Este artículo también se encuentra en español aquí.
Yesterday, 22 countries, including the United States, signed onto a flawed international agreement on cross-border policing aimed at countering cybercrime and expediting electronic evidence gathering. Governments, including those that were actively involved in negotiations on the document, should think twice before adopting it, as the treaty is likely to erode privacy on a global scale. The treaty, which opened for signatures this week, will come into force once five countries complete the adoption process by ratifying it.
The treaty at issue, the Council of Europe’s Second Additional Protocol (the protocol) to its Cybercrime Convention, was negotiated over the past four years in a law-enforcement-driven process that locked out independent regulators and civil society from many of its central debates. The protocol’s procedures are meant to enhance international cooperation in criminal investigations, but because its drafting was heavily skewed towards increasing police powers, it doesn’t sufficiently protect the privacy and human rights of those who will be subject to its authority.
More than 60 States that ratified the underlying Cybercrime Convention (also known as the Budapest Convention) — and are thus eligible to accede to the protocol — have a decision to make. The protocol creates a range of new cross-border policing powers but adopts weak privacy and human rights standards and fails to include sufficient oversight. The good news is that, for those that decide to ratify, the protocol offers options that could be exercised, even after the initial signing, to mitigate some of its harm to human rights.
Privacy and Human Rights Sidelined to Expedite Law Enforcement Priorities
The protocol does not represent a proportionate approach to cross-border data access; instead, it prioritizes law enforcement to the detriment of privacy, data protection, and human rights.
The willingness of the protocol’s drafters to sideline human rights is perhaps best seen in their rejection of certain amendments suggested by the Council of Europe’s own Legal Affairs and Human Rights legislative committee. The committee recommended, unsuccessfully, the explicit inclusion of the principle of proportionality, articulating that the processing of personal data should be necessary and proportionate and done in a way that explicitly recognizes important privileges and immunities, such as doctor-patient confidentiality, journalists’ source protection, and lawyer-client privilege.
The protocol rarely requires judicial oversight and would essentially usurp the role played by independent data protection bodies in many jurisdictions. Many privacy frameworks entrust such independent regulators with the primary responsibility for ensuring sufficient data protection for transfers of personal information to other jurisdictions. But under the protocol, independent privacy regulators are prevented from scrutinizing data transfers to ensure they comply with national rules, and may only interfere with transfers in very narrow circumstances.
In countries with minimal judicial oversight, cross-border investigations can threaten human rights. Rather than establishing high standards, the protocol prioritizes law enforcement access at almost every turn. This is perhaps most evident from its explicit adoption of data protection standards that fall short of the Council of Europe’s own data protection regime, Convention 108+, and in its approach to subscriber data, which downplays the privacy interest threatened when the state is empowered to identify anonymous online activity, in direct contradiction of the Council’s own European Court of Human Rights.
Ceding Interpretive Control to CoE’s Cybercrime Committee
The implementation and ongoing interpretation of Council of Europe instruments such as the protocol and its underlying treaty, the Cybercrime Convention, are overseen by committees. The committee tasked with overseeing cybercrime (dubbed T-CY) is predominantly populated by law enforcement interests, to the exclusion of independent privacy regulators and even the Council of Europe’s own data protection committee (T-PD).
This is particularly problematic as T-CY’s interpretive perspectives will inevitably conflict with civil society, as they have in the past. For example, in 2016, the United States 2nd Circuit Court of Appeals issued a landmark ruling limiting the extraterritorial reach of U.S. production powers and providing important protections for the privacy rights of some EU citizens. Following this decision, T-CY issued a guidance note providing a controversially expansive and conflicting interpretation of the Cybercrime Convention’s cross-territorial reach. This guidance note then formed an important component of the U.S. Department of Justice’s appeal of the 2nd Circuit decision, including the claim that the decision “undermined the United States’ compliance with its obligations under…[the Cybercrime Convention].”
While national courts will always have the last say in applying the law, the police-driven interpretative instruments issued by T-CY are an integral and problematic component of the package States are being asked to accept when adopting the protocol.
Casting a Shadow Over the MLAT Regime and Ongoing UN Treaty Negotiations
Adopting the protocol is likely to weaken existing regimes of cross-border investigative cooperation. The current Mutual Legal Assistance Treaty (MLAT) system has faced criticism for being slow and unresponsive. Many of these issues arise from practical challenges, such as language barriers or under-resourced MLAT response teams.
But a central factor in delaying cross-border data access is the complexity of navigating competing criminal justice systems. As the U.N. Security Council’s Counter-Terrorism Committee Executive Directorate (CTED) recently noted, a proliferation of competing cross-border investigative powers can do more harm than good by creating overlapping and potentially incompatible regimes. This fragmented cross-border investigative landscape “frustrates one of the key goals of the reform initiatives, which is to simplify an overly complex and fragmented set of jurisdictional concerns for accessing digital evidence.”
Instead of training police to navigate foreign legal systems and seeking more investment and resources for the MLAT regime, the protocol adds yet another layer of rules for law enforcement to navigate. Also, a U.N. ad-hoc committee began talks in April on another Cybercrime Treaty. That treaty poses its own threats to human rights, but is also likely to overlap and conflict with the protocol, creating even more layers of complexity and perhaps rendering the protocol redundant.
Screening for Human Rights Violations
Despite the lack of human rights safeguards and the fact that there’s another cybercrime treaty in the works, many States are likely to adopt the protocol. These States have important choices to make, as the protocol offers several optional privacy and human rights safeguards, many of which must be selected when signing or ratifying. These options will provide more effective screening for human rights violations, a proportionate framework for safeguarding online anonymity, and a robust level of data protection.
