New Cybercrime Protocol: More overreach, still no data protection safeguards

In 2017, the Council of Europe and its Cybercrime Committee started preparing an additional protocol to the Budapest Convention on Cybercrime – a new tool for law enforcement authorities (LEAs) to have access to data in the context of criminal investigations. In the context of the fifth round of consultation with civil society, data protection authorities and industry, EDRi and the Electronic Frontier Foundation (EFF) coordinated a civil society submission to provide feedback on the new draft provisions relating to joint investigations, request for domain name registration information and expedited disclosure of stored computer data in an emergency.

EFF, EDRi, IT-Pol Denmark, Al Sur, Article 19, Derechos Digitales, and Homo Digitalis have shared concerns that while the draft text further expands the powers of law enforcement authorities of the Parties to the Convention, the Cybercrime Committee still has not disclosed their ongoing work on conditions and safeguards for data protection and privacy. Any effort to enable effective police investigations must go hand in hand with respecting critical human rights and data protection international frameworks, and with including transparency requirements, public oversight, and effective remedies.

Our submission focused on demanding the main following changes to the provisional text:

• Prohibiting forum shopping practices in joint investigations that enable one country to circumvent its own data protection and legal framework to get access to data that it would normally not have access to under its domestic rules.
• Bringing transparency and judicial oversight to the setting up of Joint Investigation Teams.
• Prohibiting the direct disclosure of domain name registration data to foreign law enforcement authorities and instead, request that the Party to the Convention in which the service provider is established is notified and validates the data access request.