swissprivacy.law

Fast and furious law enforcement access to digital evidence: The E‑Evidence-package and its implications for Switzerland

Giulia Canova, 7 December 2023

The recently adopted E‑Evidence package will allow law enforcement authorities in EU member states to directly request data from a service provider in another EU member state. This article provides an overview of the new EU-wide rules and discusses potential implications for Switzerland.

After five years of negotiations, on 13 June 2023 the European Parliament adopted a legislative package for cross-border access to electronic evidence from online service providers (e.g. telecom companies, online platforms, social media providers). From 2026 on, national law enforcement authorities in EU member states will be able to directly request certain data from service providers located in another member state, on a legally binding basis.

The introduction of the initial proposal sparked considerable debate about cross-border access to data stored by private service providers, and views diverged strongly on almost everything, even though there is a need to tackle the issue. The rules are designed to facilitate and accelerate law enforcement authorities' access to electronic evidence outside their own territory. As data has become an essential source of evidence (not only in cases of cybercrime but for almost any type of criminal offence), law enforcement authorities are increasingly relying on the collection of data in criminal investigations. A substantial part of the relevant data accrues through the widespread use of online services (instant messengers, social media, e‑mail services, cloud data storage, etc.) and is stored by the providers collecting data about their users. With the data in the hands of private service providers, authorities see themselves increasingly forced to request data from private companies.

In practice, there are two major obstacles limiting access to data from service providers. First, service providers are often located in another state and, as a consequence, subject to foreign jurisdiction. Due to the principle of territoriality, authorities are not entitled to execute investigative measures in foreign territory. Coercive cross-border access to data is thus only possible based on mutual legal assistance measures, which are considered too slow and complicated. Second, direct non-coercive requests to online service providers in another state are only possible based on the voluntary cooperation of the provider, leading to uncertainty and unpredictability.

The E‑Evidence package has been designed to tackle these issues by providing legally binding instruments for direct cross-border access to data without the procedure of mutual legal assistance. This article will give a short overview of essential rules of the E‑Evidence package and discuss what implications the new regime could have for Switzerland.

New instruments: European Production and Preservation Orders

The E‑Evidence-Package consists of a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters and a complementary Directive laying down harmonized rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings. The Regulation lays down binding rules to obtain data from service providers, whereas the Directive obliges all service providers offering services in the Union to designate an establishment or appoint a legal representative for the receipt of, compliance with and enforcement of the orders. Through this mechanism, non-European service providers active in the European market will also have to comply with orders from law enforcement authorities of member states.

The Regulation introduces two new legal instruments: a “European Production Order” and a “European Preservation Order”. With these instruments, competent judicial authorities in member states will be able to directly request a service provider (or its legal representative) in another member state to produce or preserve certain data necessary as evidence in criminal proceedings.

European Production or Preservation Orders can be addressed to all service providers in the Union that offer:

  • electronic communication services (such as instant messengers like WhatsApp, Telegram, etc.);
  • internet domain name and IP numbering services;
  • other information society services enabling communication between users (such as social media networks like Facebook or TikTok, online marketplaces like Amazon, eBay, etc.) or services enabling storage of data (such as cloud computing services).

The Regulation applies to European service providers that offer such services in more than one member state, as well as to non-European service providers that are active in the EU market and are obliged to appoint a legal representative in a member state. Similar to the GDPR, which requires the establishment of legal representatives for non-European organizations processing personal data of data subjects in the Union, the E‑Evidence-Package requires the establishment of legal representatives for non-EU providers offering services in the Union. By building on this concept, the Regulation and Directive aim to have extraterritorial effect. The relevant factor determining the scope of the Regulation is the offering of services in the Union, regardless of where the service provider’s data is stored or where its servers are located.

Through this mechanism, the Regulation will oblige the most important service providers, including WhatsApp, Google or Meta, to directly cooperate with national authorities.

Categories of data, access requirements and duty of cooperation

The legal framework differentiates between four categories of data, reflecting the varying sensitivity of the data. The categories of data covered by the Regulation include:

  • subscriber data (relating to the identity of the user, e.g. name, date of birth, billing and payment data, etc.);
  • data requested for the sole purpose of identifying the user (IP addresses, logs and access numbers together with technical identifiers);
  • traffic data (relating to the provision of a service, e.g. the geographic location of the device used, date, time, duration, etc.);
  • content data (text, video, voice, images, sound, etc.).

Depending on the category of data, the requirements for cross-border access to the data differ, with regard to both the authority that may issue an order and the underlying criminal offence. In that regard, it is important to note that the Regulation lays out rules on how to access the data, but it does not impose a general obligation of data retention or specific data retention periods for service providers, which remain to be regulated by specific European data retention legislation and national law. The Regulation sets rules for the access or acquisition of data as evidence, but not obligations to retain data in general.

To obtain subscriber data or data requested for the sole purpose of identifying the user, a European Production Order may be issued for all criminal offences by a judge, a court, an investigating judge or a public prosecutor.

To obtain traffic data or content data, the requirements are higher, and a European Production Order may only be issued by a judge, a court or an investigating judge (i.e. the authorization of a public prosecutor does not suffice). It may only be issued for criminal offences punishable by a maximum custodial sentence of at least three years.

In general, for all data categories the issuance of a European Production Order is only allowed if necessary and proportionate for criminal proceedings. In addition, the order to obtain data may only be used under the condition that a similar order could have been issued under the same conditions in a similar domestic case.

To issue a European Preservation Order, the requirements are less strict, as this instrument does not (yet) include access to the data. A Preservation Order may be issued for data of any category by a judge, a court, an investigating judge or a public prosecutor and for all criminal offences.

