Transborder data access: Strong criticism of plans to extend CoE Cybercrime Treaty
The Council of Europe Cybercrime Convention Committee (T-CY) held a hearing on 3 June 2013 in Strasbourg to collect views from civil society and the private sector on its plans to further extend Convention 185 provisions on transborder access to data through a draft additional Protocol. The proposal received strong criticism from most of the participating stakeholders (EDRI, ISOC, independent academics and privacy advocates, EuroISPA, and companies such as Google, Microsoft and LeaseWeb) as well as from the European Commission, the European Data Protection Supervisor, and even the Data Protection Unit from the same CoE Data Protection and Cybercrime Division. The only participating stakeholder who warmly welcomed the proposal was the Anti-Phishing Working Group, while the International Chamber of Commerce (ICC) was more concerned with the economic interests of businesses and the legal certainty of their operations vis-à-vis law enforcement authorities' requests than with issues related to personal data protection.
Besides the T-CY bureau members (Estonia, Portugal, Romania, Serbia, UK, USA), government representatives were not very vocal and seemed to attend mainly to hear from stakeholders before the T-CY (closed) plenary meeting, scheduled for 4-5 June. South Africa recalled that privacy is a constitutional right in the country, making the CoE proposal very difficult to address. But the really notable exception was Russia, which took the floor on numerous occasions and strongly advocated against the proposal with arguments based both on international law and on privacy and personal data protection. Russia is, with San Marino, the only CoE Member State not to have signed the Budapest Convention, but is apparently very proud to be the most recent State to have ratified CoE Convention 108 on Data Protection. That being said, it is well known that Russia never agreed to Article 32(b) of the Cybercrime Convention, considering that its provisions would allow violations of States' sovereignty.
Article 32(b) is precisely at the centre of the current CoE T-CY proposal. It deals with transborder access to stored computer data and provides that a Party to Convention 185 “may, without the authorisation of another Party, access or receive, through a computer system in its territory, stored computer data located in another Party, if the Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the data to the Party through that computer system.” With its draft additional Protocol, the new CoE T-CY proposal basically aims at relaxing the remaining constraint for the requesting Party, currently bound by the computer system location “in its territory”.
As a result of a report prepared by an ad hoc T-CY sub-group and adopted in December 2012, this draft additional Protocol suggests different options for allowing transborder access, identified as the “unilateral access by law enforcement authorities of one State to data stored on a computer system in a foreign State without the need for mutual legal assistance”. The demand results from the increasing need to quickly and easily collect electronic evidence to fight (cyber-)crimes, especially with the development of cloud computing (which results in data often being located in foreign territories or even unknown places, when it is not roaming from one territory to another), and assumes that neither Article 32(b) nor the provisions of mutual legal assistance Treaties (MLAT) can meet this need.
In substance, the 5 options provided in the draft Protocol are all based on allowing transborder access mainly through (1) consent of the data subject; (2) consent of the data controller; (3) “in good faith or in exigent or other circumstances” or (4) when the data location is unknown, replacing the concept of territory by that of “the power of disposal of data”. The discussion highlighted major problems with all such options.
First of all, the notion of consent is defined in all data protection legislation, including CoE Convention 108, as that of the data subject, and never that of the data controller. Except when provided by law, disclosure of data by the data controller might even lead to a criminal offence.
Second, the CoE proposal provides that the data subject’s consent be evaluated by the requesting Party, which obviously might infringe the data protection legislation of the State where the data is located, given the lack of harmonization of this legislation among countries, including the Cybercrime Convention Parties, which extend far beyond the Council of Europe territory. To overcome this situation, EDRI recommended as a necessary pre-condition that the Parties concerned ensure an adequate level of data protection in their respective legislation, for instance through the ratification of Convention 108.
Third, it also provides that the lawfulness of the transborder access authorisation be evaluated by the requesting Party as well, which would create rights and obligations for the State where the data is located, while this is against international law provisions when the latter is a third Party to the Treaty.
Fourth, allowing transborder access without consent but “in good faith or in exigent circumstances” would be a Pandora's box, soon opening the way to all kinds of mission creep, especially when the simple fact that data are available somewhere seems to be seen by some as a blank check to use them in criminal proceedings, even in cases of minor offences.
Fifth and last but not least, the strange proposal of replacing the concept of territorial location of data by that of “the power of disposal of data” as connecting factor to access them is, inter alia, highly dangerous for political freedoms even when intended as the power of the data subject to dispose of his/her own data. It suffices to consider cases of political activists in authoritarian States, being forced to disclose their data hosted in a more freedom-friendly country.
In addition to all these arguments raised by critics of the proposal, the discussion exposed the illegality, with regard to data protection legislation, of some provisions of the Cybercrime Convention itself and its lack of sufficient safeguards, especially with respect to privacy and data protection, the right against self-incrimination, and the dual criminality requirement in international law. That was an interesting moment, especially for those who, like the author, were part of the Global civil society coalition running the campaign against the danger of the Cybercrime Convention back in 1999, when the first leaks of the draft text were made available…
In order to address the real and legitimate concern of LEA facing the need to collect evidence in criminal investigations, the participating stakeholders instead recommended sticking to MLAT provisions, especially the existing networks of 24/7 LEA contact points, and finding ways to overcome the current difficulties, that is, mainly bureaucracy and lack of human and technical resources. As the bureau and the secretariat stated in conclusion, this task is also part of the efforts undertaken by the CoE T-CY, and further discussion will occur through future consultations and the series of Octopus conferences, this year's event being scheduled for 4-6 December 2013 in Strasbourg.
CoE T-CY public hearing of civil society and private sector (03.06.2013)
CoE Convention 185 on Cybercrime (23.11.2001)
CoE Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data (28.01.1981)
Report on ‘Transborder access and jurisdiction: What are the options?’
(Draft) elements of an Additional Protocol to the Budapest Convention on Cybercrime regarding transborder access to data (09.04.2013)
Global Internet Liberty Campaign (GILC) against the Cybercrime
Cooperation without adequate safeguards: Issues with the CoE Convention on cybercrime (11.06.2007)
EDRI-gram: Enditorial: The 2001 CoE Cybercrime Convention More Dangerous Than
CoE action against cybercrime
(Contribution by Meryem Marzouki, EDRi member IRIS - France)