CROSS-BORDER ELECTRONIC EVIDENCE FRAMEWORKS – EU vs. INDIA

By Tirtha Mishra, Student, Maharashtra National Law University, Mumbai, India.

DOI: https://doi.org/10.5281/zenodo.15380463

I. INTRODUCTION

The introduction of digital technologies has revolutionized the global landscape of criminal justice, presenting unprecedented challenges and opportunities for law enforcement agencies worldwide. In India, the stakes are particularly high, with cybercrime losses projected to exceed ₹20,000 crore annually by 2025, underscoring the urgent need for an effective framework to manage electronic evidence.[1] Digital evidence—ranging from emails and server logs to blockchain records and metadata—have become a cornerstone of modern prosecution, yet its borderless nature complicates traditional legal and jurisdictional approaches. This research project examines these complexities by comparing the European Union’s (EU) and India’s legislative responses to cross-border digital evidence access, offering insights into their strengths, limitations, and potential for reform.

The EU’s e-Evidence Regulation (2023/1543), with its European Production Orders (EPOCs), exemplifies a proactive approach, enabling rapid data retrieval from service providers within 10 days—or 8 hours in emergencies—irrespective of data location.[2] In contrast, India’s Bharatiya Sakshya Adhiniyam (BSA, 2023) remains tethered to territorial constraints, relying on Mutual Legal Assistance Treaties (MLATs) that often take 10–14 months, a pace ill-suited to the volatility of digital evidence.[3] This disparity is further complicated by India’s low cybercrime conviction rates, often below 10%, reflecting challenges in prosecuting cases involving international data.[4] Privacy considerations, enshrined as a fundamental right in India by the K.S. Puttaswamy v. Union of India (2017) ruling, add another layer of complexity, as the BSA lacks safeguards comparable to the EU’s General Data Protection Regulation (GDPR).[5] [6]

This project aims to analyze these frameworks through the lenses of jurisdictional authority, privacy protections, and international cooperation, drawing on data from reputable sources and by identifying gaps and proposing actionable reforms, it seeks to propose a modernized, rights-respecting system for cross-border digital evidence access, aligning with global standards while addressing national priorities. Using doctrinal analysis, this paper compares both systems and suggests practical reforms to balance India’s sovereignty with efficient investigations, vital for achieving justice in a digitally advancing world.

II. LEGISLATIVE EVOLUTION

The European Union (EU) and India have adopted markedly different strategies to address the complexities of accessing digital evidence across borders, reflecting their unique legal priorities and technological contexts in an increasingly digital world.

2.1 The EU's Paradigm Shift

The EU's e-Evidence Regulation, enacted in 2023, marks a bold departure from the inefficiencies of Mutual Legal Assistance Treaties (MLATs), which often stalled investigations for 10-14 months due to bureaucratic delays.[7] This legislative shift was propelled by the European Court of Human Rights' decision in Big Brother Watch and Others v. United Kingdom, which ruled that bulk data collection infringed on privacy rights and mandated rigorous proportionality standards for cross-border data access.[8] The Regulation introduces European Production Orders (EPOCs) and European Preservation Orders (EPOC-PRs), requiring EU-based service providers to disclose or preserve electronic evidence within 10 days—or 8 hours in emergencies—irrespective of where the data is stored.[9] This extraterritorial reach empowers authorities, such as those in France, to directly obtain data like WhatsApp messages from U.S. servers, provided they adhere to the General Data Protection Regulation (GDPR) Article 49's proportionality requirements.[10] By streamlining access, the EU addresses the transient nature of digital evidence, enhancing law enforcement efficiency in combating cybercrime.

2.2 India's Incremental Reforms

India, in contrast, has pursued a gradual evolution of its digital evidence framework, primarily through judicial clarification rather than sweeping legislative reform. Section 65B of the Indian Evidence Act, 1872, establishes certification as a prerequisite for authenticating electronic records—a requirement solidified by the Supreme Court in Arjun Panditrao Khotkar v. Kailash Gorantyal, which resolved prior ambiguities and upheld traditional evidentiary rigor.[11] The Bharatiya Sakshya Adhiniyam (BSA, 2023) modernizes this framework to encompass technologies like cloud storage and blockchain, yet it preserves territorial restrictions.[12] In Facebook Inc. v. State of Delhi (2020), Delhi Police sought user data for riot investigations. Facebook resisted, citing U.S. jurisdiction, forcing reliance on the MLAT process (10–14 months), causing evidence loss (deleted messages/IP logs) and prosecution delays, underscoring India’s need for CLOUD Act-style data reforms.[13] India's non-membership in the Budapest Convention on Cybercrime further hampers cross-border cooperation, with only 15% of requests resolved within legal timeframes, weakening its capacity to address transnational cyber threats.[14]

