Foreign police often want to investigate a crime by gathering potential evidence from Internet companies located in another country. What if police in Poland want to get a user’s data from an ISP in Germany, Philippines, Japan—or vice versa? Can they do this? Under what rules, and with what kind of oversight?

It’s easy to get this wrong by making deals that undercut human rights protections, like having judges review data requests after the fact, rather than needing to authorize them beforehand. Another danger is signing agreements that ignore differences between countries’ legal systems, like whether or not particular actions are even crimes in both countries. But the pressure to find ways to give police routine and streamlined access to potential evidence is mounting. We’ve seen this before with the CLOUD Act in the United States, the US-UK Cloud Act Agreement, and the European e-evidence proposal.

Now, a global major effort is currently being negotiated at the Council of Europe (CoE)—an intergovernmental organization, not to be confused with the European Council, nor the European Union. Currently, the CoE Cybercrime Committee (TC-Y) is working on a set of additions to the Budapest Convention, CoE’s major international treaty on cybercrime that has been ratified by more than 60 countries around the world.

This set of additions, known as the Second Additional Protocol, seeks to make it much easier for police in one country to get users’ data from companies in another country, typically foreign Internet companies and ISPs. This mechanism of police-to-company direct cooperation is limited to narrow requests for information about the identity of a subscriber, but the Protocol's vague scope means that other types of data could be swept in as well.

These changes would be major in the European context. Right now, in the European Union, companies can’t disclose personal data voluntarily, due to the General Data Protection Regulation (GDPR). ISPs are also subject to an even stricter legal framework, the E-Privacy Directive, that further constrains how both metadata and content are disclosed. Furthermore, ISPs are only required to disclose user data to national law enforcement agencies, under certain conditions established by law, and are prohibited from disclosing data in response to foreign requests or orders. 

Also, they can only comply with orders they receive from their own government’s authorities. Requests from foreign countries have to be converted into national orders through the MLAT procedure before the ISP can comply. In contrast, US law allows ISPs to voluntarily disclose non-content data, which has been interpreted as allowing the voluntary disclosure to foreign government entities. 

The Second Additional Protocol could change the situation in Europe by, among other things, creating and allowing a routine mechanism for direct police-to-company requests across national borders, and permitting or requiring the companies in Europe to turn over data in response. And because law enforcement orders will come directly to the companies, ISPs will have to take on the burden of checking the lawfulness, necessity, and proportionality of the requests—a burden that was originally handled by the government in the ISP’s home country. 

European stakeholders appear highly skeptical. In view of ISPA, the Austrian association of internet service providers, the draft agreement would lead most probably to an obligation for European ISPs to respond to foreign law enforcement requests:

The draft requires the state parties to adopt the necessary legislative measures to allow ISPs in their territory to respond directly to foreign data requests. Such direct cooperation is currently prohibited under EU data protection law. Despite not explicitly imposing an obligation for ISPs to respond to such a request – which is why Article 4 has been presented as a mere voluntary measure – EU data protection laws at the same time require that an ISP is not left with the discretion to respond. This should ensure that data is only disclosed when necessary and proportionate. In practice, in order to comply with this requirement, EU Member States would thus have to put ISPs under an obligation to respond to foreign requests. This, however, would clearly go beyond that is now seen as voluntary measures.

EFF has joined together with other civil society groups, including EDRi, EPIC, and IT-Pol, to warn that countries should not throw away their legal safeguards and strip away the public’s privacy rights. Our submission points out some of the protections that could be swept away by these proposed additions to the Budapest Convention, and makes recommendations about how to improve the proposal.  

  • When governments make deals to facilitate international criminal investigations, they should maintain the human rights and civil liberties protections that their people are supposed to enjoy domestically. 
  • Judges and governments should be kept in the loop about what police are asking for, and why. They should limit the kinds of information that can be requested, and provide legal safeguards.
  • Any direct access mechanism should be limited to basic subscriber information. Courts at many levels across Europe have expressed concern about giving law enforcement access to so-called “traffic data” that goes beyond that, as it can be unexpectedly revealing about people’s lives.
  • The public should be able to know how these powers are being used. Companies should have the option, and information they need, to challenge requests that they think are inappropriate.

Ideally, we would prefer that governments rely on mutual legal assistance treaties (MLATs). Rather than creating a new mechanism without critical safeguards that are typically included in MLATs, they could work to improve the speed with which MLAT requests are processed.

For more details, please read our submission. The proposals and responses to them will next be discussed at the CoE’s Octopus Conference in Strasbourg, France, later this week. EFF and many of our partners will be there to participate in the discussion—and make sure that Internet users’ rights are a part of it. And if you would like to learn more about the global implications on cross border access to data, we recommend reading the thesis by Andreas Gruber who works as a lawyer for ISPA. Stay tuned.