E-Evidence Act: Disclosure and verification obligations for online service providers in Europe-wide criminal proceedings
Update Data Protection No. 166
The Regulation on European Production Orders and European Preservation Orders for electronic evidence in criminal proceedings and for the enforcement of custodial sentences following criminal proceedings (e-Evidence Regulation), which came into force on August 18, 2023, regulates access to electronic evidence uniformly throughout Europe. In order to speed up access to the digital data needed to investigate and prosecute criminal offenses, the law enforcement authorities of all EU member states will be able to contact the providers of digital services directly once the transition period expires on August 18, 2026. Providers will then be faced with the difficult task of checking the requests themselves and, in urgent cases, answering them within just eight hours – a task that, especially for smaller companies, can often only be accomplished with the involvement of external service providers.
I. Background
The e-Evidence Regulation focuses on the European Production Order (EPOC) and the European Preservation Order (EPOC-PR). A production order obliges a service provider to hand over digital data that is required as electronic evidence in ongoing criminal proceedings or for enforcement purposes; a preservation order obliges it to preserve such data so that a subsequent production order remains possible. Service providers can thereby be obliged to hand over data to the authorities of another member state of the Union without any confirmation by a national court or public prosecutor's office. However, the e-Evidence Regulation also defines grounds for refusal and cases in which the national enforcement authorities must be involved.
Further contents of the e-Evidence Regulation concern the establishment of a decentralized IT system for communication between the authorities and the addressees (the service providers) and between the authorities themselves, as well as the legal protection options of the persons concerned against production orders (Art. 18 e-Evidence Regulation).
II. Who must act?
Service providers within the meaning of Art. 3 No. 3 e-Evidence Regulation are affected by the disclosure orders under the e-Evidence Regulation. The broad scope of application covers all providers of electronic communications services, internet domain name and IP numbering services and other information society services that enable their users to communicate with each other or store or otherwise process data for their users where the storage of data is an integral part of the service. There is no size limit or exception for small and micro-enterprises. The services must also be offered in the EU. Indicators include a branch in the EU, the availability of applications in national app stores, local advertising or the availability of customer service locally or in the language of the member state.
Electronic communications services covered by the regulation include, in particular, fixed network, mobile or satellite access, internet telephony (Voice-over-IP) or email services as well as messengers such as WhatsApp and Telegram (OTT services). However, video-on-demand services such as YouTube and Netflix, music streaming services, blogs and communication with voice assistants or chatbots are not included.
Other information society services also include data storage services without a communication function, where data storage or other data processing is a not insignificant part of the service, as well as all services with a communication function (even a subordinate one). However, this does not apply if the communication function only serves communication between the user and the service provider. Covered services therefore include, for example, all (purchasing) platforms with a messaging function (eBay, Vinted), platforms for online games and cloud computing services, as well as all other providers whose service consists to a significant extent of storing or processing digital data.
The recipients of the orders under the e-Evidence Regulation are generally those service providers who are also controllers within the meaning of the GDPR ("Data Controller", Art. 5 para. 6 e-Evidence Regulation), and only in exceptional cases their processors ("Data Processor").
III. Procedure upon receipt of an EPOC/EPOC-PR
Quick action is required upon receipt of an EPOC/EPOC-PR. If a service provider receives a production order from the authorities of a (different) member state, it must respond within ten days and grant access to the electronic evidence. In emergencies, the response time is reduced to just eight hours. In this case, service providers must immediately take measures to secure the requested data. It should then be checked whether the order conflicts with the service provider's obligations under the applicable law of a third country. If this is the case, or if the data cannot be provided at all or cannot be provided in time for other reasons, the issuing authority must be notified (see below). Otherwise, the data must be transmitted to the issuing authority within the deadline.
Particularly due to the very short deadline in emergencies, it is essential for affected companies to deal with the requirements of the e-Evidence Regulation before the first disclosure order is issued and to develop processes for dealing with disclosure orders now.
If an EPOC concerns content data or traffic data that is not requested solely for the purpose of identifying the user, the national enforcement authority is informed at the same time as the service provider, unless the offense was or is being committed in the issuing state and the person concerned is resident in the issuing state. In this case the order has a suspensive effect: the data may only be transmitted if the enforcement authority has not invoked any grounds for refusal under Art. 12 e-Evidence Regulation within the ten-day period, or confirms beforehand that it will not invoke a ground for refusal. In urgent cases, this period is reduced to 96 hours. If the enforcement authority invokes a ground for refusal, the service provider may not comply with the order.
Upon receipt of an EPOC-PR (Art. 11 e-Evidence Regulation), too, preservation measures must be taken immediately. From this moment on, the data may not be deleted for a period of 60 days. This period may be extended by 30 days. Upon receipt of an EPOC-PR, service providers must also check whether compliance is impossible due to a conflict of laws, impossibility or other reasons and, if necessary, notify the issuing authority accordingly.
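The deadlines and branching described in this section, as an added illustration that is not part of the Regulation's text or of any official tool: a small intake helper that, for one received order, derives the response deadline, whether the parallel notification of the enforcement authority suspends transmission, the preservation window, and the effect of a pending clarification request. The `Order` attribute names and the sample receipt time are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Periods as stated in the article; this helper is an added illustration, not an official tool.
PRODUCE, PRODUCE_URGENT = timedelta(days=10), timedelta(hours=8)
SUSPEND, SUSPEND_URGENT = timedelta(days=10), timedelta(hours=96)
PRESERVE, PRESERVE_EXT, CLARIFY_LAPSE = timedelta(days=60), timedelta(days=30), timedelta(days=5)
SAMPLE_RECEIVED = datetime(2026, 9, 1, 9, 0)  # constructed sample receipt time

@dataclass
class Order:                           # constructed attribute names
    kind: str                          # "EPOC" or "EPOC-PR"
    received: datetime
    urgent: bool = False
    data_category: str = "subscriber"  # "subscriber" | "traffic" | "content"
    solely_identification: bool = False
    offence_in_issuing_state: bool = False
    person_resident_in_issuing_state: bool = False
    clarified_at: Optional[datetime] = None  # when the authority answered a clarification request
    refusal_invoked: bool = False            # enforcement authority invoked an Art. 12 ground

def enforcement_involved(o: Order) -> bool:
    """Content/traffic data not requested solely for identification triggers parallel
    notification of the enforcement authority, unless offence and person are both
    located in the issuing state."""
    if o.kind != "EPOC" or o.data_category not in ("traffic", "content") or o.solely_identification:
        return False
    return not (o.offence_in_issuing_state and o.person_resident_in_issuing_state)

def plan(o: Order, clarification_requested_at: Optional[datetime] = None) -> dict:
    if clarification_requested_at and not o.clarified_at:
        # Deadlines only start once the authority clarifies; the duty to preserve
        # lapses if it stays silent for five days.
        return {"status": "awaiting_clarification",
                "preservation_lapses": clarification_requested_at + CLARIFY_LAPSE}
    start = o.clarified_at or o.received
    if o.kind == "EPOC-PR":
        return {"status": "preserve", "preserve_until": start + PRESERVE,
                "max_extension_until": start + PRESERVE + PRESERVE_EXT}
    if o.refusal_invoked:
        return {"status": "do_not_comply"}
    res = {"status": "produce", "secure_data": True,
           "deadline": start + (PRODUCE_URGENT if o.urgent else PRODUCE)}
    if enforcement_involved(o):
        # Suspensive effect: transmit only once the window passes without a refusal
        # (or the enforcement authority confirms earlier that it will not refuse).
        res["status"] = "suspended"
        res["release_earliest"] = start + (SUSPEND_URGENT if o.urgent else SUSPEND)
    return res
```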
According to Art. 14 e-Evidence Regulation, the costs of complying with the EPOC/EPOC-PR will only be reimbursed by the state of the issuing authority if the law of this state provides for reimbursement of costs for comparable situations. The various national provisions on the reimbursement of costs should be available from the EU Commission in future.
1. Clarification
If the EPOC or EPOC-PR is incomplete, contains obvious errors or insufficient information for execution, service providers must inform the issuing authority (and, if applicable, the executing authority) and request clarification. Only once the clarification or correction has been made is there an obligation to surrender or secure the digital data and the respective deadlines begin to run. If the issuing authority does not respond within five days, the obligation to secure data no longer applies.
2. Impossibility or contradiction to legal obligations
Art. 10 and 11 e-Evidence Regulation contain various exceptions under which the addressee does not have to comply with the production or preservation order, for example in the event of impossibility, lack of competence of the issuing authority or a conflict with the service provider's obligations under the law of a third country. The service provider must inform the issuing authority of this immediately and give reasons using the form in Annex III to the e-Evidence Regulation. If the issuing authority agrees with the service provider's assessment, it will inform the service provider that the EPOC/EPOC-PR no longer needs to be executed.
Otherwise, the procedure will be handed over to the national enforcement authority. It will examine the grounds for refusal and, if necessary, request the service provider to take action, to which the service provider can object. This may be followed by legal proceedings. If the service provider has unjustifiably refused to take action, a fine of up to 2 % of the worldwide annual turnover can be imposed (Art. 15, 16 e-Evidence Regulation).
A refusal may be justified in particular:
- (a) if it is de facto impossible to disclose or secure the data concerned and this is due to circumstances that cannot be attributed to the service provider;
- (b) if the issuing authority does not use the form in Annex I or Annex II of the Regulation for the production or preservation order, or if the order does not originate from an authority authorized under Art. 4 e-Evidence Regulation, i.e. not from a court, investigating judge, public prosecutor or other enforcement authority;
- (c) if data that serve solely to identify the data subject are not used in criminal proceedings or for the prosecution or enforcement of criminal offenses referred to in the e-Evidence Regulation. These are offences punishable in the issuing State by a custodial sentence or detention order of at least four months; offences punishable in the issuing State by a custodial sentence of a maximum of at least three years; and offences relating to fraudulent use of payment instruments, sexual abuse, sexual exploitation, child pornography, contacting children for sexual purposes, unlawful access to information systems, unlawful interference with data, unlawful interception of data and terrorist offences;
- (d) where the data are protected by immunities or privileges under the law of the executing State, or the requested data are subject to rules on the determination or limitation of criminal liability relating to freedom of the press or freedom of expression in other media;
- (e) where a service provider considers that a production order conflicts with its obligations under the applicable law of a third country. It must then lodge a reasoned objection with the issuing or enforcing authority, using Annex III, giving full legal and factual details of the conflicting obligations.
If the service provider does not comply with the order for other reasons or does not comply within the time limit, it must also inform the issuing authority of the reasons for this using Annex
Many of these grounds for refusal are difficult or impossible to verify without legal advice, which is why the internal legal department or specialized lawyers should be consulted in the event of an order.
3. What must be handed over?
Electronic evidence that can be requested under the Regulation includes any digital subscriber, traffic or content data used in the investigation and prosecution of criminal offenses. In detail:
- (a) Subscriber data: data relating to the identity of the data subject, such as name, date of birth, address and other contact details, as well as data relating to the nature and duration of the service;
- (b) Traffic data: data relating to the service offered, such as the origin and destination of a message, the location of a device, the format or protocol used and other metadata relating to communication about and use of the service;
- (c) Content data: all other data available in a digital format, such as texts, videos and images.
4. Easy implementation by setting up authority interfaces
If an unprepared company is confronted with a production or preservation order for the first time, it will have considerable problems implementing it within the short deadlines of the e-Evidence Regulation. In less than ten days (or even eight hours), companies must carry out a legal review of the order and their own potentially conflicting obligations, the data to be released must be identified, extracted and secured, and the transfer itself must also be implemented technically via secure communication channels. In addition, care must be taken to ensure that the data is not released prematurely if the national authorities are involved, and communication with the authorities must also take place if there are objections to the EPOC or EPOC-PR.
However, companies have the option of outsourcing these obligations by commissioning a specialized IT service provider to set up an interface with the authorities. In close coordination with the company, the service provider then takes over all communication with the authorities and the legally compliant provision of data, without having to carry out a time-consuming check within the company itself. Especially for smaller companies without their own department for processing such requests, this will often be the preferred way to avoid fines or even criminal sanctions.
IV. Further obligations
Further obligations of service providers concern, for example, taking the necessary state-of-the-art operational and technical measures to ensure the confidentiality, secrecy and integrity of the respective order and the data concerned (Art. 13 para. 4 e-Evidence Regulation) or the establishment of a point of contact (service providers from third countries) or the designation of a branch (providers established in the EU) to process the respective orders.
The service provider acting merely as a processor within the meaning of Art. 28 GDPR, but not as a controller, must also inform the controller of the data disclosure. However, the data subjects may only be informed by the issuing authority.
V. Checklist & outlook
The obligations under the e-Evidence Regulation will not apply until mid-2026, when the transition period ends. By then, however, all service providers should be in a position to implement production and preservation orders at short notice, and within a few hours where required, in accordance with the e-Evidence Regulation. To this end, at least the following measures should be taken:
- Define responsibilities for processing EPOC and EPOC-PR;
- Define processes for the legal review and implementation of EPOC and EPOC-PR, taking into account the various processing deadlines;
- Ensure that data can be released and secured at short notice (if necessary, commission a third-party provider to provide technical support);
- In the case of frequent requests, create an overview of particularly frequent conflicting obligations under the law of third countries so that these can be checked quickly and automatically;
- Evaluate confidentiality, secrecy and integrity measures and, if necessary, adapt them to the latest state of the art.
For many companies, however, it is difficult to carry out the legal review of the orders or to identify and secure all the data concerned without external help. Communicating with the authorities when it is impossible to implement the order can also be challenging. Therefore, the most sensible approach is often to commission an external service provider who sets up an interface for official orders and ensures the technical processing, the legal review (by external lawyers), the collection of the data and its timely (but not premature) transmission to the authority.