EFF has joined European Digital Rights (EDRi), the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC), and other civil society organizations in recommending 20 solid, comprehensive steps to strengthen human rights protections in the new cross border surveillance draft treaty that is under review by the Parliamentary Assembly of the Council of Europe (PACE). The recommendations aim to ensure that the draft treaty, which grants broad, intrusive police powers to access user information in criminal cross border investigations, contains a robust baseline to safeguard privacy and data protection.

From requiring law enforcement to garner independent judicial authorization as a condition for cross border requests for user data, to prohibiting police investigative teams from bypassing privacy safeguards in secret data transfer deals, our recommendations submitted to PACE will add much-needed human rights protections to the draft Second Additional Protocol to the Budapest Convention on Cybercrime. The recommendations seek to preserve the Protocol’s objective—to facilitate efficient and timely cross-border investigations between countries with varying legal systems—while embedding safeguards protecting individual rights. 

Without these amendments, the Protocol’s credibility is in question. The Budapest Cybercrime Convention has been remarkably successful in terms of signatories—large and small states from around the globe have ratified it. However, Russia’s long-standing goal to replace the treaty with its own proposed UN draft convention may be adding pressure on the Council of Europe (CoE) to rush its approval instead of extending its terms of reference to properly allow for a meaningful non-stakeholder consultation. But if the CoE intends to offer a more human right protective approach to the UN Cybercrime initiative, it must lead by example by fixing the primary technical mistakes we have highlighted in our submission and strengthen privacy and data protection safeguards in the draft Protocol. 

This post is the first of a series of articles describing our recommendations to PACE. The series will also explain how the Protocol will impact legislation in other countries.  The draft Protocol was  approved by the  Council of Europe’s Cybercrime Committee (T-CY) in May 28th following an opaque, several-year process largely commandeered by law enforcement.  

Civil society groups, data protection officials, and defense attorneys were sidelined during the process, and the draft Protocol reflects this deeply flawed and lopsided process. PACE can recommend further amendments to the draft during the treaty’s adoption and final approval process. EFF and partners urge PACE to use our recommendations to adopt new Protocol amendments to protect privacy and human rights across the globe. 

Mischaracterizing the Intrusive Nature of Subscriber Data Access Powers 

One of the draft’s biggest flaws is its treatment, in Article 7, of subscriber data, the most sought-after information by law enforcement investigators. The Protocol’s explanatory text erroneously claims that subscriber information “does not allow precise conclusions concerning the private lives and daily habits of individuals concerned,” so it’s less sensitive than other categories of data. 

But, as is increasingly recognized around the world, subscriber information such as a person’s address and telephone number, under certain conditions, is frequently used by police to uncover people’s identities and link them to specific online activities that reveal details of their private lives. Disclosing the identity of people posting anonymously exposes intimate details of individuals’ private lives. The Protocol's dismissive characterization of subscriber data directly conflicts with judicial precedent, particularly when considering the Protocol’s broad definition of subscriber information, which includes IP addresses and other online identifiers. 

In our recommendations, we therefore urge PACE to align the draft explanatory text’s description of subscriber data with judicial opinions across the world that recognize it as highly sensitive information. Unfettered access to subscribers’ data encroaches on the right to privacy and anonymity, and people’s right to free expression online, putting journalists, whistleblowers, politicians, political dissidents, and others at risk. 

Do Not Mandate Direct Cooperation Between Service Providers and Foreign Law Enforcement

Article 7 calls upon States to adopt legislation that will allow law enforcement in one country to request the production of subscriber data directly from companies located in another country under the requesting country’s legal standard. Due to the variety of legal frameworks among the Parties’ signatories, some countries’ laws authorize law enforcement to access subscriber data without appropriate safeguards, such as without prior court authorization and/or a reasonable grounds requirement. The article applies to any public or private service providers, defined very broadly to encompass internet service providers, email and messaging providers, social media sites, cell carriers, host and catching services, regardless whether free of charge or for renumeration, and regardless of whether to the public or in a closed group (e.g. community network).

For countries with strong legal safeguards, Article 7 will oblige them to remove any law that will impede local service providers holding subscriber data from voluntarily responding to requests for that data from foreign agencies or governments. So, a country that requires independent judicial authorization for local internet companies to produce information about their subscribers, for example, will need to amend its law so companies can directly turn over subscriber data to foreign entities. 

We have criticized Article 7 for failing to provide, or excluding, critical safeguards that are included in many national laws. For example, Article 7 does not include any explicit restrictions on targeting activities which implicate fundamental rights, such as freedom of expression or association, and categorically prevents any state from requiring foreign police to demonstrate that the subscriber data they seek will advance a criminal investigation before justifying access to it. 

This is why we've urged PACE to remove Article 7 entirely from the text of the Protocol. States would still be able to access subscriber data in cross-border contexts, but would instead rely on another provision of the Protocol (Article 8), which also has some issues but includes more safeguards for human rights. 

If Article 7 is retained, the Protocol should be amended to make it easier for states to limit its scope of application. As the text currently stands, countries must decide whether to adopt Article 7 or not when implementing the draft Protocol. But the scope of legal protection many states provide for subscriber data is evolving as many courts and legislatures are increasingly recognizing that access to this personal data can be intrusive and may require additional safeguards. As drafted, if a signatory to the Protocol adds more safeguards to its subscriber data access regime—out of public policy concerns or in response to a court decision—extending these safeguards to foreign police will place it in violation of its obligations under the Protocol. 

Because the draft Protocol gives law enforcement powers with direct impact on human rights and will be available to a diverse number of signatories with varying criminal justice systems and human rights records, we recommend that it provide the additional safeguards for cross border data requests:

• Allow a Party to require independent judicial authorization for foreign requests for subscriber data issued to service providers in its territory. Or even better, we would like to see a general obligation compelling independent supervision on every cross-border subscriber data request.
• Allow authorities in the country where service providers are located to be notified about subscriber data requests and given enough information to assess their impact on fundamental rights and freedoms; and
• Adopt legal measures to ensure that gag requests—confidentiality and secrecy requests—are not inappropriately invoked when law enforcement make cross-border subscriber data access demands.

We are grateful to PACE for the opportunity to present our concerns as it formulates its own opinion and recommendations before the treaty reaches CoE’s final body of approval, the Council of Ministers. We hope PACE will take our privacy and human rights concerns seriously. In recent weeks EFF and the world has learned that governments across the globe have targeted journalists, human rights activists, dissidents, lawyers, and private citizens for surveillance because of their work or political viewpoints. Regimes are weaponizing technology and data to target those who speak out. We strongly urge PACE to adopt our recommendations for adding strong human rights safeguards to the Protocol to ensure that it doesn’t become a tool for abuse. 

Read further on this topic:

• EFF to Council of Europe: Flawed Cross Border Police Surveillance Treaty Needs Fixing—Here Are Our Recommendations to Strengthen Privacy and Data Protections Across the World
• Joint Civil Society Comment to the Parliamentary Assembly of the Council of Europe (PACE) on the Second Additional Protocol to the Cybercrime Convention
• Council of Europe’s Actions Belie its Pledges to Involve Civil Society in Development of Cross Border Police Powers Treaty
• Global Law Enforcement Convention Weakens Privacy & Human Rights
• Joint Civil Society letter for the 6th round of consultation on the Cybercrime Protocol on the first complete draft of the Protocol