Cross-border access to user data by law enforcement in 2021: A year in review

Law enforcement agencies around the world are getting their holiday wish list, thanks to the Council of Europe’s adoption of a flawed new protocol to the Budapest Convention, a treaty governing procedures for accessing digital evidence across borders in criminal investigations.

By EDRi · January 19, 2022

Law enforcement agencies around the world are getting their holiday wish list, thanks to the Council of Europe’s adoption of a flawed new protocol to the Budapest Convention, a treaty governing procedures for accessing digital evidence across borders in criminal investigations. The Second Additional Protocol (“the Protocol”) to the Budapest Convention, which will reshape how police in one country access data from internet companies that are based in another country, was heavily influenced by law enforcement. It mandates new intrusive powers to the police without adequate protections of privacy and other fundamental rights.

The new protocol was approved on 17 November 2021—a major disappointment that can endanger technology users, journalists, activists, and vulnerable populations in countries with flimsy privacy protections thereby weakening everyone’s right to privacy and freedom of expression across the globe. Following the decision by the Council of Europe’s (CoE) Committee of Ministers, the protocol will be open to signatories from countries that have ratified the Budapest Convention (currently 66 countries) around May 2022.

EDRi, its member the Electronic Frontier Foundation (EFF) and other allies, spent many years raising alarm bells to let the CoE and the world know that the protocol was being pushed through without adequate human rights protectionsConcerns were raised in February noting that draft meetings to finalise the text were held in closed sessions, excluding civil society and even privacy regulators. 

After the draft protocol was approved in May by the CoE’s Cybercrime Committee, EFF and 40 organisations urged the Committee of Ministers, which also reviews the draft, to give more time for suggestions and recommendations so that human rights are adequately protected in the protocol.

In August, 20 solid, comprehensive recommendations to strengthen the protocol were submitted. These included requiring law enforcement to garner independent judicial authorisation as a condition for cross border requests for user data, prohibiting police investigative teams from bypassing privacy safeguards in secret data transfer deals, and deleting provisions mandating that internet providers directly cooperate with foreign law enforcement orders for user data, even where local laws require them to have independent judicial authorisation for such disclosures. Digital rights organisations then defended their position at a virtual hearing before the Parliamentary Assembly of the Council of Europe (PACE), which suggested amendments to the Protocol text.

Unfortunately, PACE did not take all of the concerns raised on board. While some of their suggestions were acted on, several core concerns about weak privacy standards were unaddressed. PACE’s report and opinion on the matter noted a “difficult dilemma” about international legal cooperation given significantly inconsistent laws and safeguards in countries that will sign on to the treaty. 

PACE fears that “higher standards [could] jeopardise” the goal of effectively fighting cybercrime and concludes that it would be unworkable to make privacy-protective rules stronger. Basically, PACE is willing to sacrifice human rights and privacy to get more countries to sign on to their treaty.

This position is worrying, since many parts of the protocol are a law enforcement wish list—not surprising since it was mainly written by prosecutors and law enforcement officials. Meanwhile, gaps in human rights protections under some participating countries’ laws are deep. As EFF told PACE in testimony at its virtual hearing: “The Protocol openly avoids imposing strong harmonised safeguards in an active attempt to entice states with weaker human rights records to sign on. The result is a net dilution of privacy and human rights on a global scale. But the right to privacy is a universal right.”

PACE agreed that the Protocol ought to incorporate new references to proportionality as a requirement in privacy and data protection safeguards (Articles 13 and 14). It also said that “immunities of certain professions, such as lawyers, doctors, journalists, religious ministers or parliamentarians” should be explicitly respected, and that there ought to be public statistics about how the powers created by the Protocol were used and how many people were affected.

However, the Council of Ministers adopted the Protocol as-is, without any of the improvements suggested by PACE. As a result, applying human rights safeguards will be up to the broad range of individual countries that will now sign onto the treaty in the near future.

What does it mean for the European Union?

With the Protocol’s adoption, there will now be debates in national Parliaments across the world about its ratification and what standards countries adopt as they implement it. There will be an opportunity for countries to declare reservations when accessing the treaty. That means numerous chances at the domestic level to influence how governments act on the protocol throughout 2022. People—and national data protection authorities—in countries with strong protections for personal information should demand that these safeguards are not circumvented by implementation of the protocol.

This is notably the case for European Union (EU) countries. The European Commission took part in the drafting process of the protocol on behalf of the European Union and its Member States “to ensure that the agreed Additional Protocol (…) is compatible with EU law”. The Commission was seemingly a leader in the negotiations over Article 14 that contains all data protection and privacy-related safeguards. However, the European Data Protection Board (EDPB), the EU’s network of data protection authorities, substantially criticised the text in the last round of consultation, especially the very same provisions that the Commission claimed to be “in line with Union law”. In a series of recommendations, the EDPB highlights that the Protocol, as it stands, is not fully compatible with EU primary and secondary law and calls for a higher level of protection of personal data in order to ensure that EU data protection law is not undermined. Nevertheless, the European Commission advised Member States to join the Protocol with as few reservations as possible (in two proposals for Council Decisions allowing the signature and the ratification). 

For example, the Commission dissuades Member States from rejecting Article 7 – voluntary disclosure by service providers of subscriber data- which is highly problematic with regards to the principle of legal certainty. It also discourages them from forbidding access to “certain types of access numbers if that would be inconsistent with the fundamental principles of [their] domestic legal system” to foreign authorities. Lastly, it recommends to allow transfers not only of subscriber data but also of traffic data under Article 8 (giving effect to orders from another party).

And for the rest of the world?

The push by law enforcement to get faster access to data should not override current legal safeguards or impair national debates towards adequate minimum standards. Data protection and privacy advocates around the world should be ready to challenge privacy infractions.

CoE’s Secretary-General welcomed the protocol’s adoption “in the context of a free and open internet where restrictions apply only as a means to tackle crime”—an optimistic view, to be sure, given the recent spate of intense internet crackdowns by governments, including some Budapest Convention signatories.

Part of the impetus for rushing the adoption of the protocol in the first place was to forestall efforts to create a more intrusive framework for cross-border policing. Specifically, a new international cybercrime treaty, first proposed by Russia, is gaining support at the United Nations. The UN cybercrime treaty would address many of the same investigative powers as the protocol and the Budapest Convention in ways that could be even more problematic for human rights. Russia has been promoting its cybercrime treaty for at least a decade

Unfortunately, the adoption of the protocol has not staved off those efforts. Not only are these efforts actively moving forward, but the protocol has now created a new baseline of privacy-invasive police powers that the UN treaty can expand upon. Negotiations on the UN treaty will begin in January.

EFF and its civil society allies are already advocating for a human rights centered approach to drafting the proposed UN treaty. EDRi’s focus in the coming year will be on working with the European Parliament, which must consent to the ratification, in order to guarantee that the protocol does not undermine EU data protection and privacy standards. 

Image credits: Fabio Ballasina / Unsplash

(Contribution by: Katitza Rodríguez Policy Director for Global Privacy, EFF , Karen Gullo, Analyst, Senior Media Relations Specialist , Chloé Berthélémy, Policy Advisor, EDRi)