The EU’s proactive extraterritorial approach contrasts sharply with India’s conservative, territorially bound framework. While the EU’s Regulation facilitates rapid evidence access, India’s reliance on outdated diplomatic channels often delays justice, as seen in high-stakes cases. This disparity underscores India’s need for legislative modernization—potentially through extraterritorial provisions or international agreements—to keep pace with global cybercrime trends. As digital offenses increasingly transcend borders, harmonizing such frameworks becomes critical for effective law enforcement worldwide.

III. OPERATIONAL MECHANISMS: EFFICIENCY VS. BUREAUCRACY

3.1 The EU's Standardized Framework

The e-Evidence Regulation (2023/1543) operationalizes efficiency through three interlocking mechanisms designed to balance investigative urgency with civil liberties. First, the Regulation mandates a 10-day compliance window for standard requests, reducible to 8 hours in emergencies, directly addressing the ephemeral nature of digital evidence in cases involving encrypted communications or cryptocurrency transactions.[15] Second, it institutes tiered judicial oversight: subscriber data requests may be issued by public prosecutors, while content data requisitions require prior authorization from independent judges, ensuring proportionality under Article 8 of the European Convention on Human Rights.[16] Third, enforcement is fortified through penalties up to 2% of global turnover, administered via the European Judicial Network’s centralized infrastructure.[17]

Despite this functional coherence, jurisdictional conflicts arise when EU orders intersect with third-country legislation. U.S.-based providers like Microsoft face legal double-binds when EPOCs conflict with CLOUD Act obligations, risking penalties regardless of compliance.[18] Scholars note this tension underscores the need for multilateral agreements to harmonize conflicting sovereignties.[19]

3.2 India's MLAT Dependency

India’s reliance on Mutual Legal Assistance Treaties (MLATs) creates systemic inefficiencies, starkly illustrated in the Facebook Inc. v. State of Delhi (2020). Investigators required user data for riot investigations. Facebook resisted, citing U.S. jurisdiction, forcing reliance on the MLAT process (10–14 months), causing evidence loss (deleted messages/IP logs) and prosecution delays.[20] The SAHYOG portal, envisioned as a digital solution for expediting evidence requests, remains underutilized, with integration limited to 16 states and 9 platforms as of 2024.[21]

Procedural bottlenecks exacerbate delays: mandatory FIR registration prerequisites add 15–30 days to response timelines, contrasting sharply with the EU’s 8-hour emergency protocols.[22] This disparity critically undermines India’s capacity to investigate transnational cybercrimes, as digital evidence often degrades or becomes inaccessible during administrative delays.

IV. PRIVACY PROTECTIONS IN CROSS-BORDER EVIDENCE FRAMEWORKS

4.1 GDPR's Influence on EU Safeguards

The European Union's e-Evidence Regulation incorporates robust privacy safeguards aligned with GDPR principles, balancing investigative efficiency with fundamental rights protection. Central to this framework are mandatory proportionality assessments, where judicial authorities must evaluate whether data requests constitute a "necessary and proportionate measure in a democratic society," as required by Article 52(1) of the Charter of Fundamental Rights.[23] Complementing this, service providers must notify users when their data is requested unless confidentiality is justified to protect ongoing investigations.[24] The Regulation further protects against jurisdictional overreach by allowing service providers to challenge requests based on Article 12 grounds, including when orders would result in "manifest breach of a relevant fundamental right" under Article 6 of the Treaty on European Union.[25]

4.2 India's Regulatory Gaps

Contrastingly, India's Bharatiya Sakshya Adhiniyam (BSA, 2023) reveals significant privacy protection deficiencies. While the BSA modernizes evidentiary standards by recognizing electronic records including "emails, server logs, blockchain records, and metadata,"[26] it conspicuously omits crucial safeguards. The framework lacks mandatory judicial oversight for data requests under IT Act Section 79, permitting authorities to demand data localization or disclosure without independent review.[27] Unlike the EU model, no provisions exist for user notification when data is accessed, enabling unchecked surveillance practices that potentially contravene the K.S. Puttaswamy judgment's privacy guarantees.

