New Cybercrime Protocol: weak safeguards against big risks of abuse
In 2017, the Council of Europe (CoE) and its Cybercrime Committee started preparing an additional protocol to the Budapest Convention on Cybercrime – a new tool for law enforcement authorities (LEAs) to have access to data held by private companies in the context of criminal investigations.
The list of potential participants to the Protocol goes far beyond the Council of Europe Parties and includes countries like the United States, Turkey, Morocco and Azerbaijan.
In the context of the sixth round of consultation with civil society, data protection authorities and industry, European Digital Rights (EDRi) and the Electronic Frontier Foundation (EFF) coordinated a civil society joint letter to provide feedback on the first complete draft of the new Protocol, including on the new provisions on conditions and safeguards, in particular those relating to data protection.
In this letter, 14 European and American signatories expressed dissatisfaction that none of their substantiated and detailed recommendations submitted in the past rounds of consultation were taken into account.
There are a number of problems with the current text. Generally, the safeguards proposed for data protection, privacy and procedural rights are not sufficient to counterbalance the expansion of LEA powers. This opinion is widely shared among stakeholders, notably the European Data Protection Board, the EU Fundamental Rights Agency, the Council of Bars and Law Societies of Europe (CCBE) and EDRi’s member Access Now.
We have solutions, but they won’t listen
Building on previous work, we have highlighted the following recommendations on the basis of the problems of the current draft:
- Ensure there are data protection standards worldwide: Parties to the Additional Protocol should be required to accede to and properly implement Convention 108+ of the Council of Europe in order to ensure that safeguards provided for under domestic law regulate the law enforcement powers and that tools given by the Protocol match international standards of data protection.
- Ensure compliance with existing EU data protection standards: The draft provisions should be assessed and modified to comply with the EU acquis in the field of data protection in order to guarantee their compatibility with EU primary and secondary law, as recommended by the European Data Protection Board in its opinion. The involvement of independent supervisory authorities, including data protection authorities and independent experts, in the drafting process of the Protocol would have helped secure an essentially equivalent level of protection.
- The curiosity of law enforcement is not a “compatible purpose”: The possibility to further process data received under the Protocol should be clarified and strictly limited by introducing a narrow definition of “compatible purposes”.
- Show us the numbers: An obligation to publicly disclose statistics on the use of the measures under the Second Additional Protocol and on the number of individuals affected by them should be set for supervisory authorities.
Our demands are essential to avoid creating a mechanism that bypasses critical legal protections inherent in the current Mutual Legal Assistance Treaties (MLATs) – falsely considered as “red tape”. However, it seems that the Cybercrime Committee is willing to rush through the last steps of the negotiations to finalise the new Additional Protocol and open it for signature and ratification before summer. EDRi and its members are ready to engage with EU institutions to ensure that additional fundamental rights safeguards are introduced when EU Member States transpose the Protocol into national law.
Find our joint letter here.