This is the fourth post in a series about recommendations EFF, European Digital Rights, the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic, and other civil society organizations have submitted to the Parliamentary Assembly of the Council of Europe (PACE), which is currently reviewing the Second Additional Protocol to the Budapest Convention on Cybercrime, to amend the text before final approval in the fall. Read the full series here, here, here, here, and here.

Two very different assessments of a proposed treaty on cross border police access to user data were presented to the Council of Europe (CoE) Parliamentary Assembly at a hearing earlier this month. EFF expressed grave concerns about a lack of detailed human rights safeguards in the text, while officials with CoE’s Cybercrime Convention Committee (T-CY), which drafted the treaty, not surprisingly voiced confidence that the instrument provides adequate protection for individual rights.

The treaty, created to facilitate cross border law enforcement investigations of cybercrime and procedures for efficiently accessing electronic evidence, including user data, will reshape cross-border law enforcement data-gathering on a global scale. At this point, with final approval of the treaty expected in November, we are still far apart on the issue of human rights protections.

It was made clear at the September 14 virtual hearing that the treaty—called the Second Additional Protocol to the Budapest Convention on Cybercrime—was crafted with an eye towards appeasing as many states as possible, all with highly varying criminal legal systems and human rights track records. No easy task, to be sure. Representatives of CoE Cybercrime Committee (T-CY) said the Protocol’s “carefully calibrated” text is the result of intensive negotiations in dozens of meetings with dozens of states, parties, and experts, over many years.

Compromises had to be made, they said, to accommodate the needs of multiple states with competing law enforcement approaches to investigating cybercrime, safeguarding data, and protecting human rights. The reality is that T-CY Member States are willing to impose detailed, mandatory standards for law enforcement access to electronic information, but not willing to impose solid human rights and data protection standards globally.

As EFF Policy Director for Global Privacy Katitza Rodriguez said at the hearing, detailed international law enforcement powers should come with detailed legal safeguards for privacy and data protection. The Protocol does not establish clear and enforceable baseline safeguards in cross-border evidence gathering, and avoids imposing strong privacy and data protections in an active attempt to entice states with weaker human rights records to sign on.

To this end, the Protocol recognizes many mandatory and intrusive police powers, coupled with relatively weak safeguards that are largely optional in nature. The result is a net dilution of privacy and human rights on a global scale. But the right to privacy is a universal right. Incorporating strong safeguards alongside law enforcement powers will not impede cross-border law enforcement, but will ensure human rights are respected, Rodriguez added.

The hearing confirmed some of the gravest concerns regarding the treaty. For example, while Article 13 states the Protocol’s investigative powers should be applied in a manner that is proportionate and subject to adequate privacy and human rights safeguards, we have argued that each Party is left to decide for itself what meets this standard, and many anticipated signatories have very weak safeguards. T-CY confirmed that Article 13 provides Parties with substantial flexibility, but saw this as a feature, not a bug, because it allows countries to sign on despite lacking meaningful and robust human rights protection.

Even worse, Article 14, which sets out the Protocol’s central privacy protections, can be easily bypassed. Any two or more Parties can simply agree to use weaker safeguards when relying on the Protocol’s policing powers. Also, while T-CY officials claimed that the Protocol’s safeguards are “particularly” strong, this is sadly not the case. Article 14’s provisions fail to reflect privacy safeguards in modern data protection regimes (such as the CoE’s own marquee privacy treaty—Convention 108+) and in many instances even work to undermine emerging global standards.

To begin with, Article 14 fails to require that all processing of personal data be adequate, fair, and proportionate to its objectives. The absence of these terms in the Protocol is troubling, as it indicates fewer and weaker conditions to access data will be allowed and tolerated.

The Protocol’s treatment of biometric data is even more troubling. Recognizing the sensitive nature of biometric data (and its substantial potential as a highly intrusive surveillance capability), legal regimes and courts around the world are increasingly requiring additional safeguards. But Article 14 prevents Parties from treating biometric data as sensitive (and, as a result, applying stronger safeguards) unless it can be shown that heightened risks are involved. At the hearing, T-CY officials acknowledged the weaker standard adopted for biometric data, but indicated the negotiated compromise was necessary to accommodate the range of protection afforded to biometric data amongst some of the Protocol’s would-be signatories. Once again, privacy is taking a back seat.

PACE will issue a report with their recommendations in the coming weeks. The assembly has an opportunity to substantially improve human rights protections in the Protocol by recommending to the Council of Ministers—CoE's decision-making body—amendments that will fix technical mistakes in the Protocol and strengthen its privacy and data protection safeguards. We have also suggested that accession to the Protocol should be made conditional upon signing Convention 108+. Without that, the Protocol, and the CoE’s efforts to modernize cross border data access and provide strong, enforceable human rights protections, risk being left behind.