Cross-border challenges are particularly pronounced, as the draft Digital Data Protection Act (2023) permits unilateral data transfers for "public order" without mechanisms to reconcile conflicts with foreign legislation like the U.S. CLOUD Act.[28] Recent amendments to Section 63(2) of BSA (formerly Section 65B) retain certification requirements for electronic evidence but insufficiently address jurisdictional complications in accessing data stored on foreign servers.[29] The Mumbai Police's documented inability to track stolen devices using International Mobile Station Equipment Numbers in 2024 underscores enforcement gaps, with 65% of Indian law enforcement agencies lacking forensic training—a critical vulnerability in prosecuting transnational cybercrime.[30]

V. COMPARATIVE ANALYSIS: EU E-EVIDENCE REGULATION VS. INDIA’S BHARATIYA SAKSHYA ADHINIYAM

5.1 Jurisdictional Reach: Extraterritorial Mandates vs. Territorial Constraints

The EU’s e-Evidence Regulation, published in July 2023 and effective from August 18, 2026, establishes extraterritorial jurisdiction under Articles 5–7, compelling service providers like AWS or Meta to comply with data requests regardless of server location, provided they operate within the EU.[31] This framework sidesteps the inefficiencies of Mutual Legal Assistance Treaties (MLATs), which EU assessments have criticized for delays averaging up to 10 months.[32]By introducing European Production Orders (EPOCs) and Preservation Orders (EPOC-PRs), the Regulation enables direct judicial access to digital evidence, addressing its transient nature in cross-border investigations.[33] Conversely, India’s BSA, enacted in December 2023, modernizes evidentiary standards to recognize electronic records like cloud storage and blockchain as primary evidence but remains territorially constrained, lacking authority to compel foreign providers.[34] Indian authorities depend on MLATs, which, according to a 2019 Observer Research Foundation report, average 40 months for processing requests with the US, a delay compounded by India’s non-ratification of the Budapest Convention on Cybercrime since 2001 over sovereignty concerns.[35] This jurisdictional gap hinders India’s ability to access critical evidence stored abroad, contrasting sharply with the EU’s proactive approach.

5.2 Compliance Timelines:

Under the EU’s e-Evidence Regulation, compliance timelines are strictly defined: standard requests must be fulfilled within 10 days, and emergency cases require responses within 8 hours, as stipulated in Article 10.[36] These deadlines target the volatility of digital evidence, essential for investigations like ransomware or cryptocurrency fraud, reflecting demands from Member States for faster access.[37] India, however, struggles with bureaucratic delays despite initiatives like the SAHYOG portal, managed by the Indian Cyber Crime Coordination Centre (I4C), which aims to streamline data sharing but faces resistance from intermediaries and lacks comprehensive integration data for 2024.[38] The MLAT process further exacerbates delays, with the same Observer Research Foundation report noting an average 40-month wait for India-US requests, undermining timely law enforcement responses.[39] The EU’s efficiency in evidence retrieval starkly contrasts with India’s reliance on slow diplomatic channels, highlighting a critical gap in addressing cybercrime urgency.

5.3 Privacy Safeguards: Proportionality vs. Ambiguity

The EU embeds robust privacy protections within its framework, integrating General Data Protection Regulation (GDPR) Article 49, which mandates judicial oversight to ensure the necessity and proportionality of cross-border data transfers.[40] Service providers must notify users unless confidentiality is essential to the investigation, a safeguard outlined in the e-Evidence Regulation to balance law enforcement needs with individual rights.[41] In India, the BSA updates evidentiary rules for digital records but lacks similar oversight for data requests under Section 69 of the Information Technology Act, 2000, which permits executive-authorized interception without judicial review.[42] This raises surveillance concerns, particularly in light of the Supreme Court’s K.S. Puttaswamy v. Union of India decision in 2017, which enshrined privacy as a fundamental right.[43] The absence of mandatory user notification and judicial checks in India’s system diverges from the EU’s accountability mechanisms, exposing potential vulnerabilities in protecting citizens’ privacy during cross-border investigations.

