Without Changes, Council of Europe’s Draft Police Surveillance Treaty is a Pernicious Influence on Latam Legal Privacy Frameworks

The Council of Europe (CoE) is on track to approve the Second Additional Protocol to the Budapest Cybercrime Convention, which will set new invasive international rules for law enforcement access to user data and cooperation between States conducting criminal investigations. In our recent joint civil society submission to the CoE’s Parliamentary Assembly we recommended 20 solid amendments to preserve the Protocol’s objective—facilitating efficient and timely cross-border investigations between countries with varying legal systems—while embedding a much-needed baseline to safeguard human rights. In this post, the second in a series about our recommendations, we examine how the current Protocol's text threatens privacy rights in Latin America, a region with deeper challenges for fulfilling human rights safeguards and the rule of law compared to many European countries.

Article 7 of the Protocol is among the most troubling provisions, raising privacy concerns regarding police cross-border access to subscriber data. As we have written, Article 7 establishes procedures for law enforcement in one country to request access to subscriber data directly from service providers located in another country under the requesting country’s legal standards. This can create unjustifiable asymmetries in national law by applying to foreign authorities a more permissive, less privacy-protective legal basis to access subscriber data than what is granted to local law enforcement agencies under its own local law.

Article 7 focuses on authorizing police access to subscriber data. Why does subscriber data matter? Your IP address can tell authorities what websites you visit and who you communicate with. It could reveal otherwise anonymous online identities, your social networking contacts and, even at times, your physical location via GPS. Police can request your name, the subscriber data to link your identity to your online activity, and that can be used to create a nicely detailed police profile of your daily habits .

When and How Cross-Border Police Direct Cooperation Rules Will Perniciously Affect Latin American Countries

We see at least two possible scenarios for how pernicious Article 7 could be on Latam frameworks for lawful access to communications data in criminal investigations. First, this provision can serve as an influence to drive down standards in the region for accessing subscriber information (and unveiling a user’s identity). Second, it can potentially export globally a broader definition of what constitutes “subscriber information,” expanding the categories of communications data encompassed by a third-class protection standard. All in all, Article 7 contains serious flaws that should be fixed before it can serve as a robust rights-protective model to pursue and endorse.

With CoE's final adoption of the draft Protocol, countries in Latin America already parties to the original 2001 Budapest Convention will be able to ratify or accede to the Second Protocol. To date, those countries are Argentina, Chile, Costa Rica, Colombia, Dominican Republic, Panama, Paraguay, and Peru. Brazil and Mexico were invited to become parties and currently act as observers. The Budapest Convention, the first international treaty addressing internet and computer crime by harmonizing national laws and increasing cooperation among nations, has been influential in the region, acting as a model for cybercrime regulation and production of electronic evidence, even for countries that are not parties of the Convention. As many law enforcement authorities want access to potential electronic evidence across borders, Latin American countries will likely seek accession to the Protocol because of its cooperation rules. But if the final text passes without our recommended amendments, the Protocol will encourage Parties to reinforce weaker privacy standards already in place in different Latam countries instead of fostering a growing trend in other nations in the region where domestic laws or court judgments have provided stronger human rights protections. 

That’s because of another concerning mandate in Article 7: in countries with laws that prevent service providers from voluntarily responding to subscriber data requests without appropriate safeguards—such as a reasonable ground req