Latin American countries have a choice to make in the coming months—whether to accede to a new set of rules for coordinating and cooperating with each other and nations around the world on criminal investigations. Opened for signature on May 12, the Protocol has already more than 20 signing States, pending their ratification. Chile and Colombia are part of the list.
The 10,000-word Second Additional Protocol to the Budapest Cybercrime Convention aims to make cross-border exchanges of electronic evidence, including personal data, faster and more efficient, but it’s heavier on mandates increasing law enforcement powers and lighter on mandatory human rights protections.
To help countries in the region garner an understanding of the Protocol, EFF, with the collaboration of Al Sur, today released a guide providing an overview of the new treaty. The guide examines how the Protocol was drafted and highlights some of its weaknesses, which include bypassing independent vetting of foreign police orders for personal data, failing to recognize that subscriber data can be highly revealing of people's lives and habits, and mandating law enforcement powers while making most human rights protections optional.
Importantly, the guide makes solid recommendations for steps countries can take to assess the Protocol and mitigate its human rights deficiencies if they choose accession—from reserving certain articles and bolstering existing privacy laws to assessing the legal and human rights impacts the Protocol will have on their privacy and data protection regimes.
We launch the guide along with a handy outline of key issues civil society organizations can raise in urging governments to carefully consider the implications of acceding to the treaty.
EFF and its partners spent months analyzing the Protocol’s text and pushing its drafters to add greater human rights safeguards. Among the Protocol’s 25 Articles, the guide especially focuses on Article 7, which deals with direct disclosure of subscriber information, Article 13, about general human rights protections, and Article 14, about protection of personal data. The guide also points out how the Protocol's provisions allowing direct foreign requests to service providers can be a negative influence for Latin American communications privacy frameworks, acting to establish a lower level of protection for accessing subscriber data and unveiling a user's identity.
Latin American countries that have ratified the 2001 Budapest Cybercrime Convention are eligible to accede to the Protocol. As the first set of international rules for cybercrime investigations, the Budapest Convention has influenced many related laws across the region. Given the desire by international law enforcement agencies for greater powers in cross-border criminal investigations, many countries may also ratify the new treaty despite, or even because of its weaknesses.
As such, the guide points out how the Protocol's provisions allowing direct foreign requests to service providers can be a negative influence for Latin American communications privacy frameworks, and potentially lead to a lower level of protection for accessing subscriber data and unveiling a user's identity.
Our advice is: countries should think twice about ratifying the Protocol. But for those that choose to accede, the guide is an important tool for ensuring countries do their best to protect the privacy and human rights of those who will be subject to the new treaty. We hope our recommendations shape national discussions on the Protocol so new surveillance powers don’t come without detailed legal safeguards.