EFF, European Digital Rights (EDRi), the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC), and other civil society organizations have worked closely on recommendations to strengthen human rights protections in a flawed international cross border police surveillance treaty drafted by the Council of Europe (CoE). At a virtual hearing today before the CoE Parliamentary Assembly (PACE) Committee on Legal Affairs and Human Rights, EFF Policy Director for Global Privacy Katitza Rodriguez presented a summary of the concerns we and our partners have about the treaty’s weak privacy and human rights safeguards.

There is much at stake, as the draft Second Additional Protocol to the Budapest Convention on Cybercrime will reshape cross-border law enforcement data-gathering on a global scale. The Protocol’s objectives are to facilitate cross-border investigations between countries with varying legal systems and standards for accessing people’s personal information. In her testimony, the text of which is published in full below, Rodriguez highlighted key shortcomings in the Protocol, and recommendations for fixing them.

EFF Testimony and Statement to Committee on Legal Affairs and Human Rights, Parliamentary Assembly, Council of Europe

At the highest level, the current Protocol should establish clear and enforceable baseline safeguards in cross-border evidence gathering, but fails to do so. Though new police powers are mandatory, corresponding privacy protections are frequently optional, and the Protocol repeatedly defers to harmonised safeguards in an active attempt to entice states with weaker human rights records to sign on. The result is a net dilution of privacy and human rights on a global scale. But the right to privacy is a universal right. International law enforcement powers should come with detailed legal safeguards for privacy and data protection. When it comes to data protection, Convention 108+ should be the global reference. By its recommendations to the Council of Ministers, PACE has an opportunity to establish a commonly acceptable legal framework for international law enforcement that places privacy and human rights at its core.

Protecting Online Anonymity


Substantively, we have concerns regarding Article 7 of the Protocol, which permits direct access by law enforcement in one country to subscriber identity information held by a company in another country. In our opinion, Article 7 fails to provide, or excludes, critical safeguards contained in many national laws. For example, Article 7 does not include any explicit restrictions on targeting activities which implicate fundamental rights, such as freedom of expression or association, and prevents Parties from requiring foreign police to demonstrate that the subscriber data they seek will advance a criminal investigation.[1]

We are particularly concerned that Article 7’s explanatory text fails to acknowledge that subscriber data can be highly intrusive. Your IP address can tell authorities what websites you visit and what accounts you used. Police can also request the name and address associated with your IP address in order to link your identity to your online activity, and that can be used to learn deeply intimate aspects of your daily habits. Article 7’s identification power undermines online anonymity in a context that embraces legal systems with widely divergent approaches to criminal justice, including some governments that are autocratic in nature. The resulting threat to journalists, human rights defenders, politicians, political dissidents, whistleblowers and others is indefensible.

This is why we've urged PACE to remove Article 7 entirely from the text of the Protocol. States would still be able to access subscriber data in cross-border contexts, but would instead rely on Article 8, which includes more safeguards for human rights. If Article 7 is retained, we’ve urged for additional minimum safeguards, such as:

  • Ensuring that the explanatory text properly acknowledges that access to subscriber data can be highly intrusive.
  • Providing Parties with the option, at least, of requiring prior judicial authorization for requests made under Article 7.
  • Requiring Parties to establish a clear evidentiary basis for Article 7 requests.
  • Ensuring that Article 7 requests provide enough factual background to assesscompliance with human rights standards and protected privileges.
  • Requiring notification or consultation with a responding state for all Article 7 demands.
  • Requiring refusal of Article 7 requests when necessary to address lack of doublcriminality or protection of legal privileges.
  • Providing the ability to reserve Article 7 in a more nuanced and timely manner.
  • Ensuring that Article 7 demands include details regarding legal remedies and obligations for service provider refusal.

Raising the Bar for Data Protection


When it comes to Article 14’s data protection safeguards, we have asked that the Protocol be amended so that signatories may refuse to apply its most intrusive powers (Articles 6, 7 and 12) when dealing with any other signatory that has not also ratified Convention 108+. We also hope the Parliamentary Assembly will support the Committee of Convention 108’s mission, and remember (or take note) that the Committee of Ministers supports making Convention 108 the global reference for data protection, including in the implementation of this Protocol.

Article 14 itself falls short of modern data protection requirements and, in some contexts, will actively undermine emerging international standards. Two examples:

  • Fails to require independent oversight of law enforcement investigative activities. For example, many oversight functions can be exercised by government officials housed within the same agencies directing the investigations;
  • Article 14 limits the situations in which biometric data can be considered ‘sensitive and in need of additional protection despite a growing international consensus that biometric data is categorically sensitive.

But even with the weak standards contained in Article 14, signatories are explicitly permitted to bypass these safeguards through various mechanisms, none of which provide any assurance that meaningful privacy protections will be in place. For example, any two or more signatories can enter into an international data protection agreement that will supersede the safeguards outlined in Article 14. The agreement does not need to provide a comparable or adequate level of protection to the default rules.

Signatories can even adopt less protective standards in secret agreements or arrangements and continue to rely on the Protocol’s law enforcement powers. We have therefore recommended that the Protocol be amended to ensure a minimum threshold of privacy protection in Article 14, one which may be supplemented with more rigorous protections but cannot be replaced by weaker standards. This would also be done in a vein to avoid the fragmentation of privacy regimes.

Make Joint Investigative Team Limitations Explicit


Under Article 12, signatories can form joint investigative teams that can bypass core existing frameworks such as the MLAT regime when using highly intrusive cross-border investigative techniques or when transferring personal information between team members.

We have asked that the Protocol be amended so that some of its core intended limitations are made explicit. This is particularly important given that many teams may ultimately be operating with a higher level of informality and driven by police officers without input or supervision from other government bodies typically involved in overseeing cross-border investigations. Specifically, we have asked that the Protocol (or, alternatively, the explanatory text) clearly and unequivocally state that participants in a joint investigative team must not take investigative measures within the territory of another participant in the team and that no participant may violate the laws of another participant of that team.

We also ask that the Protocol be amended so that Parties are obligated to involve their central authorities (and, preferably, the entity responsible for data protection oversight) in the formation and general operation of an investigative team, and that agreements governing investigative teams be made public except to the degree that doing so would threaten investigative secrecy or is necessary to achieve other important public interest objectives.

Read more on this topic: