EFF to Council of Europe: Cross Border Police Surveillance Treaty Must Have Ironclad Safeguards to Protect Individual Rights and Users’ Data

This is the third post in a series about recommendations EFF, European Digital Rights, the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic, and other civil society organizations have submitted to the Parliamentary Assembly of the Council of Europe (PACE), which is currently reviewing the Protocol, to amend the text before its final approval in the fall. Read the full series here, here, here and here.

A global cybercrime treaty is set to reshape how cross-border police investigations are conducted. The treaty, referred to by the inauspicious moniker “Second Additional Protocol to the Council of Europe’s Budapest Convention on Cybercrime,” grants law enforcement intrusive new powers while adopting few safeguards for privacy and human rights. 

Many elements of the Protocol are a law enforcement wish list—hardly surprising given that its drafting was largely driven by prosecutorial and law enforcement interests with minimal input from external stakeholders such as civil society groups and independent privacy regulators. As a result, EFF, European Digital Rights, the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic, and other civil society organizations have called on the Parliamentary Assembly of the Council of Europe (PACE), which is currently reviewing the Protocol, to amend the text before its final approval in the fall. 

International law enforcement investigations are becoming increasingly routine, with policing forces seeking access to digital evidence stored by service providers around the globe. But in the absence of detailed and readily enforceable international human rights standards, law enforcement authorities around the world are left to decide for themselves the conditions under which they can demand access to personal information. As a result, the lowest common denominator in terms of privacy and other protections will often prevail in cross-border investigations.

Unfortunately, the Council of Europe’s Second Additional Protocol fails to provide the type of detailed and robust safeguards necessary to ensure cross-border investigations embed respect for human rights. Quite to the contrary, the Protocol avoids imposing strong safeguards in an active attempt to entice states with weaker human rights safeguards to sign on. To this end, the Protocol recognizes many mandatory and intrusive police powers, coupled with relatively weak safeguards that are largely optional in nature. The result is a net dilution of privacy and human rights on a global scale.

Cross-border investigations raise difficult questions, as widely varying legal systems clash. How do data protection laws regulate police collection and use of personal data when the collection process spans multiple jurisdictions and legal systems? More specifically, what kinds of legal safeguards from existing human rights and data protection toolkits will govern these and other forms of evidence collection across borders? 

Although data protection laws generally apply to both public and private sectors, many countries have failed to set high standards. Some countries have exempted law enforcement data collection and processing of personal data from their data protection laws, while other privacy laws like the United States’ Privacy Act do not apply to foreigners--non-U.S. persons who are not legal permanent residents. 

Many different kinds of international evidence-gathering and international law enforcement cooperation happen today, but the draft Protocol seeks to establish a new global standard