Shadowfetch

World

European Parliament Committee Tightens Rules on Cross-Border Electronic Evidence Requests

New draft legislation would require notification and judicial review when EU authorities seek data stored in another member state.

Portrait of Shanda RoolanskiBy Shanda Roolanski5 min read
European Parliament Committee Tightens Rules on Cross-Border Electronic Evidence Requests

BRUSSELS — The European Parliament's civil-liberties committee approved draft legislation on Thursday that would impose new notification requirements and judicial-authorization standards when law-enforcement authorities in one European Union member state seek electronic data stored in another member state. The measure updates the bloc's 2018 e-evidence framework and is intended to reduce legal uncertainty for service providers while strengthening protections for individuals whose data is requested.

The committee vote came after months of negotiations among political groups. The approved text requires that, in most cases, the state where the data is held must receive advance notice of a production order. The requesting authority must provide a detailed description of the suspected offense, the precise categories of data sought, and the domestic legal basis for the request. Providers would generally have ten days to respond to ordinary requests and six hours when authorities certify an imminent threat to life or physical integrity.

How the current system works and why changes are proposed

Under existing rules, authorities can issue production orders directly to service providers located in another member state. The approach was designed to speed investigations in an era when most communications and stored files cross borders. Europol's 2025 Internet Organised Crime Threat Assessment reported that 78 percent of its operational cases involved data located outside the investigating country. The European Commission recorded more than 140,000 preservation and production orders issued to providers in 2025.

In practice, the direct-order model has produced uneven outcomes. Some member states report that providers sometimes comply with requests that would not satisfy stricter domestic standards. Others note delays when providers seek clarification from their home authorities. The new draft attempts to address both speed and oversight by introducing a structured notification step while preserving short deadlines for genuine emergencies.

The legislation distinguishes between different types of data. Subscriber information and traffic data would face lower authorization thresholds than content data such as the text of messages or stored files. Requests for content data would require judicial authorization in the requesting state and would trigger the notification procedure in nearly all cases. The notified state would have a defined window to raise objections if the request appears to conflict with its constitutional protections or international human-rights obligations.

Reactions from governments, providers, and civil society

German Justice Minister Sabine Leutheusser-Schnarrenberger welcomed the committee's text, saying it would increase legal certainty for companies operating across the single market. She noted that companies currently face differing interpretations of their obligations depending on which national authority issues an order. French Interior Ministry officials expressed concern that the notification requirement could slow time-sensitive investigations into terrorism and organized crime. They indicated they would seek adjustments during upcoming negotiations between the Parliament, the Council of the EU, and the Commission.

Industry associations and digital-rights groups also weighed in. The European Digital Rights network argued that the objection mechanism must be meaningful and not reduced to a formality. Cloud-service providers told the committee they need standardized technical formats for verifying the authenticity of cross-border orders and clear guidance on how to handle conflicting legal demands.

Several data-protection authorities welcomed the requirement that they receive statistical information about the volume and nature of requests. They said aggregated data would help them assess whether the new rules are functioning as intended and whether additional safeguards are needed.

Background on the 2018 framework and subsequent developments

The original e-evidence package emerged after years of discussion about the limitations of traditional mutual legal assistance treaties. Those treaties, while providing strong procedural protections, often required months to process requests. The 2018 directive sought to create a faster channel while still requiring judicial oversight in the requesting state. Implementation varied across member states, and the European Court of Justice issued several rulings clarifying the limits of direct orders when fundamental rights were at stake.

The new proposal builds on those rulings. It incorporates explicit references to the Charter of Fundamental Rights of the European Union and requires that any objection based on fundamental-rights concerns be resolved before data is transferred. The text also creates a role for Eurojust in facilitating dialogue between member states when objections arise.

Implementation timeline and remaining legislative steps

The committee's draft now advances to a plenary vote expected in September. If the full Parliament approves the measure, formal negotiations with member-state governments would begin under the ordinary legislative procedure. The European Commission estimates that, once adopted, member states would have 18 to 24 months to transpose the rules into national law and to train prosecutors, judges, and law-enforcement personnel.

The legislation applies only to criminal investigations. It does not alter rules governing national-security requests or administrative proceedings. Officials emphasized that the measure leaves intact existing obligations under the General Data Protection Regulation for non-criminal access to personal data.

Civil-society organizations monitoring the file said the final shape of the objection procedure will determine whether the new rules deliver meaningful additional protection. They pointed to past instances in which individuals successfully challenged data transfers at the European Court of Justice on privacy and due-process grounds.

Practical implications for investigations and individuals

For investigators, the new procedures would introduce an additional administrative step in many cases but would also provide clearer guidance on what information must accompany a request. For individuals, the changes would mean that the state where they reside or where their data is stored would have a formal opportunity to review whether a foreign request meets local legal standards.

Service providers would gain a more predictable compliance environment. They would know in advance which categories of requests require notification and would have standardized timeframes within which to respond. The legislation also requires providers to designate a single point of contact for cross-border orders, a measure intended to reduce confusion when multiple authorities issue simultaneous requests.

Sources


Shadowfetch is a technology publication. Explore Shadowfetch Linux — our own Linux build — and the Shadowfetch apps on the App Store.

Sources

The article cites a committee draft report, Europol assessment, European Commission statistics, and reported reactions from officials, providers, and civil-society groups.

Evidence types: committee draft report, official data, public statements, stakeholder responses

Links verified

See a problem in this story? Report an error · Corrections policy · Our methodology

The Daily Newsletter

One morning email: the day’s biggest technology stories — AI, new devices, and the companies shaping them.

Double opt-in. Unsubscribe anytime. See our privacy policy.