Cross-border access to data has to respect human rights principles
The Council of Europe started preparing an additional protocol to the Cybercrime Convention – a new tool for law enforcement authorities (LEAs) to have access to data in the context of criminal investigations. Ahead of the first meeting of the Drafting Group, EDRi coordinated a civil society submission, signed by 14 organisations from around the globe, on how to protect human rights when developing new rules on cross-border access to electronic evidence (“e-evidence”). On 18 September in Strasbourg, EDRi’s Executive Director Joe McNamee handed over the comments and suggestions on the terms of reference for drafting a new protocol.
The Council of Europe welcomed the global civil society submission. Receiving the submission on behalf of the Council, Alexander Seger, the Council of Europe’s anti-cybercrime coordinator stated:
Clear rules and more effective procedures are required to secure electronic evidence in the cloud in specific criminal investigations. Otherwise, governments will not be able to meet their obligation of protecting the rights of individuals and ensuring the rule of law in cyberspace.
The main instruments to facilitate cross-border access to data are the Mutual Legal Assistance Treaties (MLATs). However, they are criticised for being slow and inefficient. This has led countries like the United States and the United Kingdom to enter into bilateral arrangements that do not fix the MLAT, but create additional problems.
Making MLATs more efficient ought to be the number one priority, and this was part of the agenda of the last plenary meeting of the Cybercrime Convention Committee of the Council of Europe. Nonetheless, the forthcoming protocol cannot be used as a way to create parallel processes that could worsen the current situation for human rights. As stated in the civil society submission, if the MLATs are made efficient and effective, a new protocol could outline procedures under which authorities in any state can obtain access to servers and devices in another state in full compliance with three basic principles:
- Enforcement of jurisdiction by a State or State agency on the territory of another State cannot happen without the knowledge and agreement of the targeted State.
- State-parties must comply with human rights principles and requirements, including under any powers granted or envisaged in or under the Cybercrime Convention and the proposed additional protocol.
- Unjustified forced data localisation should be banned. Data transfers between jurisdictions should not occur in the absence of clear data protection standards.
Harmonisation in this area should be done “upwards”, keeping the highest standards of safeguards and practices, not downgrading them to the lowest common level. This means that proposals such as the recent US legislative proposal to require direct “cooperation” from companies bypassing key legal safeguards and increasing surveillance powers – to the detriment our rights and freedoms – would not be acceptable.
Global Civil Society Submission to the Council of Europe: Comments and suggestions on the Terms of Reference for drafting a Second Optional Protocol to the Cybercrime Convention (08.09.2017)
Cross-border access to data: EDRi delivers international NGO position to Council of Europe (18.09.2017)
New legal tool on electronic evidence: Council of Europe welcomes civil society opinion (18.09.2017)
US cross-border data deal could open surveillance floodgates (18.09.2017)
(Contribution by Maryant Fernández Pérez, EDRi)