Law enforcement access to data is in the middle of a profound shake-up across the globe. States are pushing to get quicker, deeper, and more invasive access to personal data stored on the global Internet, and are looking to water down the international safeguards around privacy and due process in the name of “speed” and “modernization.”
One part of that push is concentrated on the Council of Europe’s Cybercrime Convention (also known as the “Budapest Convention”) — an international instrument, ratified by the United States and over 60 countries around the world, that spells out the procedures, checks and balances when law enforcement from another nation needs to comply with when requesting digital data held in another jurisdiction.
The Council of Europe’s Cybercrime Convention Committee (T-CY) is currently drafting an update in the form of a second additional protocol to the Convention. There’s lots that could go right, and plenty that could go wrong in the drafting of this new protocol. The slow and sometimes confusing mutual legal assistance treaties (MLAT) process could be reformed to better match the speed of the Internet while still protecting civil liberties and due process. But it could be an opportunity for over-eager States to create new, unprotected methods for law enforcement to pull data from big tech companies, without oversight, notification or ways for affected users to challenge the process.
The latest part of that process is a consultation on the rules governing fast-track emergency access to data in the context of mutual legal assistance. EFF, EDRI, and a number of global civil society organizations have responded. In our submission, we welcome the fact that the definition of emergency include both the words significant and imminent in order to limit the use of emergency powers to relevant situations and when the emergency is close in time. Safety means a threat that would result in serious bodily harm or injury of a natural person.
We believe that Emergency MLAs provides a mechanism for countries to access the results of the request in foreign countries necessary to prevent a situation in which there is a significant and imminent risk to the life or safety of any natural person, but also provide an opportunity to create strong legal safeguards for this process.
In our joint statement, we explained that emergency MLA should not be used to prevent risks of destruction, flight or loss of evidence nor should it be used to prevent financial or property crimes since there is no risk to human life. We also explained that although imminent threats to the life and physical well being of a person may also implicate threats to property, it is important that emergency powers focus on the protection and preservation of human life. Expanding the definition of emergency to include property risks — as has been suggested in international corridors— would open up emergency procedures to too many requests that are unrelated to significant and imminent risks to the life or safety of any natural person.
We believe that accountability mechanisms are necessary to prevent the misuse of emergency procedures. These accountability mechanisms could include penalties for blatant or systemic misuse of emergency procedures by a Party to the Convention. To further ensure emergency procedures are not being abused, the requests should always be in writing, and Parties should implement a process that compels Requesting Parties to provide a digital or paper trail of all requests in order to facilitate this audit process. Statistical and qualitative reporting on the volume of emergency requests should be published by both requesting and requested Parties on an annual basis. While this should be the case for all manner of MLA procedures, it is particularly vital for emergency mechanisms given their potential for over-reach.
Watching the Second Protocol
The T-CY aims to finalize the Second Additional Protocol by December 2019. We, along with 93 civil society organizations from across the globe have requested meaningful civil society participation in the Council of Europe’s (CoE) negotiations of the draft Second Additional Protocol. Civil society groups should be included throughout the entire process—not just during the Council of Europe’s Octopus Conferences or online consultations.
The Council of Europe has said that it’s up to the individual countries to conduct consultations; but we’ve heard little from these States to suggest that they intend to reach out Internet users and advocacy groups. If your country is on the attendees’ list for the CyberCrime Convention TC-Y drafting group, write to your government and ask them about a potential consultation -- and let us know what you hear.