Civil society warn against rushed global treaty for intrusive cross-border police powers
European Digital Rights (EDRi), Electronic Frontier Foundation (EFF) and 40 other civil society organisations urge the Council of Europe’s (CoE) Parliamentary Committee (PACE) to give them more time to provide much-needed analysis and feedback on the flawed cross border surveillance treaty recently approved by its Cybersecurity Committee (T-CY).
European Digital Rights (EDRi), Electronic Frontier Foundation (EFF) and 40 other civil society organisations urge the Council of Europe’s (CoE) Parliamentary Committee (PACE) to give them more time to provide much-needed analysis and feedback on the flawed cross border surveillance treaty recently approved by its Cybersecurity Committee (T-CY).
“In a bid to entice broad adoption from countries with insufficient privacy and human rights safeguards, the protocol combines mandatory and intrusive law enforcement measures with data protections that are largely optional. The result is a treaty that puts law enforcement interests first and privacy last.” said Chloé Berthélémy, Policy Advisor at EDRi.
Digital and human rights groups were largely sidelined and excluded during the drafting process of the Second Additional Protocol to the Budapest Convention, the first international treaty that will establish global procedures for law enforcement in one country to access personal user data from technology companies in other countries. The Council of Europe’s Cybercrime Committee rushed approval of the text in late May, signing off on a set of procedures that put few limitations and provided little oversight on police access to sensitive user data held by internet companies around the world.
The Protocol now heads to the Council of Europe’s PACE’s Committee on Legal Affairs and Human Rights, which can recommend further amendments. Civil society groups hope that the PACE committee will hear their privacy concerns and issue an opinion addressing the lack of adequate data protection safeguards.
In a letter to the Council of Europe’s Secretary General Marija Pejčinović Burić and PACE President Rik Daems, digital and human rights groups said the treaty will likely be used extensively, with far-reaching implications on the security and privacy of people everywhere. It is imperative that the fundamental rights guaranteed in the European Convention on Human Rights and in other agreements are not sidestepped even if they take time in favor of easier law enforcement access to user data free of judicial oversight and strong privacy protections.
The CoE’s plan is to finalise the Protocol’s adoption by November, and begin accepting signatures from Parties to the Convention in Spring 2022.
The full text of the letter follows:
Dear Secretary-General Pejčinović Burić, President, Parliamentary Assembly Rik Daems, Chair of the Committee of Ministers Péter Szijjártó
Re: Ensuring Meaningful Consultation in Cybercrime Negotiations
We, the undersigned individuals and organizations, write to ask for a meaningful opportunity to give the final draft text of the proposed second additional protocol to Convention 185, the Budapest Cybercrime Convention, the full and detailed consideration which it deserves. We specifically ask that you provide external stakeholders further opportunity to comment on the significant changes introduced to the text on the eve of the final consultation round ending on 6th May, 2021.
The Second Additional Protocol aims to standardise cross-border access by law enforcement authorities to electronic personal data. While competing initiatives are also underway at the United Nations and the OECD, the draft Protocol has the potential to become the global standard for such cross-border access, not least because of the large number of states which have already ratified the principal Convention. In these circumstances, it is imperative that the Protocol should lay down adequate standards for the protection of fundamental rights.
Furthermore, the initiative comes at a time when even routine criminal investigations increasingly include cross-border investigative elements and, in consequence, the protocol is likely to be used widely. The protocol therefore assumes great significance in setting international standards, and is likely to be used extensively, with far-reaching implications for privacy and human rights around the world. It is important that its terms are carefully considered and ensure a proportionate balance between the objective of securing or recovering data for the purposes of law enforcement and the protection of fundamental rights guaranteed in the European Convention on Human Rights and in other relevant national and international instruments.
In light of the importance of this initiative, many of us have been following this process closely and have participated actively, including at the Octopus Conference in Strasbourg in November, 2019 and the most recent and final consultation round which ended on 6th May, 2021.
Although many of us were able to engage meaningfully with the text as it stood in past consultation rounds, it is significant that these earlier iterations of the text were incomplete and lacked provisions to protect the privacy of personal data. In the event, the complete text of the draft Protocol was not publicly available before 12th April, 2021. The complete draft text introduces a number of significant alterations, most notably the inclusion of Article 14, which added for the first time proposed minimum standards for privacy and data protection. While external stakeholders were previously notified that these provisions were under active consideration and would be published in due course, the publication of the revised draft on 12th April offered the first opportunity to examine these provisions and consider other elements of the Protocol in the full light of these promised protections.
We were particularly pleased to see the addition of Article 14, and welcome its important underlying intent—to balance law enforcement objectives with fundamental rights. However, the manner in which this is done is, of necessity, complex and intricate, and, even on a cursory preliminary examination, it is apparent that there are elements of the article which require careful and thoughtful scrutiny, in the light of which might be capable of improvement.1
As a number of stakeholders has noted,2 the latest (and final) consultation window was too short. It is essential that adequate time is afforded to allow a meaningful analysis of this provision and that all interested parties be given a proper chance to comment. We believe that such continued engagement can serve only to improve the text.
The introduction of Article 14 is particularly detailed and transformative in its impact on the entirety of the draft Protocol. Keeping in mind the multiple national systems potentially impacted by the draft Protocol, providing meaningful feedback on this long anticipated set of safeguards within the comment window has proven extremely difficult for civil society groups, data protection authorities and a wide range of other concerned experts.
Complicating our analysis further are gaps in the Explanatory Report accompanying the draft Protocol. We acknowledge that the Explanatory Report might continue to evolve, even after the Protocol itself is finalised, but the absence of elaboration on a pivotal provision such as Article 14 poses challenges to our understanding of its implications and our resulting ability meaningfully to engage in this important treaty process.
We know that the Council of Europe has set high standards for its consultative process and has a strong commitment to stakeholder engagement. The importance of meaningful outreach is all the more important given the global reach of the draft Protocol, and the anticipated inclusion of many signatory parties who are not bound by the Council’s central human rights and data protection instruments. Misalignments between Article 14 and existing legal frameworks on data protection such as Convention 108/108+ similarly demand careful scrutiny so that their implications are fully understood.
In these circumstances, we anticipate that the Council will wish to accord the highest priority to ensuring that fundamental rights are adequately safeguarded and that the consultation process is sufficiently robust to instill public confidence in the Protocol across the myriad jurisdictions which are to consider its adoption. The Council will, of course, appreciate that these objectives cannot be achieved without meaningful stakeholder input.
We are anxious to assist the Council in this process. In that regard, constructive stakeholder engagement requires a proper opportunity fully to assess the draft protocol in its entirety, including the many and extensive changes introduced in April 2021. We anticipate that the Council will share this concern, and to that end we respectfully suggest that the proposed text (inclusive of a completed explanatory report) be widely disseminated and that a minimum period of 45 days be set aside for interested stakeholders to submit comments.
We do realise that the T-CY Committee had hoped for an imminent conclusion to the drafting process. That said, adding a few months to a treaty process that has already spanned several years of internal drafting is both necessary and proportionate, particularly when the benefits of doing so will include improved public accountability and legitimacy, a more effective framework for balancing law enforcement objectives with fundamental rights, and a finalised text that reflects the considered input of civil society.
We very much look forward to continuing our engagement with the Council both on this and on future matters.
With best regards,
Electronic Frontier Foundation (international)
European Digital Rights (European Union)
The Council of Bars and Law Societies of Europe (CCBE) (European Union)
Access Now (International)
ARTICLE19 (Global)
ARTICLE19 Brazil and South America
Association for Progressive Communications (APC)
Association of Technology, Education, Development, Research and Communication – TEDIC (Paraguay)
Asociación Colombiana de Usuarios de Internet (Colombia)
Asociación por los Derechos Civiles (ADC) (Argentina)
British Columbia Civil Liberties Association (Canada)
Chaos Computer Club e.V. (Germany)
Content Development & Intellectual Property (CODE-IP) Trust (Kenya)
Dataskydd.net (Sweden)
Derechos Digitales (Latinoamérica)
Digitale Gesellschaft (Germany)
Digital Rights Ireland (Ireland)
Danilo Doneda, Director of Cedis/IDP and member of the National Council for Data Protection and
Privacy (Brazil)
Electronic Frontier Finland (Finland)
Epicenter.works (Austria)
Fundación Acceso (Centroamérica)
Fundacion Karisma (Colombia)
Fundación Huaira (Ecuador)
Fundación InternetBolivia.org (Bolivia)
Hiperderecho (Peru)
Homo Digitalis (Greece)
Human Rights Watch (international)
Instituto Panameño de Derecho y Nuevas Tecnologías – IPANDETEC (Central America)
Instituto Beta: Internet e Democracia – IBIDEM (Brazil)
Institute for Technology and Society – ITS Rio (Brazil)
International Civil Liberties Monitoring Group (ICLMG)
Iuridicium Remedium z.s. (Czech Republic)
IT-Pol Denmark (Denmark)
Douwe Korff, Emeritus Professor of International Law, London Metropolitan University
Laboratório de Políticas Públicas e Internet – LAPIN (Brazil)
Laura Schertel Mendes, Professor, Brasilia University and Director of Cedis/IDP (Brazil)
Open Net Korea (Korea)
OpenMedia (Canada)
Privacy International (international)
R3D: Red en Defensa de los Derechos Digitales (México)
Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic – CIPPIC (Canada)
Usuarios Digitales (Ecuador)
Vrijschrift.org (Netherlands)
Xnet (Spain)
1 See, for example: Access Now, comments on the draft 2 nd Additional Protocol to the Budapest Convention on Cybercrime, available at: https://rm.coe.int/0900001680a25783;
EDPB, contribution to the 6th round of consultations on the draft Second Additional Protocol to the Council of Europe Budapest Convention on Cybercrime, available at: https://edpb.europa.eu/system/files/2021-05/edpb_contribution052021_6throundconsultations_budapestconvention_en.pdf
2 Alessandra Pierucci, Correspondence to Ms Chloé Berthélémy, dated 17 May 2021; Consultative Committee of the Convention for the Protection of Individuals with Regard to Automated Processing of Personal Data, Directorate General Human Rights and Rule of Law, Opinion on Draft Second Additional Protocol, May 7, 2021, https://rm.coe.int/opinion-of-the-committee-of-convention-108-on-the-draft-second-additio/1680a26489; EDPB, see footnote 1; Joint Civil Society letter, 2 May: available at https://edri.org/wp-content/uploads/2021/05/20210420_LetterCoECyberCrimeProtocol_6thRound.pdf