restrictions with regard to this free choice of service providers, notably that the legal representative should be established in a Member State where the service provider provides services or is established, as well as the obligation to designate a legal representative in one of the Member States participating in judicial cooperation instruments adopted under Title V of the Treaty.
(16)The service providers most relevant for gathering evidence in criminal proceedings are providers of electronic communications services and specific providers of information society services that facilitate interaction between users. Thus, both groups should be covered by this Directive. Providers of electronic communication services are defined in the proposal for a Directive establishing the European Electronic Communications Code. They include inter-personal communications such as voice-over-IP, instant messaging and e-mail services. The categories of information society services included here are those for which the storage of data is a defining component of the service provided to the user, and refer in particular to social networks to the extent they do not qualify as electronic communications services, online marketplaces facilitating transactions between their users (such as consumers or businesses)and other hosting services, including where the service is provided via cloud computing. Information society services for which the storage of data is not a defining component, and for which it is only of an ancillary nature, such as legal, architectural, engineering and accounting services provided online at distance, should be excluded from the scope of this Directive, even where they may fall within the definition of information society services as per Directive (EU) 2015/1535.
(17)Providers of internet infrastructure services related to the assignment of names and numbers, such as domain name registrars and registries and privacy and proxy service providers or regional internet registries for internet protocol (‘IP’) addresses, are of particular relevance when it comes to the identification of actors behind malicious or compromised web sites. They hold data that is of particular relevance for criminal investigations as it can allow for the identification of an individual or entity behind a web site used in criminal activity, or the victim of criminal activity in the case of a compromised web site that has been hijacked by criminals.
(18)The legal representative should be able to comply with decisions and orders addressed to them by Member States’ authorities on behalf of the service provider, which should take the appropriate measures to ensure this result, including sufficient resources and powers. The absence of such measures or their shortcomings should not serve as grounds to justify non-compliance with decisions or orders falling into the ambit of application of by this Directive, neither for the service provider nor its legal representative.
(19)Service providers should notify the Member State in which the legal representative resides or is established of the identity and contact details of their legal representative, as well as related changes and updates of information. The notification should also provide information about the languages in which the legal representative can be addressed, which should include at least one of the official languages of the Member State where the legal representative resides or is established, but may include other official languages of the Union, such as the language of its headquarters. When the service provider designates more than one legal representative, it may also notify considerations to determine which one should be addressed. These considerations are not binding for Member States’ authorities, but should be followed except in duly justified cases. All this information, which is of particular relevance for Member States’ authorities, should be made publicly available by the service provider, for example on its website, in a manner comparable to the requirements for making available general information pursuant to Article 5 Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market 20 (e-Commerce Directive). For those service providers subject to the e-Commerce Directive, Article 3(3) complements but does not replace these requirements. Furthermore, Member States should also publish the relevant information for their country on a dedicated site of the e-Justice portal to facilitate coordination between Member States and use of the legal representative by authorities from another Member State.
(20)The infringement of the obligations to designate a legal representative and to notify and make publicly available the information related thereto should be subject to effective, proportionate and dissuasive sanctions. Under no circumstances should the sanctions determine a ban, permanent or temporary, of service provision. Member States should coordinate their enforcement action where a service provider offers services in several Member States. To ensure a coherent and proportionate approach, a coordination mechanism is provided. The Commission could facilitate such coordination if necessary, but needs to be informed of cases of infringement. This Directive does not govern the contractual arrangements for transfer or shifting of financial consequences between service providers and legal representatives of sanctions imposed upon them.
(21)This Directive is without prejudice to the investigative powers of authorities in civil or administrative proceedings, including where such proceedings can lead to sanctions.
(22)In order to ensure the application of the Directive in a consistent manner, additional mechanisms for the coordination between Member States should be put in place. For that purpose, Member States should designate a central authority that can provide central authorities in other Member States with information and assistance in the application of the Directive, in particular where enforcement actions under the Directive are considered. This coordination mechanism should ensure that relevant Member States are informed of the intent of a Member State to undertake an enforcement action. In addition, Member States should ensure that central authorities can provide each other with assistance in those circumstances, and cooperate with each other where relevant. Cooperation amongst central authorities in the case of an enforcement action may entail the coordination of an enforcement action between competent authorities in different Member States. For the coordination of an enforcement action, central authorities shall also involve the Commission where relevant. The existence of the coordination mechanism does not prejudice the right of an individual Member State to impose sanctions on service providers that fail to comply with their obligations under the Directive. The designation and publication of information about central authorities will facilitate the notification by service providers of the designation and contact details of its legal representative to the Member State where its legal representative resides or is established of the designation and contact details.