In current cross-border data access scenarios, central authorities provide an important vetting mechanism to ensure that requests align with each State’s human rights obligations. A number of the protocol’s operative provisions limit the important vetting role played by these central authorities, and parties should exercise what discretion the protocol offers to mitigate this dangerous approach.
Article 7, the protocol’s primary mechanism for cross-border access to subscriber identification data, envisions law enforcement in one country going directly to service providers in another country with requests to turn over user data. By default, central authorities need not approve any requests, nor will they even be aware a request was made in many instances. Paragraph 7.5 permits States to at least require that their central authority be notified when requests are sent to service providers in their jurisdiction, providing a low-friction screening mechanism that could hedge against user data requests that violate human rights standards.
Article 12 of the protocol outlines a framework for Joint Investigative Teams, which combine law enforcement officials from several jurisdictions into one unit empowered to investigate a cross-border crime. The protocol empowers these teams to adopt their own agreements regarding privacy safeguards, investigative assistance requests, and personal data transfers between members of the team, effectively bypassing existing MLAT mechanisms. Agreements can even override the explicit data protection safeguards and investigative limitations adopted in the protocol and can be reached by individual law enforcement officials without any need to consult or even notify central authorities. Furthermore, invoking Article 12.3 would ensure that central authorities are involved in, or at least aware of, these arrangements and their implications.
The above-mentioned Article 7 of the protocol creates a framework for direct cooperation between law enforcement officials in one State and service providers in another for the purpose of identifying subscribers.
Subscriber identification data is one of law enforcement’s most sought-after types of personal information, and so it is no surprise that the protocol’s treatment of subscriber data provides very limited protection against arbitrary interference with privacy and anonymity. But the power to identify anonymous individuals at will poses a dire threat to lawyers, journalists, political dissidents, human rights defenders, and politicians. Particularly in cross-border exchanges, where the service providers tasked with assessing requests may not be aware of the political or other context in which requests are being made, additional safeguards are important.
In implicit recognition of the controversial nature of this intrusive cross-border power, the protocol permits parties to bypass Article 7 as the primary means for cross-border subscriber data requests by reserving the right not to apply this provision. States would be wise to exercise this option. Article 8 of the protocol, which can also be used for subscriber data requests, provides a more appropriate (but still expedited) basis. It relies on existing safeguards in national legal regimes, provides for sufficiently detailed requests to assess whether the anticipated privacy incursion is justified, allows States to rely on their judiciary to authorize foreign requests, and creates more effective vehicles for States to discover and refuse subscriber data requests that threaten human rights.
Alternatively, if States choose to retain Article 7, they should commit to adopting secure channels for communicating and authenticating requests. Service providers are not effective at verifying requests that could come from any police officer from any of dozens of parties; this has proven fertile ground for fraudulent requests in the past. While the protocol fails to require parties to establish secure communications channels, it at least permits parties to establish their own should they choose to.
Finally, States should exercise paragraph 7.2.b, which requires that judicial or prosecutorial authorities be involved in cross-border identification requests. This will minimize the high potential for abuse that arises when any individual police officer can issue a data request and also somewhat mitigate the opportunities for fraudulent requests.
Other Ways to Balance the Protocol’s Intrusive Police Powers
The protocol fails to balance its intrusive law enforcement powers with modern data protections. Indeed, many of the explicit data protection standards adopted by the protocol conflict with those in the Council of Europe’s own data protection instruments. For example, consistent with trends in modern data protection, Convention 108+ treats biometric data such as facial-recognition templates as “sensitive” and requires additional protections when such data are being processed. However, Article 14.4 of the protocol prevents States from treating biometric data as “sensitive” unless additional risks can be demonstrated.
The protocol allows stronger data protection agreements such as Convention 108+ to prevail, but only if all protocol parties involved in a particular interaction are also bound by the international instrument in question. States that decide to adopt the protocol as a mechanism for cross-border investigations should therefore consider acceding to Convention 108+ as well.
In addition to the above measures, States should consider adopting the following general safeguards in national law before adopting the protocol:
- Require prior judicial authorization for access to non-content data, including metadata and subscriber data;
- Base independent prior judicial authorization on a strong evidentiary showing that the investigative step being contemplated will yield evidence of a serious crime;
- Establish effective, independent regulatory oversight of cross-border data access regimes, with audits, spot checks, and annual reporting;
- Notify users about government requests to access their personal data, and provide effective redress mechanisms and enough information so they can assess any impact on their human rights and freedoms;
- Require annual transparency reporting by the government on the volume, nature, and scope of data-access demands sent across borders, as well as on the data demands received from other States.
- Adopt legal measures to ensure that gag requests — confidentiality and secrecy orders — are not inappropriately invoked when law enforcement demands access to data;
- Explicitly guarantee that domestic legal frameworks recognize biometric data as categorically sensitive personal information in all instances that should be treated with the highest levels of protection.
These safeguards will additionally mitigate harms flowing from the adoption of the protocol and are general best practices for law enforcement.
It is premature to know which States will accede to the protocol and what added safeguards or reservations will be exercised. European Digital Rights (EDRi) is urging the European Parliament to request an opinion from the Court of Justice of the European Union on the protocol’s compatibility with the EU’s constitutional framework. The European Union and its member States would do well to support this request and await the outcome of such an opinion. Other States should also consider obtaining independent legal and constitutional advice prior to committing. As cross-border evidence gathering becomes an increasing part of day-to-day policing, it is imperative that these investigations occur in a manner that puts human rights and privacy first.