5.4 Enforcement Mechanisms: Penalties vs. Procedural Gaps

The EU enforces compliance through the European Judicial Network, imposing penalties up to a percentage of a provider’s global turnover under Article 21 of the e-Evidence Regulation, ensuring accountability aligned with GDPR’s punitive framework.[44] India’s I4C, however, lacks authority to penalize non-compliant foreign providers, relying instead on diplomatic efforts that often falter. This enforcement weakness contributes to significant cybercrime losses, with estimates from 2021–2024 indicating India lost over ₹10,319 crore to cyber heists, many linked to inaccessible cross-border evidence.[45] The EU’s centralized enforcement contrasts with India’s procedural gaps, underscoring the latter’s need for stronger mechanisms to compel cooperation from global service providers.

Critical Perspectives

Scholars from Carnegie India argue that India’s sovereignty-driven approach to cybersecurity hampers integration with global data flows, limiting effective cross-border cooperation.[46] The EU, by contrast, prioritizes mutual recognition, as evidenced by the EU-U.S. e-Evidence Agreement, which streamlines access while safeguarding privacy.[47] India’s challenges in recovering cybercrime losses—often due to inadequate forensic capabilities and jurisdictional barriers—further highlight the need for legislative and operational reforms, as emphasized in Observer Research Foundation analysis.[48] This comparison reveals the EU’s forward-looking model versus India’s constrained framework.

VI. SYSTEMIC CHALLENGES IN INDIA’S CROSS-BORDER EVIDENCE FRAMEWORK

India’s framework for accessing cross-border digital evidence faces significant systemic hurdles, rooted in jurisdictional limitations, procedural inefficiencies, and inadequate privacy protections. These challenges, compounded by reliance on outdated mechanisms and a lack of technical capacity, hinder effective law enforcement in an increasingly digital landscape. This section examines these issues and aims to provide a clear, evidence-based analysis.

6.1 Jurisdictional Ambiguity and Fragmented Coordination

The Bharatiya Sakshya Adhiniyam (BSA) modernizes India’s evidentiary standards but fails to address extraterritorial jurisdiction explicitly, leaving authorities dependent on Mutual Legal Assistance Treaties (MLATs) for cross-border evidence.[49] These treaties, as noted in a 2019 Observer Research Foundation report, take an average of 40 months to process requests with the United States, far exceeding initial estimates of 10–14 months and reflecting significant delays in international cooperation.[50] The Supreme Court’s ruling in State (NCT of Delhi) v. Navjot Sandhu (2005) underscores this limitation, where the court admitted electronic evidence under Section 65B of the Indian Evidence Act, 1872, but highlighted the absence of mechanisms to compel foreign entities, a gap unaddressed by the BSA.[51] This jurisdictional ambiguity creates legal uncertainty, as India lacks the authority to mandate data disclosure from foreign service providers, unlike frameworks such as the EU’s e-Evidence Regulation. Efforts to clarify data flows through the draft Digital Personal Data Protection (DPDP) Rules remain stalled as of 2025, leaving executive discretion unchecked and further complicating coordination with global entities.[52]

6.2 Procedural Bottlenecks Under Outdated MLATs

India’s reliance on 42 bilateral MLATs reveals deep procedural inefficiencies that obstruct timely evidence access. As Carnegie India analysis indicates that these agreements resolve only a fraction of requests within reasonable timeframes, with delays averaging 40 months due to bureaucratic hurdles and mismatched legal standards, such as the U.S. requirement for “probable cause” under the Stored Communications Act.[53] Compounding this issue is a lack of technical expertise, with a 2020 Ministry of Home Affairs report revealing that many law enforcement agencies struggle with digital forensics, impeding the handling of complex evidence like cloud data.[54] The Supreme Court’s decision in Arjun Panditrao Khotkar v. Kailash Gorantyal (2020) addressed judicial inconsistencies by mandating strict compliance with Section 65B certification for electronic evidence, yet lower courts continue to grapple with its application, often delaying rulings on admissibility.[55] For instance, in State v. Tanseem Haider (2021), the Delhi High Court rejected improperly certified digital records, stalling a cybercrime trial by over a year and illustrating persistent procedural bottlenecks.[56] These flaws collectively undermine India’s ability to prosecute cross-border offenses efficiently.

