This is the third post in a series about recommendations EFF, EDRi, CIPPIC, Derechos Digitales, TEDIC, Karisma Foundation, and other civil society organizations have submitted to the Parliamentary Assembly of the Council of Europe (PACE), which is currently reviewing the Protocol, to amend the text before its final approval in the fall. Read the full series here, here, here and here.

Governments are on the cusp of adopting a set of additional international rules, which will reshape how cross-border police investigations are conducted. The protocol, referred to by the inauspicious moniker “Second Additional Protocol to the Council of Europe’s Budapest Convention on Cybercrime,” grants law enforcement intrusive new powers while adopting few safeguards for privacy and human rights. 

Many elements of the Protocol are a law enforcement wish list—hardly surprising given that its drafting was largely driven by prosecutorial and law enforcement interests with minimal input from external stakeholders such as civil society groups and independent privacy regulators. As a result, EFF, European Digital Rights, the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic, and other civil society organizations have called on the Parliamentary Assembly of the Council of Europe (PACE), which is currently reviewing the Protocol, to amend the text before its final approval in the fall. 

International law enforcement investigations are becoming increasingly routine, with policing forces seeking access to digital evidence stored by service providers around the globe. But in the absence of detailed and readily enforceable international human rights standards, law enforcement authorities around the world are left to decide for themselves the conditions under which they can demand access to personal information. As a result, the lowest common denominator in terms of privacy and other protections will often prevail in cross-border investigations.

Unfortunately, the Council of Europe’s Second Additional Protocol fails to provide the type of detailed and robust safeguards necessary to ensure cross-border investigations embed respect for human rights. Quite to the contrary, the Protocol avoids imposing strong safeguards in an active attempt to entice states with weaker human rights safeguards to sign on. To this end, the Protocol recognizes many mandatory and intrusive police powers, coupled with relatively weak safeguards that are largely optional in nature. The result is a net dilution of privacy and human rights on a global scale.

Cross-border investigations raise difficult questions, as widely varying legal systems clash. How do data protection laws regulate police collection and use of personal data when the collection process spans multiple jurisdictions and legal systems? More specifically, what kinds of legal safeguards from existing human rights and data protection toolkits will govern these and other forms of evidence collection across borders? 

Although data protection laws generally apply to both public and private sectors, many countries have failed to set high standards. Some countries have exempted law enforcement collection and processing of personal data from their data protection laws, while other privacy laws, such as the United States' Privacy Act, do not apply to foreigners, that is, non-U.S. persons who are not legal permanent residents.

Many different kinds of international evidence-gathering and international law enforcement cooperation happen today, but the draft Protocol seeks to establish a new international standard that will govern several aspects of policing on a global scale moving forward. We’ve described some of its more intrusive powers in other posts here, and here.

The Protocol also includes some human rights and privacy safeguards that apply when states rely on powers outlined by the Protocol. These safeguards are concentrated in Chapter III, Articles 13 and 14 of the Protocol, and their shortcomings will be explored in the remainder of this post.

Article 13 recognizes a general obligation to ensure adequate protections are in place for human rights and civil liberties. The inclusion of this safeguard is important, particularly the obligation to incorporate the principle of proportionality in determining the scope of human rights safeguards. But Article 13 imposes few specific restrictions, and signatories are largely left to determine what protections are “adequate” and “proportionate” on the basis of national law. So, in practice, there are few direct obligations for states to impose specific safeguards in specific investigative contexts. 

Article 14, by contrast, does impose a number of detailed, specific data protection obligations that would apply to any personal information obtained through the Protocol’s new law enforcement powers. However, Article 14’s standards are weak and even these weak safeguards can be circumvented by any two or more signatories by agreement.

Lowering the Bar for Data Protection

The standards set by Article 14 fail to meet modern data protection requirements and, in places, actively seek to undermine emerging international standards. For example, Article 14 obligates parties to ensure that personal data collected through the Protocol’s powers shall be used in a manner that is consistent with and relevant to the criminal investigative purposes that prompted their collection. However, contrary to most other data protection instruments, Article 14’s data protection safeguards do not require all processing of personal data to be “adequate, fair and proportionate” to its objective, while Article 13 requires only “adequate” safeguards and a general respect for the principle of proportionality. Adequate, fair, and proportionate are important, distinctive conditions for accessing personal data recognized in several modern data protection laws across the world. Each term imposes different requirements when applied to the collection, use, and disclosure of personal information. The absence of all three specific terms in the Protocol is troubling, as it indicates that fewer, weaker, and outdated conditions for accessing data will be allowed and tolerated.

Article 14’s safeguards are also problematic in that they do not require law enforcement to be subject to oversight that is completely independent. Oversight needs to be impartial and free from direct external influences, but Article 14’s explanatory text (which was never subject to public consultation) allows oversight bodies to be subjected to indirect influence. Under Article 14, for example, many oversight functions can be conducted by government officials housed in the same agencies directing the cross-border investigations being supervised. In addition, while oversight officials must not receive instruction from the state regarding the outcome of a particular case, Article 14 allows states to exert instruction and control over general oversight operations. Article 14 even expressly prohibits Parties from requiring the use of independent regulators to protect the privacy of personal data transferred to other Parties through the Protocol’s investigative powers. All in all, Article 14 fails to meet minimal standards of independent oversight.

Finally, Article 14 of the Protocol also outlines some safeguards for biometric data, but ultimately these are insufficient and undermine a growing international recognition that biometric data is sensitive and requires additional protection in all instances. Biometric data involves mathematical representations of people’s personal features such as their fingerprints, voiceprints, or iris prints, and fuels a range of intrusive technologies such as facial recognition. Because of its ability to persistently identify individuals through automated means, biometric information is generally considered sensitive by courts and legislatures at the Council of Europe and around the world.

