Cross Border Police Surveillance Treaty Must Have Clear, Enforceable Privacy Safeguards, Not a Patchwork of Weak Provisions

This is the fourth post in a series about recommendations EFF, European Digital Rights, the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic, and other civil society organizations have submitted to the Parliamentary Assembly of the Council of Europe (PACE), which is currently reviewing the Second Additional Protocol to the Budapest Convention on Cybercrime, to amend the text before final approval in the fall. Read the full series here, here, here,  here, and here. Two very different assessments of a proposed treaty on cross border police access to user data were presented to the Council of Europe (CoE) Parliamentary Assembly at a hearing earlier this month. EFF expressed grave concerns about a lack of detailed human rights safeguards in the text, while officials with CoE’s Cybercrime Convention Committee (T-CY), which drafted the treaty, not surprisingly voiced confidence that the instrument provides adequate protection for individual rights. The treaty, created to facilitate cross border law enforcement investigations of cybercrime and procedures for efficiently accessing electronic evidence, including user data, will reshape cross-border law enforcement data-gathering on a global scale. At this point, with final approval of the treaty expected in November, we are still far apart on the issue of human rights protections. It was made clear at the September 14 virtual hearing that the treaty—called the Second Additional Protocol to the Budapest Convention on Cybercrime—was crafted with an eye towards appeasing as many states as possible, all with highly varying criminal legal systems and human rights track records. No easy task, to be sure. Representatives of CoE Cybercrime Committee (T-CY) said the Protocol’s “carefully calibrated” text is the result of intensive negotiations in dozens of meetings with dozens of states, parties, and experts, over many years. Compromises had to be made, they said, to accommodate the needs of multiple states with competing law enforcement approaches to investigating cybercrime, safeguarding data, and protecting human rights. The reality is that T-CY Member States are willing to impose detailed, mandatory standards for law enforcement access to electronic information, but not willing to impose solid human rights and data protection standards globally. As EFF Policy Director for Global Privacy Katitza Rodriguez said at the hearing, detailed international law enforcement powers should come with detailed legal safeguards for privacy and data protection. The Protocol does not establish clear and enforceable baseline safeguards in cross-border evidence gathering, and avoids imposing strong privacy and data protections in an active attempt to entice states with weaker human rights records to sign on.

To this end, the Protocol recognizes many mandatory and intrusive police powers, coupled with relatively weak safeguards that are largely optional in nature. The result is a net dilution of privacy and human rights on a global scale. But the right to privacy is a universal right. Incorporating strong safeguards alongside law enforcement  powers will not impede cross-border law enforcement, but will ensure human rights are respected, Rodriguez added. The hearing confirmed some of gravest concerns regard