EFF to Council of Europe: Flawed Cross Border Police Surveillance Treaty Needs Fixing—Here Are Our Recommendations to Strengthen Privacy and Data Protections Across the World

EFF has joined European Digital Rights (EDRi), the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC), and other civil society organizations in recommending 20 solid, comprehensive steps to strengthen human rights protections in the new cross border surveillance draft treaty that is under review by the Parliamentary Assembly of the Council of Europe (PACE). The recommendations aim to ensure that the draft treaty, which grants broad, intrusive police powers to access user information in criminal cross border investigations, contains a robust baseline to safeguard privacy and data protection.

From requiring law enforcement to garner independent judicial authorization as a condition for cross border requests for user data, to prohibiting police investigative teams from bypassing privacy safeguards in secret data transfer deals, our recommendations submitted to PACE will add much-needed human rights protections to the draft Second Additional Protocol to the Budapest Convention on Cybercrime. The recommendations seek to preserve the Protocol’s objective—to facilitate efficient and timely cross-border investigations between countries with varying legal systems—while embedding safeguards protecting individual rights. 

Without these amendments, the Protocol’s credibility is in question. The Budapest Cybercrime Convention has been remarkably successful in terms of signatories—large and small states from around the globe have ratified it. However, Russia’s long-standing goal to replace the treaty with its own proposed UN draft convention may be adding pressure on the Council of Europe (CoE) to rush its approval instead of extending its terms of reference to properly allow for a meaningful non-stakeholder consultation. But if the CoE intends to offer a more human right protective approach to the UN Cybercrime initiative, it must lead by example by fixing the primary technical mistakes we have highlighted in our submission and strengthen privacy and data protection safeguards in the draft Protocol. 

This post is the first of a series of articles describing our recommendations to PACE. The series will also explain how the Protocol will impact legislation in other countries.  The draft Protocol was  approved by the  Council of Europe’s Cybercrime Committee (T-CY) in May 28th following an opaque, several-year process largely commandeered by law enforcement.  

Civil society groups, data protection officials, and defense attorneys were sidelined during the process, and the draft Protocol reflects this deeply flawed and lopsided process. PACE can recommend further amendments to the draft during the treaty’s adoption and final approval process. EFF and partners urge PACE to use our recommendations to adopt new Protocol amendments to protect privacy and human rights across the globe. 

Mischaracterizing the Intrusive Nature of Subscriber Data Access Powers 

One of the draft’s biggest flaws is its treatment, in Article 7, of subscriber data, the most sought-after information by law enforcement investigators. The Protocol’s explanatory text erroneously claims that subscriber information “does not allow precise conclusions concerning the private lives and daily habits of individuals concerned,” so it’s less sensitive than other categories of data. 

But, as is increasingly