Despite this growing recognition of the sensitive nature of biometric information, Article 14 prohibits states from using additional safeguards unless biometric information can be shown to pose an additional risk to privacy. While the Protocol provides little guidance regarding what might constitute this added risk, the result is to provide a narrower scope of protection to biometric data than required by competing laws such as the GDPR, the EU Law Enforcement Directive, and the Council of Europe’s own Convention 108+, each of which recognizes the sensitivity of all biometric data in all contexts. This creates ambiguity in defining the scope of protection applied to bilateral transfers, as many anticipated signatories to the Protocol have also signed Convention 108+ and committed to its higher standards of biometric protection, while many others have not. While the explanatory text appears to acknowledge that parties bound by Convention 108+ will need to apply that treaty’s heightened biometric protections, Article 14 also prohibits signatories from applying any additional “generic” data protection conditions to any data transfer between signatories. Moreover, many Parties to the Protocol will not be bound by Convention 108+ and will be prevented from ensuring that the appropriate level of protection is applied when sensitive biometric information is transferred to other jurisdictions by law enforcement.

For all of these reasons, we have asked that the Protocol be amended so that signatories may refuse to apply its most intrusive powers (Articles 6, 7 and 12) when dealing with any other signatory that has not also ratified Convention 108+.

Anyone Can Ignore Even These Safeguards

Even the weak standards applied by Article 14 are effectively optional under the Protocol. Signatories are explicitly permitted to bypass these safeguards through various mechanisms, none of which provide any assurance that adequate privacy protections will be in place.

For example, any two or more signatories can enter into an international data protection agreement that will supersede the safeguards outlined in Article 14. There is no obligation to ensure that superseding agreements provide an adequate level of protection, or even a level comparable to the safeguards that are actually set out in Article 14. And parties can continue to rely on the Protocol’s law enforcement powers while applying weaker safeguards established in any such superseding agreement instead of the ones in Article 14. Indeed, Article 14’s explanatory text presents the so-called EU-US ‘Umbrella’ agreement—which provides safeguards and guarantees of lawfulness for data transfers—as a paradigmatic example of a qualifying agreement. But questions have been raised as to whether the Umbrella agreement is in compliance with the EU Charter of fundamental freedoms.

Even if no binding international agreement is in place, Parties can bypass the safeguards in Article 14 by entering into ad-hoc agreements with each other. These agreements need not be formal, comprehensive, binding, or even public. If a joint investigation between law enforcement authorities in multiple jurisdictions is underway, individual frontline police officers can even decide to adopt their own agreements, raising the prospect that privacy safeguards will be sacrificed for investigative convenience. (A more detailed analysis about the Protocol’s joint investigation section will be published soon.)

To ensure that there are at least some baseline safeguards in place, we have therefore recommended that the Protocol be amended to ensure that the specific protections outlined in Article 14 establish a minimum threshold of privacy protection. These may be supplemented with more rigorous protections, but cannot be replaced by weaker standards. 

Limits on Personal Data Transfer Limits

Article 14 also undermines a key safeguard used by independent privacy regulators in cross-border investigations, where there is frequently no direct opportunity to enforce safeguards once personal data has been transferred by law enforcement to another country. Because of this, many data protection regimes require independent regulators to block data transfers to states that fail to provide certain minimum levels of privacy protection. Article 14 places strict limits on data protection authorities’ ability to stop law enforcement from transferring personal data to other jurisdictions, removing a critical tool from the human rights protection toolkit.

Under most legal systems that rely on data transfer restrictions as a privacy safeguard, independent regulators determine whether another state’s legal system provides sufficient safeguards to permit law enforcement transfers. However, Article 14 “deems” that its safeguards (or any safeguards adopted in any international data protection agreement between any two parties to the Protocol) are sufficient to meet any signatory’s national standards, removing this important adjudicative role from independent regulators. The Protocol does allow signatories to suspend data transfers if Article 14’s own safeguards are breached, but only with substantial evidence of a systematic or material breach, and only after engaging in consultation with the suspended country. By setting a restrictive evidentiary standard and obligating the executive branch of a state to enter negotiations prior to suspending transfers, Article 14 further undermines the ability of privacy regulators to ensure an adequate level of data protection. 

To prevent the Protocol from diminishing the important role played by data protection authorities in adjudicating and safeguarding privacy in cross-border law enforcement transfers, we have asked that Article 14’s attempts to limit data transfer restrictions be removed. 

Conclusion

Some have defended the Second Additional Protocol in its current configuration, saying it's needed to forestall efforts that might lead to a more intrusive framework for cross-border policing. Specifically, Russia proposed another international cybercrime treaty, which is gaining support at the United Nations. The UN treaty would address many of the same investigative powers addressed in the Protocol and the Budapest Convention. 

Civil society is raising alarm bells about the Russian-led cybercrime initiative. Human Rights Watch has pointed out, for example, that the UN initiative is being led by countries that use cybercrime laws as a cover to crack down on rights. The Council of Europe should be advancing a human rights-respecting alternative to the UN initiative. But the Protocol, as it currently stands, is not it.

PACE has an opportunity to substantially improve human rights protections in the Protocol by recommending to the Council of Ministers—CoE's decision-making body—amendments that will fix the technical mistakes in the Protocol and strengthen its privacy and data protection safeguards. With detailed law enforcement powers should come detailed legal safeguards, not a one-sided compromise on privacy and data protection.
