Cross-Border Evidence and Mutual Legal Assistance
Cybercrimes routinely span multiple countries, placing suspects, victims, servers, and evidence under different legal systems simultaneously. This topic explains how investigators use mutual legal assistance treaties, emergency preservation requests, and informal cooperation networks to gather and authenticate cross-border digital evidence.
Cross-border evidence gathering in cybercrime investigations is the process by which law enforcement in one country obtains digital evidence, such as server logs, subscriber records, or financial transaction data, held under the jurisdiction of another country. The primary legal mechanism is the mutual legal assistance treaty (MLAT), a formal bilateral or multilateral agreement that creates a structured channel for evidence requests between governments. Alongside MLATs, the Council of Europe's Budapest Convention on Cybercrime provides Article 29, an expedited data preservation mechanism that buys time before a full MLAT request is processed. Informal channels, including the G7 24/7 Network and INTERPOL cooperation frameworks, supplement these formal routes when speed is critical.
Cybercrime rarely stays inside one country's borders. An attacker in one country may compromise servers hosted in a second country, target victims in a third, and route transactions through financial institutions in a fourth. Each piece of evidence relevant to the investigation falls under the law of the jurisdiction where it physically resides or where the service provider is legally domiciled. Investigators who ignore this geography risk obtaining evidence that courts will exclude, or requesting data in ways that create diplomatic friction. Understanding the legal tools available, their timelines, and their limitations is as essential to a cyber investigator as understanding network forensics.
The Budapest Convention, opened for signature in 2001 and now ratified by more than 65 countries including the United States, most EU member states, and several non-European nations, remains the primary multilateral treaty framework for cybercrime cooperation. Countries that have not ratified it may still cooperate through bilateral MLATs or on a case-by-case reciprocal basis. India operates under the Information Technology Act 2000 and its amendments, and uses bilateral MLATs plus the UN Convention against Transnational Organized Crime as its primary cooperation frameworks. The UK operates under the Crime (International Cooperation) Act 2003. The US uses the Electronic Communications Privacy Act alongside its MLAT network.
By the end of this topic you will be able to:
- Explain the structure and purpose of an MLAT request and identify the central authorities responsible for processing one in the US, UK, EU, and India.
- Describe the Budapest Convention Article 29 preservation mechanism, including the minimum preservation period and what happens next.
- Distinguish formal (treaty-based) from informal (network-based) cooperation channels and identify when each is appropriate.
- Identify the main admissibility risks for cross-border digital evidence and the documentation practices that mitigate them.
- Outline the practical steps for initiating and tracking a cross-border evidence request from initial identification of foreign-held data through to domestic receipt.
- Mutual Legal Assistance Treaty (MLAT): A formal bilateral or multilateral agreement between states that obligates each party to assist the other in gathering evidence for criminal investigations. MLATs define the types of assistance covered, the required form of requests, the grounds for refusal, and the timelines for response.
- Budapest Convention: The Council of Europe Convention on Cybercrime (2001), the first international treaty specifically addressing cybercrime. It harmonises national cybercrime laws, establishes common offence definitions, and provides cooperation mechanisms including the Article 29 preservation request and the Article 30 expedited disclosure procedure.
- Article 29 preservation request: An expedited mechanism under the Budapest Convention allowing a signatory state to ask another signatory to preserve specific computer data for at least 60 days while a formal MLAT request is prepared. It does not transfer the data; it only prevents deletion while the formal request is processed.
- Central authority: The government body designated under an MLAT or domestic law to send and receive formal mutual legal assistance requests. In the US this is the Department of Justice Office of International Affairs; in the UK it is the Home Office; in India it is the Ministry of Home Affairs (via the nodal agency for the specific treaty).
- G7 24/7 Network: An informal around-the-clock contact network originally established by G7 countries and now including additional states, allowing law enforcement to request urgent informal assistance in cybercrime cases. Contact does not require a formal MLAT request but cannot compel evidence production.
- Chain of custody (cross-border): The documented record of every person who handled digital evidence from its original collection in a foreign jurisdiction through its transfer, receipt, and presentation in domestic proceedings. A gap in cross-border chain of custody is one of the most common grounds for challenging MLAT-obtained evidence.
The MLAT process: structure, timelines, and central authorities
An MLAT request begins when an investigator identifies that evidence needed for a case is held in another country. The investigator drafts a request document specifying the legal basis for the investigation, the offences alleged, the specific data or assistance needed, and the relevance of that data to the case. This draft goes to the domestic central authority, which reviews it for completeness, translates it if required, and transmits it through diplomatic channels to the central authority in the requested state.
The requested state's central authority assesses the request against the treaty terms and its own domestic law. Most MLATs allow refusal on grounds of dual criminality (the conduct must also be an offence under the requested state's law), national security, sovereignty, or ordre public. If the request is accepted, the requested state uses its own courts and agencies to gather the evidence in accordance with its domestic procedure, then transmits the results back through the same diplomatic channel.
The US central authority is the Department of Justice Office of International Affairs (OIA). The UK routes requests through the Home Office Central Authority for Mutual Legal Assistance. EU member states use their respective Justice Ministries and, for intra-EU requests, may use the European Investigation Order (EIO), which replaced most bilateral MLAT processes between EU states under Directive 2014/41/EU and significantly shortened response timelines. India processes outgoing MLAT requests through the Ministry of Home Affairs in coordination with the Ministry of External Affairs, with the specific nodal contact depending on which treaty applies to the requested country.
Budapest Convention Article 29: expedited preservation
Article 29 of the Budapest Convention addresses a specific problem: digital evidence can be deleted or overwritten in the time it takes to prepare and transmit a full MLAT request. The provision allows a signatory state to send an expedited preservation request directly to another signatory, asking it to preserve specific stored computer data. The receiving state must preserve the data for at least 60 days, and this period is extendable on request.
A preservation request under Article 29 does not transfer the data to the requesting state. It merely prevents the data from being deleted. The requesting state must then follow up with a full MLAT request or Article 31 disclosure request to actually obtain the preserved data. The two-step structure is deliberate: preservation is fast and can be done with minimal formality, while disclosure requires judicial authorisation in most jurisdictions and therefore takes longer.
| Feature | Article 29 Preservation | Full MLAT / Article 31 Disclosure |
|---|---|---|
| Purpose | Prevent data deletion while formal request is prepared | Obtain and transfer the actual data |
| Speed | Can be sent within hours; preservation begins quickly | Weeks to months depending on bilateral treaty |
| Data transferred | No data transferred; only preservation obligation | Evidence transmitted to requesting state |
| Judicial order required | Usually not, at the preservation stage | Yes, in most jurisdictions |
| Minimum hold period | 60 days (extendable) | Ongoing until case is closed or evidence returned |
| Legal basis | Budapest Convention Art. 29 or bilateral equivalent | MLAT, Budapest Convention Art. 31, or bilateral treaty |
Article 30 provides a complementary mechanism: when a requested state preserves data under Article 29, it may also disclose the traffic data (not content data) immediately if there is a risk that further disclosure will be required to trace a communication chain across additional jurisdictions. This allows investigators to follow the trail of a routed attack across multiple countries more quickly than the full MLAT process would permit.
Informal cooperation channels: 24/7 networks and regional bodies
Formal MLAT processes are not the only route to cross-border assistance. Informal cooperation channels exist specifically for situations where speed is essential and compelled evidence production is not immediately needed. The G7 24/7 Network, established in 1997 and now including more than 90 countries, provides a round-the-clock contact point in each member country that investigators can reach directly to request urgent assistance, pass intelligence, or coordinate simultaneous actions. A call through the 24/7 Network can secure a voluntary preservation request from a foreign internet service provider within hours.
INTERPOL's Cybercrime Directorate coordinates multilateral operations and maintains secure communication channels between member countries' national central bureaus (NCBs). Europol's European Cybercrime Centre (EC3) plays a similar coordination role within the EU, often acting as the operational hub for joint investigation teams (JITs). JITs allow investigators from two or more countries to work together under a formal agreement without each individual action requiring a separate MLAT request. The UK, despite leaving the EU, retains operational cooperation with EC3 on specific case types.
India's INTERPOL NCB at the CBI headquarters coordinates with foreign NCBs for cybercrime operational intelligence. For South Asian regional cooperation, India participates in the SAARC Convention on Mutual Assistance in Criminal Matters, though practical use of that framework for cybercrime cases is limited. US investigators have access to FBI Legal Attachés (Legats) posted in US embassies worldwide, who can initiate informal contact with foreign law enforcement outside the MLAT process.
Admissibility of cross-border digital evidence
Evidence obtained through an MLAT is generally admissible in domestic proceedings, but admissibility is not automatic and the conditions vary by jurisdiction. Common-law courts, including those in India under the Bharatiya Sakshya Adhiniyam 2023 (which replaced the Indian Evidence Act 1872), the UK under the Criminal Justice Act 2003 and associated case law, and US federal courts under the Federal Rules of Evidence, typically apply a two-part test: the evidence must have been gathered lawfully in the country where it was collected, and the chain of custody must be adequately documented.
Chain of custody in cross-border transfers involves multiple handoffs that are not present in domestic evidence handling: the foreign law enforcement officer or court official who gathered the data, the central authority that transmitted it, the diplomatic courier or secure electronic transfer mechanism, and the domestic agency that received and stored it. Each handoff must be documented. Where evidence arrives as a certified copy or affidavit rather than original electronic media, the foreign official's certification and the treaty procedures followed must be on the record.
Civil-law jurisdictions present different challenges. Many EU member states and countries with civil-law traditions require that evidence be gathered using procedures equivalent to their own investigative procedures, not merely that it was lawful in the source country. An investigator seeking to present evidence in a German or French court may need to ensure that the gathering procedure in the source country met standards comparable to those required by German or French law. Dual criminality requirements in the MLAT itself add another layer: if the conduct investigated is not a criminal offence in the requested state, that state may legitimately refuse to provide assistance.
Cryptocurrency tracing and cross-border financial evidence
Cryptocurrency transactions create a particular cross-border evidence challenge. The blockchain ledger is technically borderless, but the entities that can associate wallet addresses with real-world identities, primarily cryptocurrency exchanges, are incorporated in specific jurisdictions and subject to that jurisdiction's law. An investigator tracing ransomware proceeds may follow a transaction chain across a dozen wallet addresses before the funds reach an exchange, and that exchange may be registered in a country without an MLAT relationship with the investigating state.
Where an MLAT exists, the request for know-your-customer (KYC) records held by a foreign exchange is processed like any other financial evidence request. Where no treaty exists, investigators can attempt to use the Financial Action Task Force (FATF) framework. FATF mutual evaluation processes encourage member states to maintain financial intelligence cooperation mechanisms, and the Egmont Group of Financial Intelligence Units (FIUs) provides a secure channel for FIU-to-FIU intelligence sharing that operates independently of MLAT requirements.
The US has used unilateral actions such as seizure warrants directed at US-based exchange accounts, even where underlying transactions occurred elsewhere. The UK uses Part 5 of the Proceeds of Crime Act 2002 for asset recovery across borders. India's Enforcement Directorate can seek mutual legal assistance for money laundering investigations under the Prevention of Money Laundering Act 2002. In practice, the most effective cross-border cryptocurrency investigations combine blockchain analytics for transaction tracing with formal MLAT requests targeted at the specific exchanges holding user identity data.
Practical investigation workflow: from foreign data identification to domestic receipt
A structured workflow reduces delays and avoids the most common mistakes in cross-border evidence gathering. The first step is precise identification: what data is needed, where is it physically located or legally held, and who is the legal custodian. IP address geolocation and WHOIS data provide initial indicators, but the authoritative answer is the service provider's terms of service and its registered jurisdiction. A server physically in one country may be legally held by a company incorporated in another.
- Identify and document: Specify the exact data needed (subscriber records, log files, content), the legal custodian, and the relevant jurisdiction. Use open-source investigation and DNS and domain investigation tools to pinpoint the custodian.
- Send preservation immediately: File an Article 29 request or use an informal channel to request voluntary preservation. Do not wait until the full MLAT request is ready.
- Draft the MLAT request: Include the offence, the specific data, its relevance, the legal basis, and assurances about use limitations. Submit to the domestic central authority for review.
- Track and follow up: Formal requests can stall. Periodic follow-up through both the domestic central authority and informal channels (if a 24/7 Network contact exists in the requested state) keeps the request visible.
- Document receipt and custody: When evidence arrives, document the form it arrived in, who received it, when, and how it was stored. Verify hash values against any provided by the foreign authority.
Investigators managing multi-jurisdictional cases should maintain a request tracker listing each foreign evidence item, the country from which it is sought, the treaty or mechanism being used, the date of the preservation request, the date the full MLAT was sent, and the current status. This record is useful both for case management and for demonstrating to a court that preservation steps were taken promptly when the timeliness of evidence gathering is challenged by the defence.
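The tracker fields and the receipt-time hash check described in this workflow, sketched as an added example (not part of the original page). The class and field names, the 14-day warning window, the officer and storage labels, and the sample log bytes are assumptions constructed for illustration; the 60-day figure is the minimum Article 29 hold period stated above.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Minimum Article 29 hold period as stated on this page (extendable on request).
ART29_MIN_HOLD = timedelta(days=60)

@dataclass
class EvidenceRequest:
    """One row of the request tracker (field names are illustrative)."""
    item: str
    country: str
    mechanism: str
    preservation_sent: date
    mlat_sent: Optional[date] = None
    status: str = "preservation requested"
    custody_log: list = field(default_factory=list)

    def hold_expires(self) -> date:
        return self.preservation_sent + ART29_MIN_HOLD

    def needs_attention(self, today: date, warn_days: int = 14) -> bool:
        # Flag rows where the hold is close to lapsing and no full request is out.
        remaining = (self.hold_expires() - today).days
        return self.mlat_sent is None and remaining <= warn_days

    def record_receipt(self, data: bytes, foreign_sha256: str, received_by: str,
                       form: str, stored_at: str, when: date) -> bool:
        # Hash what actually arrived and compare with the foreign authority's value.
        actual = hashlib.sha256(data).hexdigest()
        ok = actual == foreign_sha256.strip().lower()
        # Log the handoff either way: a mismatch is itself a custody fact.
        self.custody_log.append({"date": when.isoformat(), "received_by": received_by,
                                 "form": form, "stored_at": stored_at,
                                 "sha256": actual, "matches_foreign_hash": ok})
        self.status = "received, hash verified" if ok else "received, hash mismatch"
        return ok

# Constructed sample data: not real evidence, hashes, or case details.
SAMPLE_LOG = b"2024-03-01T10:15:02Z 203.0.113.7 LOGIN user=alice\n"
FOREIGN_HASH = hashlib.sha256(SAMPLE_LOG).hexdigest().upper()  # as supplied, upper case

def demo() -> EvidenceRequest:
    req = EvidenceRequest("provider access logs", "Germany",
                          "Budapest Convention Art. 29 + MLAT", date(2024, 3, 1))
    print("hold expires:", req.hold_expires())
    print("needs attention on 2024-04-20:", req.needs_attention(date(2024, 4, 20)))
    req.mlat_sent = date(2024, 4, 22)
    req.record_receipt(SAMPLE_LOG, FOREIGN_HASH, "Officer A (hypothetical)",
                       "certified copy on encrypted media", "evidence locker 3",
                       date(2024, 7, 9))
    return req

if __name__ == "__main__":
    print(demo().status)
```

A mismatch is logged rather than raised, so the custody record still shows what arrived, who received it, and that the discrepancy was detected at receipt.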
An investigator identifies that logs needed for a ransomware case are held by a service provider in Germany. The investigation is at an early stage and a full MLAT request will take weeks to prepare. What is the correct immediate action?
Key Takeaways
- MLATs are the primary legal mechanism for compelling evidence disclosure from foreign jurisdictions; requests are processed through designated central authorities and can take many months, making early filing and parallel preservation requests essential.
- Budapest Convention Article 29 provides an expedited preservation mechanism that holds data for at least 60 days while a full MLAT request is prepared; preservation does not transfer data and must be followed by a formal disclosure request.
- Informal channels including the G7 24/7 Network and INTERPOL coordination can secure voluntary cooperation and pass intelligence quickly but cannot compel evidence production and should be used alongside, not instead of, formal treaty processes.
- Admissibility of cross-border digital evidence depends on lawful collection in the source country and a documented chain of custody through every handoff from foreign collection to domestic receipt; gaps in the chain of custody are the most common defence challenge.
- Unauthorised transborder access to foreign servers violates international law and may expose investigators to criminal liability; all access to data physically or legally held abroad must be authorised through treaty mechanisms or explicit consent from the data custodian.
What is a mutual legal assistance treaty (MLAT) in the context of cybercrime?
What is the Budapest Convention Article 29 preservation mechanism?
What networks exist for informal law-enforcement cooperation in cybercrime cases?
How do courts assess the admissibility of evidence obtained through an MLAT?
What is the difference between evidence preservation and evidence disclosure in cross-border requests?