Transborder data access: Strong critics on plans to extend CoE Cybercrime Treaty

By EDRi · June 5, 2013

The Council of Europe Cybercrime Convention Committee (T-CY) held a
hearing on 3 June 2013 in Strasbourg to collect views from civil society
and the private sector on its plans to further extent Convention 185
provisions on transborder access to data through a draft additional
Protocol. The proposal received strong criticism from most of the
participant stakeholders (EDRI, ISOC, independent academics and privacy
advocates, EuroISPA, and companies such as Google, Microsoft and
LeaseWeb) as well as from the European Commission, the European Data
Protection Supervisor, and even the Data Protection Unit from the same
CoE Data Protection and Cybercrime Division. The only participant
stakeholder who warmly welcomed the proposal was the Anti-Phishing
Working Group, while the International Chamber of Commerce (ICC) was
more concerned with economic interests of businesses and the legal
certainty of their operations vis-à-vis law enforcement authorities
requests than by issues related with personal data protection.

Besides the T-CY bureau members (Estonia, Portugal, Romania, Serbia, UK,
USA), government representatives were not very vocal and seemed to
attend mainly to hear from stakeholders before the T-CY (closed) plenary
meeting, scheduled on 4-5 June. South Africa reminded that privacy is a
constitutional right in the country, making the CoE proposal very
difficult to address. But the really notable exception was Russia,
taking the floor at numerous occasions and strongly advocating against
the proposal with arguments based both on international law and on
privacy and personal data protection. Russia is the only CoE Member
State, with San Marino, having not signed the Budapest Convention, but
is apparently very proud to be the most recent State having ratified CoE
Convention 108 on Data Protection. That being said, it is well known
that Russia never agreed on Article 32(b) of the Cybercrime Convention,
considering that its provisions would allow violations of States

Article 32(b) is precisely at the centre of the current CoE T-CY
proposal. It deals with transborder access to stored computer data and
provides that a Party to Convention 185 “may, without the authorisation
of another Party, access or receive, through a computer system in its
territory, stored computer data located in another Party, if the Party
obtains the lawful and voluntary consent of the person who has the
lawful authority to disclose the data to the Party through that computer
system.” With its draft additional Protocol, the new CoE T-CY proposal
basically aims at relaxing the remaining constraint for the requesting
Party, currently bound by the computer system location “in its territory”.

As a result of a report prepared by an ad hoc T-CY sub-group and adopted
on December 2012, this draft additional Protocol suggests different
options for allowing transborder access, identified as the “unilateral
access by law enforcement authorities of one State to data stored on a
computer system in a foreign State without the need for mutual legal
assistance”. The demand results from the increasing need to quickly and
easily collect electronic evidences to fight (cyber-)crimes, especially
with the development of cloud computing (which results in data location
often in foreign territories or even unknown places, when it is not
roaming from one territory to another), and assumes that neither
Article 32(b) nor mutual legal assistance Treaties (MLAT) provisions
allow to answer this need.

In substance, the 5 options provided in the draft Protocol are all based
on allowing transborder access mainly through (1) consent of the data
subject; (2) consent of the data controller; (3) “in good faith or in
exigent or other circumstances” or (4) when the data location is
unknown, replacing the concept of territory by that of “the power of
disposal of data”. The discussion highlighted major problems with all
such options.

First of all, the notion of consent in defined in all data protection
legislation, including CoE Convention 108, as that of the data subject,
and never that of the data controller. Except when provided by law,
disclosure of data by the data controller might even lead to a criminal

Second, the CoE proposal provides that the data subject’s consent be
evaluated by the requesting Party, which obviously might infringe the
data protection legislation of the State where the data is located,
given the lack of harmonization of this legislation among countries,
including the Cybercrime Convention Parties, that extend far beyond the
Council of Europe territory. To overcome this situation, EDRI
recommended as necessary pre-condition that concerned Parties ensure an
adequate level of data protection in their respective legislation, for
instance through the ratification of Convention 108.

Third, it also provides that the lawfulness of the transborder access
authorisation be evaluated by the requesting Party as well, which would
create rights and obligations to the State where the data is located,
while this is against international law provisions when the latter is a
third Party to the Treaty.

Fourth, allowing transborder access without consent but “in good faith
or in exigent circumstances” would be a Pandora box, soon opening the
way to all kinds of mission creep, especially when the simple fact that
data are available somewhere seems to be seen by some as a blank check
to use them in criminal proceedings, even in case of minor offences.

Fifth and last but not least, the strange proposal of replacing the
concept of territorial location of data by that of “the power of
disposal of data” as connecting factor to access them is, inter alia,
highly dangerous for political freedoms even when intended as the power
of the data subject to dispose of his/her own data. It suffices to
consider cases of political activists in authoritarian States, being
forced to disclose their data hosted in a more freedom-friendly country.

In addition to all these arguments raised by critics of the proposal,
the discussion exposed the illegality, with regards to data protection
legislation, of some provisions of the Cybercrime Convention itself and
its lack of sufficient safeguards especially w.r.t. privacy and data
protection, the right against self-incrimination, and the dual
criminality requirement in international law. That was an interesting
moment, especially for those who, like the author, were part of the
Global civil society coalition running the campaign against the danger
of the Cybercrime Convention back in 1999, when the first leaks of the
draft text were made available…

In order to address the real and legitimate concern of LEA facing the
need to collect evidence in criminal investigations, the participant
stakeholders rather recommended sticking to MLAT provisions, especially
the existing networks of 24/7 LEA contact points, and to find ways to
overcome the current difficulties, that is, mainly bureaucracy and lack
of human and technical resources. As the bureau and the secretariat
stated in conclusion, this task is also part of undertaken efforts by
the CoE T-CY, and further discussion will occur through future
consultations and the series of Octopus conferences, this year event
being scheduled on 4-6 December 2013 in Strasbourg.

CoE T-CY public hearing of civil society and private sector (03.06.2013)

CoE Convention 185 on Cybercrime (23.11.2001)

CoE Convention 108 on or the Protection of Individuals with regard to
Automatic Processing of Personal Data (28.01.1981)

Report on ‘Transborder access and jurisdiction: What are the options?’

(Draft) elements of an Additional Protocol to the Budapest Convention on
Cybercrime regarding transborder access to data (09.04.2013)

Global Internet Liberty Campaign (GILC) against the Cybercrime
Convention (1999-2004)

Cooperation without adequate safeguards : Issues with the CoE Convention
on cybercrime (11.06.2007)

EDRI-gram: Enditorial: The 2001 Coe Cybercrime Convention More Dangerous Than
Ever (20.06.2007)

CoE action against cybercrime

(Contribution by Meryem Marzouki, EDRi member IRIS – France)