Both European Production Orders and European Preservation Orders are legally binding for the service providers affected in the case. Upon receipt of a Production Order, the service provider is obliged to respond within 10 days, or 8 hours in emergency cases. In case of non-compliance with a valid Order, the respective service provider risks pecuniary penalties of up to 2% of the worldwide annual turnover. Thus, in contrast to the current approach (mutual legal assistance or voluntary cooperation), the new instruments will indeed provide very fast access to data, with potentially furious effects for service providers in view of the risk of sanctions.

The sticking point: involvement of the enforcing state

The new instruments enable national law enforcement authorities (from the “issuing state”) to directly issue orders to service providers in other member states, without prior authorization of the authorities where the provider is located (in the “enforcing state”). Contrary to the traditional system of mutual recognition, where a judicial authority in a state may issue an order which must then be recognized and executed by a judicial authority in the other state, the new rules allow authorities to directly issue an order to a service provider in the other state. The new system bypasses the judicial control of the enforcing state to whose jurisdiction the service provider is subject. This absence of prior authorization by the enforcing state has been the thorny issue in the negotiations. The initial proposal did not provide for a notification mechanism or authorization procedure by the enforcing state and was based on the idea of absolute mutual trust between member states. Undoubtedly, such a direct cooperation system would significantly speed up cross-border access to data. However, by skipping the enforcing state's assessment that the request does not violate fundamental rights or principles of criminal law, the direct cross-border access system risks losing a crucial layer of control (for a detailed analysis see Albus 2023).

After lengthy negotiations about the role and degree of control of the enforcing state in the access system, the legislators compromised on a notification mechanism for the enforcing state. Whenever a Production Order for traffic or content data is issued to a service provider, the issuing authority is obliged to notify the enforcing authority (at the same time as the order is transmitted to the service provider). The enforcing authority then assesses the order and has the possibility to raise grounds for refusal (due to immunities, privileges, conflicts with the freedom of press or freedom of expression etc.). Thus, the enforcing state has some degree of judicial control to safeguard fundamental rights, but only regarding traffic or content data.

Implications for Switzerland

The EU-wide rules for cross-border access apply to all service providers offering their services in the European market. Non-European service providers are subject to the rules if they are active in more than one European member state. Outside the European market and for law enforcement authorities from non-EU member states, the rules do not take direct effect. Swiss law enforcement authorities will not be allowed to issue legally binding access requests to providers established (or with a legal representative) in the EU. In turn, service providers established in Switzerland will not be subject to access orders unless they are also offering services in more than one European member state. The Swiss messenger application Threema, for instance, which also offers its services in the European market (and is thus also required to comply with the GDPR), would have to designate a legal representative in the EU responsible for compliance and enforcement of access orders.

Overall, the legislation does not have a direct impact on criminal proceedings in Switzerland. The E‑Evidence package is to be regarded as a set of internal EU-wide rules to harmonize judicial cooperation between European member states. Still, the new facilitated access regime to evidence within the EU raises the question as to whether there is a need for Switzerland to regulate access to data stored by service providers and adapt its current law. The issue gains importance because service providers in Switzerland could expose themselves to the risk of criminal liability under Article 271 of the Swiss Criminal Code if they disclose data to foreign authorities and thus contribute to activities on behalf of foreign states (as noted in the recently published report on the E‑Evidence-Package of the Federal Office of Justice; for a critical summary on the issue see also www.swissprivacy.law/233).

Under the existing legal framework, Swiss authorities do not have the power to authoritatively request access to data controlled by providers outside the Swiss territory. Investigative measures to obtain data from service providers outside Switzerland must be requested through international mutual legal assistance in criminal matters. Under Swiss law, direct requests to providers without mutual legal assistance are only allowed on the basis of Article 32 lit. b of the Convention on Cybercrime and under the requirement that the provider voluntarily discloses the data (see also the Decision of the Federal Supreme Court of Switzerland 141 IV 108, consideration 5.10, as well as the commentary on the provision in the Online Kommentar).

International legally binding access requests beyond voluntary cooperation of the provider would require a legal basis in (bilateral or multilateral) international treaties. To enable cross-border access as made possible in the E‑Evidence-package, Switzerland would have to negotiate exceptions to the system of mutual assistance with the European Union or individual states. According to the report on the E‑Evidence-Package, Switzerland will have to react to the new European rules, at least to avoid conflicts of law. A more far-reaching approach would be to adopt similar (national) regulation linked to the E‑Evidence-Package and to build bridges to other legal systems by means of international treaties (as mentioned in the report on the E‑Evidence-Package).

Certainly, binding rules for access requests to service providers would be desirable in terms of legal certainty and clarity. Today, law enforcement authorities often depend on the goodwill of providers and their willingness to cooperate. However, with a view to fundamental rights and data protection, there is good reason for caution in regulating direct access requests from foreign authorities. By skipping the process of mutual assistance, authorities risk losing control over the disclosure of data to foreign authorities. Additionally, by imposing binding rules on providers to disclose data, the responsibility for evidence gathering shifts somewhat to service providers, and with that to private companies which are not primarily driven by fundamental rights considerations or the rule of law. Thus, the new E‑Evidence-Package should prompt Switzerland to reflect on law enforcement access to data stored by service providers and what consequences direct access instruments might have on fundamental rights of individuals. At the moment, this debate is still in its infancy in Switzerland, but should be conducted sooner rather than later as the relevance of data in the hands of providers will continue to grow.



Suggested citation: Giulia Canova, Fast and furious law enforcement access to digital evidence: The E‑Evidence-package and its implications for Switzerland, 7 December 2023, in www.swissprivacy.law/271


Articles on swissprivacy.law are published under a Creative Commons CC BY 4.0 licence.