(23)Since the objective of this Directive, namely to remove obstacles to the free provision of services in the framework of gathering evidence in criminal proceedings, cannot be sufficiently achieved by the Member States, but can rather, by reason of the borderless nature of such services, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Directive does not go beyond what is necessary in order to achieve those objectives.
(24)The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council 21 and delivered an opinion on (…) 22 ,
(25)The Commission should carry out an evaluation of this Directive that should be based on the five criteria of efficiency, effectiveness, relevance, coherence and EU value added and should provide the basis for impact assessments of possible further measures. The evaluation should be completed 5 years after entry into application, to allow for the gathering of sufficient data on its practical implementation. Information should be collected regularly and in order to inform the evaluation of this Directive.
HAVE ADOPTED THIS DIRECTIVE:
Article 1
Subject matter and scope
1.This Directive lays down rules on the legal representation in the Union of certain service providers for receipt of, compliance with and enforcement of decisions and orders issued by competent authorities of the Member States for the purposes of gathering evidence in criminal proceedings.
2.Member States may not impose additional obligations to those deriving from this Directive on service providers covered by this Directive for the purposes set out in paragraph 1.
3.This Directive is without prejudice to the powers of national authorities in accordance with Union and national law to address service providers established on their territory for the purposes referred to in in paragraph 1.
4.This Directive shall apply to the service providers defined in Article 2(2) offering their services in the Union. It shall not apply where those service providers are established on the territory of a single Member State and offer services exclusively on the territory of that Member State.
Article 2
Definitions
For the purpose of this Directive, the following definitions apply:
(1) ‘legal representative’ means a legal or natural person, designated in writing by a service provider for the purpose of Articles 1(1), 3(1), 3(2) and 3(3);
(2) ‘service provider’ means any natural or legal person that provides one or more of the following categories of services:
(a)electronic communications service as defined in Article 2(4) of [Directive establishing the European Electronic Communications Code];
(b)information society services as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council 23 for which the storage of data is a defining component of the service provided to the user, including social networks, online marketplaces facilitating transactions between their users, and other hosting service providers;
(c)internet domain name and IP numbering services such as IP address providers, domain name registries, domain name registrars and related privacy and proxy services;
(3)‘offering services in a Member State’ means:
(a)enabling legal or natural persons in a Member State to use the services referred to in point (2); and
(b)having a substantial connection to the Member State referred to in point (a);
(4)‘establishment’ means either the actual pursuit of an economic activity for an indefinite period through a stable infrastructure from where the business of providing services is carried out or a stable infrastructure from where the business is managed;
(5)‘group’ means a group as defined in Article 3(15) of Directive (EU) 2015/849 of the European Parliament and of the Council 24 .
Article 3
Legal representative
1.Member States where a service provider offering services in the Union is established shall ensure that it designates at least one legal representative in the Union for the receipt of, compliance with and enforcement of decisions and orders issued by competent authorities of Member States for the purpose of gathering evidence in criminal proceedings. The legal representative shall reside or be established in one of the Member States where the service provider is established or offers the services.
2.Where a service provider is not established in the Union, Member States shall ensure that such service provider offering services on their territory designates at least one legal representative in the Union for the receipt of, compliance with and enforcement of decisions and orders issued by competent authorities of Member States for the purpose of gathering evidence in criminal proceedings. The legal representative shall reside or be established in one of the Member States where the service provider offers the services.
3.As regards the receipt of, compliance with and enforcement of decisions and orders issued by the competent authorities of Member States under Union legal instruments adopted within the scope of Title V, Chapter 4, of the Treaty on the Functioning of the European Union for gathering evidence in criminal proceedings, the Member States taking part in those legal instruments shall ensure that service providers offering services on their territory designate at least one representative in one of them. The legal representative shall reside or be established in one of the Member States where the service provider offers the services.
4.Service providers shall be free to designate additional legal representatives, resident or established in other Member States, including those where the service providers offer their services. Service providers which are part of a group shall be allowed to collectively designate one legal representative.
