Law enforcement around the world is apparently getting its holiday wish list, thanks to the Council of Europe’s adoption of a flawed new protocol to the Budapest Convention, a treaty governing procedures for accessing digital evidence across borders in criminal investigations. The Second Additional Protocol (“the Protocol”) to the Budapest Convention, which will reshape how police in one country access data from internet companies based in another country, was heavily influenced by law enforcement and mandates new intrusive police powers without adequate protections for privacy and other fundamental rights.
It was approved on November 17, 2021—a major disappointment that can endanger technology users, journalists, activists, and vulnerable populations in countries with flimsy privacy protections and weaken everyone's right to privacy and free expression across the globe. Following the decision by the CoE’s Committee of Ministers of the Council of Europe, the Protocol will open for signatures to countries that have ratified the Budapest Convention (currently 66 countries) around May 2022.
It’s been a long fight and a very busy year. EFF, along with CIPPIC, European Digital Rights (EDRi), and other allies, fought to let the CoE and the world know that the Protocol was being pushed through without adequate human rights protections. We sounded warnings in February about the problem and noted that draft meetings to finalize the text were held in closed session, excluding civil society and even privacy regulators. After the draft protocol was approved in May by the CoE’s Cybercrime Committee, EFF and 40 organizations urged the Committee of Ministers, which also reviews the draft, to allow more time for suggestions and recommendations so that human rights are adequately protected in the protocol.
In August, we submitted 20 solid, comprehensive recommendations to strengthen the Protocol, including requiring law enforcement to garner independent judicial authorization as a condition for cross border requests for user data, prohibiting police investigative teams from bypassing privacy safeguards in secret data transfer deals, and deleting provisions mandating that internet providers directly cooperate with foreign law enforcement orders for user data, even where local laws require them to have independent judicial authorization for such disclosures. We then defended our position at a virtual hearing before the Parliamentary Assembly of the Council of Europe (PACE), which suggested amendments to the Protocol text.
Sadly, PACE did not take all of our concerns to heart. While some of our suggestions were acted on, the core of our concerns about weak privacy standards went unaddressed. PACE’s report and opinion on the matter responds to our position by noting a “difficult dilemma” about the goal of international legal cooperation given significantly inconsistent laws and safeguards in countries that will sign on to the treaty. PACE fears that “higher standards [could] jeopardize” the goal of effectively fighting cybercrime and concludes that it would be unworkable to make privacy-protective rules stronger. Basically, PACE is willing to sacrifice human rights and privacy to get more countries to sign on to their treaty.
This position is unfortunate, since many parts of the Protocol are a law enforcement wish list—not surprising since it was mainly written by prosecutors and law enforcement officials. Meanwhile, gaps in human rights protections under some participating countries’ laws are deep. As EFF told PACE in testimony at its virtual hearing, detailed international law enforcement powers should come with robust legal safeguards for privacy and data protection. “The Protocol openly avoids imposing strong harmonized safeguards in an active attempt to entice states with weaker human rights records to sign on,” EFF stated. “The result is a net dilution of privacy and human rights on a global scale. But the right to privacy is a universal right.”
PACE suggested a few privacy-protecting changes to the Committee of Ministers—some of them based on our suggestions—but the Committee did not take these into account. For example, PACE agreed that the Protocol ought to incorporate new references to proportionality as a requirement in privacy and data protection safeguards (Articles 13 and 14). It also said that “immunities of certain professions, such as lawyers, doctors, journalists, religious ministers or parliamentarians” should be explicitly respected, and that there ought to be public statistics about how the powers created by the Protocol were used and how many people were affected.
Other civil society concerns were left unaddressed; among several examples, PACE did not propose changes to a provision that prohibits states from maintaining adequate standards for access to biometric data. The Council of Ministers then tied up a holiday gift to law enforcement by adopting the Protocol as-is, without any of the improvements that PACE suggested. As a result, applying human rights safeguards will be up to the broad range of individual countries that will now sign onto the treaty in the near future.
Further Fights on The Horizon For 2022
With the Protocol’s adoption, there will now be debates in national Parliaments across the world about its ratification and what standards countries adopt as they implement it. There will be an opportunity for countries to declare reservations when accessing the treaty. That means numerous chances at the domestic level to influence how governments act on the Protocol throughout 2022. People—and national data protection authorities—in countries with strong protections for personal information should demand that those safeguards not be circumvented by implementation of the Protocol.
This is notably the case of European Union countries. Despite strong criticism of the Protocol by the European Data Protection Board, which represents all 27 national data protection authorities in the EU, the European Commission advised Member States to join the Protocol with as few reservations as possible. Latin American countries should also be cautious and aware of their particular challenges.
Law enforcement pushed for a quick adoption of the Protocol should have not override current legal safeguards or impair national debates towards adequate minimum standards. Data protection and privacy advocates around the world should be ready for the fight.
CoE’s Secretary-General welcomed the Protocol’s adoption “in the context of a free and open internet where restrictions apply only as a means to tackle crime”—an optimistic view, to be sure, given the recent spate of intense internet crackdowns by governments, including some Budapest Convention signatories.
Part of the impetus for rushing the adoption of the Protocol in the first place was to forestall efforts to create a more intrusive framework for cross-border policing. Specifically, a new international cybercrime treaty, first proposed by Russia, is gaining support at the United Nations. The UN cybercrime treaty would address many of the same investigative powers as the Protocol and the Budapest Convention in ways that could be even more concerning for human rights. (As background, Russia has been promoting its cybercrime treaty for at least a decade). Unfortunately, the adoption of the Protocol has not staved off those efforts. Not only are these efforts actively moving forward, but the Protocol has now created a new baseline of privacy-invasive police powers that the UN treaty can expand upon. Negotiations on the UN treaty will begin in January.
EFF and its civil society allies are already advocating for a human rights-based approach to drafting the proposed UN treaty, and pushing for a more active role in the UN negotiations than was afforded by the CoE. Our focus in the coming year will be on working with our allies across the world to ensure that any new data-access rules incorporate clear and robust human rights safeguards.
This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2021.