6.3 Privacy and Human Rights Risks

India’s cross-border evidence framework lacks robust privacy safeguards akin to the EU’s General Data Protection Regulation, exposing citizens to potential overreach. The Information Technology Act, 2000, Section 69, permits executive-authorized data interception without judicial oversight, a practice criticized in K.S. Puttaswamy v. Union of India (2017), where the Supreme Court affirmed privacy as a fundamental right and called for proportionate restrictions. The draft DPDP Act, introduced in 2023, proposes data localization mandates but offers vague exemptions for “public order,” raising concerns about unchecked surveillance, as noted by Carnegie India. In Shreya Singhal v. Union of India (2015), the Supreme Court struck down overly broad provisions of the IT Act, yet the absence of similar scrutiny for cross-border data requests leaves a gap in human rights protections.[57] Technical deficiencies further exacerbate these risks; law enforcement’s limited capacity to leverage digital tools, such as metadata analysis, often forces reliance on less reliable methods, weakening both investigation efficacy and privacy assurances. This contrasts sharply with the EU’s judicially supervised, rights-balanced approach, highlighting India’s need for reform to align with global standards.

VII. RECOMMENDATIONS FOR REFORMING INDIA’S FRAMEWORK

India’s reliance on Mutual Legal Assistance Treaties (MLATs) for cross-border evidence access has been criticized for multiple reasons, the below recommendations aim to address some of these issues.

7.1 Adopt Extraterritorial Jurisdiction with Judicial Oversight

Amending the BSA to include extraterritorial jurisdiction would allow Indian authorities to directly request data from service providers operating within India, regardless of storage location, mirroring the EU’s e-Evidence Regulation under Articles 5–7.[58] Judicial oversight, as mandated by the Supreme Court in K.S. Puttaswamy v. Union of India (2017), would ensure that such requests meet necessity and proportionality standards, balancing law enforcement needs with privacy rights. Negotiating bilateral agreements with the US and EU could further enhance cooperation, drawing on the EU-US e-Evidence Agreement negotiations resumed in March 2023, which aim to reconcile the US CLOUD Act with EU GDPR requirements.[59] Carnegie India’s 2020 report suggests that such agreements could position India as a leader in global data-sharing discussions, provided they incorporate robust safeguards.[60]

7.2 Enforce Mandatory Compliance with Penalties

Requiring foreign service providers like AWS and Meta to appoint local representatives in India to handle data requests would strengthen compliance, a practice aligned with the EU’s e-Evidence Regulation under Article 18.[61] Imposing penalties, such as fines up to a percentage of global turnover for non-compliance, as outlined in Article 21 of the same regulation, would ensure accountability.[62] This addresses the current enforcement gap where foreign providers face no repercussions for non-cooperation. Expanding the SAHYOG portal, an initiative of the Indian Cyber Crime Coordination Centre (I4C), to mandate participation from all states and major platforms is essential to reduce delays. Resistance from platforms like X underscores the need for enforceable participation.[63]

7.3 Integrate Privacy Safeguards into BSA

Incorporating privacy safeguards into the BSA is critical to protect citizens from overreach. Judicial assessments of necessity and proportionality for cross-border requests, as required by K.S. Puttaswamy v. Union of India (2017), would align India’s framework with international standards. Mandating service providers to notify users of data requests, unless investigations are compromised, follows the EU’s e-Evidence Regulation under Article 11 and was recommended by the Justice Srikrishna Committee in 2018 to uphold individual rights.[64] These measures address concerns over unchecked surveillance under the Information Technology Act, 2000, ensuring compliance with constitutional privacy guarantees.

7.4 Establish a Centralized Digital Judicial Network

Creating a centralized digital judicial network, modeled after the European Judicial Network, would streamline cross-border requests using standardized forms, improving efficiency over India’s current ad-hoc MLAT system.[65] Capacity building in digital forensics is equally vital, with the Ministry of Home Affairs noting significant technical deficits in 2020.[66] The National e-Governance Division’s ongoing program targets training 1,000 personnel in cyber forensics, but scaling to 10,000 by 2026, as proposed, requires substantial funding.[67] The Cyber Crime Prevention against Women and Children scheme, which allocated ₹6 crore to train 40,500 personnel by 2020, offers a funding precedent that could be expanded to support this initiative.[68]

7.5 Enhance International Cooperation

Joining the Budapest Convention, ratified by 78 states as of January 2025, would provide India access to its Second Additional Protocol (2021), enhancing cross-border evidence sharing.[69][70] However, India’s historical reluctance, rooted in sovereignty concerns since 2001, has led to calls for alternative UN-led frameworks. Short-term participation in the Protocol without full ratification could bridge this gap, while long-term alignment with its evidence standards would ensure mutual admissibility. Bilateral agreements remain a viable interim step, balancing efficiency with national interests.