5.Member States shall ensure that the decisions and orders by their competent authorities for evidence gathering in criminal proceedings are addressed to the legal representative designated by the service provider to that effect. That representative shall be entrusted with the receipt, compliance and enforcement of those decisions and orders on behalf of the service provider concerned.
6.To this end, Member States shall ensure that the legal representative residing or established on their territory cooperates with the competent authorities when receiving those decisions and orders, in accordance with the applicable legal framework.
7.Member States shall ensure that service providers established or offering services in their territory provide their legal representative with the necessary powers and resources to comply with those decisions and orders.
8.Member States shall ensure that the designated legal representative can be held liable for non-compliance with obligations deriving from the applicable legal framework when receiving decisions and orders, without prejudice to the liability and legal actions that could be initiated against the service provider. In particular, the lack of appropriate internal procedures between the service provider and the legal representatives cannot be used as a justification for non-compliance with those obligations.
9.Member States shall ensure that the obligation to designate a legal representative applies from the date of transposition set out in Article 7 for service providers that offer services in the Union at that date, or from the moment service providers start offering services in the Union for those service providers that will start offering services after the date of transposition of the Directive.
Article 4
Notifications and languages
1.Member States shall ensure that, upon designation of its legal representative in accordance with Article 3(1), (2) and (3), each service provider established or offering services in their territory notifies in writing the central authority of the Member State where its legal representative resides or is established of the designation and contact details of its legal representative as well as any changes thereof.
2.The notification shall specify the official language(s) of the Union, as referred to in Regulation 1/58, in which the legal representative can be addressed. This shall include, at least, one of the official languages of the Member State where the legal representative resides or is established.
3.When a service provider designates several representatives, the notification shall specify the official language(s) of the Union or Member States covered by each of them or any other considerations to determine the appropriate legal representative to be addressed. In duly justified cases, Member States’ authorities may depart from those considerations.
4.Member States shall ensure that the service provider makes the information notified to them in accordance with this Article publicly available. Member States shall publish that information on a dedicated page of the e-Justice portal.
Article 5
Sanctions
1.Member States shall lay down rules on sanctions applicable to infringements of national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The sanctions provided for shall be effective, proportionate and dissuasive.
2.Member States shall, by the date set out in Article 7, notify the Commission of those rules and of those measures and shall notify it, without delay, of any subsequent amendment affecting them. Member States shall also inform the Commission on an annual basis about non-compliant service providers and relevant enforcement action taken against them.
Article 6
Coordination mechanism
1.Member States shall designate a central authority or, where its legal system so provides, more than one central authority, to ensure the application of this Directive in a consistent and proportionate manner.
2.Member States shall inform the Commission of their designated central authority, or central authorities, referred to in paragraph 1. The Commission shall forward a list of designated central authorities to the Member States. The Commission will also make publicly available a list of designated central authorities to facilitate the notifications by a service provider to the Member States where its legal representative resides or is established.
3.Member States shall ensure that central authorities shall provide each other with relevant information and mutual assistance relevant to application of this Directive in a consistent and proportionate manner. The provisioning of information and mutual assistance shall cover, in particular, enforcement actions.
4.Member States shall ensure that the central authorities shall cooperate with each other and, where relevant, with the Commission to ensure the application of this Directive in a consistent and proportionate manner. Cooperation shall cover, in particular, enforcement actions.
Article 7
Transposition
1.Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 6 months after entry into force. They shall immediately inform the Commission thereof.
2.When Member States adopt these measures, they shall contain a reference to this Directive or shall be accompanied by such reference on the occasion of their official publication. The methods of making such reference shall be laid down by Member States.
3.Member States shall communicate to the Commission the text of the measures of national law which they adopt in the field covered by this Directive.
Article 8
Evaluation
By [5 years from the date of application of this Directive] at the latest, the Commission shall carry out an evaluation of the Directive and present a report to the European Parliament and to the Council on the application of this Directive, which shall include an assessment of the need to enlarge its scope. Where appropriate, the report shall be accompanied by a proposal for the amendment of this Directive. The evaluation shall be conducted according to the Commission's Better Regulation Guidelines. Member States shall provide the Commission with the information necessary for the preparation of that Report.
Article 9
Entry into force
This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Article 10
Addressees
This Directive is addressed to the Member States in accordance with the Treaties.
Done at Brussels,
For the European Parliament For the Council
The President The President
Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM(2017) 10 final.