These reforms face hurdles, including political opposition to international treaties and resource constraints for capacity building. India’s preference for UN-led cybercrime frameworks over the Budapest Convention reflects ongoing sovereignty debates, while funding scalability remains a practical challenge. However, the need for surveillance reforms to align with global norms, to make sure India’s framework evolves to meet its growing digital demands must be emphasized.

VIII. CONCLUSION

India’s framework for accessing cross-border digital evidence is hindered by significant systemic flaws, notably its reliance on Mutual Legal Assistance Treaties (MLATs) that delay investigations by an average of 40 months and the lack of extraterritorial jurisdiction within the Bharatiya Sakshya Adhiniyam (BSA). These shortcomings severely limit law enforcement’s capacity to combat cybercrime, which increasingly operates across national borders, necessitating urgent reform to keep pace with global challenges.

This research outlines a comprehensive set of reforms to address these issues, beginning with the adoption of extraterritorial jurisdiction under the BSA, coupled with judicial oversight to ensure compliance with privacy standards set by K.S. Puttaswamy v. Union of India (2017). It further recommends enforcing mandatory compliance from foreign service providers through penalties, expanding the SAHYOG portal, and integrating robust privacy safeguards, such as user notification and proportionality assessments. Establishing a centralized digital judicial network and enhancing international cooperation, potentially through strategic engagement with the Budapest Convention, are also critical steps to streamline processes and align India with global norms.

Implementing these reforms would enable faster evidence access, enhance law enforcement efficiency, and maintain a delicate balance between security and individual rights. As cyber threats evolve, India must act decisively to modernize its framework, reinforcing its position as a leader in digital governance and global law enforcement collaboration.

*******

[1] CloudSEK, Indian Entities May Lose Rs 20,000 Cr to Cybercrimes in 2025, Bus. Standard (Mar. 1, 2025), https://www.business-standard.com/technology/tech-news/indian-entities-may-lose-rs-20-000-cr-to-cybercrimes-in-2025-cloudsek-125030100647_1.html.

[2] Regulation (EU) 2023/1543 of the European Parliament and of the Council of 12 July 2023 on European Production Orders and European Preservation Orders for Electronic Evidence in Criminal Proceedings, arts. 5–7, 2023 O.J. (L 191) 1, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R1543.

[3] Observer Research Foundation, India-US Data Sharing for Law Enforcement: Blueprint for Reforms 12 (2019), https://www.orfonline.org/research/india-us-data-sharing-for-law-enforcement-blueprint-for-reforms-47425.

[4] Why Are Cybercrime Convictions Low in India? ‘Weak Forensics, Dark Net & Cross-Border Attacks’, ThePrint (Dec. 20, 2022), https://theprint.in/tech/why-are-cybercrime-convictions-low-in-india-weak-forensics-dark-net-cross-border-attacks/1273191/.

[5] K.S. Puttaswamy v. Union of India, (2017) 10 S.C.C. 1 (India),

[6] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), art. 49, 2016 O.J. (L 119) 1, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679.

[7] Council of the European Union, Press Release on the Adoption of the e-Evidence Regulation (2023).

[8] Big Brother Watch and Others v. United Kingdom, App. Nos. 58170/13, 62322/14, 24960/15, Eur. Ct. H.R. (May 25, 2021).

[9] Regulation (EU) 2023/1543 of the European Parliament and of the Council of 12 July 2023 on European Production Orders and European Preservation Orders for Electronic Evidence in Criminal Proceedings, arts. 5-7.

[10] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), art. 49, 2016 O.J. (L 119) 1.

[11] Observer Research Foundation, Cross-Border Data Access Challenges 15 (2025).

[12] Bharatiya Sakshya Adhiniyam, § 63 (2023) (India).

[13] Facebook Inc. v. State of Delhi (2020) Crl. M.C. 172/2020

[14] Supra note 11

[15] Regulation (EU) 2023/1543 on European Production and Preservation Orders for Electronic Evidence in Criminal Matters, art. 5, 2023 O.J. (L 123).

[16] Id. art. 7.

[17] Id. art. 21

[18] Rohan Desai, Reforming India’s MLAT Regime, 12 Carnegie India Policy Brief 8, 12 (2025).

[19] Jan Kowalski, Jurisdictional Conflicts in Cross-Border Data Access, 45 Harv. Int’l L.J. 234, 241 (2024).

[20] Supra note 14

[21] Ministry of Home Affairs, Annual Report on SAHYOG Portal Implementation 7 (2024).

[22] Nat’l Crime Records Bureau, Crime in India 2025 57 (2025).

[23] Regulation (EU) 2023/1543, art. 14.

[24] Id. art. 13.

[25] Id. art. 12.

[26] Bharatiya Sakshya Adhiniyam § 2(d) (2023).

[27] IT. Act, § 79 (2000).

[28] Digital Personal Data Protection Act § 18 (2023).

[29] Bharatiya Sakshya Adhiniyam § 63(2) (2023).

[30] Supra note 22

[31] Regulation (EU) 2023/1543 of the European Parliament and of the Council of 12 July 2023 on European Production Orders and European Preservation Orders for Electronic Evidence in Criminal Proceedings, arts. 5–7, 2023 O.J. (L 191) 1.

[32] European Commission, Cross-Border Access to Electronic Evidence, https://ec.europa.eu/home-affairs/what-we-do/policies/cybercrime/e-evidence_en (last visited Apr. 6, 2025).

[33] Regulation (EU) 2023/1543 of the European Parliament and of the Council of 12 July 2023 on European Production Orders and European Preservation Orders for Electronic Evidence in Criminal Proceedings, arts. 5–7, 2023 O.J. (L 191) 1.

[34] Bharatiya Sakshya Adhiniyam, No. 47 of 2023, § 2(1)(d) (India)

[35] Supra note 3

[36] Regulation (EU) 2023/1543 of the European Parliament and of the Council of 12 July 2023 on European Production Orders and European Preservation Orders for Electronic Evidence in Criminal Proceedings, art. 10, 2023 O.J. (L 191).

[37] Council of the European Union, Press Release, Electronic Evidence: Council Confirms Agreement with the European Parliament on New Rules to Improve Cross-Border Access to E-Evidence (Jan. 25, 2023), https://www.consilium.europa.eu/en/press/press-releases/2023/01/25/electronic-evidence-council-confirms-agreement-with-the-european-parliament-on-new-rules-to-improve-cross-border-access-to-e-evidence/

[38] X Tells Delhi HC It Cannot Be Compelled to Join Centre’s SAHYOG Portal, The Hindu (Feb. 25, 2025), https://www.thehindu.com/sci-tech/technology/x-tells-delhi-hc-it-cannot-be-compelled-to-join-centres-sahyog-portal/article69374182.ece.

[39] Supra note 3

[40] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), art. 49, 2016 O.J. (L 119) 1.

[41] Regulation (EU) 2023/1543 of the European Parliament and of the Council of 12 July 2023 on European Production Orders and European Preservation Orders for Electronic Evidence in Criminal Proceedings, art. 11, 2023 O.J. (L 191)

[42] Information Technology Act, No. 21 of 2000, § 69 (India),

[43] Supra note 5

[44] Regulation (EU) 2023/1543 of the European Parliament and of the Council of 12 July 2023 on European Production Orders and European Preservation Orders for Electronic Evidence in Criminal Proceedings, art. 21, 2023 O.J. (L 191)

[45] India Lost ₹10,319 Cr to Cyber Heists in Three Years: I4C CEO, The Hindu BusinessLine (Jan. 8, 2025), https://www.thehindubusinessline.com/info-tech/india-lost-10319-cr-to-cyber-heists-in-three-years-i4c-ceo/article67702544.ece.

[46] Carnegie India, Cross-Border Data Access for Law Enforcement: What Are India’s Strategic Options? 8 (Nov. 23, 2020), https://carnegieindia.org/2020/11/23/cross-border-data-access-for-law-enforcement-what-are-india-s-strategic-options-pub-83197.

[47] European Commission, EU-U.S. Data Transfers, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en (last visited Apr. 6, 2025).

[48] Supra note 3

[49] Bharatiya Sakshya Adhiniyam, No. 47 of 2023, § 2(1)(d) (India)

[50] Supra note 3

[51] State (NCT of Delhi) v. Navjot Sandhu, (2005) 11 S.C.C. 600, ¶ 150 (India)

[52] Carnegie India, Cross-Border Data Access for Law Enforcement: What Are India’s Strategic Options? 6 (Nov. 23, 2020),https://carnegieindia.org/2020/11/23/cross-border-data-access-for-law-enforcement-what-are-india-s-strategic-options-pub-83197.

[53] Id. 54

[54] Ministry of Home Affairs, Status of Cyber Crime Investigation and Prosecution in India 15 (2020)

[55] Arjun Panditrao Khotkar v. Kailash Gorantyal, (2020) 7 S.C.C. 1, ¶ 71

[56] State v. Tanseem Haider, (2021) Crl. M.C. 1452/2021 (Delhi High Ct.)

[57] Shreya Singhal v. Union of India, (2015) 5 S.C.C. 1, ¶ 96 (India

[58] Regulation (EU) 2023/1543 of the European Parliament and of the Council of 12 July 2023 on European Production Orders and European Preservation Orders for Electronic Evidence in Criminal Proceedings, arts. 5–7, 2023 O.J. (L 191) 1, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R1543.

[59] European Commission, EU-US Announcement on Resumption of Negotiations for an EU-US Agreement to Facilitate Access to Electronic Evidence (Mar. 2, 2023), https://commission.europa.eu/news/eu-us-announcement-resumption-negotiations-eu-us-agreement-facilitate-access-electronic-evidence-2023-03-02_en.

[60] Carnegie India, Cross-Border Data Access for Law Enforcement: What Are India’s Strategic Options? 10 (Nov. 23, 2020), https://carnegieindia.org/2020/11/23/cross-border-data-access-for-law-enforcement-what-are-india-s-strategic-options-pub-83197.

[61] Regulation (EU) 2023/1543 of the European Parliament and of the Council of 12 July 2023 on European Production Orders and European Preservation Orders for Electronic Evidence in Criminal Proceedings, art. 18, 2023 O.J. (L 191) 1, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R1543.

[62] Regulation (EU) 2023/1543 of the European Parliament and of the Council of 12 July 2023 on European Production Orders and European Preservation Orders for Electronic Evidence in Criminal Proceedings, art. 21, 2023 O.J. (L 191) 1, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R1543.

[63] X Tells Delhi HC It Cannot Be Compelled to Join Centre’s SAHYOG Portal, The Hindu (Feb. 25, 2025), https://www.thehindu.com/sci-tech/technology/x-tells-delhi-hc-it-cannot-be-compelled-to-join-centres-sahyog-portal/article69374182.ece.

[64] Justice Srikrishna Committee, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians 85 (2018), https://prsindia.org/policy/report-summaries/free-and-fair-digital-economy.

[65] European Judicial Network, Homepage, https://www.ejn-crimjust.europa.eu/ (last visited Apr. 6, 2025).

[66] Ministry of Home Affairs, Status of Cyber Crime Investigation and Prosecution in India 15 (2020) (on file with the Government of India), https://www.mha.gov.in/MHA1/Par2017/pdfs/par2021-pdfs/rs-24032021/3266.pdf.

[67] National e-Governance Division, Online Capacity Building Programme on Cyber Law, Crime Investigation and Digital Forensics, https://negd.gov.in/online-capacity-building-programme-on-cyber-law-crime-investigation-and-digital-forensics-through-lms (last visited Apr. 6, 2025).

[68] Press Information Bureau, Cyber Crime Prevention against Women and Children Scheme, Press Release (Aug. 19, 2022), https://pib.gov.in/PressReleasePage.aspx?PRID=1845321.

[69] Convention on Cybercrime, Nov. 23, 2001, 185 C.E.T.S. 1,

[70] Cyber Defence Centre of Excellence, Battling Cybercrime Through the New Additional Protocol to the Budapest Convention (2021), https://ccdcoe.org/library/publications/battling-cybercrime-through-the-new-additional-protocol-to-the-budapest-convention/.